Posts on this blog represent my opinion. It may be my considered opinion on the basis of my formal study of law and technology. But it is not legal advice. It must not be treated as, or acted upon as, legal advice and no liability is accepted for doing so.

Tuesday, 29 November 2011

A tempting target, but a dubious tactic

A few days ago a friend retweeted a link to a campaign that took an unusual approach to expressing distaste at The Sun's campaign against benefit fraudsters.

Pride's Purge - Help Fight Back Against Murdoch’s Benefit ‘Scroungers’ Hotline

The blog's author, Tom Pride, is encouraging people to report 'fat-cat bankers' to the Sun email hotline. Or, more specifically, he is encouraging people to do this so much that the hotline is overwhelmed:

"Simply by repeatedly sending as many emails as possible with the names of scrounging bankers who have used taxpayers money to pay themselves massive bonuses, the hotline can be crashed."

Now I have no love for the Sun - about the only good thing I can say for it is that it is not quite as revoltingly toxic as the Daily Mail. But I do have a concern about Tom Pride's campaign, because it is encouraging people to break the law. My particular worry is that most people who like the look of this and feel tempted to join in probably won't have any idea that this is, in fact, illegal.

When the Computer Misuse Act 1990 was originally enacted its Section 3 created the offence of 'unauthorised modification of a computer'. The intent was clearly to create an offence of hacking, but as time went on it became clear that a computer might be attacked in a manner that was not obviously 'unauthorised modification'. In particular, Denial-of-Service (DOS) attacks were, some commentators suggested, not caught by s.3. Matters came to a head in 2005 when David Lennon carried out a mail-bombing attack on the email server of Domestic & General plc. At his trial Mr Lennon's defence was that his actions had not been unauthorised, because an email server is specifically intended to receive emails, so he had done nothing to it that he had not implicitly been authorised to do. The judge struck out the case against Mr Lennon on this basis, but the Director of Public Prosecutions appealed and so the Court of Appeal considered the meaning of s.3 CMA 1990. Mr Justice Jack, in giving the Court's judgment that the prosecution should continue, considered that the authorisation had implied limits:

"I agree, and it is not in dispute, that the owner of a computer which is able to receive emails is ordinarily to be taken as consenting to the sending of emails to the computer. His consent is to be implied from his conduct in relation to the computer. Some analogy can be drawn with consent by a householder to members of the public to walk up the path to his door when they have a legitimate reason for doing so, and also with the use of a private letter box. But that implied consent given by a computer owner is not without limit. The point can be illustrated by the same analogies. The householder does not consent to a burglar coming up his path. Nor does he consent to having his letter box choked with rubbish. That second example seems to me to be very much to the point here. I do not think that it is necessary for the decision in this case to try to define the limits of the consent which a computer owner impliedly gives to the sending of emails. It is enough to say that it plainly does not cover emails which are not sent for the purpose of communication with the owner, but are sent for the purpose of interrupting the proper operation and use of his system."

Even before the Court of Appeal had given its ruling though, Parliament was already planning to revise the CMA to close this loophole. The Police and Justice Act 2006 amended s.3 CMA 1990 so that the offence it created was instead one of an unauthorised act impairing a computer's operation. No longer was it necessary to show that there had been some change made to a computer; it is now enough to show that the computer, even if doing what it was intended to do (e.g. receive emails), has been impaired in that function. The amendment also extended the offence to include reckless, as well as deliberate, impairment. So, both by statutory amendment and by case law (Lennon) it is now clear that mail-bombing a mail server to the extent that it is no longer usable is a criminal offence (and other forms of DOS attack, including distributed DOS, are similarly offences).

What this means, I'm afraid, is that fun though it may be to suggest burying the Sun hotline in irate email, it's actually against the law to do this. It's directly illegal to send such emails, although to be pragmatic the likelihood of prosecution for sending a particular email is pretty low. (I wouldn't be so sanguine if anyone used a mail-bombing app, though.) It's also illegal, under the long-standing rule against 'aiding, abetting, counselling or procuring an indictable offence', to encourage other people to do this - as, it seems, the blog author here has. (In the comments to the post, Tom Pride says this isn't a DDOS attack. With respect, as I've tried to explain here, in the eyes of the law it is.)

As the two young men who tried to organise riots via Facebook found, it's very easy to get into a lot of trouble by saying something online. There's a good argument that it's far too easy, as Paul Chambers found out in the ongoing saga of the Twitter Bomb Joke trial. But as it is, it's worth pausing for thought - and perhaps a check of the law - before seeking to unleash the wrath of the Internet on a target, however deserving it may seem.

Saturday, 15 October 2011

SCL Conference 2011 - Day 2

Balancing risk in outsourcing contracts - Mark Crichard, Andrew Collyer, Richard Bligh. Interesting comments on and insights into some of the complexities of developing outsourcing contracts. To what extent has the Centrica case made it necessary to clearly specify what will be considered as direct and indirect losses? Do customers understand the difference between losses that are indirect and those that are simply remote? And how do you cater for customers who want to outsource but to host their data and services on their own systems? (A: with carefully worded exclusion clauses, so it seems.)

Social Media: strategy for business - Gillian Cordall, Nina Barakzai, Chris Reed. How to best use social media? Engage with customers by talking not just about yourself but about developments potential clients are interested in. Dangers of getting it wrong, e.g. recent Toyota social marketing lawsuit - over-focussed campaigns may damage your reputation with other customers. And who 'owns' the contact list for successful social media - the front face of the media, or the employer?

Social media strategy can be reactive and responsive, e.g. Dell's 'Global Listening' - engage with commenters and respond. It does work better if you have the resources to monitor, filter and respond to social media, but for a well-known brand it can have significant impact!
It's important to have clear policies and codes of conduct (especially re transparency) and to comply with relevant laws. Above all, you have to engage, not just broadcast.

Litigation: the cancer of disclosure - Ben Rooney, Alexander Carter-Silk, Edward Rippey, Kim Lars Mehrbrey. A US, an English and a German lawyer walk into a bar and discuss discovery/disclosure. US discovery can take years and cost millions, but you go into a case knowing pretty much everything. German civil law barely has disclosure: parties present their case based on what documents they choose. English disclosure is very much based on proportionality, albeit subject to the risk of costs penalties for improper disclosure. Which is 'best'? Modern search tools make it almost impossible for someone to convincingly hide evidence, but can this lead to over-enthusiastic searching and excessive preparation costs? We are also seeing forum-shopping, as litigants look for the jurisdiction with the disclosure regime most favourable to their case.

Friday, 14 October 2011

SCL Conference 2011 - Day 1

I'm at the Society for Computing and Law's 2011 Conference in Bath, with the theme of New Technology v High Risk. I'll aim to blog updates on the sessions as we go along, so refresh for details.

Technology, Risk and Law - Dr Andrew Martin, University of Oxford.
A heartfelt plea for professionalism in the IT industry, in the context of properly understanding what risk is and what technology can and cannot do. Andrew Martin observed how we are increasingly reliant on security entities we have no knowledge of (e.g. certification authorities) and, with more and more of our household devices not only being connected to the Internet but holding multiple sets of our credentials, this poses risks of security failures that are hard to be aware of, let alone properly quantify. He put forward three wishes for the genie that we have let out of the bottle: better technology, in the sense of understanding and removing vulnerabilities; more realism as to what IT can and can't do; and more focus on reliability and robustness in place of pushing the state of the art.

Cyber-crime - Prof Ian Walden (QMUL), Det Sup Charlie McMurdie (Met Police), Neil Hare-Broom (QCC Forensics)
Cyber-crime is getting more sophisticated; we are seeing seized PCs with over a dozen virtual machines, or more than 8TB of data to be examined. Some suspects have literally dozens of online IDs. The problem is made worse by the declining effectiveness of anti-malware protection, the growing pressure (from economy and convenience) for businesses to allow use of employee devices for work, and the jurisdictional challenges of cloud computing. The panel couldn't offer a simple answer, with views from "it can only get worse" to "we have to do what we can to help ordinary users and shouldn't just accept that this happens". Again, the question of how much we accept poor reliability in software came up - should we extend consumer protection law to cover the quality of software security? Ditto for enforcing pervasive use of encryption to protect payment details. Interestingly, the police officer was wary of adding more and more laws, on the basis that threats of prosecution can deter reporting - carrots are better than sticks.

Monday, 4 July 2011

Dropbox Terms of Service not actually that evil

There's an old saying that there's no such thing as bad publicity, but I'm not sure that Dropbox believe that right now.

It was embarrassing enough a couple of months ago when in response to security concerns Dropbox had to concede that their much-vaunted claim for totally secure encrypted hosting of data via the cloud wasn't quite as totally secure as most people assumed. Dropbox's explanation made sense - in order to allow web-based access, they need the ability to decrypt user files - and they reiterated assurances that there were procedural safeguards against their staff snooping such content. But trust in Dropbox took a dent.

Nothing like the dent it took the other week though, when a technical glitch left all Dropbox accounts open to access for several hours. Dropbox management were at least quick to concede fault and to advise users to check their account logs for unexpected activity, but this incident seriously tarnished Dropbox's reputation.

Which is probably why Dropbox are now in the news again, following a recent revision of their Terms of Service. When you've heard two lots of worrying news about a company, it's easy to believe the worst when a third story comes along. Now, ToS of cloud service providers are a particular interest of mine, so as a somewhat concerned Dropbox user myself I was keen to see whether there was genuine cause for concern.

What Dropbox have done is to make a generally admirable attempt to make their ToS as comprehensive, open and at the same time easy to understand as possible. I can well imagine why, in light of recent problems, they'd want to do this, although it's a difficult balancing act to try to achieve at the best of times. As Facebook found out, with its infamously longer-than-the-US-constitution privacy policy, detail and readability don't always go together. But having said that I think Dropbox have made a pretty good attempt at it, and their revised ToS are certainly a lot more concise and accessible than many I've had to review.

The particularly contentious part comes under the heading Your Stuff and Your Privacy. It says:

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.

Is this a massive rights-grab by Dropbox? Well, no. This particular term is very common in cloud, blogging and social-networking services. It arises because in any cloud-based service the provider has to copy your data in order to store it and make it available, and indeed has to publish it if you share that data with friends or the world at large. Whilst there are good legal arguments that you are implicitly granting Dropbox (or any other provider) permission to do this by the act of signing up to the service, for entirely understandable reasons Dropbox prefer to make it clear in your user agreement that this is what they're going to do, and that you the user are happy with it. As one of the comments to the Slashdot story I linked to explains, the scary-looking language is actually quite reasonable given how the service is used:

Worldwide = Dropbox provide a globally-available service.
Non-Exclusive = Dropbox can't and don't prevent you from licensing your data in other ways.
Royalty-Free = You won't charge us for this!
Sublicensable = Dropbox need to allow technology partners to copy your data too.

The caveats in the terms make it clear that Dropbox are invoking this licence only for the purposes of providing the service to users. In that respect it's narrower than, say, Facebook's corresponding term (here, clause 2.1), which sets no limits on the use Facebook may make of data that you share online.

What I know has concerned some people though is the rider at the end of Dropbox's clause about 'You must ensure you have the rights you need to grant us that permission.' Does this mean that you can only store content on Dropbox if you either created it or have licensed it on terms that allow you to copy it?

I think that the practical answer to this is that you are probably fine so long as you don't go beyond the implied scope of what you are supposed to do with the material in question. To take an example, I quite often use my Westlaw access to download a case report or journal article. Westlaw give me the option to email it to myself - an activity which necessarily creates transient and, via webmail, not-so-transient copies of the copyright work in question. But nobody else has access to those, and they are incidental to my approved use of the service. I consider that saving such reports or articles to my Dropbox folder is equally legitimate. What would not be legitimate is sharing or publishing links to them - that would be outside the scope of what Westlaw is letting me use the service for.

In a similar vein, just because Dropbox is in a very technical sense 'publishing' your content back to you when you view it via a web interface, that is not what I, or anyone, would normally regard as 'publishing'. If you store the manuscript of your novel on Dropbox, you aren't publishing it by doing so; indeed, you still aren't even if you share it with a circle of test readers. As such, you're not breaking any exclusivity clause with your actual publishers by doing so.

There's a lot of concern about the security of cloud and social networking services and the fine detail of what can be found in their ToS (often with very good reason). However, if you do find a scary-looking clause, look to see if it's a common one, and if so find out what it actually means. It may well be a lot less alarming than you might at first think.

Monday, 24 January 2011

And it's going to be a Trilogy!

I started this blog with a post about Lucasfilm v Ainsworth, and just over a year ago I discussed the appeal, in which Mr Ainsworth - former prop-maker for the original Star Wars and now manufacturer of replica Stormtrooper attire - had not only maintained his victory on the copyright points but had overturned the decision that Lucasfilm's US judgment was enforceable against him. I felt at the time that there was every prospect of the case going all the way to the then-new Supreme Court and it turns out sure enough the Supreme Court website is now listing Star Wars III: The Revenge of the Claimant to begin on 7th March. (In fact the news came out a good fortnight ago, but I will plead the start of pupillage as an excuse for not noticing at the time.)

More details have been supplied by The Lawyer. George Lucas has deployed the big guns this time around, with Jonathan Sumption QC joining Robert Bloch QC, counsel in the original hearing and the appeal. That Sumption - reputedly one of the most expensive members of the Bar - has been instructed is indicative of the seriousness with which Lucasfilm is taking what it will see as a serious threat to its merchandising rights. As this article puts it, "Hollywood believes the outcome will have major implications for the UK film industry and the movie moguls came out in force in support of Lucas's fight to have the case heard by the Supreme Court."

It would be a mistake though to see this as a case entirely about copyright. Indeed, my own prediction is that the Supreme Court will not disturb the well-reasoned argument of Mr Justice Mann about the definition of sculpture under CDPA 1988, as endorsed by Lord Justice Jacob, the Court of Appeal's leading specialist on IP matters. What the case may by now be focussing more on is the question of jurisdiction and enforceability of judgments, the area where the Court of Appeal reversed the original decision. Writing in the Cambridge Law Journal, Pippa Rogerson has made a cogent argument that the Court of Appeal misapplied the Brussels I Regulation in holding that a copyright dispute in the USA is not justiciable in England. (See CLJ [2010] 69(2), 245-247.) If the Supreme Court accepts this view, then Ainsworth may well find his case being assessed under the copyright law pertaining in California, under which it is apparently clear that he would have infringed Lucasfilm's rights. Such a decision could have far wider-ranging implications though, potentially making it far easier for US-based rights-holders to sue for copyright infringement in England.

Whatever happens, one firm prediction I'll make is that this case will get even more coverage this time around. Brace ourselves for more Star Wars themed legal humour, we must.