Friday, 27 November 2009

Data protection - new guides

The UK Information Commissioner (ICO) has published a new booklet for organisations, The Guide to Data Protection (HTML), which

"explains the purpose and effect of each [data protection] principle, and gives practical examples to illustrate how the principles apply in practice. We hope that, by answering many frequently asked questions about data protection, the Guide will prove a useful source of practical advice to those who have day-to-day responsibility for data protection."

Separately, for anyone who's not seen it, the European Data Protection Supervisor's website has a clear and detailed Q&A section (and glossary of data protection terminology) which again are intended to give practical guidance.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

DNA retention "justifications" disproved by statistics

An excellent blog post by English privacy law experts Amberhawk - "Long retention of DNA personal data has little to do with detecting ordinary crime" analyses official statistics on young male re-offenders to make some telling points about DNA data retention (as I've mentioned previously, even the President of the British Academy of Forensic Science, who is a judge, has criticised the UK's DNA database policy from a human rights law perspective).

Amberhawk point out that 60% of those who will re-offend do so within 1 year (12 months) after their release; 17% re-offend in year 2 (24 months); and there's "significant and pronounced" tailing off towards the end of months 18-24.

They suggest from extrapolating the figures that 82% of those with a criminal record reoffend within 3 years after their release from prison, which supports 3 years as the optimal retention period for DNA to catch most of those who re-offend. Retaining DNA for another 3 years after that (i.e. 6 years) would catch just another 2.5%.

They go on to say that:

"if you factor in the first statistic that “Research recently ... shows that of the male offenders born in 1953, around half of them had been convicted on only one occasion”, and include arguments such as “if someone has not re-offended in three years, then there is a very good prospect that they are not going to re-offend at all” then it looks as if the benefit of DNA retention is around three years and that further retention does very little with respect to ordinary crime"

- and to get 97% of the benefit, the police would only need a 3 year retention period.

The statistics were for periods after release from jail, but the DNA would have been taken at the time of arrest, so we'd also need to factor in some interval between arrest and imprisonment. But even so, there seems little real justification for keeping DNA of offenders more than 3 years after their release - still less retaining the DNA of people who have never been convicted of any crime.

Their speculation - the real reason the police want to keep as much DNA as possible for as long as possible is that they want to use it to help solve serious random crime. But in that case, the government should say so.

For demolition of another specious argument used in favour of DNA retention, see also the Guardian article today "Holding the police to account".

On the Human Genetics Commission report which that blog post referred to, see the HGC press release 24 Nov 2009 and report Nothing to hide, nothing to fear? Not surprisingly, the report's main conclusion was that Britain's police DNA database "needs to be regulated on a clear statutory basis and supervised by an independent authority". I bet it won't happen, not within the lifetime of this government anyway.

As the Conservatives take the view that "The whole population must not be treated as potential suspects", perhaps things will change when, as seems almost inevitable, they come into power next year. But I'm cynical about whether a party, once it takes the reins of power, will prove willing to get rid of things that might come in handy to help keep it there.


EU advertising law & consumers online - digital marketing

The Europa Create2009 site has a nice short history of advertising regulation in the EU and overview of the current position, including sections on specific sectors - see "Advertising and Consumer Rights".

In the UK, from about the second half of 2010 the Advertising Standards Authority are of course going to be extending their remit to cover marketing on the advertiser's own website. It's a glaring and odd gap in coverage, as currently the advertising self-regulatory codes only apply to marketing on third party sites, so at the moment the ASA can't deal with complaints about claims made in ads on the advertiser's own site.


Security, privacy - online banking via European eID cards - ENISA paper

EU agency ENISA (the European Network and Information Security Agency) have just released a position paper on Privacy and Security Risks when Authenticating on the Internet with European eID Cards (PDF).

They analysed two very different use cases (online banking and social networking) to derive requirements for electronic ID cards which might in future serve as a universally applicable authentication token. Their main conclusions:

  • "Electronic identity cards offer secure, reliable electronic authentication to internet services, and
  • a privacy-protecting universally applicable eID card is technologically feasible."

Their eID authentication paper contains (see Chapter 5) an analysis of existing technologies based on the requirements they identified, including the existing position in EU member states in the context of their own eID card systems.

The devil is, of course, in the detail. ENISA's previous Jan 2009 paper Privacy Features of European eID Card Specifications compared the privacy features of European eID card specifications and highlighted some serious flaws, including measures for improved security and privacy which could (and should) be taken - but weren't, except by 1 member state.


Thursday, 26 November 2009

UGC - Guidelines for Broadcasters on Promoting User-generated Content and Media and Information Literacy

From UNESCO and Commonwealth Broadcasting Association (CBA):

"For the first time guidelines have been published on how broadcasters around the world can encourage audiences to produce better-quality user-generated content. The new guidelines will also enable the public to become more media and information literate…

UNESCO and CBA joined forces to encourage broadcasters, particularly from the developing countries, to interact with their viewers and listeners to enhance the quality of the user-generated content (UGC) through improved media and information literacy (MIL) of their audiences and, more specifically, UGC producers…

They provide guidance on how to encourage a greater diversity of material from a wider range of voices - material that serves both the public duty and commercial needs of broadcasters, as well as democratic needs of the audience."


Tuesday, 24 November 2009

Digital Economy Bill, EU Telecoms Reform - links etc

The Digital Economy Bill with (as expected) the controversial 3 strikes (or just 1 strike??) internet cut-off provisions, was introduced in the House of Lords last week - links below. Initially having in its sights copyright-infringing peer to peer file sharing of music files, its scope is potentially far, far wider.

Is the Bill compatible with the EU Telecoms Reform Package "internet freedom" provision, which was intended to guarantee preservation of human rights in this context (freedom of expression / access to information, fair trial)? The Telecoms Reform Package was approved by EU Ministers on 20 November and approved by the European Parliament today. Timetable said to include:

  • Entry into force of the whole telecoms reform package with its publication in the EU's Official Journal (planned for 18 December 2009);
  • Transposition of the telecoms reform package into national legislation in the 27 EU Member States (by June 2011).

Now in this context, although Out-Law thought the Bill was compatible with the internet freedom provision, it's interesting to see what Commissioner Viviane Reding said yesterday in Barcelona on the Spanish proposals (emphasis added - note the reference to the need for a judge!):

"In this regard, I've been following with interest the discussions in Spain, first between operators and associations of copyright holders, and now in the inter-ministerial Commission. I would like to stress the need for any possible legislative initiative to comply with the agreement reflected in the Telecoms Reform Package. Spanish measures that would allow for the cutting off of internet access without a prior fair and impartial procedure in front of a judge is certain to run into conflict with European law. The case of France has shown that national constitutional law may raise even more immediate barriers to such proposals. I therefore invite the Spanish authorities to consult very closely with the European Commission before heading into a direction which could soon turn out to be a blind alley."

There seems little sign of the UK government consulting "very closely" with the European Commission on the Bill. Earlier today, Out-Law repeated their view that a judge need not necessarily be involved before an internet disconnection could take place.

I must say I've not had the chance to look at the Bill properly yet, so more - probably much more! - about it anon, but for now here are some links on it I've been building up and some brief notes:

Primary sources

Official summaries, commentary, background

News articles, comment etc

Just a few here but there have of course been lots of news items about this:


Identity management policy & legal framework - OII workshop report

Discussion paper just published - Rundle, M. and Dopatka, A. (2009) Towards a Policy and Legal Framework for Identity Management: A Workshop Report [PDF, 640kb]. Oxford Internet Institute Forum Discussion Paper No. 16, University of Oxford.

Based on an OII workshop attended by many well known people in the field including (just to pick some names randomly) Stefan Brands, Kaliya Hamlin, Anthony Nadalin, Robin Wilton.

Not read it properly yet but it looks like an excellent overview of the current position including of course privacy and data protection.

Via OII blog.


Tuesday, 17 November 2009

Full text legal journal articles - how to find online

Unfortunately there seems to be no single comprehensive source from which to get full text legal journal articles online. (I've previously listed some free full text Web law journal articles on tech law.)

I'm sure I'm not the only person who's had trouble working out how to access full text law journal articles over the internet from their own home computer. For new students in particular I don't think it's obvious.

How to find full text legal journal articles online

There seem to be 3 main legal publisher sources commonly used in the UK (leaving aside the free online legal journals):

  • HeinOnline - has the largest number of journals, law reviews, bulletins etc in full text, especially US ones.
  • Lexis - has the smallest selection of journals, at the date of writing, but includes International Journal of Law & Information Technology and Privacy and Data Protection. But it seems more up to date, e.g. for IJL&IT (which Westlaw also provide) I notice the latest issue is available in full text on Lexis, but not on Westlaw.
  • Westlaw - includes Communications Law, Computer and Telecommunications Law Review, Entertainment Law Review, European Intellectual Property Review, Intellectual Property Quarterly, International Review of Intellectual Property and Competition Law, and again International Journal of Law & Information Technology.

They don't all carry the same periodicals; in fact it's safest to assume that there's no overlap, so if you're looking for an article you need to check all 3 sources.

If accessing through your university or college's subscription, it's best to log in to your institution's Athens or similar federation service first, normally using your college library username and password, before trying to access any of these services. Or use whichever method your library recommends for getting you into the subscription service from home.

If you don't have the exact citation - journal title, year, issue and page number etc - you may be out of luck as there doesn't seem to be a full text search facility covering all law journals.

Hein Online

The easiest of the three, as it specialises in law journals; it even has an intellectual property law journal section (I added the highlighting).

Within the Law Journal Library (or Intellectual Property Law Journal Library) section you can look for the journal you want, e.g. by browsing for its title alphabetically.

The rest is intuitive - click on journal name, then the year & volume you want, and there's a table of contents on the left to find the article.


It's the Journals tab, of course.

Within that, Full Text Articles gets the list of all periodicals which they offer in full text -

and you can just click on the name of the journal or magazine that you want.


With Lexis it's a bit trickier to figure out what journals are available in full text.

Once you're in the Journals tab, the trick is to click the i in a blue circle (highlighted below) -

This then pops up a new window listing all the journals available in full text.

Hope this helps.


Monday, 16 November 2009

Privacy - Madrid Resolution text; Madrid Declaration

Here are links for these documents, recently issued in Madrid:

I've not had the chance to do more than skim the Resolution but it seems to say nothing particularly new or startling - which is a missed opportunity, in many ways.

Via CDT blog, which reports on the Public Voice conference; see also e.g. Irish Times.


Sunday, 15 November 2009

Copyright & modding - games console modchip conviction upheld, & Microsoft's moves to cut off modded XBox gamers

There's been lots of publicity about Microsoft recently cutting off people with modded XBox 360 games consoles from access to Microsoft's online multiplayer gaming service Xbox Live. "Modding" games consoles involves modifying them to enable pirated games to be played on them. I say no more about that news - see e.g. BBC, Times, Guardian.

But there's been rather less publicity about the UK Court of Appeal upholding the conviction of a trader for selling modchips and modded games consoles (here Xbox, GameCube, Playstation2), though I've found some e.g. on Gamasutra and ComputerActive, and a brief mention in the BBC article I mentioned above. So here's a writeup of the case.


In Gilham v R [2009] EWCA Crim 2293 (09 November 2009) the Court of Appeal upheld the conviction of Christopher Gilham in the Worcester Crown Court for importing, advertising and offering for sale, selling and possessing games console modchips in the course of a business (and associated money laundering offences).

The court held that a game includes sounds and images that are subject to copyright. Even if the contents of the RAM of a games console at any one time aren't a "substantial" copy of the game, the image displayed on screen is a substantial copy of the original image which is subject to copyright.

Therefore playing a DVD of a pirated game involves making a "substantial" copy of it, so as to amount to an "act restricted by copyright" which infringes copyright if done without the licence of the copyright owner.

This must also apply to playing other pirated images, e.g. a counterfeit DVD of a movie or TV show, or indeed a downloaded pirated video file. And while the court focused on images and stills, they have clearly taken the view that as "common sense" this applies to sounds too, i.e. playing pirated music or other pirated audio, though they didn't explicitly spell out how.

The court has also repeated their strong suggestion that cases which involve complex copyright law issues should be pursued in the civil rather than criminal courts, as they are better suited to a specialist judge than a jury.

Note that this was a UK case. The law here is quite different from what it is in the USA - e.g. we don't have "fair use" as a get-out or a constitutional mandate to further science and the arts, we have the much narrower "fair dealing". The US cases like Sony Betamax and indeed Grokster are irrelevant here.

The UK videogames trade body ELSPA (Entertainment and Leisure Software Publishers Association) have, not surprisingly, welcomed the result. I don't know if the conviction is going to be appealed further but I suspect not. Does anyone know?


The defendant was prosecuted and convicted for commercially selling the modchips as "any device, product or component which is primarily designed, produced, or adapted for the purpose of enabling or facilitating the circumvention of effective technological measures" within the meaning of section 296ZB of the UK Copyright, Designs and Patents Act 1988 as amended (CDPA).

That was one of the sections added to implement anti-DRM circumvention laws in the EU under the EU Copyright Directive - European Directive 2001/29/EC of the European Parliament and of the council of May 22, 2001 on the harmonisation of certain aspects of copyright and related rights in the information society.

The mod chips - modification computer chips - that the defendant dealt in were for use with Microsoft Xbox, Nintendo GameCube and Sony Playstation2 games consoles. Microsoft, Nintendo and Sony sell DVDs and CD-ROMs with games for playing on their respective consoles, and they each use protective technological measures to prevent counterfeit or "pirate" copies of games from being played on their consoles (i.e., DRM protection technologies).

To quote the Court of Appeal quoting Jacob LJ in Higgs [2008] EWCA Crim 1324 [note that the link to Higgs in the BAILII Gilham judgment is wrong, I've given the correct link]:

4. The games consoles contain embedded codes and normally will only allow a game to be played if the CD-ROM contains a corresponding code. The codes on the CD-ROM are not copiable, at least for practical purposes. A principal effect of these measures is to prevent the playing of "pirate" games, that is to say games which have been copied without the permission of the owner or owners of any copyright material contained in the games, including copyright in images, sounds and so on.

In Gilham, the court noted that:

8. The modchips sold by the appellant were the Xecuter for use with the Microsoft Xbox, the ViperGC and Qoob chips for use with the Nintendo Gamecube and the Matrix Infinity for use with the Sony Playstation. The appellant sold the modchips either on their own, or already inserted into games consoles together with the paraphernalia needed to fit them. In some cases the purchaser of the modchip would have to download software from the Internet and install it in the modchip before it could be used. Once correctly installed, the modchips enable counterfeit games to be played on the consoles. It is right to point out that the modchips could be used for other purposes, for example to enable the user of the console to play a game he or she had created, but as will be seen that possibility is irrelevant to the issues on this appeal.

"Devices and services designed to circumvent technological measures" - elements of the offence

Now, to convict someone under section 296ZB(c)(i) in relation to games, the prosecution needs to prove that (para 14 of Gilham):

  1. the game is or includes copyright works (within the meaning of section 1 CDPA)
  2. playing a counterfeit DVD on a game console involves "copying" of a copyright work
  3. such copying is of the whole or a "substantial" part of a copyright work (s.16(3)(a) CDPA)
  4. the game consoles and/or genuine DVDs (i.e. copies of the copyright work or works created by or with the licence of the owner of the copyright) include "effective technological measures" within the meaning of section 296ZF designed to protect those copyright works, and
  5. in the course of a business the defendant sold or let for hire a device, product or component which was primarily designed, produced, or adapted for the purpose of enabling or facilitating the circumvention of those technological measures (here, the intention of a defendant is irrelevant).

The jury in the Crown Court had decided that all these had been proved.

Issue on appeal - "substantial"

The only issue on appeal was whether the playing of a counterfeit DVD involves substantial copying of a copyright work - what does "substantial" mean in this context?

The judge had directed the jury that in this context "substantial has its plain English meaning of 'more than minimal'".

The defendant argued that this direction was wrong.

Having looked at the meaning of "substantial" here in some detail (see paras 20 onwards of the Court of Appeal's judgment), the court did agree that "application of the substantial part test is more complex than was indicated by the judge's direction".

While discussing the "little and often" case, the Court of Appeal concluded it wasn't relevant here because there was copying of images displayed when playing the game, not just copying of the game itself. They said (emphasis added):

24. In the present case, if the only copyright work that is copied is the game as a whole, the "little and often" would be material, and the correctness of Laddie J's judgment and of Jacob LJ's dicta would have to be decided. But the game as a whole is not the sole subject of copyright. The various drawings that result in the images shown on the television screen or monitor are themselves artistic works protected by copyright. The images shown on the screen are copies, and substantial copies, of those works. If the game is the well-known Tomb Raider, for example, the screen displays Lara Croft, a recognisable character who has been created by the labour and skill of the original artist. It matters not that what is seen on screen is not precisely the drawing, because the software may cause her to be seen performing actions that are not an exact copy of any single drawing. It is clear that what is on screen is a substantial copy of an original…

25. It follows that even if the contents of the RAM of a game console at any one time is not a substantial copy, the image displayed on screen is such. As we said in the course of argument, it may help to consider what is shown on screen if the "pause" button on a game console is pressed. There is then displayed a still image, a copy of an artistic work, generated by the digital data in RAM. The fact that players do not normally pause the game is immaterial, since it is sufficient that a transient copy is made. [and "Section 17(6) expressly provides that a transient copy is a copy."]

So they upheld his conviction.

Other points of interest

A few further points of interest. The Court of Appeal gave their decision "with satisfaction" (para 28):

The recitals to Directive 2001/29/EC emphasise the importance of protecting copyright and related rights in multimedia products such as computer games, and if devices such as modchips could be sold with impunity, the UK would not be conferring the protection of those rights required by the Directive. Secondly, it seems to us to accord with common sense that a person who plays a counterfeit DVD on his games console, and sees and hears the visions and sounds that are the subject of copyright, does indeed make a copy of at least a substantial part of the game, even though at any one time there is in the RAM and on the screen and audible only a very small part of that work. In other words, had it been necessary to decide this appeal on the "little and often" point, we should have followed the judgment of Jacob LJ in Higgs. In the event, however, we have not had to base our judgment on that point.

Now on the "little and often" front, the defendant had tried to rely on the decision of Kitchin J in Football Association Premier League Ltd and others v QC Leisure and others [2008] EWHC 1411 Ch, summarised by Stanley Burnton LJ in para 23 of Gilham as follows (emphasis added):

That case concerned the use of foreign decoder cards in the UK to access foreign transmissions of live Premier League football matches. The claimants complained that the dealing in and use of such cards in the UK involved an infringement of their rights under s.298 of the CDPA and of the copyrights in various artistic and musical works, films and sound recordings embodied in the Premier League match coverage. The facts bore certain similarities to the present. The decoder that received the broadcast signal stored fragments of the various film works, the musical work and the sound recording that were broadcast sequentially, and those fragments were replaced as the broadcast continued. Kitchin J held that when considering copying of a film, the few frames that were stored in the decoder at any one time did not constitute a substantial part of a film, and that the fragments of a film that were copied could not be considered on a cumulative basis.

Stanley Burnton LJ in Gilham pointed out (then adding that Laddie LJ was an expert in this field) that:

On the face of it, his decision is inconsistent with the approach of Jacob LJ in Higgs. It is also inconsistent with the decision of the late and much lamented Laddie J in Sony v Ball, to which Jacob LJ referred. That case too was concerned with Sony games consoles, and acts alleged to infringe the copyright in their games.

In Higgs, Jacob LJ had also said in para 23 (emphasis added):

Mr Higgs is a fortunate man in that it may well be that if the legislation had been less complex and/or the Crown had had greater opportunity to consider the details of copyright law the case would have been proved on the basis that merely playing a pirated game involves making a copy in the console and thus involves infringement. He may also be fortunate that, at least this far, he has not been sued in the civil courts. There the procedure is apt to be much faster, technical slip-ups in evidence can generally be readily cured before final judgment and the remedies of damages, an account of profits, injunction and legal costs are readily obtainable. Breach of an injunction, if serious, can of course itself lead to imprisonment.

Finally, in Gilham para 30 the court said (emphasis added):

Lastly, we repeat with emphasis what Jacob LJ said in Higgs about the trial of cases involving recondite issues of copyright law before a jury. Cases that, for example, involve determination of difficult questions whether a copy is of a substantial part of a copyright work, can and should be tried in the Chancery Division before specialist judges. They can be so tried much more efficiently in terms of cost and time than before a jury, and questions of law can if necessary be determined on appeal on the basis of clear findings of fact. In appropriate cases, the Court will grant injunctive relief, and a breach of an injunction will lead to punishment for contempt of court. If the facts proven against a defendant show that he has substantially profited from criminal conduct, proceedings for the civil recovery of the proceeds of his crimes may be brought under Part 5 of the Proceeds of Crime Act 2002.

In other words:

  1. For copyright protection to be effective, the court clearly felt that the ban on the sale of modchips needs to be effective.
  2. The court considered that just playing a counterfeit or pirated DVD, which results in "visions and sounds that are the subject of copyright" being seen and heard, is very clearly a copyright breach - so that must include pirated movies and films too, whether played from a pirated DVD or indeed any downloaded file. The satellite decoder sellers and pub & bar owners prosecuted in the Football Association Premier League case would probably go down in flames today, based on this. And while the court only discussed images in detail but not audio, they obviously have the same attitude towards both - see para 28.
  3. The Court of Appeal have said very strongly, twice now, that cases involving difficult issues of copyright law should be pursued in the civil courts rather than through criminal prosecutions before a jury.

Heard about the case from SCL.


Thursday, 12 November 2009

Technology law - legal journals with free full text articles

Here are some English law / international law journals I’ve found so far which deal with legal issues relating to technology / computers / internet / communications, and which are available free in full text electronic form (alphabetical order):

  • IFOSSLR – International Free & Open Source Software Law Review – see my overview / review of IFOSSLR written shortly after its launch earlier in 2009
  • IJCLP - International Journal of Communications Law and Policy.
  • JILT – Journal of Information, Law & Technology (from Warwick University, who also have free online electronic law journals on other subjects, see
  • Policy and Internet - "the first multi-disciplinary academic journal to investigate the policy implications of the Internet", edited by the Oxford Internet Institute, added 9 Dec 2009 - free guest access on filling in a form.
  • SCL website – the UK Society for Computers and Law. Their journal’s articles are online; some are accessible to members only, but others are freely available, and podcasts or videos of some of their talks (which I’ve mentioned previously) are released under Creative Commons.
  • SCRIPTed – “a journal of law, technology and society”
  • Surveillance & Society - "the international, interdisciplinary, open access, peer-reviewed journal of Surveillance Studies", added 9 December 2009.

The following e-journal is not specialist, but has occasional coverage of technology / computer law or of related issues:

There’s a very comprehensive listing of full text electronic law journals on the Internet covering all sorts of jurisdictions and subject areas, at Cambridge University’s Faculty of Law site (my alma mater!).

That page also mentions another site with a facility for full text search of legal ejournals.

Have I missed anything?

Thursday, 5 November 2009

Privacy & cloud computing

Microsoft have released a new position paper Privacy in the Cloud Computing Era: A Microsoft Perspective, November 2009, which:

"discusses how Microsoft is approaching privacy as it relates to cloud computing. We wrote this paper based on our experience over the past decade examining and addressing privacy challenges in the evolving online services realm. We are also releasing guidance to enterprises and consumers to help them navigate the privacy issues to consider when thinking about cloud-based services…

From a privacy perspective, a key aspect of cloud computing is the remote storage and processing of personal information with a service provider..."

Via Microsoft Privacy & Safety blog.

EU telecoms package approved - internet access; privacy, data breach notification, cookies; net neutrality

The EU telecoms reform package, including the previously mentioned hotly debated provision on internet access rights, was unanimously approved late last night by a conciliation committee with representatives from the 27 Member States and an equal number of representatives from the European Parliament.

Here's the timetable going forward, from the EU press release of 5 November 2009 Agreement on EU Telecoms Reform paves way for stronger consumer rights, an open internet, a single European telecoms market and high-speed internet connections for all citizens (or see the PDF version with diagrams in full):

  • Vote of the new internet freedom provision agreed between Parliament and Council in a plenary session of the European Parliament and in the Council of Ministers within the next 6 weeks (expected for end November);
  • Entry into force of the whole telecoms reform package with its publication in the EU's Official Journal (by early 2010);
  • Establishment of the European Body of Telecoms Regulators BEREC (spring 2010);
  • Transposition of the telecoms reform package into national legislation in the 27 EU Member States (by May 2011).

1. Internet access & internet freedom

The "internet freedom" provision, article 1(3)(a) of the proposed new Framework Directive, now reads as follows - the bold/underlined text reflects what's shown in the EU press release:

“Measures taken by Member States regarding end-users’ access to or use of services and applications through electronic communications networks shall respect the fundamental rights and freedoms of natural persons, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law.

Any of these measures regarding end-users’ access to or use of services and applications through electronic communications networks liable to restrict those fundamental rights or freedoms may only be imposed if they are appropriate, proportionate and necessary within a democratic society, and their implementation shall be subject to adequate procedural safeguards in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law, including effective judicial review and due process. Accordingly, these measures may only be taken with due respect for the principle of presumption of innocence and the right to privacy. A prior fair and impartial procedure shall be guaranteed, including the right to be heard of the person or persons concerned, subject to the need for appropriate conditions and procedural arrangements in duly substantiated cases of urgency in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms. The right to an effective and timely judicial review shall be guaranteed.”

It could be worse for citizens, but it could be better. As you can see from the emboldened text, though "adequate procedural safeguards" don't require the involvement of a court, at least they require any "three strikes" or similar measures to be adequate, proportionate and necessary in a democracy, with the presumption of innocence, the right to privacy, the right to due process involving a fair and impartial procedure with the right to be heard, and the right to effective and timely judicial review.

But it still means a user could be cut off without a court order after allegations of copyright breaches e.g. illegal music downloads or filesharing, and then left to challenge it in the courts, which costs money. It will therefore be vital to know exactly the details of whatever "prior fair and impartial procedure" is set up by the individual EU country to allow the user to put forward their position before having their Net connection suspended or cut off. Who manages this "procedure"? Note that "impartial" doesn't mean "independent"!

Arguably, if in practice it's too difficult and expensive for consumers to fight the suspension, this goes against the right to an "effective and timely" judicial review?

And how the UK government will implement their proposed UK 3 strikes legislation so as to not breach the new internet freedom provision is of course yet another matter.

For those interested in the text of the draft Directive and the legislative history, see Pre-Lex or the legislative procedure file e.g. the draft Directive (in each case not yet incorporating last night's agreed amendment).

2. Privacy - data breaches, cookies

No change from May, as expected - so there will be new rules on mandatory notifications for personal data breaches. Article 4 of Directive 2002/58/EC (Directive on privacy and electronic communications) will be amended to insert new provisions.

I wonder, though, about data breach notification not having to be given if "appropriate technological protection measures" were "applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorized to access the data." How securely must the data have been encrypted, for example, to render the data unintelligible to unauthorised persons? Or is any encryption good enough? There's no requirement that the protective measures must be "adequately secure", only that they are "appropriate".

On cookies, again no change:

"the rules concerning privacy and data protection are strengthened, e.g. on the use of “cookies” and similar devices. Internet users will be better informed about cookies and about what happens to their personal data, and they will find it easier to exercise control over their personal information in practice. Furthermore, internet service providers will also gain the right to protect their business and their customers through legal action against spammers."

This means the provisions on requiring prior consent to cookies and the like, which so alarmed lawyers such as Out-Law in relation to their practicability for web advertising, will be coming into force as is. The new Article 5(3) of Directive 2002/58/EC (Directive on privacy and electronic communications) will thus read:

"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

3. Net neutrality

The only development, from the press release, seems to be:

"The Commission also made a commitment last night to keep the neutrality of the internet under close scrutiny and to use its existing powers as well as new instruments available under the reform package to report regularly on the state of play in net neutrality to the European Parliament and the Council of Ministers."

Wednesday, 4 November 2009

Outsourcing service level agreements - how to draft (maybe!)

There's a University at Buffalo news release about a (not free) article The Role of Service Level Agreements in Relational Management of Information Technology Outsourcing: An Empirical Study published in MIS Quarterly written by Jahyun Goo, Rajive Kishore, H. R. Rao, and Kichan Nam (based in the USA and Korea), who studied Service Level Agreements (SLAs) between IT outsourcing vendors and their clients.

This study expanded on previous research by "refuting the notion that contracts are antithetical to trust": "They found that the more detailed the SLA, the greater the degree of trust and commitment between the two parties."

According to the news release:

"The very process of crafting detailed SLAs works to build and reinforce trust between clients and vendors, according to the researchers. Also, both parties know what behaviors to expect from each other during the course of delivery on the outsourcing contract.

However, a unique insight of the study is that it is better not to be too specific in the SLA with respect to clauses that deal with anticipating and planning for contractual changes.

"Attempting to specify all potential changes and change processes through complex clauses in the contract only serves to tie the hands of the two parties," says Kishore. "This may reduce the trust of the two parties in each other."

All contracts have an element of uncertainty, according to Kishore. "Contractual changes to deal with uncertainty can be most effectively implemented through an adaptive process of negotiation," he says. "This way, mutual give and take can occur across the table rather than through detailed, standardized clauses specified in the contract.""

In other words, be detailed enough in your documentation to make it very clear what each party expects of the other, but don't be too detailed about what future changes to the contract should be, or how any changes should be made - just negotiate changes to the contractual terms as and when needed.

That seems common sense, even the finding that you shouldn't be too specific about prescribing the details of future changes. As long as you discuss the original details and the proposed changes amicably and constructively based on a win-win objective, anyway.

If parties could trust each other absolutely, always, and had no misunderstandings about their mutual expectations, it wouldn't be necessary to have any contracts or legal agreements at all. But of course, life isn't like that.

UK - identity management - open trust framework?; cloud information card selector

It's interesting that Drummond Reed of the Information Card Foundation says that when he was in Europe recently he "briefed representatives of the UK government’s DirectGov portal on the U.S. open trust framework initiative".

I wonder if this is a sign of the UK government moving towards an open trust framework for identity management of citizens using government websites?

The US government's Open Identity Initiative -

"seeks to leverage existing industry credentials for Federal use. The Initiative approves credentials for government use through our Trust Framework Providers who assess industry Identity Providers (IDPs)"

- and their Trust Framework Providers are currently described as follows:

I also notice from the Information Card Foundation blog that UK company Avoco Secure are releasing -

"the first commercially available Information Card selector software that operates completely “in the cloud”. Called CloudCard, it is a standard Information Card selector implementation that requires no installation and works from any conventional browser on a desktop, laptop, or mobile device…

it eliminates the need for local client software, which is one of the barriers to widespread adoption of the Information Card digital identity standard. CloudCard uses the standard IMI 1.0 Information Card format and protocol so it works immediately with any Information Card issuer. Websites that wish to accept Information Cards from CloudCard currently need to add some simple custom HTML code to their web page, but according to Ms. Morrow this step is easy compared to the hurdle of requiring users to install a desktop selector, and Avoco plans to standardize this special code so it can be used with any cloud selector."

A potentially important development indeed, and it'll be interesting to see what the uptake is like - pricing will of course be a factor. More info from the Avoco press release, which says

"I-Cloud Card Selector is the world's first fully cloud-based Information Card selector, offering the ability to access your Information Card identities no matter which operating system, browser, computer or mobile device you are using."

Tuesday, 3 November 2009

Law firms & email encryption

I see from ComputerWeekly that UK law firm Browne Jacobson are to encrypt all their emails using PGP's Universal Gateway EMail (Wikipedia), after reviewing their security strategy, in order to "secure e-mail communication with large groups of customers, partners, experts and witnesses using clientless e-mail encryption."

Good for them. I've always been surprised that so many law firms don't encrypt their emails or attachments - particularly as emails between law firms and their clients (or with other firms) often contain confidential information, including sensitive and indeed price-sensitive information. Surely it's best practice.

At the very least, I think documents attached to emails ought to be password protected as a matter of course.

I'm surprised that, as far as I know, no law firm has come a cropper yet due to lack of encryption. Surely it's only a matter of time before those who scour bins (now hopefully countered by law firms shredding their waste papers) move on to intercepting solicitors' and attorneys' emails to look for juicy inside information on proposed mergers or other confidential business information. Organised crime have done very well with phishing, identity fraud and the like - think how much more money they might make from private business data.

Why aren't the authorities which regulate the legal profession, in whichever countries, more strict about encryption?

Monday, 2 November 2009

Commission vs UK - electronic privacy & data protection failure

There have been reports (e.g. in the Independent and Out-Law) about the European Commission's announcement of 29 October 2009 that they are moving to the second phase of infringement proceedings against the UK for failing:

"to provide its citizens with the full protection of EU rules on privacy and personal data protection when using electronic communications. European laws state that EU countries must ensure the confidentiality of people's electronic communications like email or internet browsing by prohibiting their unlawful interception and surveillance without the user's consent. As these rules have not been fully put in place in the national law of the UK, the Commission today said that it will send the UK a reasoned opinion."

The summary table Electronic Communications - 2002 Regulatory Framework - Infringement procedures opened for incorrect implementation now lists against United Kingdom "Incorrect application of EU rules on confidentiality of communications", with the date of the formal notice being 14/04/2009 and the date of the reasoned opinion being 29/10/2009.

No copy of the "reasoned opinion" which the Commission are sending to the UK seems to be available.

EU press releases:

All this arose because behavioural advertising company Phorm offered ISPs a way to make money from ads by monitoring all web surfing of the ISP customers, and BT conducted trials of Phorm technology without their customers' knowledge or consent. The UK Home Office had even given "advice" to Phorm about the legalities of their operation.

Lots of people objected to the extremely wide ranging nature of the monitoring, and a concerted campaign, e.g. the ORG's letter to some big name sites, succeeded in getting a number of major sites like Amazon to opt out of the Phorm system (if you were an e-commerce site, would you want some third party tracking what your customers do on your site?).

There were also complaints to the Commission, where, to put it simplistically, if UK laws allow this sort of thing then UK law isn't protecting the privacy of electronic communications adequately as required by EU law (the Privacy and Electronic Communications Directive and the Data Protection Directive).

For those interested, some sources:

UK: three strikes; & copyright strategy paper

So the current UK government are determined to press ahead ASAP with the previously mentioned 3 strikes measures to cut off those who download files illegally via peer to peer filesharing services, e.g. music or movies - at great cost to human rights, justice and the finances of ISPs (and ultimately their customers, i.e. us).

No surprise, but worrying given the defeat of an attempt to enshrine internet access as a fundamental right in the EU (according to Out-Law the European Parliament withdrew their previous insistence on judicial oversight because they were advised they weren't legally entitled to move the amendment concerned). And the planned measure is pointless given that it probably won't be effective, and kids these days are moving to streaming rather than using peer to peer filesharing anyway, etc.

Here are links to the original sources:

And some commentary:

It's not too late to contact your MP if you disagree with the plans. Other ways to oppose the measures are suggested by the Don'tDisconnect.Us site launched by TalkTalk.

Newspaper website not liable for reader comments

Is a newspaper website or other site (e.g. a blog) liable for comments made by readers, or indeed for other user-generated content (UGC), on their site?

Newsquest, which has several regional newspapers, ran a news story about a struck-off solicitor Imran Karim. He sued Newsquest for allegedly libellous reader comments made on Newsquest websites about the story.

An English court (Eady J) held that:

  1. Hosting defence. The newspaper websites here were simply acting as "hosts" of the reader comments for the purposes of Regulation 19 Electronic Commerce (EC Directive) Regulations 2002 (NB that link is to original unamended version), and so wouldn't be liable in damages even if the comments were unlawful.
  2. Conditions. The judge said that Newsquest had satisfied the conditions for Regulation 19 protection, i.e. that "the comments had been posted directly to the sites by third party contributors without intervention by Newsquest, and that they had acted expeditiously to remove access to the material."

This of course must have been on the basis that the newspaper websites are "information society services". Would blogs be considered "information society services" even if they are personal and don't include any ads?

The point about "without intervention by Newsquest" suggests that if Newsquest had moderated reader comments, i.e. vetted them before allowing them to be published, it would have had a tougher time of it. So it's probably safer not to moderate comments or vet other user-generated content.

I haven't found the full transcript yet. No doubt it will be on Bailii in due course.

Meanwhile, here's one version of the original news item (sans the comments, of course, I'm not sure which specific local newspaper site they were on), from the Croydon Guardian: Crooked solicitor spent client money on 'a Rolex, loose women and drink'.

Source: HoldtheFrontPage via

Sunday, 1 November 2009

EU - digitisation of books - links

The digitisation of books is very topical at the moment.

EU Commissioner Reding is keen - e.g. in a speech on 9 July 2009, she said: "if we do not reform our European copyright rules on orphan works and libraries swiftly, digitisation and the development of attractive content offers will not take place in Europe, but on the other side of the Atlantic".

There have been quite a few developments so I thought I would put together some links relating to recent initiatives or news on this subject, particularly in the EU / UK.

Other links:

EU - innovation policy priorities and principles - open data, IP market etc

The European Commission's DG for Enterprise and Industry set up a business panel on future European innovation policy to provide input from a business perspective on priorities for future EU innovation policy (see list of members).

From 7 July to 31 August 2009 the panel held an online debate through their Innovation Unlimited site (which will continue), and their final report, which will be "a major input to the proposed new European Innovation Act", is "Reinventing Europe through innovation".

The report recommends 5 innovation policy principles, and measures such as:

  • opening up public data,
  • universal high speed broadband / smart grid access,
  • the Caisse des dépôts intellectual property market (see below), and
  • encouraging collaborative networks e.g. via technology and Web 2.0.

From the report the 5 principles are (emphasis added) -

"1. Broaden the concept of innovation ["From business to social innovation"]: Business innovate mainly for return on investment, society must innovate for social return and transformation. Europe faces unprecedented challenges. This calls for collaborative, cross cutting responses reaching out to business, public policy communities, researchers, educators, public service providers, financiers and NGOs. We propose to base EU action around compelling social challenges; to finance social innovation funds; to incentivise large scale community level innovations; to transform the public sector with a budgetary innovation target; and to engage the young and the old in new types of partnerships.

2. Speed and synchronization ["From fragmented bureaucracies to flexible partnerships, from better regulation to pro-innovation regulation"]: Speed and scale are everything in innovation. More is needed to speed up the uptake of innovative solutions and technologies, especially in the public sector. Funding programmes and innovation support must be synchronised with development of standards, public procurement and regulations. We propose that the EU sets clear innovation targets; launches ambitious European initiatives with synchronised actions around major challenges; ensures EU directives and regulations support innovation; changes public procurement to support innovation; and opens up government owned data to facilitate a knowledge infrastructure, where European citizens can help transform public services.

3. Invest in future infrastructure and unlock its potential ["From bridges to broadband, from control to open access"]: Europe needs to create and unlock the potential of new digital and energy infrastructure. Every household, business and public building should have ultrafast broadband and smart energy grid connections. We propose that the EU commits to universal access to ultrafast broadband and smart grids; implements an integrated, cross-border investment strategy; and combines infrastructure projects with support for innovative services and open access.

4. Innovative financing models ["From incumbents to new entrants, from public vs private to public private partnerships"]: Europe needs a radical new approach to financing innovation with new partnerships to share risk and more intelligent ways to combine funding between instruments. Innovation should be core to financial institutions, with the European Investment Bank (EIB) becoming a European Innovation Bank. We propose a major development of the European Investment Fund (EIF) to create a pan-European Innovation Fund; develop an EU wide market for trading and sharing Intellectual Property; and broker bolder investment readiness initiatives.

  • In this regard the panel "fully support the proposal for the Caisse des dépôts... This should be accompanied by bolder investor readiness initiatives that enable creative businesses to reduce their risk profiles to investors and accelerate deal flow… An EU market for Intellectual Property… Caisse des dépôts (CDC) is a state-owned holding company that makes long-term investments in pursuit of public policy objectives and in order to foster economic development…"
  • "An investment Fund for intellectual property rights, dedicated mainly towards public research patents in the first instance. The design of this Fund is predicated on the assumption that by gathering a large number of patents, it will be possible to establish clusters of patents which are increasingly necessary for large companies as well as SMEs to develop innovative products and services. It is expected that this model must demonstrate after a few years in operation that it is economically viable and consequently allow the largest transfer of research and inventions in a sustainable manner. It is intended that the Fund will buy patent licences from public universities and research centres, organize patent clusters, and license on a non-exclusive basis these patent clusters to the maximum possible number of industrial users. Royalties/revenues coming from these licences would then be shared between public research and the Fund, with the intention of using proceeds to broaden the Fund’s scope in order to expand the necessary critical mass. CDC decided in June 2009 to launch the first phase of this project with the creation of a pilot company which will begin testing the operation with volunteer universities and research centres…"

5. New places for new types of collaborations ["From closed processes to the power of networks"]: Innovation feeds on collaboration, the spark and confrontation of different ideas, perspectives and experiences. Information technologies and web 2.0 tools are transforming how people interact. Open innovation is based on the power of networks and access to knowledge across Europe and globally. We propose to create and network innovation labs; invest in cultural and creative institutions, organisations and networks; reinforce the role of brokers and intermediaries; develop a major prize for innovative localities; and stimulate universities and public research centres to be more open and international."