Wednesday, 26 October 2011

Newzbin2 - the order

The High Court has just handed down its order in "Newzbin2".

For those not following the story so far goes like this: newzbin (whose site I will not link to for obvious reasons) describe themselves as a "Hand edited, searchable archive of Usenet binary content from the creators of the NZB Format." USENET is of course the grandparent of most peer-to-peer file sharing networks. People were sharing copyright material via USENET even when I started using the internet over 20 years ago. Newzbin do not host any of the material (which is available via USENET) but their site undoubtedly makes it much easier to find copyright infringing material to be downloaded. Unsurprisingly, many large copyright owners do not like it.

Last year, a group of Hollywood studios persuaded Mr Justice Kitchen that Newzbin were guilty of copyright infringement in three different ways (1) their actions amounted to "authorisation" of copyright infringement; (2) they were also joint infringers with or procurers of the infringement of their subscribers; (3) even though they did not host any of the movies complained about they "made them available to the public" which is an act protected by copyright. The case Twentieth Century Fox v Newzbin [2010] EWHC 608 (Ch) makes interesting reading as it explores just how far a website may (or in that case may not) go without infringing copyright.

Newzbin's reaction was to be expected: their operation moved outside the jurisdiction of the UK courts. Undeterred (one hopes they were sufficiently web-savvy to have anticipated the move) the studios applied to the High Court for an injunction against BT to force BT to block access to Newzbin to its (ISP) customers. The studios made use a statutory power given to the High Court to make injunctions of this kind under section 97A of the Copyright Designs and Patents Act 1988.

At the end of July, Mr Justice Arnold agreed to grant the injunction (Twentieth Century Fox v British Telecommunications [2011] EWHC 1981 (Ch) ). Lillian Edwards wrote a very neat analysis of the decision on the day it appeared. As she explains, Newzbin was an unusually good case for an injunction, not least because there had already been a decision of the High Court finding that the site was involved in copyright infringement. Other cases may be more difficult for rights holders to argue. It will depend.

Mr Justice Arnold postponed deciding on the exact form of the injunction — that is exactly what BT should be ordered to do — until he had heard further submissions from the parties. His decision on the form of order was what was handed down today.

A huge simplifying factor is that BT are already running a system known as Cleanfeed which is used to filter out material on the Internet Watch Foundation's list of suspect IP addresses and blacklisted URL's. This meant the order could require BT to add IP addresses and URL's supplied by the studios to its Cleanfeed list.

Cleanfeed is not used with all BT ISP products. In particular it is not used for what is effectively wholesale supply of internet connectivity, nor to particular customers in certain cases — one example being the police who, one imagines, absolutely do wish to be able to access illegal material for investigatory purposes. The order applies "In respect of its customers to whose internet service the system known as Cleanfeed is applied whether optionally or otherwise". Read literally that would appear to mean that customers who have Cleanfeed as an option but have opted out would still have to be filtered by BT. It is unclear to me whether that is what the judge intends.

The order makes it clear that BT is not required to carry out deep packet inspection. BT need simply rely on the IP addresses and URL's reported to it by the studios, but this, in my view, leads to the most serious defect in the order: it relies entirely on the good faith and judgment of the studios. There is no sanction for mis-reporting of websites. Since there is no requirement to publish the list of sites supplied to BT or to notify site owners that they have been placed on the list, it may be difficult to ensure that the studios act fairly and properly.

BT did try to obtain what is known as a cross-undertaking or an indemnity from the studios which would have compensated BT for any loss it suffered as a result of any mistakes made by the studios. The judge rejected that request on the basis that, as he decided, BT could not be liable for damages (eg by being sued by its customers) because it was acting under a court order. That will no doubt be a useful decision for ISP's and web service providers in other situations, but it did mean there was no basis for imposing any sanction on the studios for supplying incorrect sites in its list.

There was some argument as to how precisely the list should be described. In order to ensure that it would be difficult to circumvent the order, the judge decided that the order would apply to not only the newzbin website itself but also to "any other IP address or URL whose sole or predominant purpose is to enable or facilitate access to the Newzbin2 website". Here we see one of the weaknesses of section 97A. It gives the High Court the power to grant an injunction but it fails completely to say what kind of an injunction that might be. In particular it does not say that the injunction should be restricted to preventing access to sites where copyright is being infringed (like Newzbin). I am therefore concerned about whether the combination of the wording of the order and lack of sanction on studios may cause problems at a later date.

The other significant issue was costs. While costs (which lawyers get very excited about) may not seem as interesting as arguments about what should be blocked and how, costs are often as expensive to a party as the consequences of losing (or winning) a claim. Costs are a big deal. One positive outcome of the decision is that BT was entitled to be paid its legal costs for the first part of the claim up to 16 December 2010 - in other words the costs that would have to be incurred to obtain a court order. In the future ISP's can be reasonably confident that they can demand a court order before instituting website blocking and not expect to have to pay the costs of that order. The judge found that BT should pay the costs of the contested part of the proceedings, but that each party would bear its own costs for the decision about the final order.

In conclusion, I have two points to make: first, it is now clear that copyright owners are perfectly able to obtain quite favourable court orders to block websites, so that there was really no need for the Digital Economy Act 2010 to introduce more website blocking provisions when the existing ones (in section 97A) had not been properly tried out. Second, other cases may not work out the same way as this one. For example TalkTalk do not run Cleanfeed. One expects that the argument (and subsequent order) in a case against TalkTalk might be a little different for that reason. We will see.

Thursday, 20 October 2011

Can we force facebook to give us its "like" database?

Jim Killock of the Open Rights Group pointed me at an interesting response made by facebook to an Irish student named Max's subject access request under Irish data protection legislation which forms a part of the Europe versus facebook campaign.

The particular point that interests me is that, concerns facebook's tracking of all pages visited which show a "like" button - a practice that can be really intrusive. Although Max did obtain a considerable quantity of information, facebook did not release to him their list of "like" tracked data.

In their response facebook say:

Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.

Unfortunately for facebook, that isn't quite what the relevant Irish legislation appears to say (health warning: I am not an Irish lawyer). What section 4(12) of the Irish Data Protection Act 1988 says, according to a consolidated version of the statute, is:

(12) Subsection (1)(a)(iv) of this section is not to be regarded as requiring the provision of information as to the logic involved in the taking of a decision if and to the extent only that  such provision would adversely affect trade secrets or intellectual property (in particular any  copyright protecting computer software).

Note the phrase "information as to the logic involved in the taking of a decision". What this is all about is that section 4 gives data subject several different rights. One right (in section 4(1)(iii)(I)) is to be supplied with a copy of "the information constituting any personal data of which that individual is the data subject" - a simple right to information. Another, and different right, can be found in section 4(1)(iv) which applies to automatic decision making by the data controller. Here the data subject has a right to be informed of the "logic involve in the processing". Obviously that's quite a different right since it is essentially a right to know about algorithms rather than data.

Quite clearly section 4(12) is a restriction on the right under 4(1)(iv) to know about the logic of automatic decision making and not a restriction on the right of information simplicter. Nice try facebook, but I can't see that working.

Our own legislation is very slightly different. We also have a right (in section 7(1)(d) of the Data Protection Act 1998 to be informed about the logic involved in automatic decision making, but the restriction on that right is limited to trade secrets. Section 8(5) says:

Section 7(1)(d) is not to be regarded as requiring the provision of information as to the logic involved in any decision-taking if, and to the extent that, the information constitutes a trade secret.
So that any UK national involved in the Europe v facebook campaign has a much stronger argument.

In any case, at best facebook can claim a database right over the contents of the list of pages visited by Max that they have collected using the "like" button. The database right is a creature of European law (directive 96/9/EC). Recital 48 of the directive states that "the provisions of this Directive are without prejudice to data protection legislation", which seems to me to argue that data protection law ought to trump database right. If you think about it, the contrary would be an impossible situation. Personal data will often be protected by database rights. If you could use database rights to avoid subject access requests they would be of far less use.

Monday, 10 October 2011

Digital Economy Act appeal: more detail

As I said on Saturday, TalkTalk and BT have obtained permission to appeal to the Court of Appeal in their judicial review of the Digital Economy Act 2010 ("the DEA").

Thanks to the counsel for the appellants I now have a little more information. The appeal is going forward on essentially the first four grounds that were put forward at the original judicial review hearing. The appellants did not appeal on the fifth ground: proportionality. I thought it might be useful, at this stage, to give an extremely rough outline of those four grounds.

The first objection concerns the Technical Standards Directive (83/189/EEC), the aim of which is that any laws that impose technical standards on goods or services (known as "technical standards" and "rules on services") are reported to the European Commission in enough time for the impact of the proposed law on intra-community trade to be assessed and any objections to be raised. This is known as the "standstill period". Failure to comply with the procedure renders the relevant law unenforceable.

The appellants say: "The DEA is a technical standard and/or rule on services; it wasn't notified to the Commission before it was passed, therefore it is void. The government responds: "No it isn't! Its not nearly detailed enough to be a technical standard etc at this stage, you have to wait for all the little statutory instruments we are going to make under it before there's enough detail to need notification."

The second ground concerns the E-Commerce Directive. As readers may know, this gives various kinds of immunity to providers of "information society services" and in particular to ISP's who, as "mere conduits", are not liable for the information that they transmit.

The appellants case is that the DEA does impose liability for information transmitted and/or it imposes a requirement to remove or disable access to information. Neither of these, they say, can be imposed on a mere conduit. In the High Court, the appellants also argued that the DEA imposed a "general obligation to monitor" which is forbidden by article 15 of the directive. That argument is no longer live - I think (though I may have misunderstood this) because the Court of Appeal did not give permission on that point.

The third ground is based on the Directive on Privacy and Electronic Communications (2002/58/EC) which (amongst other things) imposes conditions on the processing of traffic data by ISP's. Ordinarily, traffic data must be anonymised or erased when it is no longer needed for the purposes of transmission, except for certain limited exceptions and derogations. The appellants case is that the DEA's purpose does not fall within any of those exceptions or derogations and so keeping the traffic data in order to enforce copyright is not permitted.

The last of the four grounds is built on the Authorisation Directive. The Authorisation Directive was aimed at opening up the electronic communications sector to competition by preventing member states from imposing onerous conditions on prospective comms providers. To that end, a member state may not charge a prospective ISP fees, or impose conditions on them, unless authorised to do so by the directive. The appellants say that is exactly what the DEA does, or will do, and that the DEA therefore offends against the Authorisation Directive. The appellants won a partial victory on this point in the High Court, managing to knock out a requirement that they pay a share of OFCOM's fees for managing the initial obligations code.

I am extremely pleased that permission has been given. Being optimistic, I can hope that light will be thrown - possibly even by the CJEU if the Court of Appeal consults it - on any one of these directives. They are all of some importance in my practice and so I am understandably keen to see as much clarity as possible. With four directives to chose from there's every chance that some useful principles will come out of this case.

In any event, it means that the "graduated response" intended by the DEA is going to be just that farther in the future. In related news, Julian Hupper (Liberal Democrat MP for Cambridge) has tweeted his plan to try to have the web blocking provision (section 17) of the DEA repealed. The government have already indicated that they are unlikely to use section 17 in the foreseeable future, so this may be uncontroversial. I will watch events with interest as they unfold.

Saturday, 8 October 2011

Digital Economy Act to go to the Court of Appeal

Yesterday, the Court of Appeal gave BT and TalkTalk permission to appeal to the Court of Appeal. I do not have any more details - in particular what was the reasoning of the court and what on what grounds will the appeal be argued. I hope to blog about them as soon as they become available.

Earlier this year, the Court of Appeal, in the form of Buxton LJ, had refused permission to appeal, leading to some rather misleading press coverage such as the Guardian's "Court of appeal's decision means long-running battle by UK's biggest ISPs is effectively over". Not so of course.

Unless the Court of Appeal thinks that an application for permission is "totally without merit", a prospective appellant may always renew an application for permission orally, under CPR 52.3. This, is, I understand, what BT and TalkTalk did.

Tuesday, 26 July 2011

Google's name policy is not illegal

This is a quick response to a google+ post suggesting that google's "real name" policy is contrary to the Privacy and Electronic Communications (EC Directive) Regulations 2003.

The post is, I'm afraid, quite wrong. The poster relies on regulation 18 which controls the compilation of any "directory of subscribers". It gives various rights which depend on the nature of the directory (telephone or not) and the nature of the person included (individual or corporation) which might allow opting out or require opting in and so on.

Regulation 18 only applies to a "directory of subscribers". The term "subscriber" is defined in regulation 2 to mean "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services". A "public electronic communications service" is defined in section 151 of the Communications Act 2003 to mean "any electronic communications service that is provided so as to be available for use by members of the public" and "electronic communications service" is defined in section 32 of the same act to mean "a service consisting in, or having as its principal feature, the conveyance by means of an electronic communications network of signals, except in so far as it is a content service".

So: google+ is not a public communications provider and hence its members are not subscribers. Regulation 18 does not apply.

As far as I can tell, there is no regulatory reason why google+ should not operate a "real name" policy. They would have to be a little careful about the implementation of the policy within the EU in case they fall foul of European discrimination law. If, for instance, they ended up systematically blocking individuals from one racial group significantly more than those from another because their real names seemed too odd to google employees, that might amount to racial dscrimination. As readers will know, some ethnic groups prefer to have a single name, rather than a forename + surname model.

But that depends on how the policy is implemented, not the policy itself. So I would suggest not contacting the ICO who is already quite busy.

Wednesday, 1 June 2011

Peer to Patent (UK) launched

The UK's Intellectual Property Office has launched a website that allows members of the public to supply prior art (and comment on) for pending patent applications. Peer to Patent is an idea that was piloted in the United States (with a second pilot ongoing). A pilot in Australia also ran for a six month pilot from December 2009. I do not know what plans there are for continuing it. The "prior art" or, strictly speaking, the "state of the art" is a central concept in patent law. In the UK, section 2 of the Patents Act 1977 ("novelty") explains that an invention is only "new" (and therefore patentable) if it is not already part of the state of the art. Section 3 ("inventive step") relies on the state of the art (or at least part of it) in defining whether or not a patent contains an inventive step (again without which it will not be patentable). The problem that peer-to-patent seems to be trying to solve is to give patent examiners access to that prior art. There is no "prior art" database that an examiner can simply search. They can try looking at past patents which certainly contain a great deal of prior art, but an invention may not have been patented — particularly in an area of industry which is new or in which patents were not traditionally sought. Computer software patents are a prime example of this. In Australia one patent examiner commented:
I would say that the [Peer-to-Patent Australia prior art] documents were of greater relevance than those found during the initial search. I think they were somewhat helpful for this particular application, in which the claims were drafted using broad terminology, which was difficult to search.
So, patent examiners do appear to be finding it useful. An earlier blog post by the IPKAT on the subject attracted some negative comments. They seem overly cynical to me. The US and Australian experiences do seem to suggest that patent examiners like it and that more prior art is being exposed at an earlier stage which must be a good thing. Now, I am sceptical that the patent system (either in the UK or the world) does what it is supposed to do. For example, the very high cost of bringing or defending patent proceedings means that practice and theory diverge considerably. There are numerous other criticisms that one might reasonably levy. But, sceptic or not, I welcome anything that tries to make the system better, even if its very modest indeed. I would encourage anyone with specialist knowledge of the patents on offer to engage. Of course, really they need a badge system. Maybe it will come.

Tuesday, 17 May 2011

Restraining cookies: the new privacy rules

On 26th May 2011, a new law — the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 — comes into force which will change fundamentally the legal regime governing cookies and other similar locally stored data. As I will explain, the legal change is a big deal, but the practical effect may, at least in the short term, be small.

The Information Commissioner has published some useful practical guidelines (alas only as a PDF). They are not definitive (so they may not protect you in the unlikely event someone tries to sue you for damages caused by a breach of the regulations) but since the Information Commissioner (or his office at least) has the primary role in enforcing the regulations, complying with his guidelines will go a long way to avoiding any possible legal repercussions. If you have a short attention span and wish to read only one thing about the new cookie law then I'd advise you go there (see you another time and thanks for visiting).

The new rules apply to storing (or accessing information stored) on a public network user's computer. That includes not only cookies and "flash cookies" but any other information that might be stored on a local computer, for example they would certainly apply to the iPhone's storage of location data. For brevity I'll talk about cookies, storing cookies but all that follows applies much wider than that.

Overview

The amended regulation 6 will forbid anyone from storing cookies unless one of the following applies:

  • the user has given their prior, informed, consent (an opt out is no good)
  • it is for the sole purpose of "carrying out the transmission of a communication"
  • it is strictly necessary for the provision of an information society service that was requested by the user

In practice this means that, except in very limited circumstances, prior explicit permission will need to be given by a user before using cookies. The limited circumstances might include situations where the illusion of a session (http being stateless) is needed in order to provide the user with the service they want, for example via a "shopping cart".

Tracking what a user does (eg with a tool like google analytics) or supplying additional services they might want (eg "other users also bought...") would not be for a service "requested by the user" and so would need consent.

Consent may be given by the user explicitly setting their browser to accept cookies. At the moment most browsers will, by default, accept cookies and so it is not, at present, realistic to rely on a user's browser settings to gain the necessary consent. Browser technology may change to make such a reliance tenable and I expect there to be some pressure in that direction.

Clauses in a website's terms and conditions which do not have to be explicitly accepted by a user (for example because they are linked to at the bottom of a page) are, in my view, also not going to be any good.

One small consolation to online service providers is that the ICO has said that in the early stages of this new law all he will look for is a plan to get things right, rather than expect 100% compliance from 26th May. That isn't an excuse to be complacent, but does give some breathing space.

Detail

The origin of the new law is in an amendment to the directive on privacy and electronic communications (directive 2002/58/EC). There doesn't appear to be a consolidated version in html format online, but for the purposes of this post all we care about is replace article 5(3) which was added by directive and reads:

3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

One one analysis it is not the web server (and thus the operator of the server) who stores or gains access to cookies on a user's machine, rather the server returns a "Set-Cookie" response which a web browser has no obligation to honour. It is also the web browser that transmits the value of a cookie back to the web server.

The directive is not intended to be understood in so narrow a sense. Only a small minority of web users understand how http works. The majority will not realise that information is being stored by their web browser on someone else's behalf. It is clearly the risks associated with this lack of knowledge that the directive aims to address. Recital 24 says:

(24) Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.

Recital 25 makes it clear that "cookies" are one such device. It concedes that they can be legitimate and useful but that any use must be with informed consent.

Article 5(3) is very broad in its application. It catches storage on any "terminal equipment" (so mobile devices as well as traditional PC's) and is not restricted to the web or web browsers. The terminal equipment need only belong to a "user" which is defined in article 2(a) as anyone using the network for private or business purposes. So it does not seem to be possible to agree with a subscriber to (say) an ISP or mobile phone service in advance that they consent to the storage of cookies etc on any terminal equipment using their connection if others might use it with different equipment.

The only obvious restrictions to 5(3) are:

  • It only applies to services available over public communication networks and so does not apply to (i) private network services or (ii) to gaining access to a computer without using a network at all.
  • Unsurprisingly, member states are allowed to create their own exceptions where necessary for the purposes of public security, defence and the prevention of crime. Just such an exception was made by the UK in regulation 28 .

Who is responsible? For example, at present I publish this blog using google's blogger service. If google choose (say) to track those reading my blog using cookies without my asking them to, what then? In my view it is the service provider (in this case google) that is carrying out the unlawful activity rather than I, although if I have expressly asked them to do so, then we may both be responsible. If, on the other hand, my blog was made available on a "dumber" hosting service - for example if I installed my own wordpress isntance on a server on which I had shell access and I decided to use cookies, then it would be I, not the provider of my shell access account, who would have to take care of the legalities.

There are two ways that a user (or subscriber)'s rights may be enforced. First by the information commissioner in much the same way as data protection obligations are enforced. Second, regulation 30 permits an individual who has suffered damages as a result of a breach (who might not be the user or subscriber whose equipment was accessed) to bring a claim for damages against the person who committed the breach. There is a defence of reasonable care against such a claim.

So, where cookies are used to illicitly track an individual's preferences and sold to advertisers to allow advertising to be targeted, there is unlikely to be any actual damage and enforcement would have to be by the information commissioner. By contrast, where the use of cookies results in someone's bank details being obtained by a third party (entirely possible with some of the more poorly written systems out there) there may well be financial loss and a right of action. In practice I don't expect to see very many claims, interesting though they would be.

Update

An anonymous commenter asks about other forms of content stored by a web browser. A web browser will almost always store the http response(s) to any request. Some of the information contained in that response may be sent back to the server. A simple example being the value of any fields set in an HTML form, but there are many other, in some cases very sophisticated, mechanisms for doing the same thing. Even the URL in an href attribute can be used to store information — as those with long web memories will recall, one of the earliest example applications using HTML created a noughts and crosses game doing just that.

I suspect that the courts will read the directive as applying only to data stored on a user's computer that can (in principle) be later retrieved by the person storing it or by some other third party. It seems to me that the directive is intended at that kind of mischief which arises where someone or some people track what a user does and keep secret information about them that they can use for their own purposes. Of course there are still risks if information is stored without your knowledge even if it is accessible only to the user of the computer, so the courts may decide to read the directive more widely than that.

Most of these forms of storage will be lawful because they are strictly necessary to provide the service sought by the user. HTML stored by the browser which is displayed to the user is a necessary part of browsing any web page. Ditto where form fields are used for any kind of web transaction such as logging in or purchasing a product. The service can't be supplied without some local state being maintained one way or another. The user will expect it to be so.

On the other hand, keeping a complicated session key that tracks (or allows the tracking) of the user's behaviour without forming part of the functionality the user wanted, would, in my view, fall foul of the directive and need express consent. The fact that cookies aren't used is irrelevant.

Tuesday, 15 March 2011

Colonel Mustard is not in the Library with a copyright claim form

My friend Sym came up with a neat joke:

Playing Big Society Cluedo. It's easier than normal Cluedo because there isn't a library.

and promptly tweeted it. Much retweeted it ended up being used by the BBC's Now Show, without attribution of any kind. Sym is a generous soul and I doubt that worried him too much but he mentioned it on his (private) facebook wall.

As regular readers will know I'm not exactly a copyright maximalist, but I do find it unattractive that large and powerful organisations that would certainly pursue you if you used their intellectual property appear to be quite happy to use other people's so long as those other people are too small to matter very much. I jokingly suggested I'd help draft his claim form and that lead him to wondering whether there could be any copyright in so slight a thing as a tweeted joke.

Unsurprisingly there are lots of answers on the internet, as a cursory google search will show. One site says categorically "no"; an article in the WIPO magazine thinks "it depends" and there's even a site called canyoucopyrightatweet.com written by a US attorney which again comes down on the side of "it depends". Unfortunately all the really detailed discussion relates to US law, not European or English law. While there's some internationally harmonisation of copyright, there are still significant differences.

So, what of English law. Well, English copyright protects, amongst other things any "original literary work". Most tweets are not going to be original - in fact in many cases that is the whole point - but some, like Sym's joke, seem quite capable of being so. Certainly, I am quite sure that he came up with the joke first.

A "literary work" does not have to be high art. Indeed section 3 of the Copyright, Designs and Patents Act 1988 says that a

“literary work” means any work, other than a dramatic or musical work, which is written, spoken or sung

so its really quite a broad term. In a relatively recent case which rejected a claim for copyright in the names of commands for an airline booking system, Mr Justice Pumfrey was quite clear that single words, at least on their own, could not be copyrighted. In the 2009 Infopaq case, the European Court of Justice were prepared to accept that an 11 word textual extract could be the subject of copyright and last year in the case of Meltwater Mrs Justice Proudman agreed that, whatever might have been the position under English law, the decision in Infopaq made it plain that as a matter of European law copyright could exist in newspaper headlines provided they were original enough.

So it seems to me that a tweet, provided it is sufficiently original, can be the subject of copyright.

But as I said in an earlier post the existence of copyright is only half the question. What would or would not infringe a short humorous tweet? I haven't heard the particular episode of the Now Show in question but if they read it out they have certainly infringed (and twitter's terms of service don't appear to let them off the hook). If, on the other hand, they only paraphrased the joke, the question is more difficult. Sym might be able to claim ownership of the particular expression of his joke, but he cannot copyright the idea that lies behind it. That idea is free and open to all.

The difficulty with this neat distinction (called the "idea/expression dichotomy") is that courts recognise that you can infringe by copying something more abstract than the exact words used. This should be obvious when you consider that a translation of a work (which will usually use quite different words, unless its into "pirate") is a potential infringement of the original work. Too close a copy of the plot or characterisation in a play (say) would be an infringement even if there had been a good deal of rewriting and reworking.

How on earth this would apply to something as small and neat as a tweet is anybody's guess. I suspect that it is only a matter of time before someone tries to test the question.

UPDATE

In the comments, Sym has helpfully provided the quote from the Now Show:

Someone amused me no end on twitter the other day, ok, when they answered twitter's question 'what are you doing?' by writing: "I'm playing big society cluedo, it's easier than normal cluedo because there isn't a library"

Clearly, if there is copyright in the tweet, this looks like a potential infringement because the whole tweet has been copied pretty much verbatim. But, could there be a defence. There is, of course, no such thing as "fair use" in English law. But quoting a tweet could be "fair dealing for purposes of criticism or review" which is a defence under section 30 of the Copyright, Designs and Patents Act 1988. This requires that:

  • the use is fair dealing
  • the purpose of the use is criticism or review of a work (not necessarily the work quoted) or works
  • the use is accompanied by sufficient acknowledgement

Normally it would not be "fair dealing" to use the whole of a work, but where the work is as short as a tweet it is likely to be impossible to use it critically in any meaningful way without quoting the whole of it. "Someone amused me" probably counts as "criticism".

What about attribution? Section 178 of the act defines "sufficient acknowledgement" as "an acknowledgement identifying the work in question by its title or other description, and identifying the author". "Someone" doesn't seem like enough to me. Although its just possible to argue that "Someone" means "Someone on twitter" and that it is thereby possible identify the author by searching on twitter for the origin of the tweet. Seems like a long shot to me.

Update: I realise with some embarrassment that I didn't link to Lillian Edward's blogpost on this very question.

Sunday, 13 March 2011

Don't return your census form early

This seems a topic that has generated much discussion, so I thought I'd comment on it.

In the United Kingdom we are having a census on Sunday 27th March 2011. It can be completed online or by sending back a census form that has been delivered to most households by now. The census is being carried out by the Office for National Statistics (ONS). Their website says, under the heading "When to return the questionnaire":

Census day is Sunday 27 March. Your answers should be about your household on this day. Please submit or return your completed questionnaire before, on or after this date.

On any analysis that seems a bit odd. Surely you should only be returning your census form after the date of the census since, though you can have a pretty good guess what the answers to the many questions might be, you can't know for certain.

As far as I can see, the ONS is simply wrong to suggest that early return is OK. This Census is governed by the Census (England) Regulations 2010, regulation 10 of which states:

10.—(1) Every prescribed person to whom a household pack has been delivered or on whose behalf delivery was taken under these Regulations must, on the day after census day or as soon after as is reasonably practicable—

(a)complete the copy of questionnaire H1 included in the pack, place it in the reply-paid envelope provided and send the questionnaire to the Authority by post; or

(b)return the information requested by questionnaire H1 electronically using such an electronic system as the Authority may provide for this purpose and in accordance with the instructions included in the accompanying pack.

Which quite clearly does not allow an early census return. Failure to comply with regulation 10 is made a criminal offence (albeit a very minor one) by section 8 of the Census Act 1920. There doesn't appear to be, in the regulations or the act, any power for the ONS to disapply these provisions or vary when the census returns may be made.

I'm not a census lawyer, so maybe I'm missing something here. What's more I doubt that it would be easy to prosecute someone for doing what the ONS has precisely told them to do. It still seems to me to be an odd way to run a census.

Friday, 4 March 2011

Phone hacking and copyright

Hugo at the 1709 blog asks a question about a recent case involving 2 of those who may have been victims in the News of the World phone hacking affair (as wikipedia calls it). Before I try to answer the question, some background.

From information obtained from the Metropolitan Police, Andrew Gray and Steve Coogan both suspected that their voicemail had been accessed by Glenn Mulcaire, the private investigator at the centre of the affair. They sued him — apparently for breach of confidence.

The claimants felt that the Mr Mulcaire's defence left a lot more questions unanswered. For example who had instructed him to intercept voicemails; to whom had he passed on the information; and who else had he been targeting. In order to press him further they each made a request for information asking him a number of questions which, unsurprisingly, he did not appear to wish to answer. In order to resist answering the claimants' requests, Mr Mulcaire relied on the common law right not to be required to answer questions that might incriminate oneself.

The right, known as the "privilege against self-incrimination" is not an absolute one. There are a number of statutory exceptions to it. For example section 31 of the Theft Act 1968 prevents someone from relying on the privilege in proceedings for recovery of property (where things they say might well implicate them in a charge of theft). In a similar manner, section 72 of the Senior Courts Act 1981, lifts the privilege in "proceedings for infringement of rights pertaining to any intellectual property or for passing off".

The phrase "intellectual property" means different things to different people and is much misused. There is no single statutory definition either. I found it interested to read that the court was shown a sample of 20 different enactments where "intellectual property" is defined in different ways and for different purposes and, in the Income Tax Act 2007, in three different parts of the same act. In section 72 it is defined thus:

"intellectual property" means any patent, trade mark, copyright, design right, registered design, technical or commercial information or other intellectual property;

Now the defendants contended that "commercial information" meant only commercial information which was protectable as intellectual property (for which see the other items in the list). The claimants (correctly in my view) said this didn't make sense — obviously what was meant was an extended definition to include "normal" intellectual property of the kind we are used to talking about such as copyright but extended to cover things that would normally not be treated as intellectual property, such as commercial information.

Mr Justice Vos agreed. The defendant lost his privilege and the claimants were allowed to ask some of their questions. Others, the judge thought, were not strictly relevant and constituted "a fishing expedition" (as lawyers call it). An earlier and very similar case, this time involving Nicola Phillips as the victim, had already been decided in the same way and headed to the Court of Appeal. The hope is that all three cases will be joined on appeal and a decision given.

Given how topical phone hacking has been, and the fact that many readers of this blog are involved in industries where confidential information could be intercepted wrongly, I thought this was an interesting case to talk about.

Now to Hugo's question. He asks the question that may be in some of your lips: why didn't the claimants bring a claim for infringement of copyright? Then there would have been no doubt about the application of section 72 and no need to have the argument in the first place. He asks:

Could the claimants simply have relied on the argument that Mulcaire had in any case infringed copyright in sound recordings by recording and transcribing the voicemails? Copyright in sound recordings is owned by their ‘producer’, who is ‘the person by whom the arrangements necessary for the making of the sound recording are undertaken’. Would this be Steve Coogan and Andrew Gray – or would it be Vodafone?

Note that we aren't interested in copyright in the words that were recorded on the victims' voice mail. Even if they qualified for copyright protection — one assumes that "hi, its me" probably does not, whereas something with more substance probably does — the person who left the message would be the author of the words and therefore the copyright would belong to the caller or their employer.

Copyright does protect sound recordings, though for a shorter period than copyright in literary, musical or dramatic works. As Hugo points out, section 9 of the Copyright Act makes the "producer" of a sound recording its "author" (and therefore potential first owner of the copyright) and section 178 gives us the definition.

The nearest authority I can think of is A&M Records v Video Collection International [1995] EMLR 25 which concerned the ownership of an arrangement of "Let's Face the Music and Dance" created for Torvill and Dean's 1994 competition entry. The skater's agent asked a conductor to do the job. He found an arranger, paid for an arrangement of the work suitable for the skaters and then conducted it in a studio he had hired with an orchestra he had put together. The court found that while the conductor had clearly made the recording, it was the agent who had made the "arrangements necessary for the making of the sound recording". I thin this indicates that the courts take a high level view of "producership" and so it would be Mr Gray and Mr Coogan who made the arrangements and were the "producers" even if everything else was done by their mobile telephone company.

But wait, the story doesn't end there. There's no point asking whether something is protected by copyright, without also asking whether there has been infringement. In this case, if Mr Mulcaire had transcribed the telephone conversations, rather than just listened to them and made notes of the facts contained in them, would he have "copied" them? We are all used to the extended definition that section 17 gives to copying of a literary, dramatic, musical or artistic work, which includes "reproducing the work in any material form", but there is no such extended definition for sound recordings. To transcribe a sound recording is not to "copy" it since no new sound recording is made.

So, Mr Mulcaire might have infringed the copyright in the words recorded but that copyright didn't belong to Messrs Gray and Coogan. They probably did own the sound recording copyright, but that wasn't infringed. Their lawyers obviously did know what they were doing (as we suspected) in only suing for breach of confidence. If there's a moral here its that having multiple copyrights in the same "thing" makes for a more complicated analysis.

Thursday, 27 January 2011

Digital Economy Act Costs - an unlawful Prisoners Dilemma

On 17 January 2010, the draft Online Infringement of Copyright (Initial Obligations) (Sharing of Costs) Order 2011 was laid before parliament. It is the first substantive item of secondary legislation made under the Digital Economy Act 2010 and concerns about the simplest thing possible: how much copyright owners and ISP's will have to pay under the Initial Obligations Code (IOC). Despite its simplicity it has been misdrafted and it may also be unlawful.

Background

In case you haven't been following (and why should you?), the Initial Obligations Code is intended to allow copyright owners to send "copyright infringement reports" or CIR's to ISP's, that allege, roughly speaking, that the copyright owner has reason to believe that there has been some copyright infringement associated with one of the ISP's IP addresses. Some of these reports (which and how many to be determined by later legislation) must then be reported by the ISP to its subscriber. If a subscriber collects enough CIR's over a certain period of time (again to be determined) their IP address will go on a list which the copyright owner can then demand from the ISP which will (in theory at least) allow the copyright owner to match up different CIR's to the same subscriber.

There is no such thing as a free lunch. All this has to be paid for. OFCOM which polices the system will need funds to do so, ISP's will incur costs processing CIR's and there will also be an appeal system for subscribers who believe that a CIR was given wrongly which will have to be paid for. The Order is intended to split the cost 75:25 as between copyright owners and ISP's.

I want to avoid engaging in a discussion as to whether the principle of the act is a useful way to encourage people to stop infringing copyright, or a hopelessly misguided waste of time for everybody. I think my views on that are sufficiently well known. What interests me is whether there is anything technically wrong with the order itself, and I think there may be.

A technical miscalculation

Copyright owners are supposed to pay ISP's 75% of the costs that (OFCOM thinks) they will incur in handling the CIR's. OFCOM sets a rate per CIR that copyright owners must pay, which it can change from time to time. Copyright owners pay in advance, and this is where things come unstuck.

Paragraph 2 of the Order's schedule requires the copyright owner to notify in advance any ISP to which it intends to submit CIR's and give an estimate of the number of CIR's it expects to be submitting. Before the start of each notification period, the copyright owner must submit another estimate for the coming notification period and then pay the rate set by OFCOM multiplied by:

(a)the number of copyright infringement reports which the qualifying copyright owner estimates it will make to the qualifying internet service provider under the Code during the notification period; less
(b)the difference between the number of copyright infringement reports which that qualifying copyright owner estimated it would make to that qualifying internet service provider under the Code in the previous notification period and the number it actually made to that qualifying internet service provider in that period, if lower.
Read that carefully. It means that if the copyright owner systematically under estimates the number of CIR's, it will never have to pay the difference. Indeed there is nothing to stop the copyright owner giving an estimate of "1" in each year and paying the fee for exactly one report.

The proportion of fees payable by any copyright owner (or ISP for that matter) to OFCOM are also based on the copyright owner's estimates. The actual number of CIR's submitted never enters into the calculation. This amounts to a zero-sum game between all copyright owners. Each will have an incentive to submit the lowest estimates possible.

Unless I have completely misread the Order this seems quite mad and must (surely) be the result of a misdraft.

UPDATE:

I have been told that OFCOM stated at a stakeholders' meeting that the initial obligations code would limit the number of CIR's a copyright owner could submit in any notification period to the number it had estimated at the start of that period. This would be a change from the draft code published last year and is as suggested by Malcolm Hutty in the comments below.

This does avoid the strong incentive to underestimate the number of CIR's to be submitted, but it does not leave the scheme in a satisfactory state. It is still the case that fees payable to OFCOM are based on estimates and not reality. While that will penalise a copyright owner that overestimates, it will also penalise any ISP that receives an over-estimate of CIR's. The ISP's have no recourse in such a situation.

There is nothing in the Act that prevents the costs regime from dealing with reality and apportioning costs according to actual use (with balancing payments where necessary). OFCOM's suggestion looks like a quick and dirty bug fix, rather than a well thought through statement of policy.

Is the Order lawful?

According to James Firth, it appears that a different concern has been raised by the European Commission. Does the rule on cost sharing comply with the the "Authorisation Directive" (2002/20/EC).

The Authorisation Directive is, as EU directives go, pretty straightforward. The idea behind it is that regulation of those wishing to offer public communication networks should be extremely lightweight. Member States may regulate, but only within fairly tightly defined limits. In particular they may only impose conditions on the operator of a public communications network that fall within one of a list of type of condition (found in Annex A of the Directive).

The list is fairly long, but much of it is pretty common sense. There are only two which could plausibly allow the UK via OFCOM to make ISP's pay for the operation of the Initial Obligations Code.

First, which is what is being referred to in James's post, the UK (via OFCOM) could require ISP's to pay "administrative charges" in order to be authorised to operate a public communications network. Article 12 of the Directive makes it quite clear that "administrative charges" must be just that — charges for the administration of the general authorisation scheme for public communication networks. That does not include an obligation to pay for an appeals body to hear subscriber appeals or money to OFCOM to monitor and run a scheme for assisting copyright owners enforce their rights.

Second, it is permissible to impose a condition restricting the transmission of "illegal content" (such as content which infringes copyright) and "harmful content" (such as indecent images of children). It seems to me that the CIR/initial obligations scheme of the Digital Economy Act 2010 is not a "restriction" on the transmission of illegal content, but something quite different. What is more, a requirement to pay fees cannot be a "restriction" even on a fairly relaxed reading of the Directive.

In other words I cannot see anything in the Authorisation Directive that could allow the UK to impose a requirement to pay for the initial obligations scheme that is compatible with the Authorisation Directive. Unless I am missing something, the Order, as it stands is unlawful.

Interestingly, the 1709 blog asks whether the Order complies with the Technical Standards Directive and suggests that it does, because the imposition of fees and costs under the Order is a restriction permitted by the Authorisation Directive. Alas, whatever view one might take about technical standards, I don't believe the Order complies with the Authorisation Directive.

Conclusion

The Order isn't really news and I am sure the government believes they are complying with the Authorisation Directive. We disagree and only time (and perhaps the ECJ) will tell, but it does worry me that in this already contentious area the first piece of subordinate legislation is already buggy.

Monday, 3 January 2011

A new kind of copyright? Graphical user interfaces in the ECJ.

A decision of the European Court of Justice published before Christmas concerning whether a graphical user interface is protected by copyright causes me concern. I have not seen any detailed analysis of the decision which may be due to Christmas and New Year stupor. I plead the same excuse for what follows.

The case Bezpečnostní‌ softwarová‌ asociace‌ –‌ Svaz‌·softwarové‌ ochrany v Ministerstvo kultury C-393/09 has a rather involved background an excellent account of which is provided by Martin Husovec on his blog. Very roughly speaking, a Czech organisation called the Security Software Association (BSA) wished to set up a collective licensing scheme for computer software which included the right to transmit works by cable television. The point in issue was whether the broadcast of the graphical user interface of a computer program could infringe copyright (and would therefore require licensing).

Copyright in computer programs was harmonised across the EU under the Software Directive (91/250/EEC). Article 1(2) applies the directive to "the expression in any form of a computer program". The first question referred to the ECJ was whether a graphical user interface could be described as a computer program "in any form". The ECJ said "no". One fact influencing the court was that Article 10(1) of the TRIPS Agreement requires the protection of computer programs "whether in source or object code". Clearly source and object code are examples of forms of expression of a computer program.

Similarly the 7th recital to the directive states that the term "computer program" also includes "preparatory design work leading to the development of a computer program provided that the nature of the preparatory work is such that a computer program can result from it at a later stage". The common element of these examples, thought the court, was that they lead to the reproduction or creation of a computer program. A graphical user interface does not enable the reproduction or recreation of a compute program, therefore it is not the expression of a computer program "in any form".

This all seems reasonable so far. Although a graphical user interface might contain one or more images or graphical works that would attract copyright as an "artistic work" in the normal way; attempts to claim copyright in an abstraction of the user interface — such as its mode of operation — have tended to founder in the English Courts in cases such as Nova Productions v Mazooma Games [2007] EWCA Civ 219 (concerning features of the play of two computer Pool games) and in Navitaire v Easyjet (concerning a clone of a air travel booking system).

However, the court went on to consider — although it had not been asked to do so — whether the graphical user interface of a computer program might be protected by the "ordinary" law of copyright. Here the court appears to have committed the logical fallacy of affirming the consequent. To explain why I need to say a something about earlier developments in European Copyright Law.

The Information Society Directive (Directive 2001/29/EC) ("INFOSOC") has partially harmonised other forms of copyright in the European Union. Article 2 INFOSOC requires that Member States create in their domestic law a "reproduction right" for "authors, of their works". Although described as a "right" it amounts to a prohibition on anyone else reproducing (in whole or part) a work without the author's permission. In other words it is a copyright. Although INFOSOC does not define "works" (or indeed "reproduction" or "reproduction in part"), the European Court of Justice in the earlier case of Infopag v Danske Dagblades Forening C-5/08 held that the directive only applies to a work that is "original in the sense that it is the author's own intellectual creation".

So to the apparent fallacy: in Bezpečnostní‌, the ECJ reasons thus:

The Court has held that copyright within the meaning of Directive 2001/29 is liable to apply only in relation to a subject-matter which is original in the sense that it is its author’s own intellectual creation (see, to that effect, with regard to Article 2(a) of Directive 2001/29, Infopaq International, paragraphs 33 to 37).
Consequently, the graphic user interface can, as a work, be protected by copyright if it is its author’s own intellectual creation.
In other words the court deduces from a statement of the form "P implies Q" a conclusion that "Q implies P". Infopaq establishes that being the author's "own intellectual creation" is a necessary condition. That does not mean it is a sufficient one.

Now the judges of the ECJ are, for the most part, bright and well educated. They will be well aware of the dangers of affirming the consequent. I think it is safe to assume they don't mean quite what they appear to be saying. In particular, the idea that any form of intellectual creation is protected by the general law of copyright would be quite revolutionary.

For example, INFOSOC does not exclude from copyright protection inventions that could form the subject of a patent, or designs that might be protectable under one of the European design rights. Although both might well be some author's "own intellectual creation", I doubt very much that copyright is intended by anyone to extend so far.

In English law merely being creatively original is not enough for a work to obtain copyright protection. For example in Creation Records v News Group Newspapers [1997] EMLR 444, the judge held that it was not even arguable that the scene for the Oasis album cover of Be Here Now could be protected by copyright. It simply did not fit into any existing protected category — and the record company attempted to argue that it was a dramatic work, a work of artistic craftsmanship or even a collage.

So I assume (in hope) that all the ECJ are guilty of is a failure to show working and that they have in mind some other criteria that must be satisfied before a work is protected by copyright. What those criteria might be the ECJ do not say which leaves me with the following questions: if a graphical user interface is protected by copyright, what kind of a work is it and what about it is protected?

It may be possible to gain some inkling as to what is in the ECJ's mind from their answer to the second question posed to them. They were asked if graphical user interfaces were protected by copyright in computer programs (the first question), would television broadcasting of the graphical user interface be an infringement of that copyright (by communication of that work to the public)? Although the ECJ had answered "no" to the first question, ever helpful they considered whether, on the assumption that graphical user interfaces were protected by "ordinary" copyright, TV broadcasting of them could constitute infringement. Again the ECJ thought "no" because the viewers "cannot use the feature of that interface which consists in enabling interaction between the computer program and the user".

It seems from this that the ECJ have in mind not the graphical elements of the user interface, but something about its operational behaviour. A sort of copyright in interactivity, which cannot of course be infringed by TV broadcasting because you cannot interact with the subject of the broadcast. If that is what the ECJ have in mind, then I am troubled.

First, what kind of a copyright is this? Is it an artistic work, a literary work or something else (a work of artistic craftsmanship perhaps)? For the purposes of English law this matters. Different species of work are protected in different ways, even if the differences are sometimes rather subtle. The ECJ do not tell us the answer to this question.

Second, where is the graphical user interface "fixed". In English law a work is only protected if and when it is fixed in some permanent form. If I make a really excellent speech, I will have copyright in the speech when, but only when, it is recorded. Similarly if a group of musicians create an exciting musical work while jamming together in the studio, the work will not be protected until fixed in some form. Is the graphical user interface fixed in the computer program's source code? If so, copying the code may be an infringement of the copyright in the graphical user interface. If it is not fixed in the code, where is it?

Lastly, there are numerous special rules that apply to copyright in computer programs. For example there are rights to make back-up copies, to test and to decompile for certain purposes. If the ECJ is right, these would not apply to a user interface which represented an author's own intellectual creation. In English law, moral rights do not apply to computer programs, but would (presumably) apply to a suitable user interface. Both of these conclusions could be awkward.

Not all is bleak. The ECJ emphasize that when assessing whether a graphical user interface is protected by copyright as its author's "own intellectual creation", a national court should ignore components of an interface that are "differentiated only by their technical character". It will not be every, or every aspect, of a user interface that will be protected. Despite this limitation I suspect that this decision, if taken to its logical conclusion and followed by later cases, will require some careful rethinking about copyright in the computer industry. Just what we need.