In the Club

Internet technology influences our lives in unexpected ways, as Wendy Grossman finds out to her surprise.

Sometime around noon on October 8, 2011 I will no longer be a car owner. This is no small thing: like many Americans I started dreaming about my own car when I was 13 and got my license at 16. I have owned a car almost continuously since January 1975. What makes this a suitable topic for net.wars is that without the Internet it wouldn't have happened.

Since 1995, online retailing has progressively removed the need to drive to shops. By now, almost everything I buy is either within a few minutes' walk or online. I can no longer remember the last time I was in a physical supermarket in the UK.

The advent in 2005 of London's technology-reliant congestion charge (number plate recognition, Internet payment) meant a load of Londoners found it convenient to take advantage of the free parking in my area. I don't know what goes on in the heads of people who resent looking down their formerly empty street and seeing some strange cars parked for the day, but they promptly demanded controlled parking zones, even on my street, where daytime parking has never been an issue but the restaurants clog it up from 7pm to midnight. The CPZ made that worse. Result: escalating paranoia about taking the car anywhere in case I couldn't park when I got back.

But the biggest factor is a viable alternative. Car clubs and car-sharing were newspaper stories for some years until earlier this year, while walking a different route to the tube station, I spotted a parking space marked "CAR CLUB ONLY". It turns out that within a few minutes' walk of my house are five or six Streetcars (merging with Zipcar).

For £60 a year I can rent one of these by the hour, including maintenance, insurance, tax, emergency breakdown service, congestion charge and, most important, its parking space. At £5.25 an hour it will take nearly 100 hours a year to match the base cost of car ownership – insurance, road tax, test, parking, AA membership, before maintenance. (There is no depreciation on a 24-year-old car!)

The viability of car clubs depends on the existence of both the Internet and mobile phone networks. Sharing expensive resources, even cars, is nothing new, but they would have relied on personal connections. The Internet is enabling sharing among strangers: you book via their Web site or mobile phone up to a few minutes before you want the car, and if necessary extend it by sending an SMS.

And so it was that about a month and a half ago it occurred to me that one day soon I would begin presiding over my well-loved car's slow march to scrap metal. How much should you spend on maintaining a car you hardly ever drive? If I sold it now, some other Nissan Prairie-obsessive could love it to death. A month later it passed its MOT for the cost of a replacement light bulb and promptly went up on eBay.

In journalism, they say one is a story, three is a trend. I am the second person on my street to sell their car and join the club in the last two months. The Liberal Democrat council that created the car club spaces can smirk over this: though some residents have complained in the local paper about the loss of parking for the car-owning public, the upshot will be less congestion overall.

The Internet is not going to kill the car industry, but it is going to reshape the pattern of distribution of car ownership among the population. Until now it's been a binary matter: you owned a car or you didn't. Most likely, the car industry will come out about even or a little ahead: some people who would have bought cars won't, some who wouldn't have bought cars will join a club, the clubs themselves will buy cars. City-dwellers have long been a poor market for car sales – lifelong Manhattanites often never learn how to drive – and today's teens are as likely to derive their feelings of freedom and independence from their mobile phones as from a car. The people who should feel threatened are probably local taxi drivers.

Nonetheless, removing the need to own a car to have quick access to one will remove a lot of excess capacity (as airlines would call it). What just-in-time manufacturing has done for companies like Dell and Wal-Mart, just-in-time ownership can now do for consumers: why have streets full of cars just sitting around all day?

To make it work, of course, consumers will have to defy decades of careful marketing designed to make them self-identify with particular brands and models (the car club cars are not beautiful Nissan Prairies but silly silver lozenges). Also, the club must keep its promise to provide a favorable member:car ratio, and the council must continue to allocate parking spaces.

Still, it's all in how you think about it. Membership in Zipcar in one location gives you access to the cars in all the rest. So instead of owning one car, I now have cars all over the world. Is that cool or what?

Image: CC BY-NC-ND 2.0@Rakka

How much do you trust your GP?

The implications of the NHS Health Bill proposals may impact negatively on the use of personal data, Milena Popova writes.

As the NHS Bill moves to the House of Lords, cuts to frontline services are already beginning to bite. New concerns have emerged over how fit for purpose the new arrangements will be. The Bill proposes a major reorganisation of the NHS, abolishing Primary Care Trusts [PCTs] and putting the bulk of the NHS budget in the hands of GP Consortia which will be able to commission services from a variety of providers, including private companies. Of course, nothing stops enterprising GPs from forming private companies to provide said services, which leads to some interesting questions about conflicts of interest.


One such conflict that comes to mind is the news that a Yorkshire-based practice has been offering private treatment to some of their patients for procedures allegedly no longer covered on the NHS, using patient data acquired through their work for the NHS for direct marketing purposes for their private businesses.


There are many issues surrounding this case, especially over GP conduct. How accurate (or truthful) are the GPs' claims that these procedures are no longer covered on the NHS - is this a blanket decision or does it only cover particular PCTs? What are the exact regulations, either under the current set-up or under the new Bill, that apply to GPs offering private services to their patients? And most importantly from a digital rights point of view, in a case where a person performs one public function as part of the NHS and a private function in their own business, how should their access to patient data be regulated and limited in order to continue to ensure privacy and confidentiality? Questions about private providers’ potential access to the NHS Summary Care Record - the one part of the huge NHS IT project that has not been abandoned - should also be asked.


Data about our health is among the most private information we have. A breach of privacy in this area can be hugely damaging. It may impact negatively on our job prospects and lead to us being unable to obtain cover or treatment further down the line. Questions about the privacy of such information should be examined now, with any leaks and loopholes shut down before it’s too late.

Image: CC BY-NC-ND 2.0 (The Prime Minister's Office)

Trust Exercise

Asking what parts of our identity ought to be revealed and what institutions are most deserving.

This article is cross-posted from Wendy M. Grossman's regular column net.wars.

When do we need our identity to be authenticated? Who should provide the service? Whom do we trust? And, to make it sustainable, what is the business model?

These questions have been debated ever since the early 1990s, when the Internet and the technology needed to enable the widespread use of strong cryptography arrived more or less simultaneously. Answering them is a genuinely hard problem (or it wouldn't be taking so long).

A key principle that emerged from the crypto-dominated discussions of the mid-1990s is that authentication mechanisms should be role-based and limited by "need to know"; information would be selectively unlocked and in the user's control. The policeman stopping my car at night needs to check my blood alcohol level and the validity of my driver's license, car registration, and insurance – but does not need to know where I live unless I'm in violation of one of those rules. Cryptography, properly deployed, can be used to protect my information, authenticate the policeman, and then authenticate the violation result that unlocks more data.

Today's stored-value cards – London's Oyster travel card, or Starbucks' payment/wifi cards – when used anonymously do capture some of what the crypto folks had in mind. But the crypto folks also imagined that anonymous digital cash or identification systems could be supported by selling standalone products people installed. This turned out to be wholly wrong: many tried, all failed. Which leads to today, where banks, telcos, and technology companies  are all trying to figure out who can win the pool by becoming the gatekeeper – our proxy. We want convenience, security, and privacy, probably in that order; they want security and market acceptance, also probably in that order.

The assumption is we'll need that proxy because large institutions – banks, governments, companies – are still hung up on identity. So although the question should be whom do we – consumers and citizens – trust, the question that ultimately matters is whom do *they* trust? We know they don't trust *us*. So will it be mobile phones, those handy devices in everyone's pockets that are online all the time? Banks? Technology companies? Google has launched Google Wallet, and Facebook has grand aspirations for its single sign-on.

This was exactly the question Barclaycard's Tom Gregory asked at this week's Centre for the Study of Financial Innovation round-table discussion (PDF). It was, of course, a trick, but he got the answer he wanted: out of banks, technology companies, and mobile network operators, most people picked banks. Immediate flashback.

The government representatives who attended Privacy International's 1997 Scrambling for Safety meeting assumed that people trusted banks and that therefore they should be the Trusted Third Parties providing key escrow. Brilliant! It was instantly clear that the people who attended those meetings didn't trust their banks as much as all that.

One key issue is that, as Simon Deane-Johns writes in his blog posting about the same event, “identity” is not a single, static thing; it is dynamic and shifts constantly as we add to the collection of behaviors and data representing it.

As long as we equate “identity” with “a person's name” we're in the same kind of trouble the travel security agencies are when they try to predict who will become a terrorist on a particular flight. Like the browser fingerprint, we are more uniquely identifiable by the collection of our behaviors than we are by our names, as detectives who search for missing persons know. The target changes his name, his jobs, his home, and his wife – but if his obsession is chasing after trout he's still got a fishing license. Even if a link between a Starbucks card and its holder's real-world name is never formed, the more data the card's use enters into the system the more clearly recognizable as an individual he will be. The exact tag really doesn't matter in terms of understanding his established identity.

"... the solution has to involve the capability to generate a unique and momentary proof of identity by reference to a broad array of data generated by our own activity, on the fly, which is then useless and can be safely discarded”


What I like about Deane-Johns' idea is two things. First, it has potential as a way to make impersonation and identity fraud much harder. Second is that implicit in it is the possibility of two-way authentication, something we've clearly needed for years. Every large organization still behaves as though its identity is beyond question whereas we – consumers, citizens, employees – need to be thoroughly checked. Any identity infrastructure that is going to be robust in the future must be built on the understanding that with today's technology anyone and anything can be impersonated.

As an aside, it was remarkable how many people at this week's meeting were more concerned about having their Gmail accounts hacked than their bank accounts. My reasoning is that the stakes are higher: I'd rather lose my email reputation than my house.. Their reasoning is that the banking industry is more responsive to customer problems than technology companies. That truly represents a shift from 1997, when technology companies were smaller and more responsive.

More to come on these discussions...

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

Image: CC BY-NC 2.0@mermaid99

The Lives of Others

Manijeh Khan looks at what is happening to Data Retention rules in the EU

The Lives of Others is a poignant, Oscar-winning film by Florian Henckel von Donnersmarck, released in 2006, showing the extensive surveillance to which numerous East Germans were subjected at the hands of the Stasi. It is a chilling reminder of the terrible consequences of living in a police state. 

Ironically, in the same year, Europe passed a new law which has had a significant adverse impact on our right to privacy – namely the Data Retention Directive (the “Directive”). Despite such cautionary tales, the European Union has spent the last few years pushing ahead with implementation of the Directive.

Earlier this year, the EU Commission published an evaluation report on the Directive. The Commission conceded that the law required considerable fine-tuning, in terms of better harmonisation across the EU and the implementation of stronger safeguards to prevent misuse of data, but concluded that overall, data retention has proved to be a “valuable tool” in the fight against crime. That position has been strongly disputed by both European Data Rights (“EDRI”) and the European Data Protection Supervisor (“EDPS”).

Background to the Data Retention Directive

The Directive requires telephone and internet service providers (“telecoms providers”) to retain traffic, location and subscriber data from between six months and two years for the purpose of investigation, detection and prosecution of serious crime.

Data retention by telecoms providers existed well before the enactment of the Directive, except that it was voluntary and circumscribed by the E-Privacy law. Telecoms providers retained our mobile and internet traffic data for commercial reasons, such as billing, interconnection payments or marketing, but the information had to be deleted or made anonymous once it was no longer necessary as set out under the E-Privacy Directive (2002).

The limitations of this approach were that, since data retention was voluntary, there was no consistency in the manner in which information was retained. Web logs could have been kept anywhere from a few days to several months or not at all, depending on the particular policy of the ISP concerned. Moreover, the provisions of the E-privacy law meant that generally data could never be held for long durations. In a nutshell, under these circumstances, law enforcement authorities could not depend on the data being available for any substantial length of time or at all. 

In the wake of the London and Madrid bombings, stronger investigative measures were seen as essential to combat terrorism and the UK government led the charge for a system of mandatory data retention to be imposed on telecoms providers throughout the EU, with data being held on to for longer than the providers might otherwise have considered necessary for business purposes. The Data Retention Directive was implemented, despite fears that it would facilitate mass surveillance.


The disquiet surrounding the Data Retention Directive has continued and not been quelled by the EU Commission’s evaluation report.

EDRi (the European Digital Rights group of which the Open Rights Group is a member) issued a shadow report sharply critical of the Commission’s stance in the evaluation. EDRi condemned the EU Commission for failing to produce sufficient evidence demonstrating that data retention is necessary for the investigation of crime. In picking apart the statistics and arguments relied on by the Commission to support data retention, EDRI made the following observations:

  • The Commission relied exclusively on information provided by Member States and failed to conduct any independent research into the need for mandatory data retention.
  • The Commission failed to procure relevant and reliable data from Member States; for example, nine out of ten court judgements submitted by the Dutch Ministry of Justice to the Commission relate to crimes committed long before the Directive was implemented.
  • The Commission failed to seek any information from those Member States that had not implemented the Directive.
  • Data used to investigate the Madrid bombings was available in the absence of any data retention legislation.
  • An independent study commissioned by the German government found that in 2005, only 4% of requests could not be (fully) served for a lack of retained data (Max Planck Institute for Foreign and International Criminal Law). The German Federal Crime Agency (BKA) found that in 2010 only 0.01% of criminal investigation procedures were potentially affected by a lack of traffic data.
  • On the other hand, where traffic and location data was retained, a recent study, the Scientific Services of the German Parliament shows that: “[i]n most states crime clearance rates have not changed significantly between 2005 and 2010. Only in Latvia did the crime clearance rate rise significantly in 2007. This is related to a new Criminal Procedure Law though and is not reported to be connected to the transposition of the EU Data Retention Directive.”
  • The efficacy of data retention was also disputed on the basis that circumvention is possible through the following means: anonymisation tools (such as proxy servers or VPN), prepaid anonymous SIM cards, telecom providers that are not subject to the Directive and cyber cafes.

Peter Hustinx, the European Data Protection Supervisor (“EDPS”) has also criticised the Commission’s report for the lack of credible evidence supporting the need for data retention: “Interesting examples of its use have been provided, however, there are simply too many shortcomings in the information presented in the report to allow general conclusions on the necessity of the instrument [i.e. the Data Retention Directive].”

What’s the risk?

It is essential that we remain vigilant in protecting our data and ensuring that our privacy is breached only in extreme circumstances, where it is absolutely necessary.  The dangers have been highlighted by EDRI, who refer to a booklet entitled “There is No Secure Data” prepared by the German Working Group on Data Retention, which describes several alarming cases of misuse of data, as follows:

  • German telecommunications giant, Deutsche Telekom, illegally used telecommunications traffic and location data to spy on about 60 individuals including critical journalists, managers and union leaders in an attempt to track down leaks. The company used its own data pool, as well as that belonging to a domestic competitor and a foreign company, respectively.
  • In Poland, retained telecommunications traffic and subscriber data was used in 2005-2007 by two major intelligence agencies to illegally disclose journalistic sources without any judicial oversight.

There are other well-known examples of how data in the wrong hands can be abused and many of these, like The Lives of Others, have been important enough to be captured on celluloid.  The McCarthy trials and the Watergate affair have already been made into acclaimed films; the recent phone hacking scandal at the News of the World may be next.  We must learn from these cautionary tales.  As argued passionately at the end of Good Night and Good Luck, if “this instrument is good for nothing but to entertain, amuse and insulate… it is merely wires and lights in a box.”


The implementing legislation for the Data Retention Directive has been held to be unconstitutional in many states across Europe, including Austria, Belgium, Germany, Greece Romania and Sweden. However, out of these only Romania has ruled that blanket data retention per se is indefensible. Others have focused on issues such as use, access and the length of data retention. In Germany for example, 6 months was held to be the upper limit of what could be deemed an acceptable period of retention.

Merits of Data Retention

In the evaluation report, the EU Commission referred to several incidents in which traffic or location data had apparently proved valuable to an investigation: in Belgium location data was used to show complicity in a tiger kidnapping; in Hungary and Poland traffic data was used to investigate a fraud against elderly persons conducted over the telephone; in Germany it was used to identify the murderer of a police officer - when the assailant escaped in the victim’s car, which he then abandoned, he telephoned for alternative means of transport; Czech “Operation Vilma” into a network exchanging child abuse content would allegedly have been “impossible” without traffic data. 

The EDPS also appeared to accept that there may be some possible value in data retention in specific cases and under very strict conditions (para 80 of the Opinion). However, he urged the EU Commission to obtain further, more robust evidence and to examine all the options including repeal of the Directive or replacement by a more targeted law.


There is an alternative to mandatory data retention as a method of investigation, namely data preservation - also known as “Quick Freeze”. This is where once an individual suspect is identified their data is preserved as from the date of the court order. Recently, a species of data preservation, known as “Quick Freeze Plus”, has been developed. This model goes beyond Quick Freeze in that a judge may also grant access to any data voluntarily retained prior to the order and which has not yet been deleted by the operators. It may additionally include a limited obligation on telecom companies to retain data in respect of users who have a flat-rate subscription (where there is usually no need to store data for billing purposes).

In the EU, countries such as Germany, Austria, Belgium and Sweden are using data preservation and other targeted methods in investigating crime. It is the only method envisaged under the Cybercrime Convention.


Assuming that the EU listens to reason and carries out a more thorough evaluation of data retention, this should generate more sensible evidence which should in turn dictate which investigative tool we ultimately opt for. However, any solution will need to be applied consistently.  The Data Retention Directive for example only applies to telecom providers, to the exclusion of other internet companies such as search engines. At the moment, voluntary retention by such internet companies has been left largely unhindered.

Search engines and social media websites retain much more meaningful data (i.e. content data, as opposed to mere traffic, location or subscription data) and for relatively longer periods of time; in addition, they willingly comply with requests for information from law enforcement authorities, without any judicial oversight or legal guidelines. If we are worried about data retention we need consistent regulations and practices across the board – covering not only telcos, but other internet and data gathering companies.

By the same token, if the evidence strongly suggests that there is significant value in retaining data, we should adopt a coherent strategy. For example, we may wish to stay away from Quick Freeze Plus, which may be an unsatisfactory halfway house with a contradictory outcome, as on the one hand it concedes value in data retention, but on the other hand implies that such retention would be entirely voluntary, with the result that any records retained by telecoms providers might be entirely ad hoc and patchy. Under this option, if investigators needed to dig into past records, it would be something of a lottery whether the data was there or not.  If data retention really is essential (and that must be demonstrated by clear and cogent evidence), it should be made mandatory, but with strict limits on the period of retention, access and use in order to safeguard privacy.

The way forward

We will have to see how things shape up over the next few months. Currently, the Commission is in consultation with law enforcement authorities, the judiciary, industry and consumer groups, data protection bodies and civil society organisations to discuss the way forward. A proposal for a revised Directive is expected by the end of this year. The hope is for clear evidence that can stand up to scrutiny and a rational approach built on such evidence.  If we favour retention without justification, monitoring without limits and disclosure without cause, then we have failed to learn the lessons told to us by von Donnersmarck, Woodward, Bernstein, Clooney et al.

Manijeh Khan is a Commercial, IT & IP lawyer

Image: Photo by Michael Pujals CC BY-NC-SA 2.0

How the Government turned anti social media

Loz Kaye responds to David Cameron's potential idea of a social media block in 'emergencies'

We have all been shocked by the scenes of arson, looting and violence on the streets of our country over recent days. Living as I do in central Manchester, I have been touched by it too. The night of the riots here was a night of helicopters and sirens, from my flat I saw people chased by police vans through the local retail estate.

The awful events have left everyone searching for answers as to the causes of the disturbances and what we do next. Sadly, politicians back from their holidays have skipped the how, what, why - the facts part of the debate - and rushed straight to the blame game. In a depressingly familiar pattern, technology is being made a scapegoat. This time it is social media and services such as Blackberry Messenger that are in the frame.

The Prime Minister’s statement on the riots to a recalled House of Commons was short on real substance, but it did include the following:

“Free flow of information can be used for good. But it can also be used for ill. And when people are using social media for violence we need to stop them.... we are working with the Police, the intelligence services and industry to look at whether it would be right to stop people communicating via these websites and services when we know they are plotting violence, disorder and criminality."

This is a dangerous kneejerk reaction, which is unwarranted and has real potential to harm freedom of speech in the United Kingdom.

The wording of David Cameron’s speech is very careful, to try and make it impossible to raise objections. It seeks to focus on individuals and violence. To start with, this ignores that there are already powers to deal with the intention of this statement. This area is covered for example by the Regulation of Investigatory Powers Act 2000 (RIPA) and the Communications Act 2003. In practice, media lawyer Steve Kuncewicz has pointed out: “We have seen [communication] bans handed out as part of ASBOs previously, as well as bans from contacting other users in harassment cases...”. 

There is of course a very high profile case of an individual being prosecuted for supposed “menace” on a social network - Paul Chambers in the infamous “Twitter Joke Trial”.  Even those who thought the prosecution was justified must recognise the facts that there was no bomb, and crucially in light of the current debate, there was no panic or riot at Robin Hood airport. The waste of police time and money on this affair appears more ridiculous than ever. But it also shows how blameless individuals can be caught up in the scramble to appear tough on crime or terrorism, by cracking down on the internet.

If the PM’s office is at least aware of the existing powers, perhaps this is just another empty exercise in keeping the Tory backbenchers happy by appearing to do something that will in fact be ditched quietly when Mr Cameron is back from his second summer holiday. After all, the impossibility of what is being proposed is self evident to people with even a casual knowledge of technology or social media. All too often I can’t help thinking that that our policy is being made by leaders that seem to believe programmes like Spooks are real life. There is no immediate Facebook death ray that will take out individual plotters from the web at a time of crisis.

If this is more than an exercise in spin, surely the coalition is seeking to go further than current law already permits.

To go further is to ask for wider blanket powers of web and telecommunications blocking. To hide it in the language of stopping plotters is disingenuous. That the proposals have been understood as calling for the ability to take action such as “turning off Twitter” is evident by the reaction.

One striking example was Louise Mensch MP’s appearance on Sky TV. That she seems to think it is possible to target individual hashtags in some meaningful way was rightly greeted with people banging their heads on their desks throughout the land. But to just dismiss her views as ill informed would be a real mistake. She is on the Culture, Media and Sport Select Committee after all. She states it would be acceptable to turn twitter off for “half an hour or an hour”. We now have people we should trust to guard our democracy who think curtailing freedom of speech has the same status as “a brief road or rail closure”.

It is a mark of how far we have lurched towards authoritarianism that we even need to look at how nonsensical so much of the comment on this issue has been. If young people - and from the court reports - estate agents, teachers and parents, really think so little of their communities that they are prepared to smash and burn for a pair of shorts they will find a way with or without Blackberry Messenger. As Sam Biddle put it in Gizmodo: “window-smashing pedestrians didn't stumble upon Twitter and think, My God, we could use this to organize a bloody great riot!” 

Even if the government takes the view that freedom of speech needs to be suppressed in the name of national security, what is being proposed does not solve the problem of rioting and looting anyway. By the time enough evidence could have been amassed to warrant some kind of shut down, the damage would have been done. Incidents took place over the course of hours - not the half an hour or an hour that Mensch refers to. So surely that leaves us in a place where MPs of her view will be asking for blocks of several hours. Or days.

It is typical of this Government’s approach to set out an unfeasible course of action, then expect others to implement it - in this case “the police, the intelligence services and industry “. It turns the police into passive observers and reactors, rather active participants working in a proportionate manner with communities. It was this that restored calm to our streets - not squaddies, bullets, or water cannon - and certainly not censorship. We need to look at root causes, not blame channels of communication.

The simplistic demonisation of certain communication channels from various quarters has contributed to the pressure on the Government. The Deputy Assistant Commissioner of the Metropolitan Police, Steve Kavanagh blamed Twitter for fuelling the riots with “inflammatory” and “inaccurate” messages. At one point the Sun was frothing about the “twitter rioters”. All of this bears only the faintest relation to evidence. The Mail, in their utterly imitable style, even managed to link BBM to their obsession with real estate. In the quest to find “an electronic ‘master key’” to turn off “sinister” technology, they observed RIM co-chief executive Mike Lazaridis “was also unavailable for comment at his glass-walled mansion.”

Parliament has learnt nothing from “Hackgate”. In the wake of the News International scandal there was a widespread hope that the main parties had thrown off their fear of the tabloids and had gained new purpose and moral fibre. All too soon it has been business as usual, with politicians bounced into populist positions with no proper justification.

There is a wider context to these calls for communication curbs - the creeping censorship agenda that groups like the Pirate Party and ORG have been highlighting. Just a few weeks before these events, I warned that the judgement requiring BT to block Newzbin2 set the precedent for further restrictions. ORG’s Peter Bradwell said on the same case that "website blocking is pointless and dangerous.” Even with my pretty jaded view I did not think we would be proved right so soon. This has always been the core point of those of us defending digital rights. It is not about free stuff - it is about free speech.

We have seen some of the worst sides of human nature during and in the wake of these riots. Thankfully we have seen some of the best sides of Britain too. And a lot of that has been thanks to social media. The speed at which hundreds were mobilised by the #riotcleanup hashtag was impressive. Even while the police vans were racing past my flat, @RiotCleanUpManc was planning for the next day, which they couldn’t have done if they had been restricted.

As it happened, when it came down to it, most of the graft had already been done by dedicated public sector workers, but the symbolic value was vital as well. The image of brooms held up flashed through the web- a sign of peaceful, positive defiance. A true demonstration of the strength of a free internet.

These have been testing times for our liberal democracy. To share information is vital for active participation in our society. If we give in at the first push, our society is neither liberal, nor democratic.


Loz Kaye - Leader Pirate Party UK

Image: CC-AT-SA Flickr: worldeconomicforum

Web blocking rears its ugly head

Milena Popova assesses the impact from the Newzbin ruling

Reading the headlines Wednesday morning, you could be forgiven for thinking that one of the long hard battles the Open Rights Group has been fighting for the last couple of years - the one on the web blocking provisions in Sections 17 and 18 of the of the Digital Economy Act 2010 - had been won. "Government scraps plans to block illegal filesharing websites”, proclaimed the Guardian, with similar headlines on BBC News and other outlets. The reports referred to comments made by Business Secretary Vince Cable in the wider context of his response to the Hargreaves Review.

Once you look at the specific comments made by Mr Cable and the timing of this announcement, however, things seem a little less rosy. The sudden change of heart comes less than a week after the first web blocking injunction on copyright infringement grounds was granted in the UK by a High Court judge. The Newzbin2 case is a landmark ruling, asking BT to use Cleanfeed software (normally used to block child pornography websites) to block access to Newzbin2 a popular website which enables filesharing based on the Usenet platform.

What is really important in the Newzbin case is that the injunction is granted not based on the Digital Economy Act 2010 (the relevant web blocking sections of which will now most likely never be implemented), but based on Section 97A of the Copyright, Designs and Patents Act 1988. Section 97A, in turn, is the UK implementation of a European Union Directive on E-Commerce. The reach of Section 97A is substantial: it gives the High Court the power


to grant an injunction against a service provider, where that service provider has actual knowledge of another person using their service to infringe copyright.

The terms of reference here are extremely broad with few clarifications or restrictions. Pretty much the only qualification are the words “actual knowledge”. Reading the full ruling in the Newzbin2 case, it quickly becomes apparent that Mr Justice Arnold, by ruling in favour of the Motion Picture Association, has taken the broadest possible interpretation of Section 97A.

One wonders, at this point, why the MPA is bothering with Newzbin in particular - they are a private members-only service with very limited reach, using a fairly obscure technology. The material damage, if any, they are doing to the film industry is exremely limited, particularly compared to other filesharing services. There are some other good questions around the way the MPA have gone about this, eloquently raised by Alison Wheeler; notably, why the target here is BT rather than, say, Newzbin’s overseas ISP wherever the servers are hosted.

Here is one theory: Newzbin is an easy target for a test case. There was already a pre-existing ruling stating that Newzbin1 - a practically identical service - was guilty of copyright infringement. Because the new incarnation of the site is hosted outside the UK, no legal measures can be taken against the site directly. From there it is a small step to see how much you can get away with in terms of web blocking under existing legislation (as opposed to the not-yet-implemented Sections 17 and 18 of the Digital Economy Act which at that point were in the process of being reviewed by Ofcom). What the Newzbin2 case therefore has done is open the gates to web blocking.

Back to the Business Secretary’s comments from Wednesday, we can see that he references Ofcom’s guidance on the implementation of web blocking under the Digital Economy Act (executive summary: unworkable). Speaking to the BBC, however, Mr Cable also suggested that “test cases” had played a part in the government’s decision to drop the implementation of Sections 17 and 18 of the Digital Economy Act. That comment, combined with the timing of the announcement, strongly hints at the Newzbin2 case.

Comparing Sections 17 and 18 of the Digital Economy Act and Section 97A of the Copyright, Designs and Patents Act, what strikes me is how restrictive the former seem compared to the latter. They speak of proportionate responses and infringement activities that have a “serious adverse effect on businesses or consumers” and explicitly state that in determining whether to grant an injunction the court must consider the importance of freedom of expression. No such formal safeguards are to be found in Section 97A. Ironically, BT’s counsel used Section 17 of the Digital Economy Act in their defense in the Newzbin2 case.

The Digital Economy Act continues to be a poor piece of legislation, and to an extent the announcement that Sections 17 and 18 will not be implemented comes as a relief. However, given the context of the Newzbin ruling and the opening of the door to web blocking based on existing legislation which is much broader, I wonder if a year from now we will look back and wish we had Sections 17 and 18 instead.


Milena is an economics & politics graduate, an IT manager, and a campaigner for digital rights, electoral reform and women's rights. She tweets as @elmyra

Image: CC-AT Flickr: say_cheddar

On the horizon: a parody exception to copyright?

Jag Bahra on why allowing parodies of protected works is an important step towards a more balanced and sensible law of copyright.

This morning Business Secretary Vince Cable announced how the Government proposes to respond to the Hargreaves Review of Intellectual Property.  He announced support for all 10 recommendations in the Hargreaves Review, including for 'exceptions' such as the long overdue legalisation of format shifting and moves to make data-mining for scientific research legal. We may also at last be given an exception to copyright for works of parody.  Such an exception was recommended in both the Hargreaves (2011) and Gowers (2006) reviews. This article takes a look at the case for parody and some international examples of where such an exception is already in place. 

It is little wonder that parody is such a controversial copyright subject.  A parody mocks an existing film, song, book or other work – by borrowing its most distinctive and recognisable parts.  On the face of it this would be at odds with copyright law, which stops others from making any copy or adaptation of a protected work- or any substantial part of it. 

Under the current law we have a doctrine of ‘fair dealing’, which is limited to the purposes of criticism and review.  Any use must include sufficient acknowledgment of the original.  This is clearly not suitable for parodical works. 

Interestingly, in the early 20th Century the Courts were willing to allow some room for parodies.  For example see Glyn v Weston Films (1916) and Joy Music v Sunday Pictorial Papers (1920).  However in more recent cases the Courts have gone against this precedent, asserting the only issue to consider is whether a substantial amount of the original work has been copied. 

And herein lies the fundamental problem for parodists.  Any parody must necessarily appropriate and transform significant portions of the original work in order for it to make sense.  As the copying of any substantial part (i.e. anything that is not de minimis) of a work is an infringement of copyright, it is difficult to see how any parody will not automatically be infringing.  

The case for allowing parodies is strong.  Parody is often the most effective way to criticise.  There has been recent controversy surrounding a video produced by Greenpeace, which parodied Volkswagen’s popular ‘little Darth Vader’ advert.  Greenpeace’s video uses the same theme and imagery, but instead frames Volkswagen as the evil Galactic Empire, intent on destroying Earth with its VW-branded Death Star.  The motivation behind this is that Volkswagen is opposing a piece of European legislation imposing limits on CO2 emissions and that the company’s claims of ‘eco-friendliness’ are a dishonest front. 

In this case it is clear that the parody had been made purely for the purposes of legitimate criticism.  Of course, it aimed to bring Volkswagen’s activities into question in the minds of the public, but this is perfectly lawful - no actionable harm was caused.  No consumers would become confused and think that the video was actually produced by Volkswagen.  The market for the original advert was not harmed.  Greenpeace did not aim to gain financially from their video.  All of these factors point towards the inevitable conclusion that parody should be allowed to exist within the copyright framework.

Greenpeace’s video was removed from Youtube after a generic copyright complaint from Lucasfilm, but has since returned.  Thankfully the matter comes under US jurisdiction and is therefore protected under fair use, as Greenpeace asserted.  The Fair Use doctrine is enshrined in the US Copyright Act, and is further-reaching than our own fair dealing provisions.  It states that “the fair use of a copyrighted work…for purposes such as criticism, comment, news reporting, teaching… scholarship, or research, is not an infringement of copyright.”  When considering whether a use is ‘fair’ the Court must consider the following four statutory factors:

(1)    the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
(2)    the nature of the copyrighted work;
(3)    the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
(4)    the effect of the use upon the potential market for or value of the copyrighted work.

It is important to note the wording of this provision - this is a non-exhaustive list, and leaves a wide scope for potentially fair uses, including parody.  The open-ended nature of fair use requires a case-by-case approach, examined by the Courts, rather than a statutory, bright-line test.  This approach was exemplified in the now legendary case of Campbell v Acuff-Rose Music (1994), which concerned the notorious hip hop outfit 2 Live Crew and their explicit take on Roy Orbison’s soppy ballad “Pretty Woman”.  The Supreme Court ruled that parody constituted fair use, recognising that the taking of the central elements of the original work was not only permissible, but essential in works of parody.

Parody exceptions exist in a number of European jurisdictions, including France, Germany, Spain and Sweden – although each operates slightly differently.  French law allows exceptions for parody, pastiche and caricature, “taking into account the usage of the genre”.  In order to qualify, the parody must have been intended to be humorous in nature and there must be no risk of confusion with the original work.  A parody has even been held to defeat both the author’s right to make adaptations and the author’s moral right to integrity (the case concerned well-known cartoon characters depicted in obscene situations.  In Germany and Sweden parody exceptions have been carved out by the Courts rather than in statute, but exist nonetheless.

The Australian Copyright Amendment Act 2006 introduced a fair use exception for the purposes of parody and satire, along with format-shifting and time-shifting.  When determining whether the use is fair, the Courts must consider all the circumstances of the case including the nature of the work; the nature of the use; and any effect on the commercial market for the original work.

In 2008 the New Zealand Government launched a consultation into whether a parody exception should be introduced.  This was unfortunately shelved due to a general election but another review is scheduled for 2013 and it is thought that the issue will return then. 

There is, frankly, not much of an argument to be made against allowing a parody exception to copyright.  By allowing parodies to exist, copyright owners do not actually suffer.  It would be ridiculous to suggest that authors, musicians and filmmakers are somehow worse off in jurisdictions which allow parody, for fear that someone might decide to change the lyrics of one of their songs to fulfil a different purpose and upload it to Youtube.  

Parodies, essentially by definition, do not compete with the original work in the market but co-exist, often appealing to a different demographic.  There are countless examples of parody creating works of value – take for example Weird Al Yankovic, who has made a successful career for himself by parodying the works of others to great effect.  Parody may even sometimes add value to the original work. For example, rapper Chamilionaire actually attributes the success of his song “Ridin’ Dirty” to Yankovic’s parody “White and Nerdy”.  What parody does is mock or criticise constructively – the law should be facilitating these legitimate aims, not preventing them.  

Some may be concerned that allowing parody would be a dangerous move that opens the floodgates for bogus works that free-ride on original works of merit, purporting to be parodies, satires or caricature.  However it is important to remember that this will be a specific exception for parody, not a US-style, non-exhaustive doctrine of fair use.  Indeed, Professor Hargreaves concluded explicitly that a fair use doctrine should not be adopted in the UK.  Any exception would need to be carefully framed such that relevant factors are taken into account.

Some may claim that we simply “don’t need” a parody exception, as if it is really not that important.  This is a cynical and perhaps simplistic view.  As already discussed, parody is an effective method of criticism.  In the age of online activism and digital media campaigning it will become crucial.  Allowing corporations to silence criticism using intellectual property laws is simply not on.  The Greenpeace vs Volkswagen saga is just one example of parody being put to work in this way, and I suspect over the coming years many more examples will appear. 

Allowing parody of protected works will be an important step towards a more balanced and sensible law of copyright.  To sit back and do nothing now will be to deny artists, creators and activists alike a powerful tool of communication.  Nothing happened after the Gowers Review in 2006 - let’s not miss out on this opportunity again.

Jag Bahra is a law graduate, civil liberties & copyleft enthusiast.

Consumer Focus have produced a briefing on parody here.

Image: Weird Al Yankovic. Photo by watsonsinelgin CC BY-NC-SA 2.0

UK ruling makes internet browsing a copyright risk

UK ruling makes internet browsing a copyright risk, rendering innocent acts of millions illegal

Browsing is the digital equivalent of reading. When you consume the content of a book, you read it. When you consume content online, you browse it.

The wide ramifications of the ruling by the Court of Appeal two days ago on July 27th in the case NLA v Meltwater & PRCA is that the temporary digital copies a browser creates when opening a website will be a breach of copyright unless a license is granted by the rights holder. The ruling does address a lot of other copyright related issues specifically to the dispute between NLA and Meltwater & PRCA as well, but for the broader audience this aspect of the ruling is the most interesting to fully understand.


Why does this have wide ramifications?

The significance of this ruling is that if you live in UK, every time you click on an internet link you must have a license for every page you open. This is the case for every link you follow on the internet, any link people send to you by email, or any link you find on Twitter or Facebook.

This ruling is strikingly different from general practice that consider temporary digital copies from browsing as transient copies facilitating the transmission of a work and therefore part of the explicit exception in the Copyright law.


How do you know if you have the license from the right holder to open their page?

In many cases it is impossible to know ahead of time simply because you don't know where a link will lead you and what page will be opened in your browser. Once you have opened the page, digital copies are created by your browser, one in the temporary internal computer memory and one on your screen, and by this point you are twice in breach of copyright according to the CoA ruling unless you have been granted a license to make copies of this page.

Many web sites do have a link to terms and conditions at the bottom of their page. Examples from the Guardian and the Telegraph, both NLA owners. Both are tedious and long, but in general they grant you a "personal non-commercial use" licence.


The problem with terms and conditions of web pages

There are several fundamental problems with terms and conditions like those of the Guardian and the Telegraph. Firstly, you don't see them before you open the page and by this time the browser has already made a copy of the page.

Secondly, such terms are likely to change at any point in time without you being notified. Since you don't see the terms before opening a page and the burden of finding and reading the t&c's for every page you open is too big of a burden to put on a user, can the rightholder really hold you to these terms in the first place? If you haven't been presented with them and you haven't accepted them, are the terms binding at all?

Thirdly, the common terminology of a "personal non-commercial use" is very vague and poorly suited to give sufficient guidance to a user what one can or cannot do.


Why the ruling creates millions of UK copyright offenders

The consequence of the CoA ruling is that if you at work or in a work context open a web page with a "personal and non-commercial use only" license, you are in breach of copyright.

Should you be a journalist researching a story you are about to write, you are in breach of copyright. If you are you an employee reading up on the latest news in your industry in the business section of an online newspaper like the Telegraph, you are in breach of copyright.

In the UK there are millions of employees every day that browse the internet to read news and other content online inadvertently becoming copyright offenders.


Why the UK is not served by this ruling

The UK society cannot be served by a copyright law that so fundamentally clashes with how millions of its citizens are using the internet every day. The ability to browse the internet without fear of infringing copyright is a fundamental internet principle.

This principle has been one of the cornerstones for the successful development of the internet and all its associated business models. As job creation and economic prosperity is becoming increasingly created by digital services and ecosystems, it would be devastating for UK and stifling for UK companies if such a fundamental principle is questioned.


Why Meltwater fights this cause

Meltwater is a Norwegian privately held software company offering online news and social media analytics to more than 20,000 clients globally. In late 2009, Meltwater brought a new licensing scheme aggressively pushed by the National Licensing Association, the NLA, to the Copyright Tribunal to rule on its reasonableness.

Meltwater has agreed to take a license with NLA for its own practice, but questioned the reasonableness of NLA to request an additional license from each of our clients, collecting copyright fees for every article Meltwater's service is pointing them to. Such licenses would apply to the clients of all players in our industry, and across UK thousands of companies would have to pay additional copyright fees if NLA got it their way.

Surprisingly, Meltwater was the only one to challenge NLA. The easiest for us would have been to roll over and pass the NLA fees on to our clients like all our competitors did, but we took this fight because we think what NLA is trying to do is WRONG.

PRCA intervened in support of Meltwater and together we are doing everything we can to avoid that the clients of Meltwater will have to pay copyright licenses for articles that they themselves can read freely on the internet or, if license fees do have to be paid, to keep the cost to a reasonable level.


Last word is not said

This issue continues in two parallel tracks:

The wider principle CoA ruling classifying millions of Brits as copyright offenders will be appealed to the Supreme Court. It is an open question if they will look at it, but Meltwater will do everything it can to make it happen.

The specifics of the NLA license are scheduled to come up in the Copyright Tribunal in September later this year. Meltwater is confident that the Copyright Tribunal will rule the NLA licensing scheme over-reaching and unreasonable.


Final reflection

It is my personal opinion that the CoA ruling is a parenthesis in the history of UK copyright law. Regardless of whether the Supreme Court is accepting our appeal or not, it is inconceivable that the CoA ruling will withstand the scrutiny of time. We will at some point shake our heads in disbelief by the thoughts of its absurdity and the strange and slightly entertaining copyright rulings of the early days of the internet.

Professor Lionel Bently, Herchel Smith Professor of Intellectual Property, Cambridge University, comments on the ruling as follows:

"...hereafter web-users surf the internet at their peril"

"...there is something fundamentally wrong with a legal regime which renders the innocent acts of many millions of citizens illegal."


For more analysis of the case we recommend: Professor Bently's full commentary; "Bently slams very disappointing ruling in Meltwater and "Clippings ruling could derail much online publishing, says expert" by Outlaw.



Jorn Lyseggen is the founder and CEO of Meltwater Group. He is a Norwegian serial entrepreneur and Meltwater is his 4th start-up. He has two prior industrial exits and one IPO. He currently lives in Palo Alto, California. Follow him on twitter: @jorn_lyseggen

Image: Jorn Lyseggen ©

"This will be a day long remembered”

Emily Goodhand looks at the recent judgement in the 'Stormtrooper Helmet' copyright case

In what has quickly become known as the case of the Stormtrooper helmet, the Supreme Court finally handed down its judgment in the Lucasfilm Limited v Ainsworth case yesterday. Cue numerous creative Star Wars headlines. The Supreme Court was asked to investigate two significant issues: firstly, whether the helmet could be classed as a sculpture for the purposes of the Copyright, Designs and Patents Act, and secondly whether claims of copyright infringement occurring outside of the European Union against persons living in England could be heard in an English court.  

The Force is strong with this one

Crucially, the Supreme Court held that the helmet was NOT a sculpture and therefore was not a work which was subject to section 4 of the CDPA. The judges instead found the helmet to be a mixture of costume and prop, given that they were functional items “in the process of production of the film” (SC ruling). Yes, the helmet was more unique and imaginative than, say, an army helmet from World War I, but essentially it still fulfilled a utilitarian purpose and was not therefore considered to be a sculpture.

This is very significant: if the helmet had qualified as a sculpture (and therefore an artistic work), Mr Ainsworth would have infringed Lucasfilm’s copyright, and furthermore, the ruling could technically have applied to many other costume props in other films and theatre as well. At a time when rights clearance is already a murky and complex area, this would be the last thing that anyone would want.  Finally, this particular judgment teased out one of the lesser known defences under the CDPA: the section 51 defence which states

“It is not an infringement of any copyright in a design document...for anything other than an artistic work or a typeface to make an article to the design or to copy an article made to the design” (CDPA s.51)

If the helmet had been classed as a sculpture (read: artistic work), it would have infringed copyright in the drawing. However, because the helmet was not classed as a sculpture, Mr Ainsworth could invoke this defence under UK copyright law.

The Imperial Senate will no longer be of any concern to us

The other issue that was before the Supreme Court was one of justiciability. The Court upheld this part of the appeal based on developments in European law. As a result of this decision, cases involving foreign copyright (i.e. outside of the European Union) can be brought in English courts, as long as the claims of infringement are against persons resident in England. Could this open the floodgates to much more copyright litigation in the UK? The jury, as it were, is out on this one; some think it will, others reserve judgement.

It will be interesting to see the ripple effect of this aspect of the judgment, particularly with regards to the online environment which has rarely sat well with copyright law. If someone is successfully sued for copyright infringement in this way, it remains to be seen what sort of damages the claimant will be entitled to (for example, will they be high as in US cases, or lower as in EU cases). It also calls into question the recent extradition order for TVShack’s Richard O’Dwyer; if the case for copyright infringement can now be heard in the UK, surely he is now entitled to a trial here? In any case, copyright is not going anywhere for the foreseeable future, and it is highly likely that we will see quite a few more infringement cases make their way to the UK courts.


Emily Goodhand (@copyrightgirl) is Copyright & Compliance Officer at the University of Reading.

Image: Photo by myrrh ahn CC BY-NC-SA 2.0

Hoaxes aside, real risks to blogging in Syria

Jillian C. York on the 'Amina' hoax and why anonymity online is still essential in Syria

In the wake of "Amina" hoax, in which the popular blog of a Syrian woman turned out to be a fictional work by an American man named Tom MacMaster, it has been all too easy to gloss over the real tragedies on the ground in Syria.

For years, the Syrian regime has censored the internet pervasively, with heavy focus on political content, as well as social media. In 2010, the relatively unfettered mobile networks became subject to filtering as well, what had been an alternative means of access to an uncensored internet.

Circumvention tools have long been used within the country, and are often made accessible by cybercafe owners. But most tools lack protection against technological surveillance, and Tor - which provides anonymity as well as circumvention - has been blocked on some Syrian ISPs in recent months.

In February of this year, Syria unblocked Facebook, Blogspot and YouTube for the first time since 2007, but as we've previously reported, that decision was less about placating citizens and more about making it easier for the regime to spy on and conduct attacks against them.

And while 'Amina' was fake, Syria has arrested or jailed scores of real bloggers and social media users over the years, including Tal Al-Mallouhi, thought to be one of the world's youngest prisoners of conscience. More recently, Amjad Baiazy, a Syrian activist who worked with Doctors without Borders and other organizations and who is active on social media, including Twitter, was detained upon trying to leave Syria for his home in the UK.

While hoaxes such as that perpetuated by MacMaster should encourage us to investigate sources, they should not cause us to ignore the myriad Syrian bloggers who are taking real risks to inform the world of the situation on the ground. Nor should the concerns around the use of anonymous sources in stories about "Amina" stop us from safeguarding the right to anonymity for users who need it most.


Jillian C. York is EFF Director of International Freedom of Expression, she tweets as JillianCYork

This article originally appeared here and is licensed under CC BY 3.0

Image: CC-AT Flickr: syriana2011

Featured Article

Schmidt Happens

Wendy M. Grossman responds to "loopy" statements made by Google Executive Chairman Eric Schmidt in regards to censorship and encryption.

ORGZine: the Digital Rights magazine written for and by Open Rights Group supporters and engaged experts expressing their personal views

People who have written us are: campaigners, inventors, legal professionals , artists, writers, curators and publishers, technology experts, volunteers, think tanks, MPs, journalists and ORG supporters.

ORG Events