Tech Law update

I have been blogging less because I am working on a technology & law related project (more information soon). In the meantime:

Online Defamation

Kiwiblog noted an interesting Canadian defamation case (Baglow v Smith) involving defamation on political blog sites:

On 30 August 2011 the Ontario Superior Court of Justice handed down judgment in the case of Baglow v. Smith, 2011 ONSC 5131. The decision suggests that an allegedly defamatory statement made in a debate on a blog or internet forum may not be found to be defamatory if the plaintiff previously engaged in the debate but did not respond to the statement despite having the opportunity to do so.

Canadian law firm Heenan Blaikie has a summary of the case here:

At the risk of over-simplifying the matter, the court’s decision can be summarized as this: there is something meaningfully different about online statements, particularly those which are made on political blogs and discussion forums, which militates that they be treated differently for purposes of defamation law. Put somewhat differently (and, again, with the qualification that this over-simplifies matters): impugning someone’s name on the broadcast evening news is different from impugning their name on a blog.

New Zealand courts give weight to Canadian judgments, and it will be interesting to see whether this case is raised in a New Zealand defamation proceeding in due course.

Amazon’s “one click” patent reaffirmed in NZ

Amazon’s infamous “one click” patent has been reaffirmed in New Zealand by a decision of the Commissioner of Patents, Amazon.Com, Inc v Patrick Ryan Costigan [2011] NZIPOPAT 12 (21 July 2011). The opposition to the patent does seem to have been somewhat quixotic – the opponent was not represented at the hearing, whereas Amazon had a team headed by a QC appear to defend its patent, as well as evidence from US and Australian patent experts. The Commissioner also noted that the patent had been upheld in Australia.

Google cleared in Australian ad-word case

The Australian Competition and Consumer Commission – the equivalent of NZ’s Commerce Commission (but rather tougher, it has to be said) – has lost a case it brought against Google alleging that Google engaged in misleading and deceptive conduct by mixing ads into its search results. The Court also found Google had not breached trade practices law by using (or allowing the use of) competitors’ names and trademarks in sponsored links. The full 73 page judgment is here.

UK Govt asks for Search Engine De-optimisation

Computerworld reports:

Google and other search engines, including Microsoft Bing and Yahoo, will be asked by the UK government to push copyright-infringing websites down their search results under new plans.

Which sounds like it could open a can of worms… The article also notes:

… it is understood that there could be forthcoming legislation, within the Communications Bill, if an industry-run solution is not found.

Which will certainly be a can of worms.

Watch the UK Supreme Court live

In what is understood to be a first, the UK Supreme Court (which in 2009 replaced the House of Lords as the UK’s highest court) now transmits a live coverage of hearings. This is a good step forward for open justice, because while most court hearings are open to the public, they are usually rather inaccessible. The Supreme Court coverage is available here streamed via Sky UK.

The privacy bargain

Stephen Bell of Computerworld recently outlined his views on the privacy bargain:

Another view, which I find more persuasive, is that when we make use of a service like Facebook, we enter a commercial bargain. Something very useful is provided to us free of charge and in exchange we cede something of our private selves to the providers, to be sold for whatever they can earn.

This is also my view, as I have written about here. Interestingly, Stephen got the view of the Privacy Commissioner:

I put this to Privacy Commissioner Marie Shroff. She suggests the bargain accepters are not as numerous as I believe, and in the wake of the Facebook and Google embarrassments, privacy champions are becoming a majority.

Yet what is happening is that companies such as Facebook and Google – who arguably stand to lose the most from pushing the privacy envelope a bridge too far – are themselves becoming the leading “privacy champions”, and shaping the future of privacy expectations and regulation at the same time. For example, Google has announced it will be undertaking biennial “independent privacy reviews to keep it on the straight and narrow”.

PR stunt? Window-dressing? Possibly, though assuming not then I think it is a very good idea. But the size and reach of Google means any practical changes will affect users around the world, and shift the goalposts of expectations and norms, years in advance of any regulation. And in the meantime, users will continue to flood to social networks and other systems – many of whom will never have known a world with any different processes or expectations of privacy.

How, then, might Government-imposed regulation be seen? Stephen sums it up very well:

There is a risk that the Privacy Commissioner and her staff might then be seen as the villains, keeping us from using new technology to smooth our businesses and lives because of their legalistic obsession with an abstract value.

The evidence to hand shows the privacy bargain has been well and truly been accepted, for better or for worse. The challenge for any regulation is to be seen as adding value (for citizens) to these bargains, not getting in the way of willing parties.

Google cleared of privacy crime

In a victory for common sense, and as I predicted three months ago, the police have cleared Google of committing “privacy crime” during its recent WiFi snooping incident. Detective Senior Sergeant John van den Heuvel makes a good point when he says:

Anyone using Wi-Fi needs to ensure they have appropriate security measures in place. People should not underestimate the risk that information they broadcast might be accessed by others, either inadvertently or for more sinister purposes.

The police (who, by the way, are busy using Google as a crime-fighting tool) have “referred the matter back to the Privacy Commissioner”, who will probably issue a statement rapping Google over the knuckles (again), and sensibly that will be the end of it. Google has faced a barrage of criticism for its actions and is unlikely to attempt a similar exercise in this country any time soon. But there is nothing stopping other, less PR-concerned outfits from doing so – a clear precedent (in prosecutorial practice if not in law) has now been set. And this is likely to cause issues in the future.

As the Law Commission’s recent report highlighted, there are a number of gaps and grey areas in New Zealand’s privacy and “surveillance” laws. Sooner or later these issues will need to be dealt with, but we are not alone in this regard. New Zealand is probably better off adopting a “wait and see” approach and following a principled approach to privacy based on international (particularly EU and US) standards.

Meanwhile, though, other countries are keeping the pressure on Google with Spain recently launching its own criminal investigation into the WiFi incident.

Tech law update 21 June 2010

Copyright in compilations

The Independent has an update on YPG’s legal battles to uphold the copyright in its Yellow Pages listings (see my post earlier this year). The outcome of the latest Court proceedings – expected very soon – could be of interest to all database or “compilation” rightsholders.

One such group may be New Zealand television networks seeking to restrict use of their TV listings by third parties. In Australia, this was the subject of the landmark IceTV case – which confirmed there is no copyright in basic, factual TV listings. Recently, Sky Television’s lawyers sent out cease-and-desist letters to people who had written programs allowing its listings to be “screen-scraped”, on the flimsy grounds that such actions breached its copyright in those listings (assuming such copyright even exists).

Google Street View WiFi drama

Errata Security has a good technical explanation of Google’s WiFi sniffing controversy, which is the subject of a preliminary criminal investigation in New Zealand (see my post here). From the post:

Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident. The technology for WiFi scanning means it’s easy to inadvertently capture too much information, and be unaware of it… It’s really easy to protect your data: simply turn on WPA. This completely stops Google (or anybody else) from spying on your private data (assuming you haven’t done something stupid like chosen an easily guessed password, or chosen WEP instead of WPA). If you don’t encrypt your traffic, then by implication, you don’t care if people eavesdrop on it.

Meanwhile, details are emerging that the captured data included passwords and emails. This is hardly surprising given that a huge amount of computer activity involves these two things, and it doesn’t change the “case” against Google. As I wrote earlier, intention is a key issue, as is whether the captured data is “reconstructed into a communication that indicates confidentiality” and made use of.

Luke Appleby gave his take on the Google WiFi drama here. While my post looked at the criminal acts, Luke rightly points out that Google could also have run foul of s 133A of the Radiocommunications Act 1989. That is certainly worth a look by the Privacy Commissioner (not the police; and there is still a need for intention which has yet to be established), although substantive privacy issues should be the focus of any investigation, if warranted – a case which has yet to be made.

Copyright Amendment Bill submissions

Internet NZ has published its submission on the Copyright Amendment Bill. It includes a great detailed analysis by lawyer Rick Shera. While I have different views on some aspects, I support a good many parts of the submission. Paragraphs 86 and 87 of Rick’s analysis in particular raise key questions that need to be addressed by the Committee.

The submission also emphasises the range of business and government activities reliant on internet access. This is a point I submitted on earlier, and it will be interesting to see if other business sectors pick up on this. For example, do banks and online shops really want their customers to be disconnected for transgressions against another industry group? I’m sure the recording industry would not want their online customers disconnected because one of their kids is caught shoplifting at the local dairy.

Aussie net filter to be back-burnered

The Australian government’s daft plan to impose mandatory internet filtering, which only recently was being pushed ahead, is now likely to be shelved until after the election.

Google not guilty of privacy crime, your honour

The New Zealand Privacy Commissioner’s office has reportedly met with police to discuss a possible criminal investigation into Google’s controversial WiFi data collection. A civil investigation sure, but a criminal one? Really? I hope the police have rather more pressing matters.

But let’s do a quick judge-and-jury exercise. Two relevant laws are sections 252 and 216B of the Crimes Act 1961.

Section 252, which is often misunderstood and is broader than many people may think, prohibits unauthorised access to computer systems. However, based on the reported information, Google’s collection of WiFi data did not involve any kind of “access”, and prosecution under this section is unlikely.

Section 216B prohibits “intentionally [intercepting] any private communication by means of an interception device”. This crime appears most likely to be the subject for any investigation. The key definition of this section is “private communication”, defined in s 216A (which the Law Commission rightly described as “not straightforward” – NZLC IP14, 10.47):

private communication:

(a) means a communication (whether in oral or written form or otherwise) made under circumstances that may reasonably be taken to indicate that any party to the communication desires it to be confined to the parties to the communication; but

(b) does not include such a communication occurring in circumstances in which any party* ought reasonably to expect that the communication may be intercepted by some other person not having the express or implied consent of any party to do so.

It seems clear that Google’s activities amounted to “interception” by an “interception device”. Indeed, any cellphone, laptop computer, or even a tape recorder could be used for such activities and meet the Crimes Act definitions. But are WiFi transmissions “private communications”, as required under s 216B?

Let’s look at some known (or presumed) facts:

  1. All of the data was collected from public locations, specifically from public roads.
  2. The data was being actively transmitted into those public locations.
  3. The data collected was unencrypted (if it turns out encrypted data was collected, things might change).

These facts seem to exclude Google’s activities from part (a) of the definition. How was there any indication that “any party to the communication [i.e. the collected WiFi packets] desires it to be confined” when the WiFi data was being broadcast, in unencrypted form, to the public? And how would Google or anyone else be expected to know that? The question whether the users to whom the data belonged knew it was being publicly broadcast is not the issue. The issue is that a publicly broadcast, unencrypted WiFi communication does not (in this juror’s opinion) give a “reasonable indication” that the person making it “desires it to be confined”. If anything, it conveys the opposite.

Of course, if the collected data is able to be reconstructed into a communication that indicates confidentiality, that could raise further questions. However, that is not known, and may well be beyond the intended working of s 216B.

Part (b) of the definition provides another hurdle, although as the Law Commission has noted, it is problematic. It excludes communications that a party “ought reasonably to expect” may be intercepted. Cribbing from the Law Commission’s recent report “Invasions of Privacy: Penalties and Remedies” stage 3:

In Moreton v Police, William Young J noted that while public awareness has developed over time that cellphone communications are not particularly secure, this does not automatically give rise to an expectation that any particular call will be intercepted. While the method of communication used and public awareness of its security levels may not be determinative on their own, they will nevertheless be relevant to whether at least one of the parties has indicated a desire that the communication be confined to the parties, and to whether there is a reasonable expectation (by both parties) that the communication may be intercepted. …

We anticipate that the main areas of enquiry by the courts will be whether the actions of the parties disqualify their communication from being a private one, and whether any particular method of communication disqualifies a communication from being a private one. By “the actions of the parties”, we mean their conduct of the communication itself; for example, whether they are talking in a private room where they expect no one else can hear them, or talking loudly in a public place.

Judge David Harvey has said that listening in to a conversation on CB radio, or using a police scanner, would not be offences because no-one could reasonably expect the communications to be confined.

Putting aside multi-party complexities for now, this reasoning is applicable to WiFi communications. Today, isn’t using unencrypted WiFi like talking loudly in a public place, or using CB radio? Is the “openness” of unencrypted WiFi well known enough to remove an expectation of privacy? Time will tell, but to some extent the Google situation has shown that could well be the case (not that a person is able to benefit from their own wrong, of course).

Another question is whether WiFi data actually constitutes a “communication” within the definition of s 216A. The comments noted above, and the definition, assume a communication between two or more parties using similar technologies, akin to a conversation. It may be arguable that random WiFi packets collected on a drive-by do not constitute a “communication” capable of falling within the definition of s 216A.

“Intention” is another fundamental requirement (both in the definition and for criminal offences). Did Google intentionally intercept the communications? Intention must of course be proved, and this may not be as straight forward as it appears, with Google now blaming a “rogue engineer” for the data collection.

Based on the information to hand, this jury returns a verdict of not guilty, but with a recommendation of a good public flogging nevertheless (ably led by the Privacy Commissioner), to last until Facebook returns to being Privacy Enemy #1.

The debacle could prove timely, given the Law Commission’s recent review of such issues and the possible law changes that may result. But for now, let’s hope the police do not waste valuable resources on what would simply be a pointless witch-hunt.

Tech law update 22 April 2010

IT industry supports ban on software patents

InternetNZ, the New Zealand Computer Society and the New Zealand Open Source Society issued press releases yesterday in support of the ban on software patents:

The Labour Party also issued a press release supporting the decision and Minister Simon Power’s earlier endorsement:

Meanwhile law firm Chapman Tripp issued a press release criticising the decision:

Privacy Commissioner slams Google’s “experiment”

New Zealand’s Privacy Commissioner, Marie Shroff, has criticised Google Buzz as being a “commercial experimentation on New Zealanders and other internet users, involving the release of significant personal information”:

[Google’s actions] violated the fundamental, globally accepted principle that people should be able to control the use of their personal information.

The comments follow Ms Shroff’s signing of a joint letter to Google, stating:

It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.

These comments, including constructive requests that organisaions collects and process “only the minimum amount of personal information necessary” and create “privacy-protective default settings”, are admirable. Ms Shroff does a great job in standing up for New Zealanders’ privacy rights.

The difficulty, as I have written previously, is that people happily trade privacy for functionality. Millions of people willingly pour personal information into different websites every day. To what extent can Google be criticised for finding new, creative uses of information it has been willingly given, in accordance with terms agreed to by users? And to what extent is it necessary or right for governments to intervene?

Open standards in Government procurement

Earlier this year I commented that “the Government must properly mandate open standards and multi-vendor capable solutions for future state-sector IT procurement”.

European Union ministers have now called for “the introduction of open standards and interoperability in government procurement of IT”. This comes as part of an ongoing development of procurement frameworks.

The report states that some groups claim the proposal has been “so watered down due to intense lobbying by the proprietary software makers, to such an extent that the document will have no impact on the market”. Other industry groups have praised the proposals as “well balanced”.