Thursday, July 03, 2008

Good god


Pangloss has just discovered that apparently way back in April she was nominated as one of the best IT law/governance blogs in the Computer Weekly blog awards. Good lord!! However my bet is that Technollama will win - sigh I should never have passed him that Dr Who story:-P

Apparently I'm meant to display this:

VOTE FOR ME!







Despite this obviously being a thinly disguised attempt to boost the hit count on CW's website, er, vote me! Or I'll make you read my latest poem, er sorry, 14,000 word data protection chapter..

Actual content coming very shortly actually. With a SCOOP! and FREE GIFT! and NEKKID GIRLS! Well, the first bit was true, actually..

Monday, June 30, 2008

ICANN'T becomes ICANN?

While I'm here a quick comment on the big news of the week, namely ICANN's rather unexpected decision to open up the top level domain name (TLD) space to auction.

"A complete overhaul of the way in which people navigate the internet has been given the go-ahead in Paris. The net's regulator, Icann, voted unanimously to relax the strict rules on so-called "top-level" domain names, such as .com or .uk.

The decision means that companies could turn brands into web addresses, while individuals could use their names. A second proposal, to introduce domain names written in Asian, Arabic or other scripts, was also approved. "

Reaction to this is as ever on the Internet wonderfully polarised. The bloggerverse and the academics have mostly gone "whoopee!". If I want to bid to set up a .pangloss TLD and I can convince ICANN I can make money out of it by subletting the domain to my many fans :), why not? The same attitude to internationalised domain names can be seen - not surprising as these do seem fantastically sensible given that, as Emily Taylor of Nominet puts it, "At the moment, there are one-and-a-half billion people online and four-and-a-half billion people for whom the Roman script just means nothing."

However a rather different set of responses can be detected from lawyers responsible for policing company brands online. To them this just means that instead of buying up - say - nike.com, .co.uk, .biz etc etc - and buying it in English, Cyrillic and Mandarin kanji - they now have to think of buying up unlimited numbers of possible permutations, with the possibility of more coming along every day.

Pangloss thinks the corporate lawyers need to adapt to the new world and that ICANN have got it right. We don't live in the world anymore where the fact that someone has got nike.pangloss tarnishes the brand. We do live in a world where people invariably use Google to look up brands rather than merely typing in imagined URLs (and if a brand doesn't have its legit site at the top of the Google search list then it ought to be sacking some of its brand protection team.).
Furthermore mightn't it be easier once Nike has (as they will) set up their own TLD, for the few non-Google users to guess us.nike rather than nike.com (or .us or .org or .biz??)

Yes cybersquatting, typosquatting etc still will matter in the "established" TLDs, notably .com and the relevant national country codes. But the whole point of massively expanding the "real estate" of the domain name space should be to create more opportunity for everyone - which in itself should diminish the need for "legitimate" domain name overlap, leaving the field free for the UDRP to dispose of the unabashed non-legitimate cyber squatters.

Facebook and privacy

You might be interested to know that my chapter on Facebook, social networking sites and privacy (with Ian Brown of the OII) is now available as a pre print on SSRN. This pretty much crystallises many of the talks on SNSs and facebook etc I've done in the last year or so.

See
Edwards, Lilian and Brown, Ian, "Data Control and Social Networking: Irreconcilable Ideas?" (June 20, 2008). Law and the Future of Data Control. Available at SSRN: http://ssrn.com/abstract=1148732

This chapter will appear in Matwyshyn A ed Harboring Data: Information Security, Law and the Corporation (Stanford University Press, 2009).

Apologies for lack of meaty comment - afraid all my efforts are currently going in to the 3rd edition of Law and the Internet which will deo volente be with you in the autumn.

Also, remember to get in your GikIII 3 submissions!! We've already had some wonderful abstracts involving virtual worlds and games theory, Dr Who and IP rights, autonomous agents as slaves in Roman law etc etc - but we need more!!

Sunday, June 22, 2008

Stephen Fry on the BBC

Cor. Absolutely spiffing essay from Stephen Fry on the future of public sector broadcasting in a digital world.

I do rather love this introductory para on Fry's longtime affection for the BBC.

"The week before we moved, the BBC started a new drama, starring William Hartnell. An old man, whose name appeared to be Grandfather or the Doctor, had a police phone box of the kind we saw in the street all the time in those days. It turned out to be a magical and unimaginably wonderful time machine. My brother and I watched this drama in complete amazement. The first ever episode of Doctor Who. I had never been so excited in all my life. A whole week to wait to watch the next instalment. Never have seven days crawled so slowly by, for all that they involved a complicated house move from Buckinghamshire to Norfolk. A week later, in that new house, my brother and I turned on the good old television set in its new sitting room, ready to watch Episode 2. The TV had been damaged in transit and was never to work again. We missed that episode and nothing that has transpired in my life since has ever, or could ever, make up for that terrible, terrible disappointment. There is an empty space inside me that can never be filled. It is amazing neither of us were turned into psychopathic serial killers from that moment."

Wednesday, June 18, 2008

Norms for Social Networking :)

Rhodri Marsden of the Independent's CyberClinic has posted his own rather amusing take on Debrett's advice on the etiquette of social networking and where they get it wrong. I agree almost wholly, especially re not mixing business and pleasure (she says, looking ruefully at her Facebook profile which mixes the likes of Lessig and Zittrain with lots of skiffy weirdos and her 21 year old niece currently training to join the Israeli army. Hmmm... )

Tuesday, June 17, 2008

It's amazing..

.. what you see on TV these days.

The local news just had this story about a shopping mall in Portsmouth where mobile tracking technology by Path Engineering has been installed - which I have tracked to this story from the Register.

"By installing receivers around a shopping centre the company can pick up communication between handsets and base stations, enabling them to track shoppers to within a metre or two - enough to spot the order in which shops are visited. Two UK shopping centres are already using the tech, with three more deploying in the next few months."

As far as one can tell, the tracking is completely non-identifying; the shopping centre and Path both do not know personal mobile phone numbers nor corresponding user names. The TV report showed predictable reactions: why weren't we told; I don't like it; I've got nothing to hide; etc.

So what do people think? Despite the obvious knee jerk reaction, as the info is completely non attributable to identified individuals, I really can't see a problem. You could get exactly the same results (at greater cost) by posting tellers at each shop or destination in the shopping centre to do counts all day, every day - would anyone object to that on privacy grounds?

(Hmm - I suppose yes, if they could identify the shoppers. Technology actually has the privacy advantage here of being blind. Here we're pre supposing CCTV isn't used in some way to identify the mobile shoppers - which despite what El Reg suggests would be extremely difficult to arrange in real time.)

I think it's important here to separate technophobic squeamishness from real privacy concerns. (This is also not like Phorm where anonymity had been artificially imposed and could easily be "broken". Here the mobile tracking system simply doesn't know your personal phone number or your name.)

Of course you need to separate it too from a consent-based tracking system which can be abused by forced or mistaken consent to reveal significant personal data, like Sniff. Which I'm sure everyone else has blogged enough about by now.


And completely off-topic, in the Guardian today, I nearly choked on my post-swim coffee at the ostensible discovery that gay men and heterosexual women (and straight men and lesbians) apparently have similar shaped brains. If true this could destroy several decades of careful academic work on cultural construction :)

And now Newsnight is trying to tell me that Obama will be made or broken by Internet bloggers. Possibly time to turn off the TV and write some more of the third edition of Law and the Internet instead :)

Friday, May 09, 2008

GikIII 3 is Go!

Via Technollama, I'm very happy to announce..


GIKIII
Oxford Internet Institute
September 24-25, 2008

We are glad to announce the third edition of GikII (appropriately renamed GikIII), which will take place 24-25 September 2008 at the Oxford Internet Institute in, errr... Oxford!

GikII is so cutting edge that it is the nano-blade of workshops, so expect all sorts of challenging papers, tenuous legal connections, l33t powerpoint and keynote skillz, uber-geekery, and a healthy dose of lolcatz. Previous GikIIs explored Facebook privacy settings before privacy had become fashionable; it looked at the legal issues in Harry Potter and the Order of the Phoenix, anime, lolcatz, fandom, virtual property and tattoos.

The call for papers

If you would like to participate, email your abstract of no more than 500 words. This should be sent to either l.edwards@soton.ac.uk or a.guadamuz@ed.ac.uk by July 15 2008. We will confirm acceptances by August 1. Abstracts may be accepted after this date depending on whether the workshop is full. Numbers will be limited so book now!



No n00bs allowed.

Thursday, May 08, 2008

The Strange Case of the Moral Panic That Didn't Bark

.. or tae see ourselves as others see us..

Via my colleague Mark Telford, this abstract from Philip Jenkins, a criminologist.


Why Do Some Social Issues Fail to Detonate Moral Panics?
Philip Jenkins*
* Department of History and Religious Studies, Pennsylvania State University, 407 Weaver, University Park, PA 16802, USA; jpj1@psu.edu

Abstract
A ‘moral panic’ is characterized by such themes as the novelty of a particular menace, its sudden explosive growth, and the menace it poses both to accepted moral standards and to vulnerable groups and individuals. Some problems, however, apparently have all the features that would generate a self-feeding media frenzy, and, yet, they do not do so. I will explain this absence of panic by examining the issue of internet child pornography. The failure to construct the problem in ‘panic’ terms reflects the technological shortcomings of law-enforcement agencies, which force them to interpret available data according to familiar forms of knowledge, rather than comprehending or publicizing new forms of deviant organization. This lack of awareness then conditions the nature of political investigation and media coverage.
http://bjc.oxfordjournals.org/cgi/content/abstract/azn016

Does anyone on this list NOT think there has been a moral panic over child pornography? In the US, the Time cover of 96, the CDA, the COPA, et al.... are we and the criminologists on different planets??

Friday, May 02, 2008

Facebook app privacy meltdown deja vu

..or beware! that Facebook app you just downloaded might be stealing your data and all of your friends!

Is this really still news? PG has said it at at least a dozen talks by now (most recently to Ofcom and the OxII).. however the BBC has helpfully written an app to prove the point, and it is a nice clip. Here's their clip.

Thursday, May 01, 2008

Lessig 2.0

Pangloss had a highly enjoyable night out last night (indeed she has not totally yet recovered :) to see The Great Lawrence Lessig, who is apparently in Blighty for a few weeks, perform at the IET, giving the annual lecture of the Society for Computers and Law, on "Corruption 2.0". There was a slightly sparser attendance than one might have expected - perhaps because the august members of the SCL weren't too clear what the connection of corruption to cyberlaw, er, was. Neither was Pangloss (though like all true devotees of Larry, she knew of this volte face already because it had been announced on his blog); but any opportunity to see Our Greatest Living Forehead perform in his (not patented, but no doubt creative commons licensed) style of matching speech cadences to single word ppts, is too good to miss. Most of London's IT law royalty seem to have agreed, as they were out in force, with everyone to gossip to from Richard Susskind to Chris Reed to blog king Geeklawyer, and Lessig's own anointed heir Jonathan Zittrain (resting for a moment from his own current perpetual whirlwind of booklaunches.)

But enough of the court circular, what of the lecture itself? Well, lo, it turns out that Corruption 2.0 is not that distant a step from Cyberlaw 1.0 after all. Clearly, losing out on the US copyright term extension battle not only to ill informed Congressmen and greenback-handed lobbyists, but also to the presumably (?) better informed and less venal Supreme Court, has irritated Larry more than a little. His thesis is now that whereas Corruption 1.0 - old fashioned bribery - was down to self-interest taking precedence over good policies, Corruption 2.0 is more about ignorance than interest. Today's legislators don't make the right laws, says Lessig, not primarily because of lobbyists and campaign contributions - but because they simply don't understand the technologies well enough to get the law right to govern it. But if there is hope, it must lie, not with the proles as in 1984, but the geeks. Since Corruption 2.0 depends on political ignorance, the answer must be for the geeks - sorry, the digerati? the slashdotii? the technocracy? - to take to the political w0rld.

Now I'm sure this is just the campaigning tip of the iceberg of a much bigger plan, because Pangloss can see a few flaws in this analysis. For a start, in the US election on right now, it is pretty plain that the OTHER great cyberlaw issue of the day (after digital copyright) is indeed likely to be decided by oldfashioned er Patronage 1.0. It doesn't take a political expert to notice that one likely candidate in the election to come is backed financially by the telcos and has no truck with net neutrality - while the other doesn't, and has.

A second problem is that geeks in Pangloss's experience, love yakking about politics but rarely if ever seek office (or even a senior management job.) Nor are they natural baby-kissers and flesh-pressers, especially at the more Aspergers spectrum end of things. Geeks on the whole exercise influence as academics and industry CEOs, rather more than as political animals (in this country, Profs Ross Anderson and Richard Clayton come to mind.) Perhaps this is really what Lessig actually meant - certainly he was very pleased with the UK Gower Report on IP, which was heavily influenced by academic "friends" and consultees, both before and after the initial consultation was published. The field of law and security - which Lessig also touched on - in the UK, has also recently benefited hugely from academic influence - it is well known the HL Report on Personal Internet Security of last year owed a great debt to Richard Clayton (but has it actually made it to forming government policy? sadly, not yet). And Richard Susskind's work on courts automation and public sector data reuse has also been, though perhaps less obviously, influential.

At the root of Lessig's fascinating lecture was an unspoken, rather 50s scientificational question - who should rule us, the democratically elected, however foolish or easily led, or the current meritocratic elite? Of course the situation is never that clear - if the choice is of rule by money, or rule by smarts, Pangloss knows which she takes. Interestingly, Hugh Beale, former English Law Commissioner and now again Prof of Law at Warwick, who gave the Bond Pearce lecture on the Draft European CFR at Southampton I wrote up a week or so back, mentioned in the course of questions, that in his view, an academic article, at just the right time, can make as much policy impact as a Law Commission report. Should we academics stay in our ivory towers and hope for our traditional delivery routes to influence Westminster, or should we storm it ourselves, as advisers if not representatives? So anyway, much food for thought (especially as London votes today on Red Ken vs Boris) and I'm sure the IT law blogosphere is full of consequent buzz today :)-

Tuesday, April 29, 2008

When all about are losing theirs..

This is wonderful. Many moons ago Pangloss gave a paper, loosely on virtual property in online worlds, and used some analogies from personality rights cases featuring unauthorised uses of celebrity images. One fortunate synchronicity was that at the same time, Wendy Grossman, the tech journalist about town, asked her for some advice on the theft of - get this - a life size AI-equipped, animatronic head of Philip K Dick - the reality-bending deceased sf author - which had been programmed with the entirety of PKD's works in the hope it could give answers PKD himself might have while alive. My paper ended up being called, snazzily I thought : "Bring Me the Head of Philip K. Dick: New Forms of Virtual Property"

The head disappeared when its creator, David Hanson, accidentally left it on the overhead rack on an America West plane. Hanson subsequently sued AW for the loss of the head, worth c $350,000. Boing-Boing reports that the suit has just been dismissed in no uncertain manner in a hilarious judgment which is itself intensely self referential.

Am I time travelling, insane or just still in a coma? : ) Reality bites!

Ps this ties up rather well with advertising that I'll be giving an updated version of this talk in Exeter in May at the rather groovy looking Workshop on Virtual Worlds, May 20th, 2008 University of Exeter..
For further information, please contact: A.Harcourt@ex.ac.uk

Thursday, April 24, 2008

The European Draft Common Frame of Reference (CFR)

Pangloss went to a very interesting lecture yesterday by Hugh Beale of Warwick and formerly the English Law Commission on the publication of the first part of the European CFR project - namely the Draft CFR on Contract (CFRC).

What is the CFR and why should you care? This is a grand plan, which has in various forms been gathering momentum for many years, to distill principles out of the whole of European private law - as derived from the now 27 members of the EU - and create a kind of codified version of those principles. Naturally, given the differences not only between common (England, Ireland) and civil law (everyone else) not to mention linguistic, political and economic differences (the arrival of the Access countries has kind of complicated things:-) this has not been an easy task. One can tell how pleased Hugh Beale and his colleagues (including Eric Clive at Edinburgh, whom Pangloss also saw talking about this a few weeks back - and was very pleased to be given a copy of the Draft CFRC) are to finally show off the first fruit of their labours.

Is this going to impose a European Civil Law Code on you, me and my mum? No, in no uncertain terms. Although aspirational academic work on such a code is ongoing, it is recognised to be politically and probably legally impossible for the EC to take such a supranational stance. Instead the CFR will be used as a "toolbox" which can be explored for stuff like common EU definitions of key legal terms (like "damages" or "termination"); as a kind of model law which EC member states might adopt when reforming their law; and more controversially, as a model the EC might look to when it reforms its law. In many ways, the spur for the completion of this particular part of the CFR has been the EC's ongoing attempts to reform and modernise its consumer law - the so called Acquis, which is currently found in a multitude of Directives.

Still wondering why IT lawyers should be interested? Well one possible thing that might happen next is that the academic CFR may be turned into a more limited "political" CFR - espoused officially by the European Commission - which might become available (via an "optional instrument") as a kind of new extra legal system. Rather in the way that a contract can be governed by, or arbitration can currently be decided under "the law of the Vienna Convention", say, a business - Amazon say - might sell to all the inhabitants of the EC with the contract, and any dispute arising, governed by the "law of the CFR".

This is where it gets exciting. At present, one of the big problems about cross border selling is having to worry about the consumer protection laws of every country you sell to. In Europe, Rome 1 (now a Regulation), on choice of law, dictates that even if Amazon UK (say) dictate that the law of the contract shall be English law, if they're selling to a French (or Finnish or Latvian) person they have to take the risk that if there is a dispute, the "mandatory rules of consumer protection" of France (or Finland or Latvia) will still apply, and over-ride the law they know and had calculated their insurance premiums upon (English).

Sounds a very academic point but businesses, especially SMEs and one-man outfits, are highly risk averse. Facing unquantifiable risk, they'll choose to sell at home and not to France or Latvia or Finland. None of this is good for the dream of the low cost, high choice, competitive Single Market for consumers. And in real life the Commission has already noticed that even big players like iTunes (who can afford Finnish and Latvian lawyers) are choosing to sell to some parts of the EU (usually the safer better known Western members) and not to the full 27.

But the "law of the CFR" will be specifically drafted to already include what is seen as at least the minimum EU-wide consumer protection - possibly more than that. So there's no policy reason why Amazon or iTunes shouldn't be able to select "the law of the CFR" as the governing law and NOT have to worry about the law of France, or Finland, or Latvia or whoever next joins the EU.

What about the consumer? Well the idea is also that the consumer will get a choice. When making a contract with Amazon, they'll be presented with the option to accept "the law of the CFR" - or to demand their home consumer law applies. The "CFR" choice will be a Blue Button - so the scheme is the "Blue Button" plan.

Pangloss wonders what the point is of presenting the consumer with an option. No consumer she has ever known has rejected a sale because of the governing law - only because it wasn't cheap enough or good enough in quality. Consumers will never know enough to make an informed choice about giving up their home law protections. And from the retailer end, the smart money is they won't offer a real choice anyway, but will simply say, if the consumer refuses "the law of the CFR", that they won't accept their order - and we're back to the status quo of partition of markets.

But the "Blue Button" choice apart, the concept of a "law of the EU" as a choice of law seems a brilliant solution to the current Single e-Market impasse - my congratulations to whosever stroke of inspiration this was.

Finally the CFR folks (academic version) very much want feedback on their draft CFRC. It is I believe available at http://www.law-net.eu/ . One piece of feedback Pangloss has already delivered is that she would very much like to see this "toolbox" feed into the review of the Electronic Commerce Directive which has started about now. As every e-commerce lawyer knows, the provisions on when and how an e-contract can be made in the ECD Art 11 are a complete mess, for the simple reason that the ECD drafters were unable politically to harmonise EC basic formation of contract law. The CFRC might provide a way out of this dilemma. Let's hope someone passes the good news on :)

Monday, April 21, 2008

Incitement to terrorism becomes an EU crime?

According to Michael Geist's BNA reports of 21 April 08..

"European Union justice ministers have agreed that using the Internet to publish bomb recipes or call for acts of terrorism to be committed should count as a criminal offence. The 27 member states agreed on Friday to introduce as new offences "public provocation to commit a terrorist offence, recruitment, and training for terrorism" which would be punishable "also when committed through the Internet." [Deutsche Welle]"

The German source adds

"The 27 member states agreed on Friday, April 18, to introduce as new offences "public provocation to commit a terrorist offence, recruitment, and training for terrorism" which would be punishable "also when committed through the Internet."

People found guilty of "disseminating terrorist propaganda and bomb-making expertise through the Internet can therefore be prosecuted and sentenced to prison," the justice ministers said in a joint statement.

The commission's proposal would also allow EU law-enforcement agencies to demand cooperation from Internet providers in order to identify the people making such calls and to ensure that the offending material is taken off-line."

Interesting last para. This echoes what the UK government has already done with The Electronic Commerce Directive (Terrorism Act 2006) Regulations. These apply a 2 day strict notice and take down period under the ECD where the police can ask for take down of pro-terrorist material and ISPs must comply on pain of being seen as endorsing the hosted material.

But the Internet does not stop at the English Channel or even at Turkey. What is the position going to be of an apparently US hosted site like Bombs for Beginners , or this site providing downloads of the Anarchist's Cookbook (which itself recommends instead http://www.pyronfo.com/ for homemade bombmaking, and does not seem to admit where it is hosted?) (And am I committing an offense by linking to either of these??)

The current UK guidance on how the Regulations apply the s 3 notice provisions of the Terrorism Act 2006 says thusly:

"38. Section 17 [of the 2006 Act] confers extra-territorial jurisdiction in relation to the section 1 offence (encouragement of terrorism), but not to the section 2 offence (dissemination of terrorist publications). Extra-territoriality is only conferred in relation to the section 1 offence as it relates to encouragement to commit Convention offences. These offences are listed in Schedule 1 to the 2006 Act."

Schedule 1 does not however seem to contain any offences relating to encouragement of terrorism either, by publication of propaganda or educational instructions about bomb making alike. One assumes therefore the UK LEAs cannot issue a take down notice to Wikipedia (or to Le Monde's website in France either.) Is the future new EU legislation intended to allow intra-EU take down notices in the terrorism area? The French may go along with this (zut alors) but one doubts somehow that the US will agree to allow EU police to issue take down notices against their own US-hosted websites though? (What of the First Amendment and the good old Yahoo! case?)

Pangloss is not an expert in the anti-terrorism area and would appreciate any helpful comments.
>>>>>>>>>>>>>>>>>>>>>>>>

Pangloss has also been informed about Information Security Week 2008 which runs the week from 21st April 2008. Some events look quite interesting for Internet Lawyers -- notably

23rd April Debate on the need for an e-crime unit in the UK with Charlie McMurdie, Detective Superintendent, Police Central e-Crime Unit Project ; Philip Virgo, Secretary General, EURIM; Tony Neate, Managing Director , Get Safe Online; Dr David King, Chair, Information Security Awareness Forum (ISAF).

and

22nd April Launch of the PwC Department for Business, Enterprise and Regulatory Reform Information Security Breaches Survey 2008.

Sunday, April 20, 2008

Googleopoly


No particular point to make here except this may certainly enhance a few powerpoints:)

Thursday, April 17, 2008

Internet Libel (not "liable") or Who's the Daddy(place)?

A story I meant to mention from last week - the Telegraph reported what is being called the largest ever Internet libel settlement in the UK, in relation to allegations on a site called "Dadsplace" about Gentoo, a housing development company.

"Gentoo Ltd, formerly the Sunderland Housing Group, became the subject of an attack by "a seriously defamatory, abusive and scurrilous anonymous website at dadsplace.co.uk", according to a statement read in court by the organisation's counsel, Hugh Tomlinson QC, before Mr Justice Eady today."

Eventually after some two years of malicious attacks downloaded "millions" of times, "John Finn, the owner of rival housing firm Pallion and a former local council candidate in Sunderland ...admitted his involvement, agreeing at the time to pay £125,000 towards Gentoo’s legal costs and a total of £21,000 in compensation.. he and Pallion [then] agreed to pay Mr Walls damages of £100,000 to settle his claim for libel and harassment."

The webmasters of Dadsplace were also made subject to injunctions not to repeat the offending statements but do not seem to have been sued for actual damages.

Now interestingly the solicitors for Gentoo - Olswangs - have commented publicly on why they think the settlement was so high. Factors seem to include:
- the length of the slandering campaign - two years
- the quantity of defamatory allegations - made almost daily
- the "extensive steps to publicise the Web site and their other publications" made by Dadsplace - so the damage caused to the reputation was very extensive.

They also indicate how difficult it is to investigate a campaign of anonymous libel eg on a bulletin board or mailing list site, involving "months of painstaking investigation involving a combination of high-tech computer forensic work and old-fashioned evidence gathering".

Finally there are some interesting thoughts on Internet libel from Ashley Hurst the Olswang lawyer involved:

"This raises the question of whether reform is required to give the Internet the same badge of respectability that is enjoyed by other forms of media, including the press (regulated by the PCC) and television companies (regulated by Ofcom). However, the Internet is of course an entirely different medium and the answer is far from straightforward, particularly given the global reach of the Internet and the many different foreign laws that can apply. Would extending the remit of Ofcom or the PCC, or developing a voluntary code of conduct, make any difference?"

Pangloss gets an awful lot of requests to provide advice on Internet libel, though she is uncertain if this is because there is so much of it, or because her article on Net defamation (from 2000!!) comes up first in Google UK if you put in "Internet libel". (Bored students may be glad to know this piece will finally be updated in the 3rd edn of Law and the Internet upcoming.)

But most of the people who contact her (unlike Olswangs, perhaps, who charge :-) are not the alleged victims of libel, but are websites or hosts of some kind (often charitable or one-man outfits) who suddenly receive take down notices out of the blue making vague threats of legal action, and then have no idea what their legal risks are. In an Internet culture where flaming is still fairly prevalent, these hosts often feel they have no alternative but to take down, even where they have no idea what if anything illegal or actionable has been said. This is not good for freedom of speech, democracy or indeed the morale of the voluntary/charitable sector. Sabre rattling and fear of legal risk, it seems, often overwhelms common sense and resilience.

Helpfully, the SCL website as well as providing the Olswang interview, also provides some hints to websites as to when they are liable for content posted on their site by third parties.

Pangloss doesn't disagree that a voluntary code relating to offensive content on websites might be of some use for the victims of malicious allegations (though how would it be policed? the PCC model, both of jurisdiction and sanctions, does not readily transfer, she feels, and that's before we come to the fact that web content is just as likely to be uploaded abroad as in the UK.)

But she also wonders if we do not also need to do more to protect individuals and small unincorporated associations who run or host the websites from random take down notices from anyone who is a wee bit disgruntled or wants to stifle perfectly reasonable criticism or debate.

At the very least it would be good to see a responsible body - the CABxs? ISPA? BERR? - providing some plain language guidance on line, perhaps an advice hotline, and perhaps even an adaptable form response to takedown notices which do not meet the requirements of regulation 22 of the ECD regulations. Some take down notices do not even specify what (or where) the alleged libel IS. (The title of this piece comes from one just like this Pangloss saw yesterday - where the aggrieved sender of the take down notice knew so little he had spelt "libel" as "liable".)

As my gift to the world Pangloss may post her own typical response letter tomorrow. After I've checked it's in no way libellous :)

Stamping out child abuse image websites?

Interesting report on the Beeb about how the IWF have identified how many sites trade such images and concluded there are 2,755 such sites worldwide.

"Of these, 80% are judged to be fully commercial operations.

The IWF said this "manageable" number could be eliminated if net firms, governments and police worked together".

A laudable aim and if achieved, quite amazing. It doesn't of course take into account the anecdotally well known fact that serious organised pedophile rings now mainly obtain and swap their wares via closed P2P nets - "darknets" - and that penetrating these is getting ever harder since the arrival of easily used encrypted P2P.

However perhaps this isn't the time to be too cynical (what me?) and as the IWF imply, closing down commercial websites would at least cut off the feed from those not already inducted into the "inner circles" of darknets.

Then perhaps we could start putting more resources into actual child abuse in this country and less into the shadowy scare figure of the online pedophile :)

Wednesday, April 16, 2008

E-harmony??

A week or so back I mentioned an interesting report from Bill Dutton and associates at the Oxford Internet Institute on married couples who met online and how they behaved online towards each other. The report was sponsored by e-harmony.com, a dating site who promote making better marriages on line.

I just wonder what they think of this :)

OK back to the dissertation salt mines.

Aha! One last insight into the glories of Pangloss's work life - thanks to the good offices of Cory Doctorow I have now received permission from the godlike Randall Munroe of XKCD so that this - my favourite web cartoon evah - will be the cover of the 3rd edition of Law and Internet, coming to you in autumn 08 :) I am very very pleased :) Thanks to both Randall and Cory!

Thursday, April 10, 2008

Stupid Idea of the Month

(Thanks to Ian Sorensen for the tip off.) News from way back on April 4th 2008 -

"Registered child sex offenders will have to provide their email addresses to police in a move to stop them using social networking Web sites, the Home Office announced on Friday

Police will pass the addresses on to the sites which will then be expected to monitor usage or stop offenders logging on. Sex offenders will face up to five years in prison if they fail to hand over the details or provide a false email.

The proposal is one of a series of measures announced by Home Secretary Jacqui Smith to make it harder for child sex offenders to meet children online."

Oh come on, Jeremy. Anyone heard of hotmail, yahoo, gmail, a 1000 other ISPs? Your average pedophile is at least smart enough to realise that even if he conscientiously and truthfully hands over (one? all?) of his email address(es), it doesn't take long to get another.

This really is a bad case of "having to be seen to do something, anything". I feel actually embarrassed for our poor polis who'll have to implement this piss-stupid idea.

The wider question again, is how legitimate is it to ban someone from the Internet (all of it? some of it? is there realistically any halfway house?) just because their past or future potential crimes might use the Internet. We routinely allocate ASBOs and domestic injunctions barring certain persons from eg schools, shopping centres or the homes of ex-spouses, but these are in general (a) limited in geographical area (b) proportionate to the crime and (c) enforceable, in that there is very likely someone who has reason to take note if the area restriction is broken.

Arguably, none of these justifications apply to a total Internet ban. But who cares, it's clear that considerations of civil liberties simply melt away compared to the votes that can be won by name-dropping the "will no one think of the children" line. And not mentioning that by far and away the majority of the abuse is by someone known to the child and usually resident in their own home, not by stranger online pedophiles. At least in the US there appears to be a debate about the constitutionality of Internet bans - Pangloss has seen little or no sign of this in the UK.

Hell, they could simply plant 3 downloads on the pedophile's hard disc and that'll be them banned from the Net for life shortly :)





Future Strategy of the ICO

As the final part of Pangloss's catch up of vital reports on privacy and DP that all seem to have emerged while I was on holiday (sigh), the ICO's own report on its future strategy on DP enforcement needs read. I refer you in the meantime to cogent comments at Naked Law.

Very broadly, the ICO propose that they "will not focus on enforcement, but on reducing the risk to UK residents of misuse of personal information about them." This may of course however all be subject to change given the expectation that the current Commissioner Richard Thomas will retire in the not too far distant future.

Thanks also to IMPACT blog who (inter alia) drew my attention to the large ICO survey on attitudes to privacy which preceded the issue of the strategy paper and came out March 19 08. It's all go :) One of the most remarkable and yet not unexpected findings is that after the HMRC data scandal the British public has officially lost faith in the public sector: "The ICO poll of 1,000 people found that 53% of those asked no longer had confidence in the way banks, local authorities and government departments handled personal information." See Beeb summary here.

More on 3 Strikes & Phorm: the ISP Strikes Back, but still true to Phorm

3 Strikes, semper passim :)

Technollama has a good post on Carphone Warehouse's opposition (in its guise as ISP TalkTalk) to the idea of "3 strikes and you're out", and the BPI's response of threatening court action. According to the Telegraph, CW received the following warning by fax from the BPI:

"... unless we receive your agreement in writing that within 14 days Carphone Warehouse will implement procedures set out above [bold added], we reserve our right to apply to court for injunctions and other relief without further notice to protect our members' rights."

Which leaves one wondering: WHAT procedures? Last Pangloss heard, negotiations were going on between the ISPA and the MPA as to a protocol for "progressive" discouragement of filesharing by eventual disconnection, but no agreement had been struck; certainly if the BPI has formed a binding contract or even voluntary code of practice on similar lines with some or all UK ISPs, this is something the public should know about surely?

If, as seems more likely, no agreement exists, the BPI seem to be making some wrong assumptions about the remedies available to them. As it stands the common consensus is that ISPs are protected from liability for the actionable or illegal activity of their users unless they are shown to have actual or constructive knowledge of material they host for users (E Commerce Directive, Art 14). If the liability relates to the ISP's role as a mere conduit (Art 12) then ISPs are immune whether or not they receive notice. In all other circumstances, the BPI are limited merely to seeking an injunction against the ISP; although they are of course free to sue the actual users. "Other relief" - which can surely only be construed as implying either the imposition of a filtering obligation or damages - does not prima facie seem to be available.

Of course in Ireland, also in apparent contradiction to both Arts 14 and 15 of the ECD, the music industry are currently attempting to impose an obligation to filter out pirate tracks on Ireland's biggest ISP, Eircom. Various Irish legal commentators, notably TJ Macintyre and the unpronounceable Daithi McSigh, have already pointed out the major policy and legal objections to such a claim. But it appears to be sabre rattling season on both sides of the Irish Sea, presumably in anticipation of the consultation paper on 3 Strikes we are promised by BERR sometime between now and the autumn.

Phorm

Talk Talk/CW themselves should not be regarded too quickly as heroes of the hour though. Remember Talk Talk is one of the ISPs already signed up for the currently rather controversial Phorm system. Since it seems unlikely UK ISPs are going to go down the 3 Strikes route without legislation, CW/TT have good PR to gain, and nothing much to lose, by speaking out against the BPI :)

On Phorm, matters currently appear to be running against the pioneering or invasive new ISP-level adware system (depending on your side of the fence.) The ICO amended their position on Phorm yesterday after considerable pressure by, inter alia, ORG and FIPR:

"Ad-targeting system Phorm must be "opt in" when it is rolled out, says the Information Commissioner Office (ICO)

European data protection laws demand that users must choose to enrol in the controversial system, said the ICO in an amended statement.

The decision could be a blow to Phorm which before now has said it would operate on an "opt out" basis.

The ICO will monitor the trials and commercial rollout of Phorm to ensure data protection laws are observed."

EDIT: there is a rather sensible comment on the Beeb site about the likely implications of opt-in for Phorm.

This statement, interestingly, still leaves untouched the question of whether Phorm is not only potentially in breach of DP law but an illegal interception of communications under RIPA. The ICO of course has an interest in surveillance, but does not oversee it; interception is technically supervised by the Interception of Communications Commissioner. Home Office communications have indicated they think Phorm legal in this respect, but other commentators, such as Nicholas Bohm, differ.

MEPs condemn 3 strikes and you're out

Via Ray Corrigan and Cory Doctorow:

" Danny sez, "Last year, Euro Boing Boing readers wrote and called their MEPs to complain about European Union proposals advocating Internet filtering and blocking on behalf of the music industry. Not only were the amendments voted down, but now ninety MEPs from across the political spectrum have tabled a new text which condemns IFPI's plans to exile from the Net anyone they accuse three times of file-sharing:"
Calls on the Commission and the Member States to recognise that the Internet is a vast platform for cultural expression, access to knowledge, and democratic participation in European creativity, bringing generations together through the information society; calls on the Commission and the Member States, therefore, to avoid adopting measures conflicting with civil liberties and human rights and with the principles of proportionality, effectiveness and dissuasiveness, such as the interruption of Internet access.

(Translations into other EU languages here.)

"Among the advocates of the new language is Michel Rocard, the former Prime Minister of France. That's significant because present French PM Sarkozy is the only Euro leader currently seriously considering implementing IFPI's three strikes plan. With this kind of opposition, it looks like France might remain an anomaly, if it doesn't abandon the plans entirely.""

Wednesday, April 09, 2008

DP law and search engines

There is a truly remarkable amount happening right now on what one might very loosely call the "Web 2.0" privacy front. On top of the UK Byron report and the Ofcom report dealt with in the last two posts to this blog, we also now have the EC Article 29 working party opinion on data protection issues related to search engines.

Very roughly, this report takes the long-expected, but not uncontroversial (especially if you're Google) stance that IP addresses are (mostly) personal data. This follows the view taken previously by the Art 29 WP in its WP 136 that "… unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side". Basically even dynamic IP addresses can be connected to particular users given the cooperation of log-keeping ISPs. As such potentially all IP addresses must be viewed as "personal data".

It also argues that:

- the Data Retention Directive (2006/24/EC) is clearly highlighted as not applicable to search engine providers. This is because Article 2 sub c of the Framework Directive (2002/21/EC), which contains some of the general definitions for the regulatory framework over "electronic communications services", explicitly excludes services providing or exercising editorial control over content. Notably, search engines filter out illegal content, provide safe search, and respect no-robots text tags on sites, all functions search engines should continue to exercise.

Search engine providers must thus delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose they were collected for, and be capable of justifying retention and the longevity of cookies deployed at all times. The DRD is NOT an excuse to retain data for longer (as Google have previously claimed.) The WP recommended retention for no more than 6 months. Similarly, if search engine providers use cookies, their lifetime should be no longer than demonstrably necessary.

- the DPD does however clearly apply to search engines which deposit cookies on the machines of EU resident users, even if the search engine is based economically or physically outside the EU eg the USA. European data protection law also applies to search engines in specific situations, for example if they offer a caching service or specialise in building profiles of individuals based in the EU.

- on DP law, search engines generally fail to say exactly for what purposes they gather personal data of users. If it is used for purposes users might not reasonably have anticipated eg building profiles of users for advertisers, the search industry may be breaking DP law.

The WP also considered the new so-called "people search engines" such as PIPL and Rapleaf, which draw on data from a wide range of sites, often including blogs and SNSs as well as the general Web, to form indexed profiles of individuals. Such profiling may both reveal unexpected data, and throw up misleading correlations, and some have already drawn adverse comment. The WP emphasised that these sites "must have a legitimate ground for processing, such as consent, and meet all other requirements of the Data Protection Directive, such as the obligation to guarantee the quality of data and fairness of processing."

Pangloss is pleased to see this issue addressed: it provides a compulsory legal basis for what is emerging as good industry practice, namely (a) email the data subject whose profile is published (b) allow them to remove or correct or make private the data published. Of course we still need to make sites not based in the EU take notice of EU law. Eventually, what we desperately need is a technical fix, namely better multiple identity control - roll on the research into distributed identity management.





Updates : OxII Social Networking Conference, and Phorm

Pangloss had an interesting time at the OxII /Ofcom conference on Social Networking on Monday (7 April 08). I believe powerpoints and presentations will shortly be available on that site. The conference launched the Ofcom report on social networking which was partly produced to feed into the Byron report (see previous post on this blog). The report confirms with empirical evidence a number of common regulatory and legal assumptions about social networking - notably that "From Ofcom’s qualitative research it appears that concerns about privacy and safety are not ‘top of mind’ for most users" and "all users, even those who were confident with ICT found the [privacy] settings on most of the major social networking sites difficult to understand and manipulate."

What was slightly less predictable was that almost equal numbers of children and adults would fail (or not care enough) to use any privacy settings to safeguard their personal data (41% of children aged 8-17 who had a visible profile had their profile set so that it was visible to anyone, as compared to 44% of adults). Also interestingly, the report admits that while many respondents cited potential for abusive use of data revealed on SNSs, few examples of actual harm were in fact reported.

Pangloss's own view is that the report supports the view that protection of users - especially young users - on SNSs cannot be achieved by education of users - or "media literacy" - alone. Too many drivers - popularity, peer pressure, ignorance, inertia, technophobia, lack of incentive for SNS sites themselves to protect privacy, because advertising revenue is derived primarily from disclosure - drive SNS users towards unthinking disclosure, rather than rational protection of their personal data. In Pangloss's view, education of users needs supported by regulation (perhaps co-regulation) of SNS sites, in the form of code regulation that would minimise privacy harms. This will form the subject of a Pangloss paper coming real soon now :)

One of the prevalent themes of the conference (rather than the report) was how people use SNSs to further intimate relationships (oo er vicar). Apparently 6% of married Internet users first met their partners online. This seemed high to Pangloss, but it also includes people who met through chatrooms, IM and presumably, blog sites, although these were not name checked, as well as conventional dating sites. 20% of married Internet users admit to checking their partner's emails and 13% to having checked their browser history. Partners seemed to extend similar levels of surveillance to each other. Pangloss wonders how many have worked out how to use passwords and Clear History commands.. (indeed how many couples share passwords - almost more intimate than sharing a joint bank account these days..)

Pangloss however had to take a pinch of salt at the persuasive man from Match.com who insisted on line dating was no different from off line dating, merely more effective. I felt forced to point out the clear difference is that there is a great deal more lying at the start of on line relationships than is possible in the real world..

Meanwhile in the world of commercial rather than interpersonal stalking, Simon Davies of 80/20 passes this info on.

"80/20 Thinking is holding a Town Hall meeting on Phorm this coming Tuesday, 15th April, between 18.30 and 20.30 at the Brunei Gallery lecture theatre, SOAS, University of London.

Details are at http://www.8020thinking.com/events

Please do spread the word as much as possible. The meeting is open and free, but we ask people to notify us if they want to come so we can keep track of numbers. Again, those details are on the 80/20 page."

Sadly I can't go but I look forward to hearing about what emerges.



Wednesday, April 02, 2008

Someone Has Thought Of the Children, Honest..

Cogent post by Technollama on the insatiable hunger of the UK press for scare stories about the horrors of the Internet, especially re Facebook, MySpace, chatrooms, child porn etcetera.

All this furore has of course been partly whipped up most recently by the publication of the much-awaited Byron Report. Pangloss has not had time to read the Byron Report in full yet but was initially relieved that it seemed to have concentrated on "having a national strategy for child internet safety which involves better self-regulation and better provision of information and education for children and families" and not on further extension of the invisible upstream censorship model pioneered by the IWF and BT Cleanfeed to, eg, sites like social networking sites (SNSs), or online games; or types of content which are arguably harmful to children, but not illegal, such as adult sexual content (although read on for discussion of existing upstream filtering in schools and local libraries, and the consideration of extending a "child-safe" Internet to everyone, children and adults alike).

The main features of the Byron Report, beyond the usual calls for parental involvement, understanding that children know more about the net than parents, integration of e-safety into the school curriculum, and consumer and teacher education, seem to be:

(a) "better" ie more granular, classification of video, console and on-line games;
(b) refinement of our understanding of how offline laws apply to online content eg are suicide websites illegal?, and
(c) the creation of a one-stop shop for regulation of child safety on the Internet issues, to be named the (slightly Orwellian) UK Council on Child Internet Safety, and run by Home Office and DCFS with help from DCMS, which will "lead the development of a strategy with two core elements: better regulation – in the form, wherever possible, of voluntary codes of practice that industry can sign up to – and better information and education, where the role of government, law enforcement, schools and children’s services will be key".

Reading further on gives us some idea of the key tasklist the Council is meant to undertake. This is a long and interesting list but these are a few items that stood out to me.

- making sure home computers are sold already loaded up with kitemarked parental control software (but not by default already switched on and fully functional - see 4.72)
- making sure search engines offer clear indications if safe search is on, and that these can be "locked on" by parents
- making sure 100% of schools and local services (computers in libraries and museums eg) to children have Becta accredited filtering services
- working with user generated content hosts (eg Facebook) to establish an independently monitored voluntary code of practice for the moderation of user generated content.

Despite all this the executive summary concludes with the following quote:

“Kids don’t need protection we need guidance. If you protect us you are making us weaker we don’t go through all the trial and error necessary to learn what we need to survive on our own…don’t fight our battles for us just give us assistance when we need it.”

I feel, in my slightly confused position as a former specialist in child law and nowadays a specialist in Internet law, that we are getting mixed messages here. How are children going to go through "trial and error to learn" when they inhabit a world where parents can defer any parenting discussions on adult content to a kitemarked filter they don't understand enough to alter? Where school, library and museum access is 100% filtered? (And I have an acquaintance who runs the filters for a certain Scottish local authority's schools - and I was mildly appalled by how far it filters beyond what is legally proscribed content.) Where their own version of their own real life on their own UGC sites is potentially censored? (As if they need to go to the Internet anyway to see teens engaged in nudity, sex, drugs and unsafe behaviour - they can just watch Skins.)

Less controversially, there is an interesting suggestion at 4.19 about how UGC or social networking sites might handle the tricky issue of moderation of content and legal liability. Many SNSs, hosts and ISPs have long argued that they cannot monitor/moderate illegal content and remove some, because they are then "on notice" for the whole site's contents, and will be liable for any illegal content they have let slip past (see Art 14 of the Electronic Commerce Directive and the ghost of the Prodigy doctrine.) Byron rather smartly observes that such risks might be minimised if a third party was used to audit the site and give notice to the host site only about material which definitely breaches the law, and which could then be removed, and adds a recommendation that "the Council explores the possibility of developing such arrangements to minimise the risks of liability for companies that take steps to make their products safer for children". Who PAYS for such third party auditing is not discussed :)

Byron also recommends that sites be encouraged to sign up to specific public commitments on take down times, which sites currently tend to avoid for fear of being deemed in breach of contract if they do not take down in time; Facebook, eg, has already publicly guaranteed to take down on complaint, content containing "nudity, pornography, harassment or unwelcome contact" within 24 hours. This Pangloss approves of, having seen in her own empirical research, the very wide variation in take down times from hosts and ISPs according to variables such as size of organisation, type of content and type of organisation, and the uncertainty this can cause both hosts and users (MumsNet were reportedly forced into settlement re liability for allegedly libellous UGC, by not being sure if they had taken down "expeditiously").

Overall though, despite the odd mention (and I emphasise again my not having read whole report fully yet) there is a definite air about the report, as Jonathan Zittrain once put it, of it being "so 2005". What use will filtering requirements on schools, and parental control software be, when as will be true in about 5 Internet minutes, every child routinely accesses Facebook or Bebo on their way to school via their smart mobile phone? The report itself admits that 37% of 11-16 year-olds already have access to the internet via a mobile (ChildWise 2008). Even if mobile phone operators are corralled as upstream supervisors as well (a voluntary code of conduct for mobile operators has existed since 2004, but Byron admits "it is difficult to establish the effectiveness of work in this area" - 4.109) what about wi-fi accessed via their smartphones, IPod Touch or equivalent, on the school bus, in cafes, at friends' houses and at clubs? These issues are actually, praiseworthily, raised, with research commissioned to examine access outside the home (4.69) but in the end there is no solid recommendation of any serious way of how to deal with these impossibly difficult problems (4.106, 4.116, 4.117).

There also seems to be a rather worrying supposition that SNSs are the domain solely of children. Bebo may be, but many are not. Recent research showed, rather amazingly, that in the UK as of September 07, the median age of a Facebook user was 34! (Pangloss herself is an FB user and er rather over that age :( ) Should a 34 year old be subject to a UGC moderation code which refuses to let him publish a tasteful non-illegal erotica picture of his girlfriend? I am not really sure. We are getting dangerously close to the famous ACLU v Reno No 1 case which asserted that, even in the interests of children, the whole of the Internet should not be reduced to the level of a "children's reading room".

Putting the job of censorship on to ISPs, host and SNSs rather than directly exercised by the state, does not make it any less censorship - it just makes it less transparent and less accountable. There is a slightly chilling discussion at 4.54ff of the idea of network (ISP) level blocking of all unwelcome content - ie blocking non illegal but non child friendly content to ALL USERS, by all UK ISPs - with the onus on, or choice by, over-18s to opt out of this blocking. The Report chooses to not go down this route for large numbers of very sensible reasons, but adds somewhat worryingly "this may need to be reviewed if the other measures recommended in this report fail to have an impact on the number and frequency of children coming across harmful or inappropriate content online." (4.60) This puts Technollama's suggestion that next we will see regulation of social networking sites positively in the shade..

In short, the Byron Report is a brave and largely non-tabloid-scare-oriented attempt to deal with a difficult problem. Much of the child developmental information in the first two chapters is excellent and it is very valuable to have it in one place in front of policy makers and lawyers' noses. But as far as solutions go, one does have a feeling that it is perhaps not looking far enough ahead; because "far" on the Internet is usually not that far at all.

Tuesday, March 25, 2008

How Soon is Now?

.. as The Smiths once said.

I was reminded over the weekend about this post by sf writer Charlie Stross. It's a very interesting read on future gazing and why you're even less likely to predict accurately the near future than ever before. Stross argues that once it took 125 years for world wide acceptance of a technology - now it takes 16 or less. Such speed of change makes attempts by the always-catching-up law to regulate technology in any degree of specificity look ever more doomed. Another vote for Chris Reed's doctrine of creative inertia?

3 Strikes And You're Out talk from LSE conference

Ray Corrigan, one of the finest IT law bloggers on the block, has, incredibly helpfully, while I frolicked for the long Easter weekend, written up an account of my talk on the dubious legality of the posited "3 strikes and you're out" legislation which, if passed, would mandate disconnection of repeat filesharers in the UK from the Internet.

See http://b2fxxx.blogspot.com/2008/03/3-strikes-copyright.html (thanks Ray.)

There is also a third ground of possible illegality of any proposed "notice and disconnection" regime, , other than its transgression of due process and lack of propartionality with respect to human rights. I did not have time to get to this at the conference so Ray has not mentioned it - namely that in order to prevent an "it wasnae me" defense (as we say in Glasgow), legislation might also require the mandating of secured wi-fi for every user who maintains a wireless router. Without such a rule, every uploader could theoreticaly claim it was not them but a wi-fi piggy-backer who committed the "offence".

Currently, users are usually advised to make their wi-fi network secure, and most ISP T & Cs theoretically demand it, but many prominent security experts, notably including Bruce Schneier, deliberately keep their networks open (while maintaining high quality virus checking ware and firewalls for the security of their own data). they do son mainly on the grounds that the mobile Internet ought to be a public resource for those in transit or in public areas, like toilets or water fountains. Breach of a term imposing secure wi-fi only by an ISP may currently be a breach of contract which might conceivably lead the particular ISP in question to , legitimately, disconnect the user; but it would not, as "3 strikes" would, mean that user is then sent to Internet Coventry by every ISP in the country.

Cutting off the choice of providing public wi-fi to the user, on pain of banishment from the Internet, raises obvious issues itself of infringement of freedom of expression and association. Availability of unsecured wi-fi in public areas, say, in parks or on streets or at emergencies, is also arguably, as Schneier and co believe, a public good. Given that, it should be asked whether a proper balance is being maintained if we legislate to ban an asset of general public interest, in order to protect the legitimate property interests of one narrow commercial sector. It also raises the question of whether a wi-fi operator might be a "mere conduit" under the E-Commerce Directive, Art 12, and if so whether, in effect, strict liability for other people's misdeeds can be imposed on such operators without infringing EC law.

This point is dealt with in my powerpoint which I believe will be soon up on the relevant website along with other slides from the day. Will add URL shortly.

I think the best point raised during the day which I had not really considered at all before, was how long a general ban or disconnection after notice would last. (I think this came from Michelle Childs, but I am not totally sure.) Does a foolish upload or two by a teenager in your house mean that dad and/or mum is banned from the Internet forever? Even when we talk of true criminal sanctions (and copyright is at root a civil matter), jail terms (bar "life means life" for murder) have to be of defined length. Do we want a world where ISPs are ordered by the content industry to patrol indefinite lifetime bans from the Internet? Would legislation include provisions for appeals after a certain time and has anyone thought through the due process ramifications? The more you think about it, the more damningly flawed the whole idea is.

In France, at least, the whole process is going to be under the supervision of an independent tribunal given directions by a judge. If we do end up going down this route in legislation, the French system should be the minimum starting point for transparency and due process. I hope instead however that the UK government and BERR will, after due consideration, decide this approach, with all its capacity for disproportionate human rights infringement and errors in proof and process, is not a suitable way to police filesharing, when so many other routes exist.

Monday, March 17, 2008

Phorm an orderly queue

It might easily be said that the British just love creating problems with Phorms..

Here is the press release for the FIPR official letter to the ICO on the current Phorm controversy. It has my full support as a lucid and explanatory response to a pressing and potentially worrying incursion into consumer privacy (disclaimer: I am a member of the FIPR advisory board.)

FIPR Press Release

For Immediate Release: Monday 17th March 2008

Open Letter to the IC on the legality of Phorm's advertising system
-------------------------------------------------------------------

The Foundation for Information Policy Research (FIPR) has today released
the text of an open letter to Richard Thomas, the Information
Commissioner (IC) on the legality of Phorm Inc's proposal to provide
targeted advertising by snooping on Internet users' web browsing.

The controversial Phorm system is to be deployed by three of Britain's
largest ISPs, BT, Talk Talk and Virgin Media. However, in FIPR's view
the system will be processing data illegally:

* It will involve the processing of sensitive personal data: political
opinions, sexual proclivities, religious views, and health -- but it
will not be operated by all of the ISPs on an "opt-in" basis, as is
required by European Data Protection Law.

* Despite the attempts at anonymisation within the system, some people
will remain identifiable because of the nature of their searches and
the sites they choose to visit.

* The system will inevitably be looking at the content of some
people's email, into chat rooms and at social networking activity.
Although well-known sites are said to be excluded, there are tens or
hundreds of thousands of other low volume or semi-private systems.

More significantly, the Phorm system will be "intercepting" traffic
within the meaning of s1 of the Regulation of Investigatory Powers Act
2000 (RIPA). In order for this to be lawful then permission is needed
from not only the person making the web request BUT ALSO from the
operator of the web site involved (and if it is a web-mail system, the
sender of the email as well).

FIPR believes that although in some cases this permission can be
assumed, in many other cases, it is explicitly NOT given -- making the
Phorm system illegal to operate in the UK:

* Many websites require registration, and only make their contents
available to specific people.

* Many websites or particular pages within a website are part of the
"unconnected web" -- their existence is only made known to a small
number of trusted people.

The full text of the open letter can be viewed at:

http://www.fipr.org/080317icoletter.html

QUOTES

Said Nicholas Bohm, General Counsel, FIPR:

"The need for both parties to consent to interception in order for
it to be lawful is an extremely basic principle within the
legislation, and it cannot be lightly ignored or treated as a
technicality. Even when the police are investigating as serious a
crime as kidnapping, for example, and need to listen in to
conversations between a family and the criminals, they must first
obtain an authorisation under the relevant Act of Parliament: the
consent of the family is not by itself sufficient to make their
monitoring lawful."

Said Richard Clayton, Treasurer, FIPR:

"The Phorm system is highly intrusive -- it's like the Post Office
opening all my letters to see what I'm interested in, merely so that
I can be sent a better class of junk mail. Not surprisingly, when
you look closely, this activity turns out to be illegal. We hope
that the Information Commissioner will take careful note of our
analysis when he expresses his opinion upon the scheme."

CONTACTS

Nicholas Bohm
General Counsel, FIPR
01279 870285
nbohm@ernest.net

Richard Clayton
Treasurer, FIPR
01223 763570
07887 794090

NOTES FOR EDITORS

1. The Foundation for Information Policy Research (http://www.fipr.org)
is an independent body that studies the interaction between
information technology and society. Its goal is to identify
technical developments with significant social impact, commission
and undertake research into public policy alternatives, and promote
public understanding and dialogue between technologists and policy-
makers in the UK and Europe.

2. Phorm (http://www.phorm.com/) claims that their "proprietary,
patent-pending technology revolutionises both audience segmenting
techniques and online user data privacy" and has recently announced
that it has signed agreements with UK Internet service providers BT,
TalkTalk and Virgin Media to offer its new online advertising
platform Open Internet Exchange (OIX) and free consumer Internet
feature Webwise.

3. In a statement released on 3rd March the Information Commissioner's
Office (ICO) said:

"The Information Commissioner's Office has spoken with the
advertising technology company, Phorm, regarding its agreement
with some UK internet service providers. Phorm has informed us
about the product and how it works to provide targeted online
advertising content.

"At our request, Phorm has provided written information to us
about the way in which the company intends to meet privacy
standards. We are currently reviewing this information. We are
also in contact with the ISPs who are working with Phorm and we
are discussing this issue with them.

"We will be in a position to comment further in due course."


Reminder of March 19th filesharing conference

From Ian Brown:

Hi all - a reminder that this Wednesday afternoon we have a great
selection of speakers for our free OII/LSE event on music and copyright
(including from the ORG posse Becky Hogge, Richard Clayton, Lilian
Edwards and Wendy Grossman). Come along to find out what the government,
music industry, publishers and independent experts are thinking about
ideas like 3-strikes-and-you're-disconnected; scanning ISP traffic for
copyright works; and notice and takedown regimes.

Full programme at:
http://www.oii.ox.ac.uk/events/details.cfm?id=186

From Pangloss: apologies for radio silence. Giving 6 talks in a month while also teaching and trying to edit a book not best recipe for Constant Blogger :( I have lots to say, believe me..

Wednesday, February 13, 2008

More March madness, sorry, talks

Wednesday 5 March brings a joint event with the European Law Forum and ILAWS, both centres at the Law School, University of Southampton.

Professors Gerrit Betlem and Lilian Edwards will speak on “Promusicae: Fundamental Rights of File Sharers and the Enforcement of Intellectual Property - EU and IT Perspectives.”

Staff Common Room of the Law Building on Highfield Campus, University of Southampton, 1-2pm. Contact me if you want details. This is an informal seminar but all welcome.

Materials: the ECJ’s judgement in Case C-275/06 of 29 January 2008 and the Opinion of A-G Kokott of 18 July 2007.

Fun, file sharers and the law

Pangloss is off speaking again:

2pm-5.30pm 19 March 2008
The Old Theatre, London School of Economics, Houghton Street, London WC2

Is home downloading killing music? Should Internet Service Providers monitor customers to try and spot copyright infringement, and disconnect downloaders? Do musicians need new laws to benefit from the opportunities of the Internet?

Join us at this FREE event to debate these questions and more with leading copyright thinkers from the music world, government, consumer groups and universities. Confirmed speakers include John Kennedy (CEO of IFPI), Becky Hogge (Open Rights Group), Lilian Edwards (Southampton University), Rufus Pollock (Cambridge University) and Michelle Childs (Knowledge Ecology International). Find out more and register here.

Pangloss is talking about the role of ISPs and other intermediaries in enforcing rules against filesharing and the impact this may have on citizens, users and consumers. This is rather fun timing given both the Promusicae case discussed here recently and this much-blogged announcement yesterday - so I will save my commentary till March :)

Monday, February 11, 2008

Facebook

Just to document the press's continuing fascination that people are indeed monitoring Facebook, Bebo etc, and that despite this, other people are still stupid enough to leave confidential information there, this piece from the Indy ...

"Just ask the 27 workers at the Automobile Club of Southern California fired for messages about colleagues on their MySpace sites; the Florida sheriff's deputy whose MySpace page revealed his heavy drinking and fascination with female breasts – and swiftly found himself handing in his badge; the Argos worker in Wokingham fired for saying on Facebook that working at the firm was "shit"; the Las Vegas teacher at a Catholic school fired after he declared himself gay on his MySpace page; the staff of an Ottawa grocery chain fired for their "negative comments" on Facebook; the 19 Northampton police officers investigated for Facebook comments; and Kevin Colvin, an intern at Anglo Irish Bank, who told his employers he had a family emergency, but whose Facebook page revealed he had, in reality, been cavorting in drag at a Hallowe'en party."

However, the piece does have a new(ish) point, that worries about social network sites may shift from the obvious paedophiles, stalkers and ID thieves to more "civil" observers:

"That something as ubiquitous as social network sites (they have 13.7 million UK users) are exploited by paedophiles and other serious criminals is not surprising. Happily, the numbers affected are small. But the use of personal page content in civil disputes, divorces, employment and legal actions will affect far more of the millions now innocently sharing their thoughts and intimate moments with the online world. "

Pangloss is, as usual, almost finished an article on all this :) Send donations of spare time to allow her to complete it!!

PS while we're at it, two interesting recent comments on the ongoing Facebook/Scrabulous affair - Jonathan Zittrain here and the irrepressible Daithi Mac Sithigh here.

Wednesday, February 06, 2008

Stokes Law Stokes Trouble for the National ID database

I love this:

"I propose new law, to go alongside Moore's Law and Reed's Law and all of our other useful tools for doing back-of-the-envelope projections of where things will be going in the short- to medium-term. I propose Stoke's Law, which is that

as the amount of data that the government collects grows, so will the number of people who are victims of crimes that were made possible by unauthorised access to government databases.
[From Analysis: Metcalfe's Law + Real ID = more crime, less safety]"

So obvious yet so profound!

Also in today's mail - FIPR report an ICM survey finding that 25% of the UK population are now "strongly" opposed to the national ID database - up from 17% last September.

EBay to ban negative feedback by sellers..

.. but not from buyers.

This is an interesting one. A small UK study Ashley Theunissen and I did in 2005/6 seemed to reveal that both sellers and buyers found leaving feedback by far the most useful and widely-used instrument they had at their disposal for resolving and avoiding disputes on eBay. Other options such as eBay's own online mediation and negotiation procedures or Payer Protection Schemes were by contrast barely used, and both credit card and PayPal guarantee systems were often inappropriate to the dispute in question, either because a credit card was not used or, in the case of PayPal, because the many qualifications for the scheme were not met or the account had been emptied.

However, much game theory work since has also shown that feedback is highly unreliable as an index of trustworthiness of sellers, at least partly because negative feedback was very rarely given by buyers who were more than one-time eBay users, for fear of retaliation. Feedback can also be gamed by sellers through a multitude of small value transactions to build a shiny feedback profile, after which a large value no-delivery fraud is undertaken. Hence the preponderance of both sellers and buyers with 99.99% satisfaction ratings on eBay. eBay has been trying to address the second problem with its "Feedback 2.0", which allowed a more granular breakdown of how an eBay seller had acquired a certain feedback score over multiple transactions, but clearly this has not been felt to be enough to provide trustworthy guidance to buyers.

Given also the growth of eBay as a site for Power Sellers, quasi professional sellers and the like, trying to turn feedback back into a true index of the trustworthiness of a seller by restricting retaliation tactics seems like a smart move. Sellers however are of course not best pleased, according to the Beeb report. In our small survey, 60% of sellers had left negative feedback, as opposed to 40% of buyers, so this looks like a big change in practice for UK sellers. It will be ve-ry interesting to see how this pans out. Is eBay trying to forestall buyers leaving for other auction sites where they feel they are more likely to get good service from buyers, or at least have a better chance of picking a trustworthy merchant?? Or is it truly, as reports say, trying to provide a better "customer environment"? Pangloss would love to know if anyone has more info.

In the meantime, what we continue to need is a "true" non-gameable index of cross-site reputation - something from the distributed identity stable, perhaps. So far we are at the very early attempts stage in this field - see eg QDOS from the garlik folk, where Pangloss mysteriously finds herself compared to authors, footballers and Eastenders bit actors from time to time. Still, at least it's a start..

Tuesday, February 05, 2008

Promusicae in the ECJ

Pangloss has just grabbed a few minutes to consider this rather important new decision from the ECJ. Basically, the European court was asked to consider if it was legal for Spanish law to require telecoms providers, ISPs etc to retain traffic data relating to users for security or crime related purposes, but not to allow the use of that law for retrieval of evidence for OTHER (civil law) purposes, most obviously their use by IP rightsholders to uncover the identities of P2P filesharers.

The key provision here is Article 5(1) of Directive 2002/58 (the Privacy and Electronic Communications Directive, amending the Data Protection Directive 1995), which requires states to pass laws to ensure the confidentiality of traffic data. There can be exceptions to this obligation under Art 15(1), but only where necessary to safeguard national security, defence, public security, or for the prevention, investigation, detection and prosecution of criminal offences - and to prevent "unauthorised use" of the electronic communications system, as referred to in Article 13(1) of Directive 95/46.

There was some dubiety in the ECJ that this last exception covered traffic data collection to get evidence for *civil* litigation - but the court were willing to more or less go along with that one. What they weren't willing to say was that this implied laws MUST be passed requiring disclosure of personal data to safeguard the rights of litigants in civil proceedings - ie, the PECD did NOT require automatic disclosure of P2P traffic data to help out the music industry, though such laws would not violate EC law (para 56).

Several other IP-related Directives cited generally required states to provide for procedures for disclosure of information relating to pirate goods, after "justified and proportionate" applications by aggrieved rightsholders; however these did not take precedence over the specific obligation in the DPD and PECD to protect personal data.

And most importantly, as Cedric Manara has already mentioned elsewhere, the Court finally held that, turning to fundamental rights in the EC Charter, if the fundamental rights to property and to privacy (which appear therein, as well as in the ECHR) appear to come into conflict when EC Directives are implemented in national laws, well, then, IP does not take precedence over privacy (or vice versa): instead, national courts must "make sure that they do not rely on an interpretation of [national laws] which would be in conflict with these rights." (para 68) Put it plainly: IP rights do not trump DP rights, says the ECJ.

In other words also - my interpretation purely, now - although the ECJ have not said that laws requiring automatic disclosure of personal data to rights holders to protect IP rights would be illegal under the PECD, a serious warning has been issued to national legislatures not to be pushed into passing such laws, without considering first if rights of protection of personal data are being taken properly into account.

In the UK, this is serious stuff. The government is currently basically trying to shove through (as per Gowers recommendation no 39) a model borrowed from France under which ISPs will disconnect and bar repeat P2P infringers via BCP codes, without ever going near a court. But this is probably only the tip of the iceberg. It is no surprise that the industry would far rather have automatic disclosure via industry codes of practice than, as currently, have to go for Norwich Pharmacal disclosure. This will be a very useful opinion for lobby groups fighting such a legal or "soft law" progression.

I'll be saying more about this at a conference in March :) More details when I have them.