28 August 2008

Good news for YouTube?

CyberPanda has been silent for a few days after taking some much needed holiday!!! But it is back on form and catching up with the various legal developments in cyberspace since last week. And boy are there many!! Cyberspace never stops surprising, evolving and posing new, interesting and controversial questions and this is shown by the flurry of cases that have popped up since last week.

One case that has caught the attention of CyberPanda is the decision by the federal court in California in the case of IO Group Inc v Veoh Networks. The lawsuit was filed by the Plaintiffs on the ground that the Defendant, a online video sharing website, was infringing its copyright as videos of IO Group were being uploaded on the website of the Defendant without the authorisation of the rights owner.

The judge ruled that the Defendant was not infringing the copyright of the Plaintiffs and that the former was protected by the safe harbour provisions contained in the Digital Millennium Copyright Act. The judge also took into account the 'active steps' taken by the Defendant to reduce infringing acts and its 'diligent' work to keep unauthorised works off its website when reaching its decision.

This case is of particular interest as it is very much reminiscent of the ongoing lawsuit between Viacom and YouTube. Although this case can not serve as a precedent in the latter case which will be heard in a federal district court in New York, it may still have some impact on the ensuing ruling in the lawsuit between Viacom and YouTube. It is also important not to over-inflate the impact of this ruling which was very much decided on the precise facts of the case. Viacom`s lawyers will no doubt run an argument along the lines that the Google/Viacom case can be factually distinguished from the IO Group case and as such the courts should not consider the ruling in that case when deciding their case. It will be interesting to see whether this argument will work in court and the impact of this ruling in the Viacom/Google case.

21 August 2008

The dancing baby and Prince

The courts in the US today have delivered the ruling in the case of Lenz v. Universal. The facts of the case are quite simple. The Plaintiff posted a home movie of a toddler dancing in a kitchen to a song by Prince entitled 'Let`s Go Crazy' on YouTube with the aim of sharing the video with her friends and relatives. Universal Music Corporation ('Universal'), the owner of the copyright in the song, sent a DMCA takedown notice to the user in question. The user contended that the use amounted to fair use and sued Universal on the grounds of misrepresentation under s. 512 the Digital Millenium Copyright Act ('DMCA') and tortious interference with her contract with YouTube.

Universal`s defence was that it had no obligation to consider whether or not the use by the use amounted to 'fair use' before sending the notice.

The main question which the Courts had to answer was whether 17 U.S.C. § 512(c)(3)(A)(v) required a copyright owner to consider the fair use doctrine in formulating a good faith belief that 'use of the material in the manner complained of, is not authorized by the copyright owner, its agent, or the law.'

The courts rejected the defence of Universal and ruled that copyright owners need to determine whether or not the use in question is fair use, before sending a take down notice. This is because the DMCA requires copyright owners to act in 'good faith belief that the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.' Hence to do this, the owner must evaluate whether the material makes fair use of the copyright.

This ruling is one that is grounded in logic and correct application of the legal principles as otherwise copyright owners can send takedown notices even in cases where the use in question does not infringe their copyright.

20 August 2008

EBay`s great expectations.

EBay will be launching its new business strategy today which encourages fixed-price selling as opposed to its traditional aunction business model. It will introduce a lot of incentives to promote fixed-price selling including new fee structure, greater financial protection for buyers.

The aim of this new strategy is to attempt to turn EBay into a global shopping mall rather than its current status of global car boot sale. This new strategy has been launched in answer to the growing criticisms of its buyers and sellers in the wake of various lawsuits brought against EBay by various companies as LVMH. It is also an attempt to give EBay an added edge which will enable it to compete with the business models of its online competitors as Amazon and Tesco.

It remains to see whether this new business strategy will truly benefit the individual buyer or whether the current concerns that the corporate sellers will scoop most of the benefits will materialise themselves. These new changes also mean that EBay will be more fully protected against lawsuits by corporate giants but the question of how the sale of counterfeit products will be addressed remains to be seen.
Disclaimer: The image used is subject to copyright. Click here to view the image in its original context.

19 August 2008

Test case on illegal game sharing online.

A test case concerning illegal game sharing online was heard this week in the London Patents County Court. Topware Interactive, the creators of 'Dream Pinball' lodged an action against a user of the game (Ms Barwinska) who shared a copy of the 'Dream Pinball 3D' online.

In the landmark ruling, the Patents Court found in favour of the Plaintiff and the Defendants was ordered to pay in excess of £16,000 in damages. The Court clearly wanted to make a substantial award of damages to deter future acts of illegal sharing. This decision will in most likelihood make users think twice about illegal sharing of games online. It has been reported that a number of users are awaiting trial on a similar issue.

Despite its obvious benefits, the ruling has also opened the floodgates in this area and one has to wonder how individuals can be expected to pay this sum of money. Surely, the host of the platforms used to share the files have a degree of liablity as they enable such acitivities to take place and hence they should share a portion of the blame. The other issue is that some users (e.g. minors) may not be aware of the nature of the activity in question (ie. that it is illegal). In such cases, it seems very harsh indeed to award substantial damages as such a sanction does not meet the requirements of fairness, transparency and proportionality. I think this case casts a strong invitation for educating particular groups of users (e.g. minors) so that they are fully aware of the nature of activity and the penalty if such activities take place. It is only then that such large awards against vulnerable groups will meet the requirements of fairness, transparency and proportionality.
Disclaimer: This image is subject to copyright. Click here to view the image in its original context.

18 August 2008

A case of obvious breach and much more.

The new website Mygazines.com has caught the attention of CyberPanda. The website enables users to upload and copy various current magazines including The Economist and Men`s Health.
The web site is reported to have approximately 16,000 users who are all clearly in breach of copyright laws,

The position of the website is that the copies available on the site is similar to copies of magazines available in the waiting room of a doctor or at a hair salon. However this argument is clearly hogwash as the nature of the use in a doctor`s room and the nature of the use online is completely different. There is no infringing copying involved in the former.

The right owners are currently considering their options. The main problem is one of enforcement as the domain name of the website is registered in Anguilla. Hence US may potentially not have jurisdiction over the matter. This case presents interesting issues including copyright, jurisdiction and enforcement of judgment and it will be interesting to see how this evolves.

This image is subject to copyright. Click here to access original image.

14 August 2008

The sting in the Electronic Communications Data Retention Regulations 2008

The draft version of the Electronic Communications Data Retention (EC Directive) Regulations 2008 ('ECDRR') has been published by the Government this week. The proposed date of its enforcement is the 15th March 2009.

Under the ECDRR, calls, texts, emails and internet records may be kept by specified bodies (all bodies covered by the Regulation
of Investigatory Powers Act (RIPA) for period of 12 months. In addition, an ISP or a telecom company can also be served with a written notice by the Secretary of State to vary the period of storage to a different period between 6 and 24 months.

It is important to be clear about the nature of data that will kept: information concerning the time of call, the instigating number, the email addresses or URLs will be kept. However no information relating to the content of those communications will be kept. However one has to query the process by which such information will be extracted and the extent the extraction will infringe the privacy of the user. For instance, the email address of a user can reveal a lot about the identity of that user given that most of us use our surnames when creating our email addresses. Likewise, information which might seem innocent at first as the time/duration of call can also reveal much more about the user than the latter would like.

The proposed regulations need to be approved by both the House of Lords and Commons before coming into force. The Home Office anticipates that the cost of compliance may be in the region of £50 million over the course of eight years.
CyberPanda is sceptical about any legislative tool which aims at storing information which may seem on the surface to be harmless (as URLs or email addresses) but which in reality raises deeper privacy and security issues. It remains to be seen how much of the draft rules will be amended whilst awaiting assent.
Disclaimer: This image is subject to copyright. Click here to access original image.

Wikipedia`s sigh of relief.

The Superior Court of New Jersey has dimissed the case brought by a literary agent, Barbara Bauer against Wikimedia Foundation, the operator of Wikipedia.

Barbara Bauer brought the case against Wikimedia claiming that the latter was liable for statements posted by users on Wikipedia. Some of the statements included she was the 'dumbest of the twenty worst' agents and that she had "no documented sales at all."

The Defendants argued that operators of 'interactive computer services' such as Wikipedia cannot be held liable for comments of its users under Section 230 of the Communications Decency Act. The latter provision does not give platforms immunity but rather requires litigants to complain against the user rather than the platform.

This is a sound legal decision which protects free speech online and also protects platforms against litigation. However, a balance needs to be achieved between the need to foster online interactive communications and protection of the third parties. Simple technological measures as moderating comments, before they are posted online, may help achieve this balance.
Disclaimer: This image is subject to copyright. Click here to access original image.

Fire Eagle has its eye on you.

Yahoo! has just launched a new service called Fire Eagle which basically is a feature that assists in the management of location information. Yahoo! markets this service as being a feature which enables the net user to take his/her location to web and for each web site to become 'geo-aware' and 'respond to where users are.'

According to the BBC a substantial number of third-party developers (current figure is in excess of 50) have actually signed up to offer this feature to its users. Yahoo! has not applied this feature yet to its applications but might do so depending on its popularity in coming months.
This new feature gives rise to a number of privacy , security and ethical issues as the true impact of the feature has not so far been made clear to the end-user. In effect, the feature enables the generation, collection and storage of location data relating to the end-user.

Yahoo! has defended the new feature and has argued that the user has total control on the type of data stored. The feature will also request reauthorisation from the end-user for sharing of the data every 45 days. However this does not solve the problem of data Yahoo! shares with its partner companies. In relation to the latter, the user can opt-in the sharing scheme but the fact of the matter is that users are currently not sufficiently educated about the impact of opting-in where Fire Eagle is being used. In addition, the 45 day period is quite unsatisfactory as the data of users are shared during this period without the latter being aware of this happening.

CyberPanda thinks that the privacy, security and ethical issues raised by this new feature should have been properly considered and addressed before its launch. The current situation is quite worrying as the end-user might sign up to this service, in the belief that it is the next big thing, without being adequately aware of what they are signing up for.

11 August 2008

Worms, Trojans and Malwares: A Bad Case of Indigestion

Sophos has recently reported that Facebook is under attack by a new malware which targets the all famous Facebook 'Wall.' The post by the hacker (who impersonates a friend of a friend) on the 'Wall' invites Facebook users to click on a link. This leads the user to a webpage which appears to be hosted by Google. In reality, the user is directed to a downloaded trojan.

The head of security at Facebook, Max Kelly, has re-assured users that the company is currently working on a fix for this worm. He goes, as far as saying that the company has 'identified and blocked the ability to link to the malicious websites from anywhere on Facebook.' However, he does not explain how this has been achieved.

Without further explanation, it is difficult to understand how the malware will be effectively blocked. In particular, given that the malware can navigate Facebook in the same way as the user can, detection is very much a tricky business, even for security experts. Currently, Facebook does a number of things to protect its users. Most of its measures are reactive (educating users by posting security notices) and part of the solution could be a more pro-active stance.

Jennifer Legio has made a number of sensible suggestions on how users can be educated to prevent such situations from arising. Some of her suggestions include using instances of compromise of the network as an opportunity to educate users effectively and developing “Secure Social Network Consortium” to increase user awareness.

Increasing user awareness is no doubt a good move but it will not completely answer the issue of hacking on social networks. The response to this should be an organic one: educational, technological and also, perhaps more importantly, regulatory (identification of the hackers, sanctions against the hackers). Effective sanctions include withdrawal of access to internet, withdrawal of access to social networking sites and a strike system (e.g. one strike you are included on a list available to similar websites, two strikes you are out). It will be interesting to see whether the response in this case will be solely technological or a more organic one.

6 August 2008

The outing of the US i-Patriot Act

The media has reported that Lawrence Lessig has outed the i-Patriot Act (an act equivalent to the Patriot Act and which applies to online activities) at a conference yesterday.

Professor Lessig was reporting his conversation with Richard Clark during which the latter revealed that the i-Patriot Act already exists and the Government is waiting for an i 9/11 event (which he latter explained as not meaning a terrorist attack but rather a susbtantial event which would require the government to take definitive and strong action) to deploy it.

The act would change the manner in which cyberspace is regulated in the US and would, in all likelihood, impose tighter controls on online activities. I wonder whether this was an accident outing or a deliberate one. If it was a deliberate one, then one has to wonder whether how imminent the i-9/11 event is.

Link to image

Six degrees of separation between you and the advertisers.

The EU Commissioner, Viviane Reding, as asked the UK Government to clarify whether the use of the Phorm system is in breach of EU data protection laws in May 2008. the Government has to respond by August 2008.

Phorm is a digital technology company which has launched Open Internet Exchange ('OIX') and Webwise, which enable targeted advertising, based on the browsing habits of the users. Phorm has been in talks with some of the biggest ISPs in the UK; namely BT, Virgin Media; and TalkTalk, to this end. The attraction for ISPs and advertisers is clear as the closer the match the better. Advertisers are able to reach their target audience and the platform gets more revenue as the chances of the advertisements being clicked on by the end-user is far greater.

A quick read through the website of Phorm seems to suggest that this is a perfectly harmless activity which will improve the web experience of the user drastically. One has to wonder when an advertisement has improved the experience of its audience. Most of the time, online advertisements (just like their offline counterparts) are unwelcome at worst and informative at its best. But one struggles to see how they can stretch to improve the experience per se. The inflation of the experience as well as the constant use of the phrase 'protection of users` privacy' on the Phorm website, is a clear design by the company to hide the true nature of the surveillance taking place here.

Basically, Phorm will have equipment at ISPs which track the activities of the end user. Thus, it will note down the URL visited, search terms used and other relevant information. The IP address of the user is not captured, but a cookie with a unique number is installed on the browser of the end user.

The data collected is categorised and used to create the profile of the user. Hence, when the user visits a webpage whose adverts emanate from OIX, s/he is directed to adverts targeted to his/her profile.

BT is apparently considering starting a trial of the service in the near future. There have also been rumours of 'secret trials' having been conducted without the consent/knowledge of the end user.The Information Commission ruled in May that no action would be taken against BT as it was difficult to explain to users what was being done. However, it also ruled that any future use should only go ahead, with the consent of the users. The flaw in this ruling is quite apparent: surely the inherent difficult in explaining to the end-user what is being done, is still present: so it is very hard to understand how the nature of the difficulty has evolved so that now an explanation is more feasible.

The dangers inherent in this initiative (breach of privacy, breach of data protection etc) are very much apparent and it is very hard to see how the Government will be able to persuasively rationalise them. In addition, it is also very difficult to see the Commission approving of such a scheme. However, in the meantime, this does not put a stop to the launch of the Phorm initiative by the ISPs in the UK, which of course means that the end-user will be incredibly vulnerable until the Commission reaches a decision. A far better option, would have been to ask the ISPs not to launch this initiative until the Commission`s findings.
Disclaimer: This image is subject to copyright. Click here to access original image.

5 August 2008

Stretching the Computer, Fraud and Abuse Act to its limits.

A recent development has taken place in the case of United States of America v Lori Drew.

The factual matrix of the case has been widely publicised by the media around the world. In 2006, the Defendant allegedly created an account on the social networking site ,MySpace, under a male alias. She communicated with a 13 year old girl through that account on a regular basis. At some point during those communications, the Defendant, said hurtful things to the young girl. Shortly, after those communications, the young girl killed herself.

The Defendant in this case has been charged with infringement of the Computer Fraud and Abuse Act ('CFAA').The Prosection alleges that the use of a fictitious name, registration information and hurtful speech by the Defendant was in breach of the terms of service of MySpace. In particular, the Defendant has failed to provide truthful and accurate registration information, has used the information obtained from MySpace to 'harass, abuse, or harm other people', has solicited 'personal information' under 18s users, has promoted information that she knew was false or misleading, and has posted photographs of other people without their consent.

The case built by the Prosection has been heavily criticised by the EFF, in the United States, who has filed an amicus brief on Friday, arguing that the criminal charge for violation of the terms of service is a 'dramatic misapplication' of the CFAA with 'far-ranging consequences for American computer users.'

The aim of the CFAA is to sanction what are commonly known as computer hackers and it is, indeed, a stretch of legal interpretation as well as logic, to apply this act to the present case which concerns terms of use. It is, of course, undeniable that, if the Courts find that the Defendant`s actions have directly or indirectly led to the death of the young girl, then these actions need to receive an adequate penal sanction. However, stretching the current law so as to impose a criminal sanction under the CFAA for breach of the terms of use is not the right answer.