Wednesday, 26 October 2011

Newzbin2 - the order

The High Court has just handed down its order in "Newzbin2".

For those not following, the story so far goes like this: newzbin (whose site I will not link to for obvious reasons) describe themselves as a "Hand edited, searchable archive of Usenet binary content from the creators of the NZB Format." USENET is of course the grandparent of most peer-to-peer file sharing networks. People were sharing copyright material via USENET even when I started using the internet over 20 years ago. Newzbin do not host any of the material (which is available via USENET) but their site undoubtedly makes it much easier to find copyright infringing material to download. Unsurprisingly, many large copyright owners do not like it.

Last year, a group of Hollywood studios persuaded Mr Justice Kitchin that Newzbin were guilty of copyright infringement in three different ways: (1) their actions amounted to "authorisation" of copyright infringement; (2) they were also joint infringers with, or procurers of, the infringement of their subscribers; (3) even though they did not host any of the movies complained about, they "made them available to the public", which is an act protected by copyright. The case Twentieth Century Fox v Newzbin [2010] EWHC 608 (Ch) makes interesting reading as it explores just how far a website may (or in that case may not) go without infringing copyright.

Newzbin's reaction was to be expected: their operation moved outside the jurisdiction of the UK courts. Undeterred (one hopes they were sufficiently web-savvy to have anticipated the move) the studios applied to the High Court for an injunction against BT to force BT to block access to Newzbin for its (ISP) customers. The studios made use of a statutory power given to the High Court to make injunctions of this kind under section 97A of the Copyright, Designs and Patents Act 1988.

At the end of July, Mr Justice Arnold agreed to grant the injunction (Twentieth Century Fox v British Telecommunications [2011] EWHC 1981 (Ch)). Lilian Edwards wrote a very neat analysis of the decision on the day it appeared. As she explains, Newzbin was an unusually good case for an injunction, not least because there had already been a decision of the High Court finding that the site was involved in copyright infringement. Other cases may be more difficult for rights holders to argue. It will depend.

Mr Justice Arnold postponed deciding on the exact form of the injunction — that is exactly what BT should be ordered to do — until he had heard further submissions from the parties. His decision on the form of order was what was handed down today.

A huge simplifying factor is that BT are already running a system known as Cleanfeed which is used to filter out material on the Internet Watch Foundation's list of suspect IP addresses and blacklisted URLs. This meant the order could require BT to add IP addresses and URLs supplied by the studios to its Cleanfeed list.

Cleanfeed is not used with all BT ISP products. In particular it is not used for what is effectively wholesale supply of internet connectivity, nor to particular customers in certain cases — one example being the police who, one imagines, absolutely do wish to be able to access illegal material for investigatory purposes. The order applies "In respect of its customers to whose internet service the system known as Cleanfeed is applied whether optionally or otherwise". Read literally that would appear to mean that customers who have Cleanfeed as an option but have opted out would still have to be filtered by BT. It is unclear to me whether that is what the judge intends.

The order makes it clear that BT is not required to carry out deep packet inspection. BT need simply rely on the IP addresses and URLs reported to it by the studios, but this, in my view, leads to the most serious defect in the order: it relies entirely on the good faith and judgment of the studios. There is no sanction for mis-reporting of websites. Since there is no requirement to publish the list of sites supplied to BT or to notify site owners that they have been placed on the list, it may be difficult to ensure that the studios act fairly and properly.

BT did try to obtain what is known as a cross-undertaking or an indemnity from the studios which would have compensated BT for any loss it suffered as a result of any mistakes made by the studios. The judge rejected that request on the basis that, as he decided, BT could not be liable for damages (eg by being sued by its customers) because it was acting under a court order. That will no doubt be a useful decision for ISPs and web service providers in other situations, but it did mean there was no basis for imposing any sanction on the studios for supplying incorrect sites in their list.

There was some argument as to how precisely the list should be described. In order to ensure that it would be difficult to circumvent the order, the judge decided that the order would apply not only to the Newzbin website itself but also to "any other IP address or URL whose sole or predominant purpose is to enable or facilitate access to the Newzbin2 website". Here we see one of the weaknesses of section 97A. It gives the High Court the power to grant an injunction but it fails completely to say what kind of an injunction that might be. In particular it does not say that the injunction should be restricted to preventing access to sites where copyright is being infringed (like Newzbin). I am therefore concerned about whether the combination of the wording of the order and the lack of any sanction on the studios may cause problems at a later date.

The other significant issue was costs. While costs (which lawyers get very excited about) may not seem as interesting as arguments about what should be blocked and how, costs are often as expensive to a party as the consequences of losing (or winning) a claim. Costs are a big deal. One positive outcome of the decision is that BT was entitled to be paid its legal costs for the first part of the claim up to 16 December 2010 - in other words the costs that would have to be incurred to obtain a court order. In the future ISPs can be reasonably confident that they can demand a court order before instituting website blocking and not expect to have to pay the costs of that order. The judge found that BT should pay the costs of the contested part of the proceedings, but that each party would bear its own costs for the decision about the final order.

In conclusion, I have two points to make: first, it is now clear that copyright owners are perfectly able to obtain quite favourable court orders to block websites, so that there was really no need for the Digital Economy Act 2010 to introduce more website blocking provisions when the existing ones (in section 97A) had not been properly tried out. Second, other cases may not work out the same way as this one. For example TalkTalk do not run Cleanfeed. One expects that the argument (and subsequent order) in a case against TalkTalk might be a little different for that reason. We will see.

Thursday, 20 October 2011

Can we force facebook to give us its "like" database?

Jim Killock of the Open Rights Group pointed me at an interesting response made by facebook to a subject access request made under Irish data protection legislation by an Irish student named Max, as part of the Europe versus facebook campaign.

The particular point that interests me concerns facebook's tracking of all pages visited which show a "like" button - a practice that can be really intrusive. Although Max did obtain a considerable quantity of information, facebook did not release to him their list of "like" tracked data.

In their response facebook say:

Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.

Unfortunately for facebook, that isn't quite what the relevant Irish legislation appears to say (health warning: I am not an Irish lawyer). What section 4(12) of the Irish Data Protection Act 1988 says, according to a consolidated version of the statute, is:

(12) Subsection (1)(a)(iv) of this section is not to be regarded as requiring the provision of information as to the logic involved in the taking of a decision if and to the extent only that such provision would adversely affect trade secrets or intellectual property (in particular any copyright protecting computer software).

Note the phrase "information as to the logic involved in the taking of a decision". What this is all about is that section 4 gives data subjects several different rights. One right (in section 4(1)(iii)(I)) is to be supplied with a copy of "the information constituting any personal data of which that individual is the data subject" - a simple right to information. Another, and different, right can be found in section 4(1)(iv), which applies to automatic decision making by the data controller. Here the data subject has a right to be informed of the "logic involved in the processing". Obviously that's quite a different right since it is essentially a right to know about algorithms rather than data.

Quite clearly section 4(12) is a restriction on the right under 4(1)(iv) to know about the logic of automatic decision making and not a restriction on the right of information simpliciter. Nice try facebook, but I can't see that working.

Our own legislation is very slightly different. We also have a right (in section 7(1)(d) of the Data Protection Act 1998) to be informed about the logic involved in automatic decision making, but the restriction on that right is limited to trade secrets. Section 8(5) says:

Section 7(1)(d) is not to be regarded as requiring the provision of information as to the logic involved in any decision-taking if, and to the extent that, the information constitutes a trade secret.

So any UK national involved in the Europe v facebook campaign has a much stronger argument.

In any case, at best facebook can claim a database right over the contents of the list of pages visited by Max that they have collected using the "like" button. The database right is a creature of European law (directive 96/9/EC). Recital 48 of the directive states that "the provisions of this Directive are without prejudice to data protection legislation", which seems to me to argue that data protection law ought to trump database right. If you think about it, the contrary would be an impossible situation. Personal data will often be protected by database rights. If you could use database rights to avoid subject access requests they would be of far less use.

Monday, 10 October 2011

Digital Economy Act appeal: more detail

As I said on Saturday, TalkTalk and BT have obtained permission to appeal to the Court of Appeal in their judicial review of the Digital Economy Act 2010 ("the DEA").

Thanks to the counsel for the appellants I now have a little more information. The appeal is going forward on essentially the first four grounds that were put forward at the original judicial review hearing. The appellants did not appeal on the fifth ground: proportionality. I thought it might be useful, at this stage, to give an extremely rough outline of those four grounds.

The first objection concerns the Technical Standards Directive (83/189/EEC), the aim of which is that any laws that impose technical standards on goods or services (known as "technical standards" and "rules on services") are reported to the European Commission in enough time for the impact of the proposed law on intra-community trade to be assessed and any objections to be raised. This is known as the "standstill period". Failure to comply with the procedure renders the relevant law unenforceable.

The appellants say: "The DEA is a technical standard and/or rule on services; it wasn't notified to the Commission before it was passed, therefore it is void." The government responds: "No it isn't! It's not nearly detailed enough to be a technical standard etc at this stage; you have to wait for all the little statutory instruments we are going to make under it before there's enough detail to need notification."

The second ground concerns the E-Commerce Directive. As readers may know, this gives various kinds of immunity to providers of "information society services" and in particular to ISPs who, as "mere conduits", are not liable for the information that they transmit.

The appellants' case is that the DEA does impose liability for information transmitted and/or it imposes a requirement to remove or disable access to information. Neither of these, they say, can be imposed on a mere conduit. In the High Court, the appellants also argued that the DEA imposed a "general obligation to monitor" which is forbidden by article 15 of the directive. That argument is no longer live - I think (though I may have misunderstood this) because the Court of Appeal did not give permission on that point.

The third ground is based on the Directive on Privacy and Electronic Communications (2002/58/EC) which (amongst other things) imposes conditions on the processing of traffic data by ISPs. Ordinarily, traffic data must be anonymised or erased when it is no longer needed for the purposes of transmission, except for certain limited exceptions and derogations. The appellants' case is that the DEA's purpose does not fall within any of those exceptions or derogations and so keeping the traffic data in order to enforce copyright is not permitted.

The last of the four grounds is built on the Authorisation Directive. The Authorisation Directive was aimed at opening up the electronic communications sector to competition by preventing member states from imposing onerous conditions on prospective comms providers. To that end, a member state may not charge a prospective ISP fees, or impose conditions on them, unless authorised to do so by the directive. The appellants say that is exactly what the DEA does, or will do, and that the DEA therefore offends against the Authorisation Directive. The appellants won a partial victory on this point in the High Court, managing to knock out a requirement that they pay a share of OFCOM's fees for managing the initial obligations code.

I am extremely pleased that permission has been given. Being optimistic, I can hope that light will be thrown - possibly even by the CJEU if the Court of Appeal consults it - on any one of these directives. They are all of some importance in my practice and so I am understandably keen to see as much clarity as possible. With four directives to choose from there's every chance that some useful principles will come out of this case.

In any event, it means that the "graduated response" intended by the DEA is going to be just that bit further in the future. In related news, Julian Huppert (Liberal Democrat MP for Cambridge) has tweeted his plan to try to have the web blocking provision (section 17) of the DEA repealed. The government have already indicated that they are unlikely to use section 17 in the foreseeable future, so this may be uncontroversial. I will watch events with interest as they unfold.

Saturday, 8 October 2011

Digital Economy Act to go to the Court of Appeal

Yesterday, the Court of Appeal gave BT and TalkTalk permission to appeal to the Court of Appeal. I do not have any more details - in particular what the reasoning of the court was and on what grounds the appeal will be argued. I hope to blog about them as soon as they become available.

Earlier this year, the Court of Appeal, in the form of Buxton LJ, had refused permission to appeal, leading to some rather misleading press coverage such as the Guardian's "Court of appeal's decision means long-running battle by UK's biggest ISPs is effectively over". Not so of course.

Unless the Court of Appeal thinks that an application for permission is "totally without merit", a prospective appellant may always renew an application for permission orally, under CPR 52.3. This is, I understand, what BT and TalkTalk did.

Tuesday, 26 July 2011

Google's name policy is not illegal

This is a quick response to a google+ post suggesting that google's "real name" policy is contrary to the Privacy and Electronic Communications (EC Directive) Regulations 2003.

The post is, I'm afraid, quite wrong. The poster relies on regulation 18 which controls the compilation of any "directory of subscribers". It gives various rights which depend on the nature of the directory (telephone or not) and the nature of the person included (individual or corporation) which might allow opting out or require opting in and so on.

Regulation 18 only applies to a "directory of subscribers". The term "subscriber" is defined in regulation 2 to mean "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services". A "public electronic communications service" is defined in section 151 of the Communications Act 2003 to mean "any electronic communications service that is provided so as to be available for use by members of the public" and "electronic communications service" is defined in section 32 of the same act to mean "a service consisting in, or having as its principal feature, the conveyance by means of an electronic communications network of signals, except in so far as it is a content service".

So: google+ is not a public communications provider and hence its members are not subscribers. Regulation 18 does not apply.

As far as I can tell, there is no regulatory reason why google+ should not operate a "real name" policy. They would have to be a little careful about the implementation of the policy within the EU in case they fall foul of European discrimination law. If, for instance, they ended up systematically blocking individuals from one racial group significantly more than those from another because their real names seemed too odd to google employees, that might amount to racial discrimination. As readers will know, some ethnic groups prefer to have a single name, rather than a forename + surname model.

But that depends on how the policy is implemented, not the policy itself. So I would suggest not contacting the ICO who is already quite busy.

Wednesday, 1 June 2011

Peer to Patent (UK) launched

The UK's Intellectual Property Office has launched a website that allows members of the public to supply prior art for (and comment on) pending patent applications. Peer to Patent is an idea that was piloted in the United States (with a second pilot ongoing). A pilot in Australia also ran for six months from December 2009. I do not know what plans there are for continuing it.

The "prior art" or, strictly speaking, the "state of the art" is a central concept in patent law. In the UK, section 2 of the Patents Act 1977 ("novelty") explains that an invention is only "new" (and therefore patentable) if it is not already part of the state of the art. Section 3 ("inventive step") relies on the state of the art (or at least part of it) in defining whether or not a patent contains an inventive step (again, without which it will not be patentable).

The problem that Peer to Patent seems to be trying to solve is to give patent examiners access to that prior art. There is no "prior art" database that an examiner can simply search. They can try looking at past patents, which certainly contain a great deal of prior art, but an invention may not have been patented — particularly in an area of industry which is new or in which patents were not traditionally sought. Computer software patents are a prime example of this. In Australia one patent examiner commented:

I would say that the [Peer-to-Patent Australia prior art] documents were of greater relevance than those found during the initial search. I think they were somewhat helpful for this particular application, in which the claims were drafted using broad terminology, which was difficult to search.

So, patent examiners do appear to be finding it useful. An earlier blog post by the IPKat on the subject attracted some negative comments. They seem overly cynical to me. The US and Australian experiences do seem to suggest that patent examiners like it and that more prior art is being exposed at an earlier stage, which must be a good thing. Now, I am sceptical that the patent system (either in the UK or the world) does what it is supposed to do. For example, the very high cost of bringing or defending patent proceedings means that practice and theory diverge considerably. There are numerous other criticisms that one might reasonably levy. But, sceptic or not, I welcome anything that tries to make the system better, even if it is very modest indeed. I would encourage anyone with specialist knowledge of the patents on offer to engage. Of course, really they need a badge system. Maybe it will come.

Tuesday, 17 May 2011

Restraining cookies: the new privacy rules

On 26th May 2011, a new law — the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 — comes into force which will change fundamentally the legal regime governing cookies and other similar locally stored data. As I will explain, the legal change is a big deal, but the practical effect may, at least in the short term, be small.

The Information Commissioner has published some useful practical guidelines (alas only as a PDF). They are not definitive (so they may not protect you in the unlikely event someone tries to sue you for damages caused by a breach of the regulations) but since the Information Commissioner (or his office at least) has the primary role in enforcing the regulations, complying with his guidelines will go a long way to avoiding any possible legal repercussions. If you have a short attention span and wish to read only one thing about the new cookie law then I'd advise you go there (see you another time and thanks for visiting).

The new rules apply to storing information (or accessing information stored) on a public network user's computer. That includes not only cookies and "flash cookies" but any other information that might be stored on a local computer; for example, they would certainly apply to the iPhone's storage of location data. For brevity I'll talk about cookies and storing cookies, but all that follows applies much more widely than that.

Overview

The amended regulation 6 will forbid anyone from storing cookies unless one of the following applies:

  • the user has given their prior, informed, consent (an opt out is no good)
  • it is for the sole purpose of "carrying out the transmission of a communication"
  • it is strictly necessary for the provision of an information society service that was requested by the user

In practice this means that, except in very limited circumstances, prior explicit permission will need to be given by a user before using cookies. The limited circumstances might include situations where the illusion of a session (http being stateless) is needed in order to provide the user with the service they want, for example via a "shopping cart".

Tracking what a user does (eg with a tool like google analytics) or supplying additional services they might want (eg "other users also bought...") would not be for a service "requested by the user" and so would need consent.

Consent may be given by the user explicitly setting their browser to accept cookies. At the moment most browsers will, by default, accept cookies and so it is not, at present, realistic to rely on a user's browser settings to gain the necessary consent. Browser technology may change to make such a reliance tenable and I expect there to be some pressure in that direction.

Clauses in a website's terms and conditions which do not have to be explicitly accepted by a user (for example because they are linked to at the bottom of a page) are, in my view, also not going to be any good.

One small consolation to online service providers is that the ICO has said that in the early stages of this new law all he will look for is a plan to get things right, rather than expect 100% compliance from 26th May. That isn't an excuse to be complacent, but does give some breathing space.

Detail

The origin of the new law is in an amendment to the directive on privacy and electronic communications (directive 2002/58/EC). There doesn't appear to be a consolidated version in html format online, but for the purposes of this post all we care about is the replacement article 5(3), which was added by the amending directive and reads:

3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

On one analysis it is not the web server (and thus the operator of the server) who stores or gains access to cookies on a user's machine; rather the server returns a "Set-Cookie" response header which a web browser has no obligation to honour. It is also the web browser that transmits the value of a cookie back to the web server.

The directive is not intended to be understood in so narrow a sense. Only a small minority of web users understand how http works. The majority will not realise that information is being stored by their web browser on someone else's behalf. It is clearly the risks associated with this lack of knowledge that the directive aims to address. Recital 24 says:

(24) Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.

Recital 25 makes it clear that "cookies" are one such device. It concedes that they can be legitimate and useful but that any use must be with informed consent.

Article 5(3) is very broad in its application. It catches storage on any "terminal equipment" (so mobile devices as well as traditional PCs) and is not restricted to the web or web browsers. The terminal equipment need only belong to a "user", which is defined in article 2(a) as anyone using the network for private or business purposes. So it does not seem to be possible to agree with a subscriber to (say) an ISP or mobile phone service in advance that they consent to the storage of cookies etc on any terminal equipment using their connection if others might use it with different equipment.

The only obvious restrictions to 5(3) are:

  • It only applies to services available over public communication networks and so does not apply to (i) private network services or (ii) to gaining access to a computer without using a network at all.
  • Unsurprisingly, member states are allowed to create their own exceptions where necessary for the purposes of public security, defence and the prevention of crime. Just such an exception was made by the UK in regulation 28.

Who is responsible? For example, at present I publish this blog using google's blogger service. If google choose (say) to track those reading my blog using cookies without my asking them to, what then? In my view it is the service provider (in this case google) that is carrying out the unlawful activity rather than I, although if I have expressly asked them to do so, then we may both be responsible. If, on the other hand, my blog was made available on a "dumber" hosting service - for example if I installed my own wordpress instance on a server on which I had shell access and I decided to use cookies - then it would be I, not the provider of my shell access account, who would have to take care of the legalities.

There are two ways that a user (or subscriber)'s rights may be enforced. First by the information commissioner in much the same way as data protection obligations are enforced. Second, regulation 30 permits an individual who has suffered damages as a result of a breach (who might not be the user or subscriber whose equipment was accessed) to bring a claim for damages against the person who committed the breach. There is a defence of reasonable care against such a claim.

So, where cookies are used to illicitly track an individual's preferences and sold to advertisers to allow advertising to be targeted, there is unlikely to be any actual damage and enforcement would have to be by the information commissioner. By contrast, where the use of cookies results in someone's bank details being obtained by a third party (entirely possible with some of the more poorly written systems out there) there may well be financial loss and a right of action. In practice I don't expect to see very many claims, interesting though they would be.

Update

An anonymous commenter asks about other forms of content stored by a web browser. A web browser will almost always store the http response(s) to any request. Some of the information contained in that response may be sent back to the server. A simple example being the value of any fields set in an HTML form, but there are many other, in some cases very sophisticated, mechanisms for doing the same thing. Even the URL in an href attribute can be used to store information — as those with long web memories will recall, one of the earliest example applications using HTML created a noughts and crosses game doing just that.

I suspect that the courts will read the directive as applying only to data stored on a user's computer that can (in principle) be later retrieved by the person storing it or by some other third party. It seems to me that the directive is aimed at the kind of mischief which arises where someone or some people track what a user does and keep secret information about them that they can use for their own purposes. Of course there are still risks if information is stored without your knowledge even if it is accessible only to the user of the computer, so the courts may decide to read the directive more widely than that.

Most of these forms of storage will be lawful because they are strictly necessary to provide the service sought by the user. HTML stored by the browser which is displayed to the user is a necessary part of browsing any web page. Ditto where form fields are used for any kind of web transaction such as logging in or purchasing a product. The service can't be supplied without some local state being maintained one way or another. The user will expect it to be so.

On the other hand, keeping a complicated session key that tracks (or allows the tracking) of the user's behaviour without forming part of the functionality the user wanted, would, in my view, fall foul of the directive and need express consent. The fact that cookies aren't used is irrelevant.
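Two mechanical points made above deserve a worked illustration: first, that the server only *proposes* a cookie via a Set-Cookie header and it is the browser that stores it, decides whether to honour the request, and sends the value back; second, that client-side state can equally be carried in a link's URL, so "the fact that cookies aren't used is irrelevant". The following Python script is an added example written for this post, not code from the original or from any browser or site; the shop name, cookie names and values are constructed, and the two acceptance policies (honour everything, or refuse cookies given an expiry) are a toy stand-in for real browser settings.

```python
"""Who stores a cookie? A toy model of the HTTP cookie exchange.

Added example, not from the original post. The server can only ask the
browser to store a cookie (Set-Cookie); the browser holds the store on the
user's machine, applies its own policy, and is the party that later sends
the value back in the Cookie request header. The second part shows the same
state round-tripping through a URL with no cookie at all.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed response headers from a hypothetical shop (not a real site):
# one session cookie for the basket and one year-long tracking cookie.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "basket=s7f3k; Path=/; HttpOnly"),
    ("Set-Cookie", "_visitor=u-98765; Path=/; Max-Age=31536000"),
]


def is_persistent(morsel):
    """True when the server asked for the cookie to outlive the browser
    session, i.e. it supplied an Expires or Max-Age attribute."""
    return bool(morsel["expires"] or morsel["max-age"])


def accept_all(name, morsel):
    """Default behaviour of most browsers at the time: honour every Set-Cookie."""
    return True


def session_only(name, morsel):
    """A stricter (hypothetical) setting: keep session cookies, refuse persistent ones."""
    return not is_persistent(morsel)


class BrowserCookieJar:
    """The browser's side of the exchange: parse Set-Cookie headers, apply the
    user's acceptance policy, and later emit the Cookie request header."""

    def __init__(self, policy):
        self.policy = policy
        self.store = {}  # name -> value; this is what lives on the user's machine

    def receive(self, headers):
        """Process the headers of one HTTP response."""
        for field, value in headers:
            if field.lower() != "set-cookie":
                continue
            parsed = SimpleCookie()
            parsed.load(value)
            for name, morsel in parsed.items():
                if self.policy(name, morsel):
                    self.store[name] = morsel.value
                # A refused cookie is simply never written to this machine.

    def cookie_header(self):
        """Value the browser would send in its next request's Cookie header,
        or None when nothing is stored."""
        if not self.store:
            return None
        return "; ".join(f"{k}={v}" for k, v in self.store.items())


def put_state_in_url(url, state):
    """Encode client state into a link's query string: no cookie is set, yet
    the state comes back to the server when the user follows the link."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(state), parts.fragment))


def read_state_from_url(url):
    """Recover the state the server would see when the link is followed."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    lax = BrowserCookieJar(accept_all)
    lax.receive(SAMPLE_RESPONSE_HEADERS)
    print("accept-all browser sends:", lax.cookie_header())

    strict = BrowserCookieJar(session_only)
    strict.receive(SAMPLE_RESPONSE_HEADERS)
    print("session-only browser sends:", strict.cookie_header())

    link = put_state_in_url("https://shop.example/board", {"board": "X.O......"})
    print("state in link:", link, "->", read_state_from_url(link))
```

Run with the accept-all policy the browser echoes both cookies back; with the session-only policy the tracking cookie never reaches the machine, which is the sense in which the browser, not the server, does the storing. The URL example carries a noughts-and-crosses board in the link itself, the trick the Update describes.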