Data havens and the constitution

Guest posted on the TUANZ blog.

TUANZ CEO Paul Brislen has written a thought-provoking article on the prospects of turning New Zealand into a data haven. There’s a lot going for the idea, but as Paul notes, there are a couple of stumbling blocks, one of which is the legal situation:

The final problem then, is the legal situation. We would need to become the neutral ground, the data Switzerland if we’re to gain their trust. Publicly adhered to rules regarding data collection and retention. Privacy built in, access only under the strictest conditions.

It would indeed require some law changes to become a “data Switzerland” where, as Paul envisages, “we treat bits as bits and that’s that”, and don’t allow the Armed Offenders Squad to swoop in with helicopters if someone uploads the latest series of Mad Men.

Exactly what those laws would be is a huge kettle of fish: privacy rights, intellectual property rights, safe-harbour provisions, search-and-seizure, criminal and civil procedure, etc. But putting aside the content of those laws (and their desirability), it is worth noting that New Zealand is in a somewhat disadvantageous situation in one respect vis-a-vis most other countries. Whilst New Zealand ranks as one of the most politically stable, corruption-free, and rule-of-law-abiding countries – ideal attributes for a data haven – we are in the very rare category of countries that are both:

  • Unicameral, unlike Australia, the UK, the US, Canada, most of the EU, Japan, India, and others; and
  • More importantly, have no written constitution that entrenches rights, limits Government power, and can strike down non-compliant laws. Only a handful of countries (notably including the UK) are in this category (and this is putting aside Treaty of Waitangi complications).

By my quick reckoning, the only other country with both of the above attributes is Israel.

What this means for us, as Sir Geoffrey Palmer wrote many years ago, is that whoever is the current Government of the day has unbridled power. Theoretically, there are little if any limits on what can be passed into law – all it takes is a 1-vote majority in the House of Representatives. This includes major constitutional change and retrospective law. For example, in the past decade-and-a-bit we have seen a Government change New Zealand’s highest Court from the Privy Council to a new domestic Supreme Court on a narrow majority, and retrospectively amend the law (also on a slim majority) to keep a Minister in Parliament – both things that may may well have faced constitutional challenge in other countries, but here were able to be effected with the same legislative ease as amending the Dog Control Act.

What’s this got to do with becoming a data haven? Well, it means that we cannot give the highest level of assurance that a future Government won’t do certain things that might undermine our data haven credentials.

For example, being a true data haven would presumably mean strong freedom of speech laws. You would want a reasonable assurance that a data centre would not be forced to hand over or delete data due to hate speech laws (present or future), except perhaps in the very strongest cases. New Zealand does have its peculiar Bill of Rights Act covering matters such as free speech, but this does not limit parliamentary power – in fact, Parliament regularly tramples various provisions of the Bill of Rights Act, with the only requirement for doing so being that the Attorney-General must inform the house. Nor does it prevail over inconsistent Acts: if another Act removes or abrogates a right, then the Bill of Rights Act doesn’t change that. So Parliament could potentially pass a law, on the slimmest of margins, that limits freedom of speech. This is not as far-fetched as one might think in an “open and free” democracy: the process is well advanced in the UK, where people face arrest and criminal prosecution for making statements considered by the authorities to be “insulting” (such as calling a police horse “gay”). Could this extend to limiting free speech (or content) hosted in data centres? There is nothing that says it can’t, or won’t.

Compare this with the US, where most of the internet’s infrastructure, governance and data centres are located. The federal Consitution provides the highest protection possible against Government limitation of free speech. Now this obviously does not (and is not intended to) stop situations like a US federal agency shutting down Megaupload and seizing data, in that case partly on the basis of alleged intellectual property infringement. But at least the limits on what the US Government can do are constitutionally defined and proscribed.

This issue is obviously much broader than data centres, but it does highlight the question: is it acceptable, in the information age, for there to be no effective limits on Government power over our information?

Accreditation risk

A recent case involved a software firm suing the Government for setting accreditation criteria that allegedly put it out of business.

In Integrated Education Software Limited v Attorney General [2012] NZHC 837. The plaintiff company, IES, had provided school management software since the 1980s. By the 2000s, it was one of a number of software providers to New Zealand schools.

Around this time, the Ministry of Education decided to implement interoperability standards for school management software. As the judgment notes:

The overall market was … very fragmented. There were 37 software vendors providing software to the compulsory education market. Most were small. Some were one-man back shed operations. The school software market had grown organically over the decade since 1989 and, although it was almost entirely state-funded, there were no uniform standards or other controls in place to ensure product quality.

… there was also concern within MoE about the variable quality of software packages and after-purchase support. Lack of technical expertise at school management level meant school leaders were often unable to make good choices. Ultimately it was felt that this represented a risk to government in terms of wasted expenditure where software was not up to spec or the vendor company failed.

So the MoE decided to set an accreditation model whereby software packages that met certain requirements would be accredited. A financial incentive would be put in place for schools that used an accredited package.

After some refinement and teething problems with the accreditation criteria, testing was carried in 2005. Seven vendors received accreditation, but IES did not. Users of IES’s software began to migrate to other, accredited vendors.

As a result, IES claimed that the accreditation process had damaged its business:

Although MoE argues that IES was in fact losing clients before the second accreditation round, there can be no doubt that IES’ failure to achieve accreditation did have a significant impact on that company’s fortunes. This occurred at two levels. First, it made it harder for IES to retain existing clients in the face of monetary incentives to change and MoE’s aggressive change campaign. Second, and for the same reasons, it made it more difficult for IES to attract new clients from the pool of 300 schools hunting for a new provider.

IES brought claims against the Government for:

  • Negligence, on the basis that the accreditation process was misconceived and poorly carried out; and
  • Bias / breach of natural justice (s 27 Bill of Rights Act).

Both of these claims (and another) were rejected.

On the negligence claim, the Court found that MoE’s adoption of an accreditation model was a policy matter, in which Courts are traditionally reluctant to intervene:

 The means by which the government is to fund the provision of SMS services to schools so as to ensure proper interoperability and appropriate standards in an era of widespread computer usage is a policy matter… These are questions for officials and politicians not Judges.

It also found that the MoE had no duty of care to IES in formulating and carrying out the accreditation process (it is worth noting that the Court suggested that the “proper footing” for a claim of this nature would have been misfeasance in public office), and considered that key facts were not made out.

On the bias claim, IES pointed to evidence it said showed that the MoE’s accreditation criteria favoured another vendor. The Court disagreed, saying there was no evidence to support an allegation of bias.

Lessons

The case provides an example of regulatory risk for IT vendors, and confirms that the Government has a broad (though not unlimited) ambit to implement standards, accreditation regimes and other policies without judicial interference. It is logical and sensible for a Government agency such as MoE to implement baseline standards (e.g. interoperability requirements) for state-funded schools, and accredit providers meeting the standard to allow schools to make an informed choice. It is unfortunate that IES, for whatever reason, could not or did not get accredited in time (in 2005).

The case does not explain why IES could not alter its software to meet accreditation. Software development is often an expensive and time-consuming process, and many vendors would face financial or resource constraints to significantly update what may be a “legacy” package to meet new requirements (which they may consider to be flawed or inapplicable).

But if IES had been able to update its software before or during the accreditation process (over a period of some months and years), presumably it could have reduced it alleged losses. Whether this could have been alleviated by a different contracting model or business model is unknown.

Patents Bill 2010 update

With all the other things on Parliament’s plate, it’s not surprising that the new Patents Bill 2010 is way down the Order Paper – at number 44 of 52 (though I see it has overtaken the Dog Control Order).

However, it seems the Government is sticking by the unanimous Commerce Committee recommendation to exclude computer programs from patentability, as confirmed to me last week by Commerce Minister Simon Power:

Software patents to remain excluded

The Government has cleared up the recent uncertainty about software patent reform by confirming that the proposed exclusion of software patents will proceed. A press release from Commerce Minister Simon Power said:

“My decision follows a meeting with the chair of the Commerce Committee where it was agreed that a further amendment to the bill is neither necessary nor desirable.”

During its consideration of the bill, the committee received many submissions opposing the granting of patents for computer programs on the grounds it would stifle innovation and restrict competition… The committee and the Minister accept this position.

Barring any last-minute flip-flop – which is most unlikely given the Minister’s unequivocal statement – s15 of the new Patents Act, once passed, will read:

15(3A) A computer program is not a patentable invention.

Lobbying

It is clear that the lobbying by pro-software patent industry group NZICT was unsuccessful, although Computerworld reports that its CEO apparently still holds out hope that “[IPONZ] will clarify the situation and bring this country’s law into line with the position in Europe and the UK, where software patents have been granted”. Hope does indeed spring eternal: the exclusion is clear and leaves no room for IPONZ to “clarify” it to permit software patents (embedded software is quite different- see below).

As I wrote earlier, it remains a mystery as to why NZICT, a professional and funded body, failed to make a single submission on the Patents Act reform process – they only had 8 years to do so – but instead engaged in private lobbying after the unanimous Select Committee decision had been made. It also did not (and still does not) have a policy paper on the subject, nor did it mention software patents once in its 17 November 2009 submission on “New Zealand’s research, science and technology priorities”. It is not as though the software patent issue had not been signalled – it was raised in the very first document in 2002. Despite this silence, it claims that software patents are actually critical to the IT industry it says it represents.

The New Zealand Computer Society, on the other hand, did put in a submission and has articulated a clear and balanced view representing the broader ICT community. It said today that “we believe this is great news for software innovation in New Zealand”.

Left vs right?

Is there a political angle to this? While some debate has presumed an open-vs-proprietary angle (a false premise) some I have chatted with have seen it as a left-vs-right issue, something Stephen Bell also alluded to (in a different context) in this interesting article.

Thankfully, it appears not. The revised Patents Bill was unanimously supported by the Commerce Committee, comprising members National, Labour, Act, the Greens, and Maori parties. It reported to Commerce Minister Simon Power (National) and Associate Minister Rodney Hide (Act). Unlike the previous Government’s Copyright Act reform, post-committee industry lobbying has not turned the Government.

What about business? NZICT apart, the exclusion of software patents has received the wide support of the New Zealand ICT industry, including (publicly) leading software exporters Orion Health and Jade, which as Paul Matthews notes represent around 50% of New Zealand’s software exports. The overwhelming majority of NZCS members support the change. Internationally, many venture capitalists and other non-bleeding-heart-liberal types have spoken out against software patents, on business grounds.

Some pro-software patent business owners might be miffed at a perceived lack of support from National or Act, perhaps assuming that software patents are a “right” and are valuable for their businesses. The reality is that only a handful of New Zealand companies have New Zealand software patents (I did see a figure quoted somewhere – will try to find it). Yes, they can be valuable if you have them but that is a separate issue (and remember, under the new Act no one loses existing patents). A capitalist, free market economy (and the less restrictive the better) abhors monopolies, and this decision benefits the majority of businesses in New Zealand. Strong IP protection is essential in modern society – including patents – (see my article “Protecting IP in a post-software patent environment“) but the extent of statutory protection when being reviewed will always come down to a perceived balance, not just for the minority holders of a patent (a private monopoly) but for the much larger majority artificially prevented from competing and innovating by that monopoly.

I have always taken pains to note, like NZCS, that there are pros and cons to software patents. And I am a fan of patents generally. Patents are good! But for software patents, the cons outweigh the pros. There are sound business reasons to exclude them. This specific part of the reform targets one specific area, has unanimous political party support (how rare is that?), and wide local business support. The last thing it can be seen as is an anti-business, left-wing policy (if it was, I’d have to oppose it!)

Embedded software

Inventions containing embedded software will remain, rightly, not excluded under the Patents Bill. Minister Power confirmed that IPONZ will develop guidelines for embedded software, which hopefully will set some clear parameters for applicants.

Software is essential to many inventions, and while that software itself will not be patentable, the invention it is a component of still may be. Some difficult conceptual issues can arise, but in most cases I don’t expect difficulties would arise. This “exception” (if it can be described as such) will not undermine the general exclusion for software patents.

Is internet access a human right?

Recent IP-related debates have raised the question of whether internet access should be a legally protected human right. An Australian academic is the latest to weigh in:

Internet use has become so woven into everyday life that some technology experts say online access should be legally protected, even to the point of considering it a human right. “It’s a social inclusion question,” said Cyberspace Law and Policy Centre executive director David Vaile

Much of the debate premises that internet access is already a human right, or soon will be. That view has popular support – a recent survey showed “almost four in five people around the world believe that access to the internet is a fundamental right” (FWIW, New Zealand’s previous Culture Minister also thought so). That result should not be surprising though: the right to do non-proscribed things can usually be considered a human right in some form.

[ Update: current ICT minister Steven Joyce says “declaring that the internet is a human right is not a priority for the government”. ]

The real question is whether internet access – which in the absence of any restriction already is a right – should be elevated to a “legally protected human right”, and what would that mean in practice? Internet access is already legally enshrined in some countries. But should it be? Do we need it to be? We all happily rely on access to water, electricity, sanitation, and food without the need to see these rights written into law. So why internet access?

The fact is, New Zealand already has strong free speech and anti-discrimination laws providing a very high level of protection:

  • Under section 44 of the Human Rights Act, it is illegal for any person or company to refuse to provide service to any person on a wide range of discriminatory grounds, including sex, race, political & religious opinions, etc.
  • Freedom of expression, including the rights to “seek, receive and impart information and opinions of any kind”, is enshrined in the Bill of Rights Act 1990.

In any case, there is no shortage of ISPs happy to provide access to anyone who’s willing to pay. Why would any ISP not want to provide service to a paying customer, unless they themselves were being harmed in some way?

If the right to internet access were “enshrined”, what would the practical result be?

  • If a customer didn’t pay their bill, would the ISP be prevented from stopping their service?
  • Would ISPs be unable to enforce terms of use?
  • Would prisoners be able to surf the net all day?
  • Would parents and schools be unable to prevent children from accessing certain sites?

If the aim is to prevent Government censorship or disconnection of user accounts (such as s92A of the Copyright Act), new legislation is not needed to achieve that. Instead, the repeal of the offending legislation is the answer. New Zealand does not have a constitution capable of striking down laws, so any specific legislation expressly providing the right could be limited by another law. Similarly, all rights protected by the Bill of Rights Act are subject to “reasonable limits“. Whether this is an acceptable state of affairs is another question – especially in our unicameral MMP system with a history (in the prior government at least) of ramming through constitutional changes, without a mandate, on a simple majority.

As regards the disconnection sanction of s92A, this is not about being “banned from the internet” any more than it is about banning free speech. Free speech itself has some limitations (even in the US), and certainly consequences in many cases (e.g. defamation). Does internet access need to be elevated above free speech? Besides, internet disconnection as a preferred strategy of some rights-holder groups is not likely to last long. It is more smoke than fire, and is easily avoidable. When the internet becomes the only means of distributing music, movies and other IP, disconnecting – rather than “reforming” – potential customers will make little sense.

In the end, the internet is simply a (very important) technological invention. It should no more need enshrinement in law as a “fundamental right” than the right to use a telephone. Besides breaking the desirable “technology neutrality” of law, this would also seem to be a case of  “rights inflation“:

Deciding which norms should be counted as human rights is a matter of some difficulty. And there is continuing pressure to expand lists of human rights to include new areas. Many political movements would like to see their main concerns categorized as matters of human rights, since this would publicize, promote, and legitimate their concerns at the international level. A possible result of this is “human rights inflation,” the devaluation of human rights caused by producing too much bad human rights currency (Cranston 1973, Orend 2002, Wellman 1999, Griffin 2001b).

Effort is better spent on protecting existing rights, and limiting the power of government. Upper house anyone?

Open source in government tenders

Computerworld reports:

A requirement that a component of a government IT tender be open-source has sparked debate on whether such a specification is appropriate.

The relevant part of the RFP (for the State Services Commission) puts the requirement as follows:

We are looking for an Open Source solution. By Open Source we mean:

  • Produce standards-compliant output;
  • Be documented and maintainable into the future by suitable developers;
  • Be vendor-independent, able to be migrated if needed;
  • Contain full source code. The right to review and modify this as needed shall be available to the SSC and its appointed contractors.

The controversy is whether this is a mandate of open source licensing (which it isn’t). The government should not mandate open source licensing or proprietary licensing on commercial-line tenders. More precisely, it should not rule solutions in or out based on whether they are offered (to others) under an open source licence. The best options should be on the table.

The four stated requirements are quite sensible. As the SSC spokesman said, there is nothing particularly unusual about them in government procurement. These requirements (or variations on them) are similarly common in private-sector procurement and development contracts. In the public sector in particular though, vendor independence and standards-compliance help avoid farcical situations like the renegotiation of the Ministry of Health’s bulk licensing deal.

Open standards and interoperability in public sector procurement is gaining traction around the world. Recently, the European Union called for “the introduction of open standards and interoperability in government procurement of IT”. And in the recent UK election, all three of the main parties included open source procurement in their manifestos.

So why the controversy in this case? Most likely it’s the perhaps inapt use of the term “open source” in the RFP (even though the intended meaning is clarified immediately afterwards). The term “open source” is a hot-button word that means many things to many people, but today it generally means having code licensed under a recognised open source licence, many of which are copyleft. Many vendors simply could not (or would never want to) licence their code under such a licence, and it would be uncommercial and somewhat capricious for a Government tender to rule out some (or even the majority of) candidates based on such criteria.

However, it is clear that the SSC did not use the term in that context, and does not intend to impose such a requirement. An appropriate source-available licence is as capable of meeting the requirements as an open source licence (see my post on source available vs open source). The requirement for disclosure of code to contractors and future modification can be simply dealt with on standard commercial IP licensing terms.

A level playing field for open and proprietary solutions is the essential starting point, with evaluation – which in most cases should include open standards and interoperability – proceeding from there.