Technology, privacy and domestic violence

Privacy advocacy in Ireland faces a number of challenges. Often it's met with the old canard "if you've nothing to hide you've nothing to fear" - implying that privacy is something for wrongdoers and criminals. A related problem has been a lack of wider public concern about privacy issues: while occasional issues (such as the recent series of data breaches) trigger public interest, more often issues such as data retention tend to be seen as rather esoteric and remote from people's day to day lives.

This makes a recent story on domestic violence charity Women's Aid all the more significant in showing that privacy issues should be of much wider concern:

In its annual report for 2009, to be released today, the charity has noted an increase in disclosures of women being abused, controlled and stalked through technology.

Director of the charity Margaret Martin said it was very concerned at the development.

She said callers disclosed that current or former boyfriends, husbands and partners were using many forms of technology to control, coerce and intimidate them.

Women had disclosed that home and mobile phone calls were monitored, as well as their texts. Some women also found cameras secretly installed to monitor them in their own homes.

Abusers tracked and scrutinised online use and demanded access to private e-mail and social networking accounts.

Some women said their partners and ex-partners had placed lies about them on internet sites. Others had been photographed and filmed without their consent, sometimes having sex, and the images were uploaded to the internet...

“Quite often it prevents women from seeking help as they fear their partner will see that they have rung a helpline, looked at a domestic violence website or spoken of the abuse to their friends, family or colleagues in an e-mail or text.”

This story also reflects a significant wider trend not just in online privacy but in digital rights generally - slowly but surely these rights are being recognised as important by mainstream civil society groups. For example, earlier this week in the UK the National Union of Journalists agreed to support legal challenges to the Digital Economy Act while in Europe the consumers' group BEUC recently adopted a specific strategy on consumer rights in the digital environment. This trend is important in that it promises to enlist greater support for digital rights - but presents a new challenge for digital rights groups to liaise with and educate other civil society groups.

May newspapers publish the whereabouts of released rapists? Murray v. Newsgroup Newspapers interlocutory decision handed down

The High Court (Irvine J.) today gave an interlocutory judgment in the important case of convicted rapist Michael Murray who is seeking to restrain newspapers from publishing his photograph or details of his whereabouts. The case follows extensive publicity given to him post-release (e.g.) which he claims is threatening his safety and jeopardising his rehabilitation.

Today's judgment refuses to grant an interlocutory injunction which would restrain the newspapers pending a full trial - significantly noting that there is a "public interest in being informed of the identity and whereabouts of a convicted criminal who may pose a risk to the community" (p.59). The Northern Irish decision in the similar case of Callaghan v. Independent News and Media was distinguished as involving a criminal who posed a lesser threat to the community and who faced a greater risk of being physically attacked once his identity was known.

Full text of judgment:

Murray v. Newsgroup Newspapers and others

Book review: Bound by Law

I've written a short review of the superb Bound by Law? Tales from the Public Domain for the film studies journal Scope. Here's an excerpt:

You seldom find lawyers writing comic books. It's not that we have anything against them. We're happy to litigate about them (as fans of Alan Moore's Watchmen can testify, having seen Zack Snyder's film adaptation delayed by litigation between Twentieth Century Fox and Warner Brothers). We're even sometimes their subject (just consider the central role of Harvey Dent / Two-Face in the Batman canon). But writing comic books? What might the clients think? Or the tenure committee? And how might a profession known for its verbosity cope with the tight constraints of the speech bubble?

This makes Bound by Law? a rare beast indeed – a comic book written (and drawn) by lawyers which also manages to be a clear and entertaining introduction to the legal issues faced by filmmakers in the minefield that is intellectual property law. The authors are academics at UC Davis School of Law (Aoki) and Duke University Law School (Boyle and Jenkins) with a track record of innovative research at the point where law, creativity and the public domain intersect. In this book they set out to look at the position of documentary makers and how intellectual property law constrains what they do, with a view to illustrating the wider argument that the law has become imbalanced and is in need of reform.

The focus of their work is neatly set out by this example:

A cell phone happened to ring during the filming of Marilyn Agrelo and Amy Sewell's Mad Hot Ballroom, a documentary about New York City kids in a ballroom dancing competition. The ring tone was the Rocky theme song … EMI, which owns the rights to the Rocky song asked for – guess how much? $10,000. In another scene, they were filming a foosball game and one of the players spontaneously yelled "Everybody dance now" – a line from the C&C Music Factory hit. Warner Chappell demanded $5,000 for the use of the line (14).

This demonstrates an ongoing problem for documentary film makers -- the problem of documenting the world when certain aspects of the world (music playing in the background, artwork on the walls, even trademarks appearing on products) may be off limits. This book is full of examples of situations where documentary makers have found their work stifled as a result. But how did we arrive at a situation where rights holders demand payment of large sums for transient and incidental excerpts of their works? And what should we do about it?

Full review.

For a safer and cleaner internet

I was extremely impressed with this cynical but accurate video about EU internet blocking proposals. Enjoy:



For more, see the Cleanternet website.

Music Industry says "Child Pornography is Great"

”Child pornography is great,” the speaker at the podium declared enthusiastically. ”It is great because politicians understand child pornography. By playing that card, we can get them to act, and start blocking sites. And once they have done that, we can get them to start blocking file sharing sites”.

The venue was a seminar organized by the American Chamber of Commerce in Stockholm on May 27, 2007, under the title ”Sweden — A Safe Haven for Pirates?”. The speaker was Johan Schlüter from the Danish Anti-Piracy Group, a lobby organization for the music and film industry associations, like IFPI and others...

”One day we will have a giant filter that we develop in close cooperation with IFPI and MPA. We continuously monitor the child porn on the net, to show the politicians that filtering works. Child porn is an issue they understand,” Johan Schlüter said with a grin, his whole being radiating pride and enthusiasm from the podium.

And seen from the perspective of IFPI and the rest of the copyright lobby, he of course had every reason to feel both proud and enthusiastic, after the success he had had with this strategy in Denmark.

Today, the file sharing site The Pirate Bay is blocked by all major Internet service providers in Denmark. The strategy explained by Mr. Schlüter worked like clockwork.

Christian Engström MEP has more.

Update on Eircom, IRMA and "three strikes" in Ireland

In all the excitement surrounding St. Patrick's day this week the fact that Eircom and the music industry were back in court on Tuesday didn't really receive the attention it deserves.

The background to Tuesday's hearing lies in last January's settlement under which Eircom agreed to introduce a "three strikes" system to disconnect users accused of filesharing by the music industry. Under that agreement (which has never been made public, but details of which have leaked) the record companies seem to have been required to show that they - and Eircom - would be acting in compliance with data protection law.

The Data Protection Commissioner, however, threw a spanner in the works, as summarised by the Sunday Times:

As part of the agreement, Irma said it would use piracy-tracking software to trace IP addresses, which can identify the location of an internet user, and pass this information to Eircom. The company would then use the details to identify its customer, and take action.

But the office of the Data Protection Commissioner (DPC) has indicated that using customers’ IP addresses to cut off their internet connection as a punishment for illegal downloading [presumably this should be uploading] does not constitute "fair use" of personal information. Irma and Eircom have asked the High Court to rule on whether these data-protection concerns mean the 2009 settlement cannot be enforced...

The Eircom case was reopened in the High Court last month and Judge Peter Charleton will hear submissions from both sides on March 16. The record companies asked for the DPC to be joined to the High Court action, but it refused on the basis that no one would guarantee to pay its legal costs.

Charleton will first have to decide whether an IP address constitutes "personal information" under data protection law. If it does, then data controllers are required to "get and use the data fairly". They are also required to use that data for "only one or more clearly stated purposes". The DPC does not think this includes cutting off their internet service.

"The EU telecoms directive indicated people have a fundamental right to an internet connection," said a source involved in the case. "So the judge must decide whether processing a person’s IP address to cut them off is a proportionate response to discovering they have downloaded pirated music."

Consequently, arguments on these issues were heard on Tuesday, throwing up some interesting new information. (It emerged for example that Eircom has agreed to throttle user traffic after strike two, and that Eircom will have three staff devoted to running the three strikes procedure.)

Unfortunately, that hearing seems to have been something of a case of Hamlet without the Prince. With the Data Protection Commissioner not represented, the court was hearing only from parties with a vested interest in the three strikes procedure and was deprived of an independent and impartial perspective.

I don't yet have a full transcript of the hearing, but I understand that the court was asked to rule on three broad questions:

1. Do IP addresses (in the hands of the music industry) constitute personal data?
2. Is the settlement agreement itself compatible with the Data Protection Acts?
3. If IP addresses are personal data, are they "sensitive personal data" in a context where they might reveal the commission of a criminal offence?

Other issues that arose included the fundamental rights implications of disconnecting users, whether users waived those rights by agreeing to Eircom's terms of use, and whether the Eircom/IRMA agreement was compatible with the new Telecoms Package rules on disconnecting users in relation to proportionality, necessity and procedural safeguards (including judicial review). Judgment is expected next week.

Cloud computing controversy won't clear

It seems as though the controversy caused by the Chief State Solicitor's advice about purchasing cloud computing just won't go away. John Collins has an update in today's Irish Times. Here's an excerpt:

ON A Thursday afternoon early last month an e-mail with the subject line "eTenders – Cloud Computing Warning" began to arrive in the inbox of public servants.

Sent by the National Public Procurement Operations Unit, which operates the Government’s electronic tendering website, eTenders, the brief communication said the Chief State Solicitor’s Office had advised "that issues such as data protection, confidentiality and security and liability are not necessarily dealt with in a manner that would be necessary for public-sector responsibilities" by cloud services.

The e-mail was quickly forwarded around Ireland’s technology industry. Not only are companies such as Microsoft, IBM and HP investing millions into research centres and data centres here to support the new model of delivering software and other services over the internet, but Minister for Communications Eamon Ryan last year identified cloud computing as one of six "pillars" that would drive the creation of a smart economy.

In fact, Ryan is understood to have been extremely annoyed at the message being sent out, and his advisers have moved to soothe the nerves of some of the major technology multinationals based here.

While not renowned for its technology expertise, one of the roles of the Chief State Solicitor’s Office is to review commercial agreements for public bodies before they sign them.

"They must have reviewed a contract which wasn’t up to scratch and now they have concluded all cloud contracts are like this," says Philip Nolan, a partner in legal firm Mason Hayes + Curran who specialises in technology contracts. "It’s a totally disproportionate reaction and the IT industry is recoiling in shock."

Nolan equates the advice given by the Chief State Solicitor’s Office to someone saying 12 years ago "don’t buy anything using e-commerce because it’s not secure".

Describing the e-mail as "damaging", Ed Byrne, general manager of Hosting365, a local firm that provides a platform to support cloud computing, says eTenders should have instead "outlined the questions that need to be asked before buying a cloud service".

According to Byrne, this would have included questions such as where is the service based, who is the supplier, how much money can it save and what levels of support can be expected.

Previously on this blog: 1|2

Ryanair v. Billigfluege.de - Full decision now available

I've just received a copy of the decision of Hanna J. in Ryanair v. Billigfluege.de and uploaded it to Scribd. At first glance it appears to represent a significant win for site owners who wish to control screenscraping, indexing and other uses of their content:

Ryanair v. Billigfluege.de

Ryanair screenscraping: Irish court accepts jurisdiction, rules on enforceability of website terms of use

You might have noticed that Ryanair has an ongoing legal campaign to stop sites from scraping its content and then reselling flights. (Blogged previously by me: 1|2|3.)

Until now, however, Ryanair found itself stymied by jurisdictional problems, and in two separate decisions the Irish High Court held that it did not have jurisdiction to hear its claims. (The first decision saw Ryanair thwarted by its own terms of use which provided for the English courts to have jurisdiction; the second involved prior Swiss proceedings which caused the Irish court to decline jurisdiction in favour of the Swiss court.)

In the most recent development in this saga, Ryanair has now amended its terms of use to provide for the exclusive jurisdiction of the Irish courts, and has succeeded in establishing jurisdiction in Dublin in an action against Billigfluege and Ticket Point. According to the Irish Times Hanna J. held as follows:

The exclusive jurisdiction clause contained in [Ryanair’s] website’s terms of use was binding on [Billigfluege and Ticket Point] in circumstances where those terms were at all times available for inspection by [Billigfluege and Ticket Point] as users of or visitors to the website, [Ryanair] having taken appropriate steps to ensure that the terms were brought to the user’s attention through their inclusion on the website via a clearly visible hyperlink.

If you use the site, you agree not to breach its terms and if you do so, the exclusive jurisdiction clause set out in the Terms of Use makes it clear that Ireland is the appropriate jurisdiction for the purposes of litigating any disputes that may arise as a result.

The full decision isn't available online yet, but from this excerpt it may be very significant indeed.

This appears to be the first time an Irish court has ruled on whether site terms of use are enforceable, and the passage quoted seems to adopt a very wide browsewrap theory whereby visitors to a website will be bound by terms of use without any positive act on their part, provided that a hyperlink to the terms is "clearly visible". I'm not entirely sure that this result is correct - as Andres Guadamuz notes in a similar context, there are issues of acceptance and consideration in these cases - and it will be interesting to read the full decision to see whether and how these issues are considered.

The potential implications of this decision are also important. If the broad approach above is followed it would appear to have the potential to eliminate screenscraping entirely, and to enable site owners to assert exclusivity over information which is not protected by copyright or database right - in effect creating a new quasi intellectual property right and upsetting the balance created by statute. (Just witness the Dublin Bikes iPhone app case.) Hopefully if this case goes to a full hearing we will see these points raised and considered in detail.

Government departments not up in the clouds

After last week's story about the Department of Finance issuing warnings about the use of cloud computing, Sean Sherlock TD followed up by asking whether the warnings stemmed from any particular incident; whether government departments are already using cloud computing; and if so what safeguards are in place. The results are interesting: the Finance warnings don't appear to be the result of any mishap in central government as not one department is yet using cloud computing. (Though the Minister for Communications, Eamon Ryan, did say that his Department is actively promoting its use.)

Alternative routes to identifying "anonymous" online users

David Robinson and Harlan Yu have posted a superb series of posts on Freedom to Tinker (1,2,3) about tactics which might be used to identify anonymous internet posters, even in cases where IP addresses might not have been logged by the site which hosts the comment. The key insight is that sites typically embed multiple external services (such as advertising, stats counters and video hosting) which may either individually or in combination enable the identity of particular users to be pinned down:

[P]laintiffs' lawyers in online defamation suits will typically issue a sequence of two "John Doe" subpoenas to try to unmask the identity of anonymous online speakers. The first subpoena goes to the website or content provider where the allegedly defamatory remarks were posted, and the second subpoena is sent to the speaker's ISP. Both entities—the content provider and the ISP—are natural targets for civil discovery. Their logs together will often contain enough information to trace the remarks back to the speaker's real identity. But when this isn't enough to identify the speaker, the discovery process traditionally fails.

Are plaintiffs in these cases out of luck? Not if their lawyers know where else to look.

There are numerous third party web services that may hold just enough clues to reidentify the speaker, even without the help of the content provider or the ISP. The vast majority of websites today depend on third parties to deliver valuable services that would otherwise be too expensive or time-consuming to develop in-house. Services such as online advertising, content distribution and web analytics are almost always handled by specialized servers from third party businesses. As such, a third party can embed its service into a wide variety of sites across the web, allowing it to track users across all the sites where it maintains a presence.

The traceability of any given site visitor will still depend on context: the number of third party services used by the site, the popularity of each third party service across the web, the types of identifying data that these parties collect and store, whether the speaker used any online anonymity tools, and many other site-specific factors.

Despite the variability in third party tracing capabilities, the nearly simultaneous connections to a few third party services means that the results of tracing can be combined. By sleuthing through information held in third party dossiers, logs and databases, plaintiffs in John Doe lawsuits will have many more discovery options than they had ever previously imagined.

Of course, these tactics are likely to be expensive. Also, in an Irish context the uncertainty as to whether a result will be achieved may mean that a court will be less willing to grant a Norwich Pharmacal order (which is a discretionary remedy (PDF) - not something which is available as of right). But nevertheless, the research is important - particularly as it illustrates that traditional methods of ensuring online anonymity (such as TOR routing) may be vulnerable to indirect attack.

Banned in Turkey: Turkish internet filtering and blocking

 Yaman Akdeniz has recently published a superb report for the OSCE on Turkey and Internet Censorship (press release | full text pdf).
 
Ironically, Yaman Akdeniz and his co-author Kerem Altıparmak have themselves been the subject of legal threats aiming to silence their criticism of Turkish internet censorship. Fortunately their book Restricted Access: A Critical Assessment of Internet Content Regulation and Censorship in Turkey (2008) is still available.

The image above is from Richard Dawkins' website, which has been blocked in Turkey since September 2008.

(Via Chris Marsden.)

Home Office terrorist material reporting site - some thoughts

The Home Office launched a new Directgov site last week, which "provides members of the public with information about what they can do if they come across violent extremist, terrorist and hate content online" (press release). The site takes reports and forwards them to a specialist unit within Association of Chief Police Officers (ACPO), which will take action if the material is illegal. Unsurprisingly there has been a good deal of media coverage (e.g. The Register | The Inquirer | BBC News).  So far, though, there doesn't seem to have been any assessment of how this fits into the broader matrix of internet regulation in the UK. This post asks what effect it might have.
  
Reducing the role of the IWF?

One of the more significant aspects of this story is that it appears to be the first time that the UK government has set up a specific site to which internet content can be reported. Until now, the government has effectively devolved that function to the Internet Watch Foundation (IWF). Although this is a private body, official policy has been to designate the IWF as the first port of call for online content. The Surrey Police website is typical:

If you come across offensive or illegal material, please DO NOT contact Surrey Police directly.

Instead, you can make a report on the Internet Watch Foundation (IWF) web site.
If they decide any action is needed, they will contact the ISP or the police, who can take appropriate action. (It's worth remembering that evidence of illegal or offensive material can be detected even after it has been deleted from a computer.)

The Internet Watch Foundation are qualified to judge the illegality of material and will report matters to the relevant police force. They are the only authorised organisation in the UK that provides an Internet hotline for the public to report their exposure to illegal content online.

Despite this, however, the IWF has never had a remit to receive complaints in relation to all illegal material online. For example, while there have been proposals from the Home Office that the IWF's remit should be extended to cover extremist websites, these have never come to fruition. Similarly, when the Terrorism Act 2006 created a system of notifying ISPs to take down terrorist material, that system bypassed the IWF entirely and required that notices be given via the police.

Consequently, the setting up of this site may be significant - does it indicate a trend which moves away from government reliance on the IWF and towards the use of separate (and public) reporting mechanisms?

Content control as a means of protecting vulnerable people?

The rhetoric used in announcing the site is also interesting. According to Lord West:

We want to protect people who may be vulnerable to violent extremist content and will seek to remove any unlawful material.

If this sounds familiar, that's because it echoes the justifications for introducing the Cleanfeed child abuse image blocking system and later for criminalising extreme pornography - in each case, a central component was the argument that harm would be caused to the viewer (by simply viewing the material, or by predisposing them to commit crimes). Is this approach - focusing on harm to the viewer - becoming more common in controlling content in the UK?

Using consumer pressure as a regulatory tool?

Quite apart from illegal content, the site also sets out to encourage users to challenge content which is  legal. According to Lord West:

This is also about empowering individuals to tell them how they can make a civic challenge against material that they find offensive, even if it is not illegal.

The internet is not a lawless forum and should reflect the legal and accepted boundaries of society.

Consequently, the site provides information on how to make complaints:

What you can do about online hate or violence that is not illegal

Most hateful or violent website content is not illegal. While you may come across a lot of things on the internet that offend you, very little of it is actually illegal.

UK laws are written to make sure that people can speak, and write, freely without being sent to prison for their views.

To be illegal, the content must match the descriptions at the top of this page.

Still, even if what you’ve seen does not seem to be illegal, you can take the steps below to have it removed if it upsets, scares or offends you.

Report it to the website administrator

Most websites have rules known as ‘acceptable use policies’ that set out what cannot be put on their website. Most do not allow comments, videos and photos that offend or hurt people...

If what you’ve seen is on a site with a good complaints system, you should report it to the website’s owners. Look out for their ‘contact us’ page, which should be clearly linked...

Report it to the hosting company

If the website itself is hateful or supports violence or terrorism let the website’s hosting company know. Hosting companies provide a place where the website sits, and often have rules about what they are willing to host.

Let the hosting company know they are hosting a website that breaks their rules, and ask them to stop.

You can find out which company hosts a website by entering their web address on the ‘Who is hosting this?’ website.

This approach - by encouraging community pressure to force ISPs to change their behaviour - matches policy in relation to blocking, where the Home Office has abandoned plans to legislate and has instead stated its intention to rely on public pressure instead:

For the first time the IWF will publish the list of ISPs who are certified as having implemented its blacklist. "Hopefully consumer and public pressure will encourage the ISPs who aren't on the list to comply," said Carr. A Home Office spokesman said: "We will continue to urge ISPs to implement blocking, and ask consumers to check with their suppliers that they have done so."

Does this mark the start of a trend towards greater use of consumer pressure by the UK government as a means of regulating what ISPs do?

Cloud computing complications

Not too long ago the Taoiseach and the Green Party were telling us that cloud computing is the way of the future for Irish business. Now it emerges that the Department of Finance has emailed government departments and public bodies warning about the risks of cloud computing. Is this a case (as some amused observers are saying) of the left hand not knowing what the right hand is doing? Or, as some sectors of the Irish technology industry are putting it, simple technical ignorance?

A Microsoft spokeswoman said that Ireland should "embrace the cloud across all aspects of public services".

"Microsoft’s software plus services offering provides enhanced security for data over and above what has traditionally been available for private and public organisations, and this is one of the primary reasons why so many public and private organisations across the globe are beginning to deploy solutions in the cloud."

Ed Byrne, general manager of Hosting 365, which provides cloud computing services, described the e-mail as "damaging" and showed a "lack of knowledge" of what the technology involves.

The technology is "mature and not nascent" said Philip Nolan, a partner in legal firm Mason Hayes + Curran. He said any contractual issues were surmountable, and he has large clients who use cloud computing for their core systems.

So are these criticisms justified? While it's understandable that providers might be defensive, these responses seem out of place given the very moderate tone of the original email, which is not a blanket ban on the use of cloud computing but simply a reminder to take legal advice before buying these services:

The Department of Finance has warned Government departments and public sector bodies that they should not purchase cloud computing services without obtaining legal advice.

The warning e-mail, which carries the subject "cloud computing warning", says that the Chief State Solicitor’s Office has "advised that issues such as data protection, confidentiality and security and liability are not necessarily dealt with in a manner that would be necessary for public sector responsibilities".

Far from being ignorant of the nature of cloud computing, this seems to show a good awareness of the challenges it can present. As Simon McGarr points out in today's Irish Times, unless properly thought out in advance cloud computing may result in the transfer of personal information outside the EU and in inadequate security measures being put in place by data processors. Suitable contracts can deal with these risks - but not all cloud computing providers (particularly those headquartered outside the EU) seem to be fully aware of their responsibilities under European data protection law, making detailed legal advice essential in all cases.

In addition, public sector storage of data presents further problems which are distinct from those faced in private sector use of cloud computing. For example, how will the public body ensure that data held in the cloud is available to meet a Freedom of Information Act request? How will departmental records held in the cloud be preserved and archived as required by the National Archives Act 1986? Will data in the cloud be sufficiently searchable as required by the Reuse of Public Sector Information Regulations? These and other complications make the advice from the Department of Finance seem eminently reasonable.

Update (27.02.10) - Microsoft's new secure cloud product for the US government shows some of the ways in which cloud computing products may have to be tailored for public sector use.

Please forgive the technical problems...

As you might have noticed, I'm changing the look and feel of the blog at the moment: something that requires migration from FTP to hosting with Google; updating the zone file for the domain; and all sorts of other technical shenanigans. Apologies in advance for the inevitable glitches. Normal service should be resumed shortly.

Irish blogger agrees €100,000 settlement for libel

The Sunday Times has details of the settlement which was obliquely mentioned in Forbes last week:

A blogger has agreed a €100,000 settlement after libelling Niall Ó Donnchú, a senior civil servant, and his girlfriend Laura Barnes. It is the first time in Ireland that defamatory material on a blog has resulted in a pay-out.

Barnes, an American book dealer, made a profit of up to €800,000 in 2005 from selling a cache of James Joyce papers to the state. One year later she began a relationship with Ó Donnchú, an assistant secretary in the Department of Arts, Sports and Tourism.

In December 1, 2006, a blogger who styles himself as Ardmayle posted a comment about the couple and the sale of the Joycean manuscripts under the headline “Barnes and Noble”. Following a legal complaint, he took down the blog and in February 2007 he posted an apology which had been supplied by Ó Donnchú’s and Barnes’ lawyer, Ivor Fitzpatrick solicitors.

“I subsequently discovered that these remarks were inaccurate,” Ardmayle said. “I unreservedly apologise to both Laura Barnes and Niall Ó Donnchú in respect of this post.”

However, the pair subsequently issued separate proceedings. It is understood that the €100,000 settlement was agreed shortly before the case was due before the High Court. A full defamation trial before a jury can cost €700,000-€800,000 in legal costs for both parties.

The blog, still active at http://ardmayle.blogspot.com/, is in the form of a personal diary with observations on the arts, literature and sport. The author is not identified, and the litigants may have got his details through his internet server provider (ISP).

The settlement was subject to a confidentiality agreement, which forbids the blogger from speaking about it publicly. Neither Ó Donnchú nor Barnes responded to invitations to comment.

The Independent has more on the case from 2007 when proceedings were issued, and Sean Murphy has also produced a summary of the issues involved.

One interesting aspect of this case, as Mark points out, is the fact that the damages appeared to be quite high given that the blog in question was very low profile:

John Burns’s piece in today’s Sunday Times on the blogger who paid out €100,000 for libeling someone is interesting, and not just for bloggers. The blog which is the subject of the story is so obscure that Google finds zero – repeat zero – inward links. This is despite it having been operational since May 2005 (contrast that with TheStory; we’ve only been going since October or so, yet there are over 800 inward link results to the front-page alone). Additionally, the writer’s profile has only been viewed 3,000 times since the blog opened – or less than once per day.

So it’s a little-known, to say the least, blog.

Leaving aside the specifics of the case, perhaps this illustrates a more general point highlighting the importance of keeping good server logs.

The level of damages in defamation reflects the extent of publication – i.e. the extent to which the defamatory material was actually read. This is not (despite the best efforts of plaintiffs’ lawyers) the same as the extent to which it might have been read. Consequently (leaving aside other factors such as the gravity of the allegations) damages should be greatly reduced where the audience can be shown to be negligible. Potential readability worldwide notwithstanding.

Unfortunately, in the absence of server logs, it is going to be very difficult to rebut a plaintiff who claims that the material appeared quite high in search engine rankings, may have been read worldwide, etc. Consequently a defendant in that position is likely to be on the back foot, especially where a judge assumes that availability online automatically equals a mass audience.

Net Neutrality book now out

I've been looking forward to reading Chris Marsden's new book Net Neutrality and am glad to see that it's now been released by Bloomsbury - with a free download (PDF) under a CC licence being the icing on the cake. This passage gives a sense of the perspective he takes:

The network neutrality debate is only in part about economics and technology, despite what you might surmise from various pro-competitive statements by academics and the shape of the US and European debates. The extent to which even lawyers have been drawn into an open-ended debate regarding the merits of duopoly versus inset competition in telecoms, or the relative merits of open interoperable software environments versus proprietary property rights-based or corporate developments, or the benefits of end to end ‘dumb’ networks versus intelligent networks, displays the capture of the subject by economists and corporate technologists. The issues at stake are more fundamental to society than that. As a lawyer who has written for over a decade in favour of pro-competitive telecoms and media policy, I am not ashamed or abashed to state that I emphasize that communications policy is about fundamental rights of citizens as well as public welfare for consumers, and that it is about educated and informed users as well as optimally priced access networks. [Emphasis mine.]

Strongly recommended.

Sexting and the law in Ireland

I was quoted in the Daily Mail recently in a story about a supposed increase in sexting by Irish children. The reporter was interested in the possible criminal liability of children who send and receive sexual images - something which featured only to a small extent in the story - and I thought it might be useful to jot down some more observations about the surprisingly complex law in this area.

(i) When will a "sext" amount to child pornography?

The most important legislation on this point is the Child Trafficking and Pornography Act 1998. Consequently, the first question we must ask is whether sexts will amount to child pornography prohibited under that Act.

In relation to particularly explicit images, section 2 makes it clear that images of a child "engaged in explicit sexual activity", or images which focus on the "genital or anal region" will constitute child pornography.

What about less explicit images? Might e.g. a topless photo constitute child pornography? Possibly. Under section 2, child pornography includes images relating to a child that "indicates or implies that the child is available to be used for the purpose of sexual exploitation". Sexual exploitation is in turn defined in section 3 to includes inducing a child to "participate in any sexual activity which is an offence under any enactment". Consequently, even a less explicit image might amount to child pornography if it implies that a child is available for (illegal) sexual activity.

(ii) Is there a "Romeo and Juliet" defence?

Suppose a 16 year old girl takes an explicit picture amounting to child pornography and texts it to her 16 year old boyfriend. Might the boyfriend be liable for the offence of possession of child pornography, contrary to section 6?

Yes. The 1998 Act (in common with other areas of Irish criminal law - consider this case involving a 15 year old boy and a 14 year old girl) doesn't recognise a so-called Romeo and Juliet defence in relation to sexual activities between children of similar ages. One might hope that in this scenario prosecutorial discretion would prevail and no prosecution would be brought - but on the face of it a crime would have been committed.

(iii) Can the person taking and sending the sext be prosecuted?

Maybe. Section 5 of the 1998 Act creates an offence of knowingly producing or distributing child pornography which on the face of it would seem to cover the actions of children who take photos of themselves and then send them to others. Children in other jurisdictions have been charged with offences in this situation.

The Act itself doesn't provide a defence for a child in this position, unlike other legislation dealing with child sexual offences. For example, Section 5 of the Criminal Law (Sexual Offences) Act 2006 provides that "A female child under the age of 17 years shall not be guilty of an offence under this Act by reason only of her engaging in an act of sexual intercourse."

Would it be possible to read such a defence into the law, arguing perhaps that the child is the person intended to be protected by the legislation and as such it would be inappropriate to criminalise their actions? Possibly - but at this point we might be entering uncharted waters.

The common law does recognise a general principle against criminalising the victim, a rule often traced to R v Tyrell (1894) 1 QB 710 where it was held that a girl could not be guilty of aiding and abetting a male to know her carnally. In that case, Lord Coleridge CJ famously said that an Act could not have "intended that the girls for whose protection it was passed, should be punished under it for the offences committed against themselves". This has since been accepted as a wider principle - see e.g. Hallevy's interesting article on this point.

The difficulty with that principle, however, is that it generally applies where there are two or more parties involved in the commission of the criminal act - but I'm not aware of any authority applying it to the case of a single perpetrator who is simultaneously the victim. It should certainly apply where A (a child) consents to B taking explicit pictures - but it may be more difficult to argue that it should apply where A takes and sends the pictures. In that situation, could it be said that A is the victim of their own activity, so that the Tyrell principle should apply?

Any answer to that question might also be influenced by policy considerations. It could be argued, for example, that it is desirable to impose possible criminal liability in order to deter children from doing something which may result in their being further victimised in the future; it might also be said that an effective exemption for "self-produced" child pornography could hamper criminal investigations.

These thoughts merely scratch the surface of this area. Mary Graw Leary has more on the difficult problem of sexting and "self-produced" child pornography in this nuanced article, while Radley Balko has a rather different (and to my mind more convincing) argument at Reason.

Why IP addresses are no longer enough to identify internet users

Richard Clayton has an excellent post explaining (in terms even a lawyer can understand) why the traditional formula of IP address plus timestamp is increasingly inadequate as a way of identifying internet users:

The basics are that you record an IP address and a timestamp; use the Regional Internet Registry records (RIPE, ARIN etc) to determine which ISP has been allocated the IP address; and then ask the ISP to use their internal records to determine which customer account was allocated the IP address at the relevant instant. All very simple in concept, but hung about — as the thesis explained — by considerable caveats as to whether the simple assumptions involved are actually true in a particular case.

One of the caveats concerned the use of Network Address Translation (NAT), whereby the IP addresses used by internal machines are mapped back and forth to external IP addresses that are visible on the global Internet. The most familiar NAT arrangement is that used by a great many home broadband users, who have one externally facing IP address, yet run multiple machines within the household.

Companies also use NAT. If they own sufficient IP addresses they may map one-to-one between internal and external addresses (usually for security reasons), or they may only have 4 or 8 external IP addresses, and will use some or all of them in parallel for dozens of internal machines.

Where NAT is in use, as my thesis explained, traceability becomes problematic because it is rare for the NAT equipment to generate logs to record the internal/external mapping, and even rarer for those logs to be preserved for any length of time. Without these logs, it is impossible to work out which internal user was responsible for the event being traced. However, in practice, all is not lost because law enforcement is usually able to use other clues to tell them which member of the household, or which employee, they wish to interview first.

Treating NAT with this degree of equanimity is no longer possible, and that’s because of the way in which the mobile telephone companies are providing Internet access.

The shortage of IPv4 addresses has meant that the mobile telcos have not been able to obtain huge blocks of address space to dish out one IP address per connected customer — the way in which ISPs have always worked. Instead, they are using relatively small address blocks and a NAT system, so that the same IP address is being simultaneously used by a large number of customers; often hundreds at a time.

This means that the only way in which they can offer a traceability service is if they are provided with an IP address and a timestamp AND ALSO with the TCP (or UDP) source port number. Without that source port value, the mobile firm can only narrow down the account being used to the extent that it must be one out of several hundred — and since those several hundred will have nothing in common, apart from their choice of phone company, law enforcement (or anyone else who cares) will be unable to go much further.

Edited to add (14.01.10):

In two follow up posts, Richard explains what this means for data retention rules (arguing that the IP address only approach of the Data Retention Directive is flawed) and considers the practicalities of identifying mobile internet users.

Children's hospital lost data on 1m patients

In a follow up to his excellent story about Temple Street Children's Hospital storing DNA samples of over 1.5 million people without any legal basis, Mark Tighe has a piece in today's Sunday Times revealing that the hospital also lost two servers full of information about patients in 2007:

Two computer servers containing the records of almost 1m patients were stolen from the Children’s University hospital in Temple Street in 2007 and have never been recovered.

The data were far more than that lost on stolen bank laptops in recent years. The theft was investigated by the data protection commissioner (DPC) and the gardai after being reported by the Dublin hospital in February 2007. The organisations had decided that there was no need to inform the public, believing there was little chance of the thief being able to access the data.

Patients’ details, including names, date of birth and reason for admission are thought to have been included.

Interestingly, there's no mention of the servers having been encrypted, making it unclear on what basis it was decided that the data couldn't be accessed.

There's also an update indicating that there has already been some official interest in accessing the DNA records:

In Australia and New Zealand, hospital databases have been accessed by police using DNA in their investigations.

Asked if it had allowed gardai access to the database, Temple Street said it had “one tentative enquiry” by an agency but this was not followed up.

"Our patient confidentiality policy will continue to dictate the response and no access to samples will be granted," a spokeswoman said.