I had the pleasure of attending ICANN 50 a few weeks ago. I’ll be writing a few short articles over the next couple of weeks for Digilaw, but in the meantime Continue reading »
A quick note to mark the passing of 2011 and the start of 2012. Thank you all for reading and commenting here (and on Twitter) on the stories that have been reported on these pages. I’m looking forward to posting much more in 2012.
There has been plenty to contemplate in the last 12 months and we look forward to new challenges and opportunities in the months that lie ahead. Several big IP cases look likely to make their mark next year, including Viacom v. YouTube, The Authors’ Guild v. Google and NLA v. Meltwater, and we may begin to see the fallout of the (UK) Supreme Court’s ruling that foreign copyright claims can be adjudicated in the English courts.
Whatever plans you have for next year, I hope they will be realized, that you enjoy the chase, and that you will be challenged by the work that you do.
I couldn’t let today pass without wishing you all a very happy World IP Day. This year, the focus of the day is “Designing the Future”, which you can read about here. You can also ‘Like’ World IP Day on Facebook here, and can read the IPKat’s salute here.
No doubt the next year will be an interesting one for IP. Perhaps sometime in the next 366 days we will know whether YouTube is exempt from copyright liability under the DMCA in the States and/or the E-Commerce Directive across Europe, and whether Google (and now Microsoft) is liable for or automatically exempt from unfair competition claims for their sale of trademarks as keywords in Europe.
We’ll probably see some rise in cyber attacks, for political as well as miscreant purposes, and hopefully there will be a few more cases on the Internet and jurisdiction issues. Any bets on where the Google Books litigation will be?
Most readers of this blog will be aware that the recent 4Chan / Anonymous attacks against various websites associated with the enforcement of copyrights have been followed by ISPs claiming, in some cases hypocritically, that the current process for investigating intellectual property infringement claims does not adequately protect their customers.
By way of recap, the process used for the last several years has been that rights holders: identify IP addresses that they contend are the digital fingerprint of an Internet connection that has been used to unlawfully copy media files across the Internet or to make those files available; request from the ISPs responsible for those IP addresses the names and contact details of the customers to whom they were allocated at a particular time; and, if the ISP does not provide the information requested (as they usually would not), apply for a court order obliging the ISP to disclose the information sought, in contemplation of future litigation (a Norwich Pharmacal Order (“NPO”)). ISPs were not in the habit of contesting these applications, meaning that if the potential litigant met the threshold for the NPO, the ISP would be ordered to supply the details. Ancillary issues, such as the format of the data, including whether it should be encrypted, would also be included in the order.
That was the case until a few months ago.
Claiming to be perturbed by the way in which some rights holders were aggressively using the system to identify potential infringers and threaten them with legal action unless they paid some money to settle the claim (which, in itself, is no more than the everyday cut and thrust of the real world of litigation), but never actually following unsettled claims through to litigation, a group of cyber terrorists / freedom fighters (take your pick) began organising and recruiting massive computing power to issue DDoS attacks against lawyers, rights holders and even the UK IPO (which was a strange choice given how copyright works in the UK). Anyone suggesting that those responsible for these torts (and possibly crimes) are as unable to engage in human interaction as any other bully, and who believe that the real motivation behind this is the stubborn belief that once a digital item has been acquired once it can be copied indefinitely, would not be alone. But it’s beside the point.
After one particular set of attacks, customer details were leaked online and were distributed around the globe, in some cases by the same people who laud themselves as privacy champions. Go figure. Anyway, the PR for ISPs was not good, and BT’s response to the increasing scrutiny of the existing system was an 11th hour request for the court to defer hearing an NPO application on behalf of the Ministry of Sound until January 2011, so that they could respond to the application in their customers’ interests. The court granted their request.
(It should be mentioned that the leaked customer data included information that BT was ordered by the court to send only in encrypted form, and that BT failed to encrypt it. Accordingly, they are potentially in contempt of court for failing to comply with a court order. It should also be noted that no ISP, so far as I am aware, has been targeted by a DDoS attack.)
Then came the news last night that the Ministry of Sound has withdrawn its application, for an unexpected reason: having asked for a stay to allow it to consider the application, it turns out that BT has deleted 80% of the data covered by the application. According to the BBC, BT:
“said 20,000 of the 25,000 requested details had been deleted to comply with data retention policies. BT said it held data for 90 days before deleting it.
‘The Ministry of Sound and its solicitors are well aware of this,’ said a spokesperson for BT.
‘Upon request from Ministry of Sound, we saved as much of the specific data sought as we reasonably could and any not preserved must have been too old.’
But Ministry of Sound CEO Lohan Presencer said that it was ‘very disappointing that BT decided not to preserve the identities’ of the alleged file-sharers.”
The last point is of particular interest to a litigator. Once litigation is contemplated, parties are immediately placed under an obligation to preserve all information likely to have to be disclosed in the course of the litigation. In the UK, the Civil Procedure Rules make this point explicit in Practice Direction 31B Para. 7:
“7 Preservation of documents
As soon as litigation is contemplated, the parties’ legal representatives must notify their clients of the need to preserve disclosable documents. The documents to be preserved include Electronic Documents which would otherwise be deleted in accordance with a document retention policy or otherwise deleted in the ordinary course of business.”
If it turns out that BT has deleted this data after receiving notice of the potential litigation, they could not only face contempt proceedings for the sending of data in unencrypted form, as well as enforcement proceedings by the Information Commissioner for failing to safeguard personal data (although both of those are very unlikely), they might also have breached their preservation obligations under the CPR. If their lawyers failed to advise BT of those obligations, then they too may have breached the obligations they owe to the Court.
I think it is more likely that what BT actually means is that 80% of the data requested had already been deleted when their preservation obligations kicked in, which would mean they haven’t done anything wrong. But the story provides two good reminders:
1. Firms must move quickly when dealing with personal data. Depending on the industry and the jurisdiction, personal data may (have to) be deleted after being held for no more that 90 days.
2. Lawyers on both sides of a dispute must inform their clients of their preservation obligations, particularly where electronic documents (or a likely counter-claim) are concerned. I recall working on a case where the other side’s lawyers had not adequately informed them of their obligations, with the result that all copies of the software at issue had been over-writtten by subsequent versions. Even if this happens due to a genuine mistake, you can guess how it will look to a court.
Ministry of Sound has said it has no plans to stop enforcing their copyrights, and we await to see the first test case to come before the courts.
If you like to share, why not share this?
How would it feel to know that people were listening in on your private conversations and were selling the stories they heard so that you could be targeted with junk mail? Would it make a difference if those conversations, discussing an illness or trying to find comfort after a tragedy, took place remotely, rather than in person?
Well, surprise, surprise, it’s already happening online. The Wall Street Journal has a good article on companies that are collating all the data you are posting online, even the private stuff you put up in password protected areas and thought no-one else but your friends could see, and are selling it to marketing companies. One company has even applied for a patent on a method of uncovering who you really are and linking all of your data, including your “private” posts, together so that the information can fetch a higher price.
The WSJ article looks at some high profile examples of how this is happening. But, scary as it is, the practice itself is old news. Screen-scraping, a way of collating the data on a webpage via a robot, is pervasive and so easy to do. Search engines do it. Price comparison sites do it. I do it (with my own pages). But not everyone is a fan: recently, Ryanair caused controversy by canceling all tickets booked via websites that had “scraped” pricing data from the Ryanair website (see my article here).
Two things about the article struck me. First, there is no mention of copyright infringement, which is surprising given that screen-scraping usually involves the unauthorized copying of protected works. There is only a passing reference to “anti-scraping” laws which exist in some jurisdictions but not others. Second, there is my constant refrain: other people are doing this. Think of all the information that Google has about you, spread across its more than 1,000,000 servers. How does it make you feel to hear the head of Google say: “If you have something you don’t want anyone to know, maybe you shouldn’t be doing it in the first place”?
The truth is, many people have unreasonable expectations of privacy when it comes to the Internet. When you post something online, you put it onto a third party server which can be accessed both legitimately and, sadly, illegitimately. As to the legitimate uses, when was the last time you looked at the terms and conditions of any site you uploaded photos, comments, videos or anything else to? Chances are, the site will have taken a right to use your work and to share your data. And with regards to illegitimate access, there’s very little you can do if someone breaks the rules and misuses your content. Do you know, and can you trust, every person who has the ability to access that content?
So when doing anything online you should always bear in mind what sort of information about yourself and others have are putting up for grabs, because some people can make a lot of money by making sure they find it.
It’s uncommon for stories to keep going for much longer after they’ve hit the front pages, but the recent Google wifi-spying story looks like it’s got the legs to run and run and that it’s nowhere near over yet.
In the most recent development, Google has apparently decided not to hand over all the data to European privacy and information commissioners. Their reasons? They’re blaming “privacy concerns”…
The full story is available from the New York Times.
Seems like there’s a bit of a catch-22 going on here: can Google find a way to say that a private company collecting and storing data is lawful, but handing it over to comply with a government’s request is not? Apparently Google have even been given assurances from the state prosecutor, so can a German lawyer help explain what the (legal) problem is?
- a criminal investigation into all of this has now begun in Hamburg;
- Hong Kong has upped the ante by threatening “sanctions” against Google if they fail to allow their privacy commissioner to inspect the data, referring to Google’s “apparent lack of sincerity”;
- the “relatively small amount” of data Google has collected was 600 gigabytes (i.e. over a billion (1,073,741,824) characters of data);
- Google has offered to destroy the data, but without allowing data officers to verify their account of what was stored and how “inadvertent” it was.
This looks like it’s going to rumble on for a long time to come and you have to wonder what’s going to come next. One commentator has even gone on record to say that if Google refuses to hand over the data “it will be seen as an act of war” against European data regulators.
By the end of April, it was begining to look like Google was turning a corner on what had started out as a potentially difficult year. In Europe, Google was in a high-profile dispute with LVMH, the owner of famous brands such as Moët, Hennessy, Louis Vuitton, Fendi and Christian Dior. If the result went the wrong way for Google it would threaten their AdWords cash cow across the entire European Community. At the same time, Google was facing AdWords proceedings in both the Northern District of New York and the Eastern District of Virginia. Add to that the privacy complaints and rumors of government investigations that greeted the launch of its “Buzz” social networking project, and comments from Eric Schmidt, Google’s CEO, that if you don’t want Google to publicize and profit from something, “maybe you shouldn’t be doing it“, and you can see why things looked a bit ominous for Google.
But then it all started going right. First of all, Rescuecom surprised everyone in early March by dropping its (New York) trademark infringement action, declaring victory but not gaining any of the relief it had been seeking from the lawsuit.
Then the AdWords program survived the ruling of the Court of Justice of the European Union (video here, additional comments here). Their judgment was hardly a ringing endorsement of the service, and there are various doors left wide-open to challenge it on other grounds, but at the very least it lives to fight another day.
Following this, Google’s motion for summary judgment in the (Virginia) Rosetta Stone action was granted (although Rosetta may yet decide to appeal once they see the Judge’s reasons for his decision).
And, to top it all off, the German Federal Supreme Court held that a photographer must be deemed to have impliedly consented to Google copying images from her website because she had not prevented it from doing so. (I wonder how many other Courts in Europe would reach the same result or adopt that reasoning: it appears to put a barrier between the artist and the automatic copyright protection to which she is supposed to be entitled, and to turn the idea of “exclusive rights” on its head.)
But then, possibly feeling a bit too relaxed after such a roll of good results, and in a scene reminiscent of President Obama’s comments on the Cambridge police after dealing with the last of a tough evening’s questions on healthcare, Google responded to the news that it had been spying on ordinary people’s wifi networks with its Street View cars for three years, that it was storing the data it had collected (including emails), and that it was refusing to delete it until ordered to do so, with two particularly patronizing comments: “No harm, no foul“, said Eric Schmidt (a principle which J Briggs says, in the comments, is the Peeping Tom’s charter); and “You can’t prove any harm“, said Larry Page. This article indicates that the UK’s Information Commissioner believes the Data Protection Act had been breached, and that the FTC is launching an inquiry, but here The Times (London) makes out that Google has been forced into the admission after not being completely honest with regulators:
“Google made the admission after German authorities began to examine why Google was using the cars to collect wi-fi data at all. A month ago Google said it was collecting only the name and location of local wi-fi networks — information, it argued, that was publicly available and was useful to help it improve its location services. Its data collection was much more invasive.
Internet activity such as e-mails, photos and which websites a user was looking at could have been collected by the cars.”
As does the New York Times:
“European privacy regulators and advocates reacted angrily Saturday to the disclosure by Google, the world’s largest search engine, that it had systematically collected private data since 2006 while compiling its Street View photo archive. After being pressed by European officials about the kind of data the company compiled in creating the archive — and what it did with that information — Google acknowledged on Friday that it had collected snippets of private data around the world.
Mr. Caspar [data protection supervisor for Hamburg, in Germany] said he had inspected one of Google’s Street View recording vehicles at the company’s invitation this month and had noticed that the recording device’s hard drive had been removed. When he asked to view the drive, he said he was told he couldn’t read the information anyway because it was encoded. He said he pressed Google to disclose what type of information was being collected, which prompted the company to examine the storage unit.
Germany’s federal commissioner for data protection and freedom of information, Peter Schaar … questioned whether Google’s collection of the data was a simple oversight, as the company has maintained.”
Bad news all round, particularly for Google if it turns out that no damage has been done nor any data unlawfully used. It’s a stark reminder, though, of the importance of perception when discussing your own shortcomings: no-one (except the New York Times) appears to be paying any attention to the mea culpa offered by Google’s Kay Obermeck: “This was obviously a mistake, and we are profoundly sorry.”
No doubt you are.
I just watched an interesting video about Google and the various markets they have (and/or might have) a finger in. According to the video, Andy Graves, CEO of Intel, says Google is a company “on steroids” with “a finger in every industry”. I’m not sure that the “steroid” analogy is a good one, and the video seems to embellish the facts to make its point, but there is some interesting stuff in here. For example, it was news to me that Google has a venture capital arm and that some of its earliest investments were in biotech and healthcare. I also didn’t know that they are trying to get into generating the electricity needed to power their broadband plans.
I often discuss with others what the privacy implications are of a single company doing all they can to obtain as much information as possible about the “real” me, not just the “me” that I allow into the public domain. According to the video, Eric Schmidt, CEO of Google, recently said:
“If you have something you don’t want anyone to know, maybe you shouldn’t be doing it in the first place” – Eric Schmidt, CEO, Google
This appears to suggest that the default position is that by doing something at all you make your actions public, shareable, sellable and exploitable.
But that is not the way governments treat information, so why should a private, profit-driven company? For example, in the UK the Data Protection Act 1998 places heavy restrictions on how personal data can be used. “Personal data” is defined widely, as “data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller [etc]” (section 1(1)). This is a really broad definition and there is nothing to say that the information has to be private in order to be protected; in fact, before information can identify an individual it will usually have to have at least some element of publicity about it.
But even aside from any legislative regime, you don’t need to think too hard to see that the “maybe” in Mr. Schmidt’s statement has to be a very big “maybe”: the person photographed on Google’s Street View entering a clinic to be treated for a condition of which no-one else is aware; the person who has GMail correspondence with their legal adviser; the friends who exchange messages of support on Buzz over a partner’s infidelity; the desire to let courtship flourish between the two of you alone.
With something like 97% of Google’s revenue coming from the sale of adverts for use within their products, they have a strong financial incentive to finding out not just what our peers and social groups like, but who each of us really is as an individual. And they have plenty of means by which they can start building a profile: cell phones (Android); web browers (Chrome); social networking (Buzz, YouTube, Picasa); and email (GMail), to name their most popular products. Privacy issues have been raised with various governmental bodies about Google’s activities and what they do with the data they hold (never mind the implications of simply holding that much data when it could be hacked by an outsider or sold by a rogue employee). In some cases these enquiries are ongoing, and sometimes they go nowhere (and it’s helpful to always keep an open mind when any public entity is the subject of criticism).
The video (which, ironically, is hosted on YouTube) is below. Have a look and see what you think. I’ll post some concluding comments underneath.
As I mentioned above, I do think much of this is exaggerated. But even from a theoretical point of view, two things might be of interest. The first is such a large company, with the power to lobby government (as Google has been increasingly doing), adopting the attitude put forward by Eric Schmidt in relation to the things which I simply “do”. That’s not to say that they are doing anything illegal; it’s just an attitude that I’m not at all comfortable with (and, in case you’re wondering, I don’t have an Android phone and I don’t use Chrome).
The second thing is, actually, a bigger deal, and it’s this: Google’s not the only company with an interest in finding out who we are. They make the headlines as the poster / whipping boy for the search world, but other companies do the same thing (albeit perhaps not in so many areas all at once) and no-one seems to notice that…
So where does that leave ordinary people like you and me? For a start it leaves us with a lot to think about. But one thing is certain: we must acknowledge that whether or not we use a paricular technology, others do, so that everything we say and do and every interaction we have with others has the potential, within a very short space of time, to become information accessible to anyone anywhere in the world.