Showing posts with label three strikes. Show all posts
Showing posts with label three strikes. Show all posts

Wednesday, February 17, 2010

Filtering round up: French filtering, Ireland backs off, UK sidesteps?

Bit of a round up here on some interesting stories of last few weeks on aspects of filtering that I've been accumulating.

Increasingly, stories as to filtering out illegal content such as child porn; blocking infringing downloads of copyright material by deep packet inspection and disconnection; and filtering to fight the "war on terror" are converging. For all of these, the same issues come up again and again: privacy; proof, transparency and other aspects of due process; and scope creep. These 3 stories illustrate this well. For my own recent take on the issue of Net filtering, as I said before, see my Internet pornograohy chapter on SSRN, which suggests the need for a Free Speech Impact Assessment before non transparent stateNet filtering schemes are introduced, for whatever purpose.

Filtering of illegal content in France

Thanks to @clarinette on Twitter (whose real name I am not absolutely sure of!!) for pointing me to another important European move towards non transparent Internet filtering - this time in France. From La Quadrature de Net:

Paris, February 11th, 2010 - During the debate over the French security bill (LOPPSI), the government opposed all the amendments seeking to minimize the risks attached to filtering Internet sites. The refusal to make this measure experimental and temporary shows that the executive could not care less about its effectivity to tackle online child pornography or about its disastrous consequences. This measure will allow the French government to take control of the Internet, as the door is now open to the extension of Net filtering.

The refusal to enact Net filtering as an experimental measure is a proof of the ill-intended objective of the government. Making Net filtering a temporary measure would have shown that it is uneffective to fight child pornography.

As the recent move1 of the German government shows, only measures tackling the problem at its roots (by deleting the incriminated content from the servers; by attacking financial flows) and the reinforcement of the means of police investigators can combat child pornography.

Moreover, whereas the effectivity of the Net filtering provision cannot be proven, the French government refuses to take into account the fact that over-blocking - i.e the "collateral censorship" of perfectly lawful websites - is inevitable2. Net filtering can now be extended to other areas, as President Sarkozy promised to the pro-HADOPI ("Three-Strikes" law) industries3."

LQN are never exactly ones to mince their words:-) so the strong nature of this statement should perhas be taken with some care - but Pangloss intends to go investigate this story further.

Ireland, Eirecom, disconnection and DP

Meanwhile in a surprising twist, Eirecom have apparently pulled out of the negotiated settlement they reached in January 2009 to disconnect subscribers "repeatedly" using P2P for (alleged) illicit downloading. This was the result of the Irish court case brought against them by various parts of the music industry for hosting illegal downloads, and appeared to open up a route to "voluntary" notice and disconnection schemes on the part of the ISP industry; a worrying trend both for advocates of free speech, privacy, due process, ISP immunity and net neutrality.

Now however according to the Times:

As part of the agreement, Irma said it would use piracy-tracking software to trace IP addresses, which can identify the location of an internet user, and pass this information to Eircom. The company would then use the details to identify its customer, and take action.

But the office of the Data Protection Commissioner (DPC) has indicated that using customers’ IP addresses to cut off their internet connection as a punishment for illegal downloading does not constitute “fair use” of personal information. Irma and Eircom have asked the High Court to rule on whether these data-protection concerns mean the 2009 settlement cannot be enforced.

This is very, very interesting. A court case on this might settle a number of outstanding DP legal issues: whether IP addresses are "always" personal data (on which see also a recent EU study demonstarting the disharmny across Europe on this) and if not, when; what the scope of the exemmptions for preventing and investigating crime are; and what"fair" means in the whole context of the DP principles, purpose limitation and notice for processing.

Not only that but as the Times indicate, the human rights issues which have been repeatedly aired in debate around "three strikes" generally, would also come into play as well, as the straight DP law. Is use of a customer's personal data to cut them off from the Internet a proportionate response to a minor civil infringement? Does it breach a fundamantal right of freedom of expression or association? Does it breach due process? This could be the DP case of the decade. Pangloss is geekily excited. If anyone out there is involved in this case, do let me know.

UK cops don't terrorise the IWF?

Finally , as widely reported, the UK Home Office has introduced a website hotline for the public to report suspected terrorist or hate speech sites. Reports are then vetted by ACPO, the Association of Chief Police Officers, who it appears can then take action, not only by investigating in normal way, but also by asking the relevant host site to take down. The official press release notes : "If a website meets the threshold for illegal content, officers can exercise powers under section 3 of the Terrorism Act 2006 to take it down." Indeed on serving such a notice, the host only has 2 days to take down or loss immunity under the UK ECD Regs.

As TJ McIntyre also notes, this is a rather significant development, not just in itself but for sidestepping use of the Internet Watch Foundation (IWF). There have been persistent rumours since and before then-Home Sec Jacqui Smith's famous speech in Jan 2008, that theUK government was attempting to pressurise the IWF into adding reports of hate speech/terror to its block- or black-list; and that the IWF was as strongly resisting this, hate speech being a somewhat more ambiguous and controversial matter than adjudicating on child sexual imagery.

It seems then that the IWF has held fast and the Home Office have backed off and created their own scheme, which embraces only take down in the UK, not access blocking to sites abroad (?). Whether this is ideal remains to be seen. The IWF, at least until recently had the services of esteemed law prof Ian Walden as well as a lot of accumulated experience, and may have been a better informal legal tribunal, than a bunch of chief constables, to decide on the illegality of sites under terror legislation. Who knows. On the other hand , adding alleged terror URLs to an invisible, encrypted, non public blocklist defeats every concept of transparency and public debate regarding restrictions on freedom of political speech, and Pangloss is glad to see it avoided.

Pangloss's view remains that such difficult non-objective issues are best decided by the body long set up to deal with questions of hazy legal interpretation: namely, the courts. The definition of "terrorist" material for the urposes of s 3 of the 2006 Act is as follows (s 3(7)):

"(a) something that is likely to be understood, by any one or more of the persons to whom it has or may become available, as a direct or indirect encouragement or other inducement to the commission, preparation or instigation of acts of terrorism or Convention offences; or

(b) information which—

(i) is likely to be useful to any one or more of those persons in the commission or preparation of such acts; and

(ii) is in a form or context in which it is likely to be understood by any one or more of those persons as being wholly or mainly for the purpose of being so useful."

Well I hope that clears everything up :-) Still confused? Try s 3(8)).
"(8) The reference in subsection (7) to something that is likely to be understood as an indirect encouragement to the commission or preparation of acts of terrorism or Convention offences includes anything which is likely to be understood as—

(a) the glorification of the commission or preparation (whether in the past, in the future or generally) of such acts or such offences; and

(b) a suggestion that what is being glorified is being glorified as conduct that should be emulated in existing circumstances."

Er give me that last line again?

As with previous contested IWF rulings, the same questions come up again: what is the appeal from a take down notice under s 3 to the regular courts? What notice if any is given to the site owner and the public of therfact of and reasons for take down? What safeguards are there for freedom of speech? None of these are mentioned in ss 1-4 of the 2006 Act. Nor does there seem to be a general provision in the Act for Part 1 or the whole of the 2006 Act for appeals or review. Since the police are a public body however, one imagines that judicial review might be competent. EDIT However I am helpfully informed that ACPO is a company limited by giuarantee and regards itself as not a public body at least for the purpose of FOI requests. Clarity on this would be very desirable. And as noted above record keeping of take down for terror reasons seems to be poor due to voluntary compliance by ISPs.

Finally why introduce these powers if they are to be circumvented anyway? The Register reported on 12 November 2009 that so far no notices had been issued under s 3 anyway, because the UK ISPs involved had agreed to take down voluntarily, and no record has been kept of how many sites this involved. Furthermore if a site is taken down in the UK it won't be hard to resurrect it in a foreign country, where most extremist sites will be based anyway: El Reg reports that one site the police allegedly have their eye on, al-Fateh, a Hamas anti-Jewish kids site, is in fact hosted in Russia. One imagines this will continue to increase pressure on the IWF to expand the block list despite the latest moves.


Thursday, November 26, 2009

OK I said I'd stop but..

.. then OUT-Law asked me to comment on the implications of the Digital Economy Bill, especially for organisations and businesses that provide wi fi networks; and this made me think a bit more about how unworkable this whole scheme is.

As I said to OUT-LAW, among the proposed new sections of the Bill is s 124A(1)(b) , which says that action can be taken not just against someone suspected of infringing copyright, but also against "a subscriber to an internet access service [who] has allowed another person to use the service, and that other person has infringed the owner’s copyright by means of the service". This might well be interpreted to mean that anyone who operated unsecured wi fi was "allowing" others to download using it; and be held responsible for it. BIS has indeed so indicated in previous press statements.

One solution to this , as I discussed with OUT-LAW would be an unfortunate one; to effectively prohibit unsecured wi fi networks. But actually, even locking down its network (wi fi or fixed) is not a solution for businesses and the like. A domestic user with a secure wi fi network knows the small number of people who might have infringed using that network, so perhaps responsibility is not so draconian an assumption. But what of corporate networks of thousands of employees, or "public" places like McDonalds Hamburgers , where thousands are currently attracted by the use of free wi fi? Giving a wi fi or network login and password (as McDonalds do, as required by their hotdpot provider, The Cloud) is still, it seems to me, "allowing" that person to access the network.

The network operator might well try to defend itself by proof it was not the person at fault; but the opportunity to put that case would not, in the current skeleton scheme, perhaps come until after disconnection - at which point there is an appeal to a tribunal and thence to the courts. This could take years - after which time evidence of IP addresses, logins, timestamps, and the like might be hard to reconstruct. There is an appeal of kinds available to a "named person" immediately after the "warnings" ; but the detail, grounds and scope of that appeal are vague in the extreme and it is clearly only a very interim process. It might, eg, prove to be an opportunity only to dispute the exact factual details of the IP address collected, or the timestamp.

So are businesses like McDonalds to be held responsible for the copyright infringements of all their customers? Are universities to be held liable for all their students? At the moment it looks like it. Even if the result was only temporary disconnection, this could have a crippling effect on many businesses.

BIS apparently suggest that " the problem be solved by Wi-Fi operators policing their networks. "Many premises that offer public Wi-Fi access already disallow access to unlawful file-sharing sites," said the BIS statement. "Software which limits or prevents access is freely available and easy to install and we would anticipate any responsible organisation offering Wi-Fi access would take action if it appears their connection is being misused." [from OUT-LAW]

Such software solutions do indeed exist, but anyone running a large, fast network will tell you they are far from a complete solution. McDonalds' free wi fi may be far to slow for practical downloading of MP3s (I haven't tried it, but I suspect so) but I bet IBM's or my own university's network isn't - because these networks get used by real employees for serious legitimate purposes. Even in cafes, it takes more to stop P2P than just blocking the URL of the Pirate Bay site. Universities have been trying to stamp out illegal P2P filesharing on their networks for years, if only because they overload the bandwidth(their Acceptable Use Policies nearly always make illegal dowloading a disciplinary offence), and have still generally failed. Blocking the P2P protocol entirely is also counter productive; as is now well known many legal products such as BBC iPLayer now use this protocol. Will I find one day I cannot show a BBC programme to my students because the university has had to block iPlayer?

The only apparent get out for businesses and public bodies may lie in the definitions section of the Digital Economy Bill (cl 16, amending the Communications Act 2003) which says that a "subscriber" (who receives warnings) does *not* include someone who received Internet access as a "communications provider" (CP) themselves. This is intended, I think to protect ISPs who themselves merely retail bandwidth wholesaled by larger ISPs , on the grounds they should be regarded as ISPs giving access to infringers, not infringers themselves. But can it apply further?

The definition of a CP already within the Communications Act 2003 is someone who provides (as per s 32 of that Act) either an "electronic communications network" or an "electronic communications service". Both definitions are quite complex, but without going into more detail. they seem intended to cover those who offer telecommunications services as their main or sole business - ISPs, phone companies, etc - not other kinds of businesses or premises which merely, as a "side order", offer a wi fi or fixed line network.

But even if the definition of a "communications provider" could be stretched to cover the likes of businesses likeMcDonalds, or universities, it would seem likely it could then also be stretched to cover any domestic consumer who offered his household or area wi fi access. This would contradict statements from BIS as above, which have seemed quite clearly to say that domestic wi fi is one of the targets of the legislation.

Also, to make a bad matter worse, if BIS did agree that a business (say) was to be regarded as a "communications provider" not a "subscriber", and thus be free of the risk of disconnection, it would also mean that business was to be subject to all the obligations placed on CPs by OFCOM under the Communications Act 2003; and even worse , if they qualified as a PUBLIC "electronic communications service" or "network" provider (see s 151 of the Comms Act 2003 - also somewhat controversial but very likely to apply at least to any open wi fi network), they would be caught under under the recent Data Retention Directive Regs , and required in principle to retain emails, traffic data and texts sent using their facilities, for later possible police access. I can't see this going down well with small businesses, or even small families.*

Can BIS simply stick in an exception, avoiding the whole CP farrago, that eg, "public and educational institutions providing not for profit wireless networks services to the public, or some section of the public" shall not be regarded as "allowing " access under s 124A(1)(b)? Well not without abandoning the whole point of the Bill. Because then, in essence, the Bill will only cover domestic users and domestic wi fi. Any infringing downloading at work, university, cafes, hotels etc will not be covered. Is there really much point in such legislation?

Alternately, BIS can stick to its guns and declare that businesses etc are covered by the Bill just as much as domestic subscribers , which will mean businesses, to defend themselves from disconnection, will have to (a) lock down all networks and (b) even then, spend their own money when they start to receive warnings, on internally allocating blame, by ascertaining who was using that login at that time etc etc : fiddly, expensive, fun in open plan offices with hot desking :-) and quite likely, sometimes simply impossible.

Tricky, isn't it? I welcome further responses from BIS.

*Reg 8 of the DRD Regs 2009 may be a get out for SMEs and individuals here - since it says these obligations only fall on PECS or PECN providers by notice : but (a) thus leaves room forlots of FUD and (b) the legality of thus rule in respect of the UK's obligations under the original Directive is more than dubious.

EDITED after comments : 27/11/09.

Wednesday, October 28, 2009

Mandelson ploughs on

Pangloss feels compelled to report on yesterday's doings at the C&binet meeting (stupid name..)

The Beeb reports Mandelson as follows:

"

I have no expectation of mass suspensions. People will receive two notifications and if it reaches the point [of cutting them off] they will have the opportunity to appeal," he told the audience at the C&binet Forum, a talking shop set up by government to debate the issues facing the creative industries.

The pay-off for tough penalties against persistent file-sharers would be a more relaxed copyright regime, Mr Mandelson said.

The details of it would need to be hammered out at European level but it would take account of the use of copyright material "at home and between friends", he said."


So to state the bleeding-edge obvious:

- 3 strikes will be rubber stamped quickly by Parliament (it'll need to to avoid the end of the Labour regime); getting changes through the EC on fair use/fair dealing will take 2-6 years - if it happens at all. Some trade off.
- Still no detail on whether disconnection will require judicial oversight let alone a court order. Silence plus the enforced clamp down in the European Parliament on Amendment 138 would rather indicate not. It will be administarative fiat to cut off, with the onus placed on consumers, probably without legal aid, to appeal to the courts. This is so not natural justice.

As`Jim Killock of ORG noted:

"Even MI5 disagree with Mr Mandelson - they are convinced we will see a rise of a 'Dark Net' of infringers. Nobody at C&binet from an online music service, as opposed to an old media company, thought that peer-to-peer [file-sharing] was a threat to their businesses."


Same old same old..

Interesting thought from Twitter: "if my business was cut off for allegedly downloading illegally I'd be looking for someone to sue". Will any legislation have an immunity in it for ISPs a la the US DMCA? If not, start lobbying NOW, ISPs..

Pangloss has a lodger who for all she knows downloads night and day on the house wi fi. Will it become my responsibility to interrogate her and if necessary demand access to her computer? Hello DDR..





Tuesday, August 25, 2009

Harry Mandelson and the 3 Strikes of Doom

As numerous bloggers are reporting today, first the Guardian and now the Beeb have reported that the Dept for Business under the proud thrusting leadership of Peter Mandelson, has done a volte face and done exactly what they stated in the Digital Britain consultation in June they would not do - added the possibility of 3 Strikes - disconnection as sanction for filesharing - into the melting pot of the UK's endless file-sharing consultations. This notwithstanding that without substantial judicial control of disconections, about which we have zero detail, both the the European Parliament and the French Constitutional Court have indicated that such a policy would probably contravene human rights.

Best of all, this change of heart is not even vaguely democratic or considered. Instead, as the Guardian put it, "The surprise move will intensify speculation that Lord Mandelson reached a secret deal to protect the film and music industries with Hollywood mogul David Geffen earlier this month." Ho bloody ho for public "consultation".

There had also been whispers for some time that the industry was unhappy with the speed at which the Digital Britain consultation was moving, ie, would anything get done before the current government was voted out and the whole farce had to start again. So now we have proposals for a fast track procedure for 3 strikes which will not only breach European law but have arrived mid-consultation, when many organisations and individuals may already have responded, making a simple mockery of consultative democracy and exposing the government's business leaders as mere lackeys to the dying throes of the music industry's last attempts to protect anti-competitive and antiquated business models.

As ORG point out:

"Yet again, we see knee-jerk reactions and policy swerves, this time in direct contravention of the government’s own consultation guidelines. Those guidelines are there for a reason: to make sure government policy is balanced and considered. We will be making a formal complaint."

Some regular readers may wonder why Pangloss has focused so much on this issue over the last few years, and sometimes I do too. I am not primarily an IP expert. I have no great love for filesharers and my own life is reasonably complete without free access to the complete works of Michael Jackson. The reason I have become so involved in this single issue is because throughout, a single industry sector has shown complete contempt both for democratic procedures, the public interest and for basic and fundamental human rights, all in the name of extracting the last cent of their own, still not inconsiderable, profits.

Ok, companies exist to make profits. But worst of all, our own elected democratic governments, though very well aware of all these points, have gone along like sheep, far more willing to disproportionately criminalise a generation and remove access from students, the unemployed et al to the most essential facility we have ever developed, for minor civil infringements (no one is talking about commercial criminal piracy here) than consider the public balance of interests.

Is this because rock and film stars are sexy? or because the content industry has spent so much on lobbyists there must now be one per MP at least? - I do not know. And of course it is mid August , the height of the sleepy season when many influential newsmakers and commentators might be hoped to be somewhere near Tuscany or at least the Edinburgh Fringe rather than a keyboard:) Perhaps when the first UK Pirate Party MP or MEP is elected the government will wake up to the startling wrongheadedness of the current approach.

So this is why I continue to care about this topic, and why you should too. Read the ORG blog; write to your MP and MEP; complain.