Sunday, March 29, 2009

Stross/Doctorow event, May 1 London

This is well worth advertising - wish I could be there!

Charlie Stross and I are doing a benefit talk for the Open Rights Group on May 1 in London, entitled "Resisting the all-seeing eye." Hope to see you there -- Stross is a ball, and ORG is a damned worthy cause, especially in this era of ubiquitous surveillance.

From technologies like PGP and Tor to the arguments that will convince people - friends and family as well as media and politicians - to watch out for their digital rights, this event is your anti-surveillance 101.

Cory Doctorow - science fiction novelist, blogger and technology activist - and Charlie Stross - science fiction writer and former programmer and pharmacist - will share how and why to control your data. The event will be moderated by Ian Brown - academic, activist and Blogzilla.

The entry price is either joining Open Rights Group - by handing door staff a completed form (link to PDF) - or making a one-off £10 donation on the door. Please register for tickets here. Drinks will be available, as is The Three Kings - a local pub - to continue the debate.

What: Doctorow and Stross: Resisting the all-seeing eye
When: 1830, Friday 1 May 2009
Where: Crypt on the Green, St James Church, Clerkenwell, Clerkenwell Close, London, EC1R 0EA - Map

Facebook reaches 200 million members


Interesting graphics from the New York Times on the rise and rise of Facebook: which has doubled its global membership from 100 to 200 million in eight months - quite remarkable.

Some interesting comments on FB's recent concessions towards user pressure to roll back some of FB's changes of terms and conditions, and unpopular redesign of the web interface.

" “It’s not a democracy,” Mr. Cox says of his company’s relationship with users. “We are here to build an Internet medium for communicating and we think we have enough perspective to do that and be caretakers of that vision.” "

On privacy settings, where FB continue merely to allow users to protect themselves, FB admit only around 20% of users use any privacy settings.

Most interestingly (in an article which is at points inches away from a puff post) are FB's attempts to present itself not as a provider of intrusive advertising in a private space but as a promoter of a new style of "interactive advertising" which will maintain momentum even as advertising revenues dry up for other providers dependent on ad revenue such as free webmail services.

"Facebook’s approach is to invite advertisers to join in the conversation. New “engagement” ads ask users to become fans of products and companies — sometimes with the promise of discounts. If a person gives in, that commercial allegiance is then broadcast to all of the person’s friends on the site.

A new kind of engagement ad, now being tested, will invite people to vote — “what’s your favorite color M&M?” for example — and brands will pay every time a Facebook member participates.

“We are trying to provide the antidote for the consumer rebellion against interruptive advertising,” says Sheryl Sandberg, Facebook’s chief operating officer and Mr. Zuckerberg’s business consigliere."

"...Facebook recently introduced advertising tools to let companies focus on users based on the language they use on the site and their geographic location. So, for example, an advertiser can now tailor a message to the Latino community in Los Angeles or French speakers in Montreal."

Pangloss sez: sounds like an attempt to repackage the much disliked Facebook Beacon, and step away from the bad press around Phorm in particular and targeted advertising in general. But is it more than puff? Even if users get to vote on their favourite M and M flavour, they will still not get to vote on the conditions under which FB pass on their personal data to third party marketers, despite the ra ra of consultation on the FB principles (see previous post).

Notably FB say they will never charge users for part or all of the FB services despite the credit crunch. However they do not say they will never pass on non-anonymised personal data to third parties, something which is currently barred by their own terms but could change in future (and is not barred by proposed FB Principle 3 either).

On the other hand the idea that users might actually be paid for giving their public allegiance to a product is interesting. Only the other week Pangloss vigorously denied the market would ever support paying for personal data (other than in costs-nothing considerations like air miles and loyalty card points) when it already routinely collects it for free. Maybe this is the first glint of a market sea change?

Full article here.

Friday, March 27, 2009

Just has to be quoted

The venerable IPKat has stepped away from his normal utter respectability to nail my also esteemed colleague Geeklawyer:

"The IPKat has a soft spot for the GeekLawyer's Blog. GeekLawyer (left), whose potent combination of outspoken honesty and irredeemably bad taste makes him unquestionably the Jade Goody of the IP blog world, displayed his sensitive side this week with this report and podcast on his friend Bill Patry's SCL talk in memory of the late Sir Hugh Laddie, whose potent combination of pungent wit and guts to deploy it to maximum effect made him ... well, never mind. "

Pangloss is now enriched with Geeklawyer's enormous um ruminations on his blog, Facebook AND Twitter. Shortly he will talk to me in my dreams..

This has been a Squid Friday production, courtesy of Nat Express Wi Fi and an unexpectedly and gloriously quiet train (hey, credit where credit's due for once. Am I Twittering on Pangloss now? Oh noes!)

Democracy Comes to Facebook?

Facebook is soliciting public comments on proposed new terms and conditions - see


Facebook Principles

Rights and Responsibilities


Pangloss is getting on train to Edinburgh to go to SCRIPT-ed, and will read them then to see if they actually change anything useful. But the sheer act of undertaking such consultation with a 100 million plus userbase, even if it is only PR, is really quite a remarkable landmark in the governance of web 2.0.

Also taking the Database State Report, the Digital Rights Agency consultation and various other reports. There will be blogging!

Finally, I note OUT_Law agrees with me that Google Street View is not illegal though for different reasons. Struan focuses on the recent UK ECHR-based case law on invasion of privacy as "breach of confidence", noting that the JK Rowling case seems to confirm that the UK courts do not recognise a right not to be photographed in a public place unless you, the data subject, are the focus of the camera's attention. Pangloss is less keen on this argument than her own resting on Art 7(f) of the DPD, (surprise), partly because the Art 8 ECHR law is in such flux and partly because it reinforces the data protection equivalent case of Durant which many DP commentators feel was wrongly decided. But it's a good piece: read it.

Tuesday, March 24, 2009

Google Street View - Up Your Street?

Many of my friends and colleagues have been having fun with Google Street View since it went live in the UK last week. My social networking Friends lists are full of people exclaiming "OH MY GOD that's my house!!!" or happily pointing out their car, their garden and in one case, their boyfriend leaning out of the window. Those who live in cities not yet rolled out, bemoan their luck and count how many yards they are from the Googlezone.

Others are not so happy. Privacy International, a well respected privacy watchdog, have already announced their intention to take Google to court on the grounds that they are breaking data protection law, and have made a formal complaint to the Information Commissioner.

Says the Beeb, "Privacy International wants the ICO to look again at how Street View works.

"The ICO has repeatedly made clear that it believes that in Street View the necessary safeguards are in place to protect people's privacy," said Google.

Privacy International (PI) director Simon Davies said his organisation had filed the complaint given the "clear embarrassment and damage" Street View had caused to many Britons."


So is G. Street View ("manic street features" as another BBC piece gleefully calls it) the greatest free of cost and publicly available innovation to hit online mapping ever, or another piece in the jigsaw of ubiquitous commercial and government surveillance in the UK?

Pangloss admits to having been far more excited than worried when she first got the news. Google have invested a pretty large amount of effort into protecting privacy, having learnt from earlier protests and roll outs in the US as well as accepting the reality of data protection law in Europe. Faces and number plates have been, with some fairly low margin of error, pixelated out. There are indeed errors: we have already had reports of people asking to have maps taken down because they depicted them being sick outside a pub or visiting a well known brothel. But Google have also provided an extremely easy to use take-down request system. Have they done enough?

My esteemed colleague Ian Brown of the OII doesn't think so (and repeated these feelings during a brisk debate last night at a post privacy conference dinner :) Said Ian to the Beeb:

"They [Google] should have thought more carefully about how they designed the service to avoid exactly this sort of thing."

Dr Brown said Google could have taken images twice, on different days, so offending images could have been easily replaced and protected privacy better.

Google says it has gone to great lengths to ensure privacy, suggesting that the service only shows imagery already visible from public thoroughfares."


There are a number of ways to frame this debate. One is the question of opt in to privacy, versus opt out. In the same way that Google Library has tried to push copyright discourse from opt in - consent by authors to copying of their work - to opt out - asking to be left out of the scheme if not wanting copies to be made (and failed - given the recent settlement?) - it is arguably trying to do the same with privacy here.

If privacy is indeed a fundamental human right, then it can be argued that in principle no one should have to be exposed to even a low risk of an intrusion of privacy by error (let's leave the debate on what that exactly is, plus the debate on how far your privacy stretches in a public place, aside for the minute) and then have to request take down; instead they should always be asked to give consent a priori. This is probably in gist PI's argument as to why what Google is doing is illegal.

In strict law, Pangloss is not really sure if this is right: the UK DP Act (and the EC DP Directive) do not always demand consent to processing of personal data - there is a well known exception which allows processing to be undertaken without consent if it is in pursuance of a legitimate aim of the data processor (Google) and does not at the same time unreasonably prejudice human rights (DPD, Art 7(f)).

A "few dozen" requests seem to have been made for take down, according to the BBC. If we knew how many views there are on GSV we could work out what percent have been privacy invading. It is probably a very very low percent. But is this the right way to construct the Art 7(f) balance? Or should we be looking only at the degree of privacy invasion suffered by each individual data subject concerned - how much they lost - their wife, their job?

We need a real debate here about whether privacy invasion should be regarded as purely an individual issue or a societal problem; similarly whether GSV brings advantages to society as a whole (surely?) and do these outweigh the privacy loss to the few individuals. If GSV sparks this debate it will in itself have been of value.

Ian's compromise solution above - essentially, get it right the first time so as to minimise privacy intrusions requiring post factum take down - is a pragmatic one but does not in essence meet the above theoretical problem. It raises another pragmatic problem too - Google has already spent vast amounts providing a fantastic service for free to the UK public. Yes, they will gain from ad revenue - but this is still an enormous free gift to the public as a whole. How much more money would it be reasonable to ask them to spend to meet the needs of the very few?

Taking two pictures of every location would presumably have doubled costs. Would fewer cities then be rolled out? Would there be more social and digital exclusion? Will rural areas ever be included in fact? And would someone living next to a person who had had "his" street view pulled out be justifiably irritated at his social exclusion? Should the invaded privacy rights of a few be allowed to stifle technological innovation for everyone? If we consider the P2P debate where the same issue arises - should the economic interests of the few in the entertainment industries be allowed to stifle useful innovation for the rest of us? - then generally the informed answer is no. There are many more societal cost/benefit balances to be thought about here.

In the meantime, Pangloss is going to go off to yet another workshop to talk about privacy and trust in next generation networks. Do we indeed trust Google to know where we live and to respect our privacy? Most do but some don't, it appears. Yet Google cannot automate, and thus provide at reasonable cost, the amazing services it delivers for "free", unless we all agree on this in advance, or at least are presumed to agree, subject to later opt out. This may be becoming a key problem of the digital era :)

Thursday, March 05, 2009

Great News Euro GikII PHiles!

"GikII 4, Amsterdam 2009

The fourth installment of GikII will take place on 17-18 September 2009 in Amsterdam, hosted by the Institute for Information Law (IViR), University of Amsterdam, in partnership with Creative Commons Netherlands. "

Yes I have been a bit quiet - I have moved house (yet again.) Lots of stuff coming soon :)

Also apologies to any reader who had planned to see me in Aberdeen this week - this had to be cancelled for a combination of ill health and transport problems. We hope to reschedule next academic year.

Thursday, February 19, 2009

Facebook U-Turn on New Terms and Conditions

Following Facebook's recent climbdown on their change of terms & conditions to continue claiming a license to use and publish user data even after users delete their profile, here's a few comments from me in New Scientist.

As I said to the interviewer but which failed to get quoted, the real interest in this little storm in a digital tea cup has been in demonstrating what lawyers know but users rarely think of, namely that Facebook can change their terms any time they damn well like, to be more - or usually less - privacy-friendly.

At the moment, FB's privacy policy declares that users only consent to the sharing of their data with advertisers and marketers in anonymised or aggregated form - but there is no reason why that can't change any day to FB selling full details of users' personal data. And given the downturn in the advertising fortunes of web 2.0, and the fact that Facebook anecdotally still makes almost no money despite its huge userbase and is worth far less than was once thought, can that day be far away?

Ownership of personal data and control over users' own generated content are issues that could well be regulated by model clauses in the current boom in Codes of Practice for social networking sites: instead unsurprisingly they tend to concentrate on kiddy safety - see eg the latest EC effort in this direction. The proposals do however include the useful provision that the profiles of all users under 18 should be set to "friends only" by default. (This ignores the need for protection of adult privacy though.)

In any case, even sales of aggregate anonymised data now pose a danger to privacy which current DP law wholly fails to notice. At the recent Information Security Best Practices conference 2009 run by Wharton College, Pennsylvania, several security expert speakers in the Data Mining and Privacy panel emphasised the improvements in deriving personal data from aggregate data. The bottom line appears to be that anonymised data as a concept is heading for extinction. Interesting times.

(And despite all this Pangloss is still on FB, albeit behind a lot of privacy locks. Do as I say not as I do, kiddoes.)

Schedule update:

24 February, PLC seminar: "Social Networking Sites, Privacy and Other Legal Aspects", sold out but contact Claire.Dine@practicallaw.com for cancellations.

4 March, Aberdeen University Law Faculty, "Phishing In A Cyber Credit Crunch World".

18-20 March, WSRI Web Science Conference, Athens, chairing panel on "What can Web Science Do for the Privacy of Data Subjects?: Law, Privacy and Data Retention in a Post 9/11 World"

23 March, London, attending Privacy Value Network Advisory Board.

30-31 March: speaking at SCRIPT-ed Governance of New Technologies Conference, Edinburgh

22-23 April: speaking at BILETA 2009 - The 24th Annual Conference, Winchester

That'll do for now:)

Wednesday, February 18, 2009

When MI5 tell you the state is spying on its citizens too much...

.. they're probably right?

Stella Rimington, our very own real life M, in unlikeliest declaration of support for the forces of light of this or any other week :)

" “It would be better that the Government recognised that there are risks, rather than frightening people in order to be able to pass laws which restrict civil liberties, precisely one of the objects of terrorism: that we live in fear and under a police state.”

Monday, February 16, 2009

It's Sooooooooo GikII!!

I'm very happy to announce that the success of GikII over the last three years has spawned an Australian spin-off, to be known as SoGikII. More details to follow, but here's early warning so you can start saving your pennies:)

Head South, Get Your Geek On - it's SoGikII.


SoGikII: Law, Communication Technologies and Culture, is a one day conference to be held on Tuesday 9 June, 2009, in Sydney, Australia, hosted by the Cyberspace Law and Policy Centre, University of New South Wales.


Past GikII presentations have contemplated knitted Daleks, Roman slaves and robots, data privacy and online hamburger games, and the copyright implications of Buffy-inspired avatars.


All your favourite bits from the Northern-flavoured GikIIs will be on the menu - provocative intellectual debate, incisive legal analysis and lolcats - all dished up with a generous serving of pop culture. GikII noobs be warned: this is a conference with the boring bits left out and the level of 'geek' cranked right up.


SoGikII will be chaired by David Vaile and Alana Maurushat, University of New South Wales, with assistance from Lilian Edwards, Professor of Internet Law, University of Southampton.

So if combining cyborgs, post-structuralism, the absurdity of patent law and beach views sounds like your idea of fun, please email your abstract of 500 words or less to Alana (a.maurushat@unsw.edu.au) and David (d.vaile@unsw.edu.au) by March 31, 2009. Notification of acceptance will be by email in April. A prize for the best lolcat will also be awarded.

www.cyberlawcentre.org/gikii/ "



Meanwhile as SoGikII goes Down Under, Original GikII goes European - with arrangements now almost in place to take it to Amsterdam, hosted by the esteemed institute, the IVIR. We hope this will open up GikII to exciting new Continental scholars as well as the old crew! Exact dates in mid September to be announced shortly.

Monday, January 26, 2009

Countdown to the Digital Britain report..



Latest from The Times:

"Internet service providers will not be forced to disconnect users who repeatedly flout the law by illegally sharing music and video files, The Times has learnt.

Andy Burnham, the Culture Secretary, said last year that the Government had "serious legislative intent" to compel internet companies to cut off customers who ignore warnings not to pirate material.

However, in an interview with The Times, David Lammy, the Intellectual Property Minister, said that the Government had ruled out legislating to force ISPs to disconnect such users."

The official announcement's now been delayed again, and against all rumour was not trailed at last week's Oxford Media conference. Looks like BERR're finding this one a wee bit tricky. Could that have anything to do with the music industry forcing Virgin to abandon its legal P2P offering? Remember the deal the Memorandum of Understanding offered back in July was new sanctions against filesharers, but only in return for new business models and in particular new legal ways to access music online using P2P .. not much sign of that..

Sunday, January 25, 2009

Google times are here again

Pangloss has found (via Google, how else!?) a rather interesting blog called http://blogoscoped.com/.

It contains a little gem called Google Robot which certainly makes you wonder just how sensible our current legal interpretations of the Google spider are.

"Frequently Asked Questions

Last update: November 1st, 2030

What are Google Robots?

Google Robots are our human-like machines that walk the earth to record information. They do no harm, and they do not invade your privacy.

What are Google Robots good for?

Our Google Life search website is powered by the Google Robot crawler program. On the Google Life website at life.google.com, you can:

  • Find out what menus the local restaurant offers at what prices
  • See a perfect 3D shape of all houses in your city
  • Know how crowded the bar is you want to go to tonight
  • Know what items to find at your local mall
  • Find out if your library has a certain book available (Also see: What's a book?)
  • Know what you said and who you met 3 weeks ago (this feature is available only to My Public Life™ subscribers)
  • Locate your friends (this feature is only available if your friends subscribed to My Public Life™)
  • And much more!

I saw a Google Robot entering a library and reading books in it. Is that legal?

Our Google Robots do not record private information. As the books in a library are considered to be public, our Google Robots reserve the right to scan them. However, we do respect the copyright of individual works, and will only show a "fair use" portion on our website." "

Another story off this site is that the German Federal Department for Media Harmful to Young Persons has put a pro anorexia blog hosted on Google’s Blogspot on the index of youth-harming media. It is already well known that Google censors its search in countries like Germany and France according to local laws which prohibit speech often legal in other states (such as the USA). The interest for Pangloss is that this follows on from the news that Germany's Communications Minister is pushing for a UK IWF-style Cleanfeed system. (So is Belgium - bad week for free speech huh - oh and Romania.) If the German scheme transpires, would URLs like this go on to it? That is pushing censorship past child porn, and an exact example of what I'm worrying about in the upcoming pornography chapter from Law and the Internet (3rd edn) I quoted earlier.

John Ozimek of the Register whose coverage has lately been excellent, says "Undoubtedly, 2009 is going to be the year of the internet filter." Hmm.

Interesting times: Pope Lambasts Facebook

The Pope, no doubt flushed with the media attention paid to his launching of a new Pope-Channel on You Tube, has also weighed in against Friends whoring on Facebook:


"The key quote, which clearly seems to refer to Facebook friending (or at least to so-called 'friend harvesters'): "If the desire for virtual connectedness becomes obsessive, it may in fact function to isolate individuals from real social interaction."

Here's the full paragraph: "The concept of friendship has enjoyed a renewed prominence in the vocabulary of the new digital social networks that have emerged in the last few years. The concept is one of the noblest achievements of human culture. ... We should be careful, therefore, never to trivialise the concept or the experience of friendship. It would be sad if our desire to sustain and develop on-line friendships were to be at the cost of our availability to engage with our families, our neighbours and those we meet in the daily reality of our places of work, education and recreation. If the desire for virtual connectedness becomes obsessive, it may in fact function to isolate individuals from real social interaction while also disrupting the patterns of rest, silence and reflection that are necessary for healthy human development."
"



Perhaps the Pope has been reading too many articles about the sad but rather silly story of the man who killed his wife for changing her status on Facebook to single.

As anyone who's ever used Facebook much probably knows, FB operates on the "closed universe" assumption that anyone who deletes any preference actually intends to mean the opposite. So various friends of mine have found that if X decides not to keep displaying the fact that she is married to Y (for example), FB sends a note to all your friends (or "friends") saying "X ended her relationship with Y". This tends to create a flurry of emails asking whatever happened, so at least it's a way of connecting with old friends :-)

If that is what happened in this case though, it really would be beyond silly into near tragic.

Connectedly, Pangloss is saying something or other about virtual worlds, social networking and privacy at the rather interesting looking Digital Lives conference run by the British Library in London on Feb 9-11. She may or may not mention the Pope...

While I'm at it, Pangloss (rescheduled from last year when I was ill) is also talking on social networking sites and the law at PLC (Practical Law Company) in London on February 24. Details at www.practicallaw.com but I understand it's already full, although there is a waiting list. End advert!

Monday, January 19, 2009

Security: Two factor Authentication Spreads


One for Technollama this :-)

We all know about the physical tokens or dongles you can now get to provide two factor authentication for your online banking services. In fact Pangloss was recently surprised to discover she could now not set up a new online payee without the use of one, on her RBOS account: it arrived in the post this morning by which time she had made the payment by phone:-) Anyway.

Some World of Warcraft players are now apparently so worried at the idea of their account being haXXored (leet spelling not authenticated..) by Chinese gold farmers etc that Blizzard is selling them two factor authentication as well. Interesting..

BERR, the music industry and file sharing: also stupid porn law ideas

Sorry for long silence. A bit of a catch up here of some recent very important stories..

Ray Corrigan helpfully reminds me that the Department for Business Enterprise & Regulatory Reform has published the responses to their P2P filesharing consultation.

"None of the options highlighted in the consultation won widespread support. Rather there was a marked polarisation of views between the rights holder community and consumers and the ISPs over what action should be taken.

A number of key issues were identified by respondents including copyright protection, protections afforded under eCommerce legislation and the impact on the wider economy. Consumers (individuals and consumer organisations) in particular highlighted concerns over data protection and privacy. The role of technology was addressed by most respondents, however there were conflicting views as to whether it could offer all or part of any solution. For almost all the options, questions were raised as to their legality under the existing legal frameworks and again, views varied.

There was a degree of consensus that any solution must involve the provision of new legal sources of attractive content and the need for education on the importance of copyright in the wider economy.

A number of replies suggested alternative models to those options proposed. Copies of all non-confidential responses received have been placed on the BERR website."



Meanwhile documents leaked to the Financial Times apparently show that BERR is planning in the wake of this to introduce an "ISP tax scheme":

"Ministers intend to pass regulations on internet piracy requiring service providers to tell customers they suspect of illegally downloading films and music that they are breaking the law, says the draft report by Lord Carter.

It would also make them collect data on serious and repeated infringers of copyright law, which would then be made available to music companies or other rights-holders who can produce a court order for them to be handed over.

With the creation of a body called the Rights Agency to be paid for by a small levy from the internet service providers and rights-holding organisations, these measures would form the spine of a new code of conduct for the internet industry. The draft report says the code would be overseen by Ofcom, the broadcasting regulator, according to people who have read it.

The guiding philosophy of the report is that the internet and music industries have failed to sort out the problems of illegal downloading between them, and the government sees this as its preferred solution."



As others have commented, that last sentence is possibly accurate :-)

Until we get details it doesn't seem worth commenting much on this. First impression is that it is certainly preferable to either the compulsory filtering of allegedly copyright content out, or the "3 strikes and you're out" type scheme we have feared since March 2008. On the other hand the privacy implications of this scheme are still not good.

Why for heaven's sake if we are going to start imposing taxes, can't we simply do the sane thing and install a tax/levy system on broadband use, which would pay for all music to be downloaded "free"? (A: because the music industry don't want it that way. Well, hello.)

According to Becky at ORG,

"The official government response to the consultation will be published as part of the interim Digital Britain report, which is expected at the end of this month."

In other news, DRM is dead. Well for music. I mean if iTunes has decided it isn't worth using, who the hell else is going to?

In still other news, turning from music IP to Net porn, Burnham talks Bollocks. Well, so no change there. I won't address this one in detail here either, because I just have in the (very heavily) revised version of my chapter on pornography, censorship and the Internet which will be appearing in the 3rd edition of Edwards and Waelde Law and the Internet, hopefully soon..

(This bit isn't so bad though. According to the Telegraph, "Mr Burnham also wants new industry-wide “take down times”. This means that if websites such as YouTube or Facebook are alerted to offensive or harmful content they will have to remove it within a specified time once it is brought to their attention." The vague definition of "expedient" in the E Commerce Directive Art 14 has long been unhelpful to both hosts and ISPs, so Pangloss approves of this as long as it is practicable.)

Here's a taster of my views, in the new section on the global rise in compulsory top-down invisible Internet content filtering..

"
Effectiveness. Web filtering can be easily avoided by those who really want to, and any government wishing to install it must consider the impact of this on effectiveness. Depending on how filtering is achieved, blocking can often be evaded by a proscribed site changing its URL, or merely its underlying IP address. Users in turn can simply use a foreign proxy server site to anonymise their surfing destinations[1]. Steps can be taken to inhibit avoidance, but they are likely to result in serious over-blocking – for example, the EFA paper on the Australian scheme notes that a serious web filtering system would also need to block the Google cache, the Way Back Machine[2], and numerous other Internet archive sites where content is mirrored. It can be argued that child porn web filtering systems merely inhibit the ignorant or lazy or those who stumble on illegal material by accident[3], and do not stop for a minute those who are ostensibly the real targets of the efforts involved – serious paedophiles who may go on to commit actual abuse.

A key anti-avoidance issue is whether filtering is only to be imposed on websites or on other types of digital content, such as Internet newsgroups[4], P2P filesharing systems, instant messaging (IM) and email, as well as mobile phone traffic. As we have discussed above, illegal content is now known to be more commonly swapped in encrypted P2P “darknets” than on the open Web, which begs the question, why bother to filter the Web at all? In response to such criticisms, the Australians have claimed they intend to extend their reach to cover material traded via the P2P protocol BitTorrent and the EC has instructed research into P2P content blocking[5]. Such research is still likely to prove useless in the face of modern evolving encrypted P2P systems. At present such systems (eg Tor and Freenet) are rarely used by the average EU or US citizen because they are user-unfriendly and slow – but in go-ahead Japan, the leading P2P systems, enabled by their fast next generation consumer broadband networks, are both encrypted and consumer-popular. It will not be long before such systems make the leap to Europe and the US as home broadband networks are upgraded here too. At that point only the most foolish pedophile would attempt to access child porn using the open Web.

A slightly easier target is mobile content. In Europe, many mobile operators already provide filtering software and filtered content for children, and UK operators since 2004 have voluntarily signed up to Ofcom-brokered codes of conduct requiring filtering of content to under 18s and labeling of over 18 content on their servers[6]. Reliably imposing these restrictions on children given cheap anonymous pay-as-you-go phones may, however, be a harder task than foreseen.

Resources. Even if we only look at filtering the Web, realistically, classifying the ever-expanding billions of Internet pages manually as “illegal”, “inappropriate” or whatever will cost billions of dollars and be an ever moving target[7]. (This has not however stopped the Culture Minister Andy Burnham recently suggesting exactly this for the UK[8].)

The IWF avoids this problem by being complaint-driven - which means its list is, of course, very partial[9] and thus of questionable success. In reality, blocklists in commercial filters are usually generated partly by automated and partly by manual means, which as the ONI note, means they are inevitably prone to both over- and under-blocking.



[2] Interestingly, the Register has also reported that the IWF had added images on the Wayback Machine to its block list, which had led to some ISPs banning the entire 85 million web page archive. Details were not given as to what images had been banned and ISPs involved gave 404 “page not found” errors. See “IWF confirms Wayback machine porn blacklisting”, The Register, 14 January 2009.

[3] Mike Galvin of BT, one of the creators of the IWF “cleanfeed” system, admitted in an interview with the Guardian on 26 May 2005, that Cleanfeed “won’t stop the hardened pedophile” and went on to say that its main aim was to stop accidental access by users following links such as those in spam emails.

[4] Internet newsgroups have largely fallen out of common use but are still extensively used for porn trafficking: see January 2009 report of USA conviction of 7 paedophiles following the bust of a well organised network that used Internet newsgroups to distribute illegal items to its members over a two year period. See “Child porn in the age of teenage ‘sexting’”, The Register, 16 January 2009.

[7] The EFA pages (supra n XX) estimate that even if 1000 people were employed full time for a year, they would fail to categorise more than 0.1% of all the pages on the Web, and at the end of that year the list would be hopelessly out of date.

[8] See BBC report, 27 December 2008, at http://news.bbc.co.uk/1/hi/uk/7800846.stm.

[9] Testing of the IWF Cleanfeed system for use in New Zealand found that their list contains probably only about 10-15% of offending websites (statistic cited in EFA pages, op cit supra n XX).




BILETA 2009, April 21-23, Winchester

And more!!

BILETA 2009 - The 24th Annual Conference


Tuesday 21 - Thursday 23 April 2009
Hosted by the University of Winchester Law School

"To Infinity and Beyond: Law and Technology in Harmony?"

Technology impacts increasingly on all areas of our lives, from e-commerce to e-learning. This year's annual conference focusses on the ways in which law and technology can move forward operating in harmony across the spectrum. Papers will fall into a wide range of categories including:

  • Intellectual property - including copyright, open source etc
  • E-learning
  • E-commerce
  • Virtual worlds / SNS
  • Intermediaries - IP providers
  • Infrastructure - including regulation and computer misuse
  • Privacy and data-protection
  • Cybercrime - including criminological aspects
  • Legal theory and critical perspectives
  • New technologies
The deadline for the call for Papers is 31 January 2009 and we would still like more, particularly from non UK speakers. Pangloss is part of the Programme Committee and will be there, probably giving a paper on (guess what!!) either phishing or suicide websites :-)

More details at http://www.winchester.ac.uk/?page=9871.

Winchester is a beautiful city, especially in April, and this should be a fun and exhilarating conference. The conference dinner will take place in the grounds of Winchester Cathedral - not to be missed!

The keynote speakers are:

Jeremy Phillips, Intellectual Property Consultant with Olswang, Solicitors and Research Director of the Intellectual Property Institute, and the well known leader of the IP-KAT team. http://www.jeremyphillips.eu/,

and

Dr Richard Clayton of the Cambridge Computer Laboratory, University of Cambridge 'It’s time to repeal Internet Legislation'
http://www.cl.cam.ac.uk/~rnc1/

SCRIPT-ed conference

Apologies to anyone who has seen this before, but this is a potentially fantastic conference, worthy of re-promotion! The editors of the well-known online SCRIPT-ed journal, which comes out of the AHRC/SCRIPT Centre at Edinburgh University, have decided to put on a conference playing especially to their established strengths in cutting edge IT and IP law and medical/biotechnology law.

Although the CFP is past, there is still room to squeeze one or two more papers into the programme if you hurry - they would like more US and Canadian speakers especially. Pangloss will be there (as an Editor of SCRIPT-ed, no escape) - probably giving a paper on either phishing or suicide websites. (Would readers like to vote for which they would prefer to hear?)

GOVERNANCE OF NEW TECHNOLOGIES:
THE TRANSFORMATION OF MEDICINE, INFORMATION TECHNOLOGY AND INTELLECTUAL PROPERTY


An International Interdisciplinary Conference
March 29-31, 2009
University of Edinburgh

BROAD THEMES

The conference will focus on evolving and emerging technologies and new-technology-driven practices and their impact on the overlapping fields of (1) healthcare, (2) information technology and (3) intellectual property, each of which are increasingly important in the post-genomic and post-AI world, with its heavy reliance on new technologies and their distribution.

The keynote speakers are:

Stream 1 ‘Medicine and Healthcare’:
Professor Bartha Maria Knoppers, University of Montreal, Montreal, Canada
“Population Biobanks: International Collaboration and Access”

Stream 2 ‘Information and Communication Technology’:
Professor Dan Hunter, University of Melbourne, Melbourne, Australia
“Information Monoculture”

Stream 3 ‘Intellectual Property’:
Dr Francis Gurry, Deputy Director World Intellectual Property Organization, Geneva, Switzerland
“The Future Direction of the International Patent System”

More details at http://www.law.ed.ac.uk/ahrc/conference09/index.asp . Particular queries should go to .

Monday, December 15, 2008

IWF v Wikipedia and the Rest of the World (except OUT-LAW)

Ever late to the party, still-bronchitic Pangloss would just like to make a few points about the Great Wikipedia Cleanfeed Debacle, if only for her own aide memoire, as she's still re-writing her porn chapter, and so she can say I told you so before it moves completely off the national radar.

In brief: IWF, allegedly little known (though much written about by Pangloss) non elected, industry based censorship quango, were told about dubiously legal naked picture of pre pubescent child on ancient record sleeve; IWF, after usual behind closed doors consideration, added image to "Cleanfeed" (as it's wrongly known) blocklist of child sexual abuse images distributed to almost every UK ISP; image found on page on Wikipedia, a high traffic site, m'lud, so more cumbersome than usual to block; (some) UK ISPs implemented IWF block requirement by funnelling their entire subscriber traffic to Wikipedia through two proxy servers, making only 2 IP addresses visible; Wikipedia's systems interpreted this as a vandalism attack and closed down write access from UK servers; meanwhile most UK ISPs except, notably, Demon, configured their servers to return 404 error (site not found) when UK surfers searched for this page, rather than the more honest 403 (site prohibited); Demon however truthfully announced that the site had been blocked by the IWF as they believed it to be child porn.

Internet predictably plunged into maelstrom of geek horror at censorship of t'net; image reposted on every virtual frat dorm door; IWF reconsiders ban; and for confused reasons not apparently wholly to do with the law ("in light of the length of time the image has existed and its wide availability"), rescinds ban. Everyone happy, sort of, except OUT-LAW, who stick to original guns and back IWF original ban.

Pangloss has no yearning for freedom of access to child porn and no dislike for the IWF, who are individually and collectively a most worthy and unselfish set of individuals, but she has long felt worried about the existence of Cleanfeed ever since the government effectively forced every ISP of any size in the UK to install it as proactive upstream filtering, back in late 2007, by threatening that otherwise legislation would be introduced to impose this.

Why is the IWF blocklist worrying? Not because banning access to child porn is in itself wrong - indeed since possession is a crime, preventing possession of child sexual images is arguably doing those seeking it a favour, as well as protecting the public - but because the mechanism of censorship here employed is non transparent, covert, undemocratic, non judicial and non accountable. I argued this in a SCRIPT-ed editorial at the original time of government backed imposition of Cleanfeed, and have been glad to see this quoted in a few places lately.

I am also glad this particular incident has arisen, because it exemplifies rather beautifully some of the reasons why, although stopping child porn is a Very Good Thing, this is not, yet, quite the right way to do it. (I am not concerned here with the issue of incompatibility between Wikipedia's defences and the IWF tactics.)

Non-transparent: it is the essence of accountable censorship in a democracy that we know that something has been censored and why, even if we are, correctly and according to law, not allowed to see it. In this incident, only Demon provided that information (and apparently against their own best legal advice!) Why did no other ISP supply this information?

One problem suggested is that if an ISP says "You cannot see this because it is child porn" and it turns out not to be in law, then an action for libel might fall against the ISP. However this can be easily avoided by wording such as Demon indeed used ("we aren't showing you it because the IWF said it might be unlawful"). As an even more belt and braces excuse, even draconian English libel law clearly allows for public interest privilege, ie, that sometimes there is a duty to say what you believe to be true for the benefit of the public, even though there may be legal dubiety as to its truth. That would surely apply to a warning that a user could not access an image because it was believed to be child pornography.

As a first step, the IWF must (as ORG has also suggested) issue guidelines to UK ISPs that there must be 403 transparency in cases like this in the future, not 404 obfuscation.
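The routing and response choices at issue in this incident can be sketched as a small simulation (an added example, not code from the IWF, any ISP or Wikipedia; the addresses, URLs and the `FilteringIsp` class are constructed for illustration). It shows how sending all traffic for a filtered host through two proxies collapses every subscriber onto two source addresses, and the difference between a bare 404 and an explanatory 403 for a listed URL.

```python
"""Toy model of URL-level ISP filtering through a small proxy pool.

All IPs (documentation ranges) and URLs below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Set
from urllib.parse import urlsplit

PROXY_POOL = ["192.0.2.10", "192.0.2.11"]                # the ISP's two filtering proxies
BLOCKLIST = ["http://wiki.example.org/wiki/Some_Album"]  # one listed page
CLIENTS = [f"198.51.100.{n}" for n in range(1, 51)]      # 50 subscribers


def normalise(url: str) -> str:
    """Canonical form for matching: lower-case scheme/host, fragment dropped."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = f":{parts.port}" if parts.port else ""
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{host}{port}{parts.path or '/'}{query}"


@dataclass
class Response:
    status: int
    body: str
    origin_saw: Optional[str] = None  # source IP the origin logged, if it was reached


class FilteringIsp:
    """Hypothetical ISP: only hosts that carry a listed URL are sent via the proxies."""

    def __init__(self, blocklist: Iterable[str], proxies: Iterable[str], transparent: bool):
        self.blocked = {normalise(u) for u in blocklist}
        self.filtered_hosts = {urlsplit(u).hostname for u in self.blocked}
        self.proxies = list(proxies)
        self.transparent = transparent

    def fetch(self, client_ip: str, url: str) -> Response:
        target = normalise(url)
        if urlsplit(target).hostname not in self.filtered_hosts:
            # Unfiltered host: routed directly, origin sees the subscriber's own IP.
            return Response(200, "origin content", origin_saw=client_ip)
        if target in self.blocked:
            if self.transparent:
                # Honest answer: the page exists, and the user is told who withheld it.
                return Response(403, "Forbidden: this URL is on a blocklist supplied "
                                     "to your ISP, so it has not been fetched.")
            # Opaque answer: indistinguishable from a page that never existed.
            return Response(404, "Not Found")
        # Allowed page on a filtered host: still relayed, so origin sees a proxy IP.
        index = int(ipaddress.ip_address(client_ip)) % len(self.proxies)
        return Response(200, "origin content", origin_saw=self.proxies[index])


def origin_view(isp: FilteringIsp, clients: Iterable[str], url: str) -> Set[str]:
    """Distinct source addresses the origin server would log for these clients."""
    responses = (isp.fetch(c, url) for c in clients)
    return {r.origin_saw for r in responses if r.origin_saw}


if __name__ == "__main__":
    opaque = FilteringIsp(BLOCKLIST, PROXY_POOL, transparent=False)
    honest = FilteringIsp(BLOCKLIST, PROXY_POOL, transparent=True)
    listed = "HTTP://WIKI.example.org/wiki/Some_Album#cover"  # variant of the listed URL
    other = "http://wiki.example.org/wiki/Other_Page"         # same host, not listed
    print("opaque ISP :", opaque.fetch(CLIENTS[0], listed).status)
    print("honest ISP :", honest.fetch(CLIENTS[0], listed).status)
    print("origin sees:", sorted(origin_view(honest, CLIENTS, other)))
    print("unfiltered :", len(origin_view(honest, CLIENTS, "http://news.example.net/")))
```

From the origin site's side, fifty subscribers editing or reading unlisted pages arrive from just two addresses, which is the pattern an abuse-prevention system has to distinguish from a single misbehaving source.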

Non-judicial: the IWF has often said, when criticised in the past, that it does not need to be a court, nor composed of lawyers and/or judges to do its job, while its scope is restricted to simple images of child sexual abuse. With child porn, they say, "an elephant is an elephant". Yet the case in point clearly stood at the edge of legal certainty. And this case did not even concern less well defined legal areas the IWF purports to review, such as hate speech (added to its remit relatively recently, and unilaterally).

Non-accountable: the IWF applied their own appeals procedure to the decision, after media pressure, and reversed it. Effectively they changed their mind. This is not how true courts and tribunals work, where an appeal must be heard by a separate body with an account of what factors led to a different legal decision. The IWF may have truly reconsidered their opinion as to the law (although their own press release rather speaks against this), but they may equally well have simply bent to public pressure, or practical enforcement problems. For those who truly want an objective system which responsibly cracks down on child porn, this is surely unacceptable. Justice is a system, not an arbitrary private discretion.

Combining the two factors above, we come to a simple conclusion: that the IWF, to meet basic principles of due process and retain respect and public confidence, must consist of judges, or at least be chaired by a judge.

It is simply historical accident that this is not the case already. The IWF was set up in haste in the early days of the Internet, not as a government agency or tribunal, but as a protective self-regulatory watchdog body, whose aim was to protect the ISP industry from being prosecuted as distributors of child porn.

In the years since, the IWF has done a great deal to up its "pro bono" profile, eg added members from children's charities, released statistics and minutes, trained its members (though exactly how is not clear); but it remains fundamentally a self appointed quango of non judicial, and non elected membership. This is simply not the right way to deal with as important a decision as the one it makes, which simultaneously labels sites as criminal suppliers of child porn, users as criminal possessors, and restricts public freedom of expression.

Having the IWF chaired by a judge would also enable it to resist popular or media - or governmental - pressure to remove - or add - an item to the blocklist. Here we come to the most worrying part of this whole affair; the fact that IWF censorship is covert. Court based, conventional justice is public; proceedings are public, reports are available. With the IWF, however, not only are the decisions taken behind closed doors, arguably understandable in the light of the sensitivity of the matter under concern, but so is the implementation.

The IWF blocklist is encrypted; arguably so that when it is sent to ISPs, the number of people who can actually read it is minimised. Again, many would agree with this as an aim - a comprehensive list of illegal child porn sites and images (effectively a user's guide to finding child porn) would certainly be worth a great deal to some people, and would not be in the public interest to release.

But the consequent opacity of the blacklist and the lack of any public vetting of it or access to it, means that in theory almost anything could be added to the list without almost anyone in the country knowing. (And this could be done by the ISP, as well as by the government pressurising the IWF.)

As I wrote in 2007, it is widely rumoured that the IWF has already come under some governmental pressure to add sites containing pro-terrorist images, notably videos of hostage executions. These images may be unpleasant but they are not AFAIK illegal to view. Have we done right to construct a system which provides for secret nationwide blocking of any kind of unwanted online content?

Again I would suggest the presence of a judge as chair of the IWF should restrain these fears, and restore national confidence. As OUT-LAW noted we DO certainly already have censorship in the UK and yes, it is sometimes a good thing; but I want the kind of censorship we already have: accountable, publicised, judicial censorship. Struan says "The government trusts it [the IWF] to do this job." Well, I don't. I trust judges, as any good law student should. Censors should be independent, not just of the state, but of other interest groups, such as the industry itself, and yes, the child protection sector. There is no good reason other than cost (which is not a good reason) why the Internet alone of media should be subject to non judicial yet government imposed censorship.

Finally, what this incident has also revealed is the strangeness of a system where illegal material is successfully and swiftly removed in the UK primarily by means of notice and takedown (the IWF boast, quite rightly, that in their few years of existence they have managed to almost wholly remove child porn from UK servers) but where we apparently make no effort to procure take down abroad, before blocking, even from well known and responsible sites like Wikipedia. (And yes, Wikipedia refused to take down this time - but that does not mean they always would, or that all other sites would act in the same way.)

As Richard Clayton has pointed out in the past, international co-operation now means that foreign phishing sites can usually be taken down in hours, not days; why can we not achieve this for foreign servers hosting child porn? There may be legal difficulties outstanding here I am not aware of, but it seems obvious that more take down means less need for blocking, means less opportunity for covert censorship - unless that is the aim..?

I hope these concerns will be taken forward, perhaps as one of the research projects sponsored by the Safer Internet Programme mentioned below?

Gowers Rides Again

Stunning polemic by Andrew Gowers, author of the eponymous report, in the FT today. Disses term extension of sound recording copyright, and the "moral case" for it, as the lobby-driven, celebrity-star-struck tosh it is, but also says much much more. Bravo.

"First, to music companies: you have moved beyond trying to close the internet down as a distribution channel, but you have still not done enough to exploit the swirl of creative and commercial opportunities unleashed by the world of social networks and web 2.0. Please focus on innovation, not on trying to eke more rent from the successes of yesteryear.

Second, to policymakers: many of you are debating how government can support business in these challenging times, and that is fine. But you would do well to pick the targets for assistance and the instruments you use with care. Get it wrong, and you will end up looking silly and out of touch like Mr Burnham."

Cyber(in)security roundup

Producing the McAfee VCR makes you more than normally aware that every vendor and their (robo)dog, plus apparently most NGOs, produces a report on some aspect of online spam, crime, fraud etc in that vital run up period to Christmas when apparently our minds are focused on fun, festivity and, er, fraud:

My esteemed co-author Blogzilla helpfully summarises a few from the US and international organisations:

"Securing Cyberspace for the 44th Presidency — the Center for Strategic and International Studies argues that President Obama should create a comprehensive national security strategy for cyberspace, echoing many of [the McAfee] recommendations.

Financial Aspects of Network Security: Malware and Spam — the International Telecommunications Union develops a framework for assessing the financial impact of malware.

The OECD calls for a global partnership against malware, and a move from reactive responses to proactive threat reduction and mitigation."

But there's also been some more local offerings:

The Garlik UK Cybercrime Report 2008 - which, like our report, top-lines the credit crunch and its effect on cyberfraud. Despite the name the figures appear to relate to 2007. For the UK, it is claimed, we have seen:
  • Overall cybercrime has risen by 9% from 2006
  • Online financial fraud is up by 24%
  • Online card fraud is up 45%
  • 84,700 cases of online identity fraud
  • 40% of all identity frauds are facilitated online
  • "More than two million victims suffered abusive or threatening emails, false or offensive accusations posted on websites and blackmail perpetrated over the internet, up from 1,944,000 in 2006." Much of this apparently took place on social network sites. Pangloss is curious where they got this figure - must go print out the whole report.
ENISA, the EU's security agency, also produced in early December a rather underlooked report, ENISA - Photo Sharing, Wikis, Social Networks – Web 2.0 and Malware 2.0. This has an interesting analysis of risks primarily to *systems* from the hard technical viewpoint, as opposed to the emphasis most of the other reports place on risks to *users* (though of course the two are connected). The risks of cross-site scripting exploits in multi-origin environments like SNSs are highlighted, along with typically weak control of authentication and access privileges. The policy recommendations to governments are interesting:

"
  • Policy incentives for secure development practices such as certification-lite, reporting exemptions and the funding of pilot actions. These incentives are needed to address the large number of, eg, cross-site scripting vulnerabilities caused largely by poor development practice.
  • Address/investigate Web 2.0 provider concerns about conflicts between demands for content intervention and pressure to maintain ‘mere conduit’ or ‘common carrier’ (US) status. This is considered a very important problem by Web 2.0 providers because of the strong user-generated content component.
  • Encourage public and intergovernmental discussion on policy towards behavioural marketing (eg, by the Article 29 Working Party)."


Perhaps unsurprisingly in light of all this, the EU has just announced (9/12/08) its plans to continue funding its Safer Internet Programme to the tune of 55 million Euros:

"The EU will have a new Safer Internet Programme as of 1 January 2009 (to 2013)... While 75% of children (aged between 6 and 17 years) are already online and 50% of 10-year-olds have a mobile phone, a new Eurobarometer survey published today shows that 60% of European parents are worried that their child might become a victim of online grooming (when an adult befriends a child with the intention of committing sexual abuse) and 54% that their children could be bullied online... The new Safer Internet Programme will fight grooming and bullying by making online software and mobile technologies more sophisticated and secure."

The money is to go to:

  • Ensure awareness of children, parents and teachers, and support contact points that are providing them with advice on how to stay safe online.
  • Provide the public with national contact points for reporting illegal and harmful content and conduct, in particular on child sexual abuse material and grooming.
  • Foster self-regulatory initiatives in this field and stimulate the involvement of children in creating a safer online environment.
  • Establish a knowledge base on the use of new technologies and related risks by bringing together researchers engaged in online child safety at European level.
So more media literacy, more research, more IWF style hotlines, but no apparent endorsement of the ISP or mobile coms sectors being required to impose mandatory "upstream" filtering: either of the IWF-led UK Cleanfeed initiative or the disputed new Ozzy variety. Interesting...

Friday, December 12, 2008

McAfee Virtual Criminology Report 2008, and Predictions for 2009 in the IT Law World

Pangloss is back in town (well, Edinburgh) after her jaunts to Israel and London, which culminated in a brief and rather bronchitic appearance on the Today programme talking about cybercrime - the germ (contracted in Israel) was clearly genetically engineered by Mossad to take out the EC's top legal brains. Er, well, or something like that:)

The 2008 McAfee Virtual Criminology Report, which I was plugging on the aforesaid Today prog, is now available free online in a variety of languages, edited by myself and Dr Ian Brown of the OII, with this year an even wider selection of contributing international experts we interviewed - read and comment here should you wish!

Our top level findings this year included:

- the credit crunch will inspire greater investment in cybercrime by criminal gangs etc, especially in the financial phishing area where the confusion of mergers and bankruptcies in the financial sector has left the consumer confused and vulnerable
- difficult financial prioritising may also leave both the commercial and public sectors vulnerable to further security and personal data breaches, and compliance action must take this into account
- local individuals may be pulled into international phishing as "money mules"; new e-payments and virtual world payments systems are also likely to be utilised to launder the profits of cybercrime
- cyber terrorism continues to be an issue, with more attacks from alleged sources in China and Russia, especially against the likes of Georgia in 2008
- however some experts also suspect misdirection and obfuscation as to where the true sources of both cybercrime and cyberterrorist attacks are; it is easy to direct Internet traffic via "scapegoat" countries and some cybercrime overlords may be much more local than we think.
- creating "cybercops" is a tough job for nation states, especially in the non Western countries and we may need to look at the creation of a NATO-style transnational "standing cyber-police".


Meanwhile Pangloss was also one of a number of practitioners and academics asked to contribute ideas to the SCL's round up of predictions for what the IT law field may see happening in 2009. The results make interesting if relatively consistent reading (credit crunch will reduce IT and law spending, more out sourcing, more clampdowns on personal data breaches, more powers for ICO, more copyright maximalism by rightsholders, more attempted IP infringement by the bored/unemployed) which probably means something entirely different will happen instead...

Israel was a remarkable experience, which I hope to write more about at some point. It is quite something for a privacy scholar, even of the non-fundamentalist variety, to see in action a society which so clearly thinks in the majority, that in its unique case, security simply demands substantial inroads into what we would see here as basic personal autonomy and privacy standards. As my niece, studying in Tel Aviv, put it; "It makes me feel safe".

There is a norm of having bags searched on entry to most public places; cars and travellers can be stopped for no reason; security alerts closing public transport and roads down are commonplace. On the other hand Tel Aviv is extremely Western and secular (it reminded me of a cross between LA and Barcelona) and the privacy and technology lawyers at Tel Aviv University who hosted me are as involved as any at Berkeley and Harvard in promoting human rights standards, anti racism, and running pro bono clinics etc. As I visited they had just been involved in condemning e-voting in Tel Aviv local elections which did not meet democratic standards, and they are helping Israel to apply for privacy "adequacy" certification under the EC Data Protection Directive. It was a fascinating time and I hope to go back and discover more in the not too distant future. Thanks to Michael Birnhack and Assaf Jacob especially for inviting me!