IT Law in Ireland

Eircom hacking shows flaws in Irish computer crime law

2009-07-08T09:49:00.003+01:00

Today's Irish Times has a report of an apparent denial of service attack against Eircom:

MANY OF Eircom’s 500,000 internet subscribers have been left offline or experienced delays in web browsing at times this week because of a suspected attack by hackers.

Some customers who tried to connect to popular sites such as RTÉ, Facebook or Bebo were redirected to incorrect websites, often displaying images of advertising or scantily clad women.

The company blamed the problems on “an unusual and irregular volume of internet traffic” directed at its website, which affected the systems and servers that provide access to the internet for its customers.

Internet discussion groups speculated that the problems were caused by a hacker accessing Eircom’s domain name server (DNS) system through a denial-of-service attack.

This involves a target site being saturated with messages and requests to the point it can no longer function properly.

I've said it before but it's worth repeating: Irish law does not adequately deal with computer crime at the moment (with denial of service attacks being one of many areas left without adequate sanctions) and legislation to implement the Cybercrime Convention and the Framework Decision on Attacks Against Information Systems is now long overdue.

Here's an excerpt from a chapter I wrote in Reich (ed.), Cybercrime and Security discussing the uncertain Irish law on denial of service attacks:

Whether or not such an attack would amount to an offence under Irish law will vary depending on the precise structure of the attack.

For example, suppose that A sets out to harm B by sending several million emails to B’s server. The effect is not only to use up B’s bandwidth but also to use his disk capacity. In this case, it might be possible to charge A with criminal damage under section 2 of the Criminal Damage Act 1991, on the basis that A has damaged B’s data within the meaning of section 1 by adding to it without lawful excuse.

This result is supported by the English decision in DPP v. Lennon. In that case the defendant was a 16 year old who took umbrage at the circumstances of his dismissal and sent five million emails to his former employer with the expressed intention of “causing a bit of a mess up”. He was charged with unauthorised modification to a computer system with intent to impair the operation of the computer, contrary to section 3(1) of the Computer Misuse Act 1990 (the equivalent provision to section 2 of the Criminal Damage Act 1991). His defence was that the company had implicitly consented to receiving emails and as such he had not made unauthorised modifications. Although the trial judge accepted this argument, on appeal the Divisional Court held that any implied consent did not extend to emails sent for the purpose of disrupting the system. Per Jack J.:
“I agree, and it is not in dispute, that the owner of a computer which is able to receive emails is ordinarily to be taken as consenting to the sending of emails to the computer. His consent is to be implied from his conduct in relation to the computer. Some analogy can be drawn with consent by a householder to members of the public to walk up the path to his door when they have a legitimate reason for doing so, and also with the use of a private letter box. But that implied consent given by a computer owner is not without limit. The point can be illustrated by the same analogies. The householder does not consent to a burglar coming up his path. Nor does he consent to having his letter box choked with rubbish. That second example seems to me to be very much to the point here. I do not think that it is necessary for the decision in this case to try to define the limits of the consent which a computer owner impliedly gives to the sending of emails. It is enough to say that it plainly does not cover emails which are not sent for the purpose of communication with the owner, but are sent for the purpose of interrupting the proper operation and use of his system.”
However, if the facts of a denial of service attack are varied slightly then criminal damage may no longer be an appropriate charge. Suppose for example that C sets out to hinder access to D’s publicly available website, and does so by programming several computers to repeatedly download large pages from the site. The result is to use up D’s bandwidth and ensure that other users cannot get through to the site, though the server itself continues to function. What crime, if any, has been committed?

In this case C would not have damaged D’s data (assuming that C downloaded data only and did not make any modifications to the data on the server). It might be argued that C has committed criminal damage to the server itself given the extended definition of “damage” under section 1, which includes situations where a person “whether temporarily or otherwise, render[s] inoperable or unfit for use or prevent[s] or impair[s] the operation of” property.

Such a charge would, however, prevent some difficulties. It might be successful if the effect of a denial of service attack was to cause the server to crash – that temporary inoperability would certainly seem to constitute damage within the meaning of section 1. In the hypothetical above, however, C has not rendered the server inoperable but merely inaccessible – which would seem to fall outside the scope of the criminal damage offence.

On the other hand, using the reasoning in DPP v. Lennon it might be possible to characterise the attack as unauthorised access contrary to section 5 of the Criminal Damage Act 1991. The argument could be made that while public websites carry with them an implied permission to access the site, this permission does not (to use the words of Jack J.) cover visits which are “the purpose of interrupting the proper operation and use of [the] system”, so that such a visit would constitute operation of the server with intent to access data without lawful excuse.

Search engines and safe harbours

2009-07-03T10:49:00.003+01:00

Danny O'Brien has a strong piece in today's Irish Times arguing that Irish and European law is holding back development of online businesses by imposing excessive liabilities on search engines. Here's an excerpt:

In the US, the law specifically carves out a protection against liability for "information location tools" - search engines, in other words.

It is the same sort of "safe harbour" that protects web hosting services from being sued over their customers' content and internet service providers and mobile phone companies from being penalised for making temporary caches of websites to cut down connection costs and speed up connections.

No such protection exists in Europe for search engines. However the very fact that these US search engine companies are so large and, moreover, have large subsidiaries in Europe and beyond, gives them a little more protection from midnight raids than start-ups like SurfTheChannel.

It also provides them with something of an economic advantage over any upstart European search engine.

When Bing, the new Microsoft search engine, was launched, only a few noted that its "video search" effectively embedded copyrighted content on to Microsoft's own website (try typing The Office into its video search and see what happens).

If that had been a European search engine launched by a plucky new start-up, you can bet that its lawyers would have warned them off such a feature.

This effectively means that one of the biggest selling points of Microsoft's Google competitor is out of bounds for any European contender...

Perhaps the best solution would be for individual countries in the EU to make themselves more business friendly.

The e-commerce directive already allows individual nations to carve out wider exceptions than those listed.

Countries like Spain, Portugal and Austria have all included some protection to search engines, as well as anyone providing a weblink to another website.

Perhaps Ireland could create its own "safe harbour" in national law for new internet start-ups.

That way, we could draw investment from other countries who want the benefit of being able to find what we need on the internet but are scared to alienate the vested interests who would rather choke it. (emphasis added)

I'm in agreement with Danny and would go one step further - rather than limit a new immunity to search engines, we should extend it to other online intermediaries such as content aggregators. This 2006 report from the UK Department of Trade and Industry is a good starting point for understanding how content aggregators and others are deterred by possible liability.

The Music Industry v. ISPs - Round 2 - UPC and BT vow to fight

2009-07-02T13:34:00.006+01:00

Adrian Weckler has the press releases:

UPC

The company is now preparing its defence and intends to vigorously defend its position in Court...

UPC has made its position clear from the outset -- it will not agree to a request that goes beyond what is currently provided under existing legislation. There is no basis under Irish law requiring ISPs to control, access or block the internet content its users download. In addition, the rights holders' proposal gives rise to serious concerns for data privacy and consumer contract law.

Irish and European law maintains a careful balance between the rights and obligations of copyright owners, internet users and ISPs. The three strikes policy that was agreed in private with eircom as part of the settlement, and any attempt to impose in upon the industry generally, seriously undermines that balance.

It is unfortunate that the rightsholders did not take up UPC's suggestion that it convene a stakeholder forum in which their concerns could be addressed. UPC indicated that it would be willing to participate in such a forum provided all relevant parties that have a vested interest in this matter were included (eg ISPs, the Data Protection Commission, the National Consumer Agency and relevant Departments of the Government). (Emphasis added)

BT are more laconic:

BT Ireland believes there is no legal basis for such a claim and the proceedings will accordingly be strongly defended.

Quote of the day

2009-06-30T09:25:00.001+01:00

Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four.

- Bruce Schneier

Bord Gais Laptop Loss

2009-06-25T22:09:00.002+01:00

I wrote an opinion piece for the Sunday Business Post on the recent Bord Gais laptop loss - using it as a jumping off point to argue for a data breach notification law in Ireland. Here's an excerpt:

It hasn’t been a good week for personal information. Last Tuesday, the HSE admitted that it had lost an unencrypted laptop containing sensitive information, including particular social work case notes on nine families.

Remarkably, the HSE had not reported this loss to the Data Protection Commissioner, who learned of the incident from media reports. The HSE incident was eclipsed the following day when Bord Gáis revealed that it had lost an unencrypted laptop with account details - including bank and credit card information - on 75,000 customers, exposing them to the risk of identity theft.

Unfortunately, these are not isolated incidents. In the last year alone, multiple cases have come to light: notably Bank of Ireland, which lost personal data on more than 30,000 life assurance customers; the Office of the Comptroller and Auditor General, which lost information on 380,000 social welfare recipients; and Airtricity which posted the financial details of 1,200 customers on its website for six weeks.

Why have Irish organisations been so slipshod with the information we have entrusted to them? One problem is that the bodies that hold the data suffer little direct damage if the data is lost - it is the individual, not the company, who suffers the harm. Consequently, there is little financial incentive for them to take adequate measures to protect our data.

This is compounded by a lack of transparency. Under Irish law, there is no express obligation for a company that has lost customer data to notify anyone - neither the customer nor the Data Protection Commissioner.

The result is that organisations try to cover up data breaches to save face. Consequently, if your details are leaked, it is entirely possible that the first you will know of it is when you discover that your fraudulent alter ego has enjoyed a spending spree on your credit card or run up huge debts in your name. By then, it’s too late.

More from the Digital Rights Ireland perspective here. What Irish bloggers have been saying about the Bord Gais scandal here.

The Music Industry v. ISPs - Round 2

2009-06-18T20:51:00.012+01:00

After their inconclusive action against Eircom, this time the music industry is suing UPC and BT. Proceedings were issued on Tuesday according to the (stupidly not hot-linkable) search facility on courts.ie. Expect the cat to be put among the pigeons shortly.

I believe that litigation demanding that ISPs monitor what their users do and/or disconnect users based on three unproven allegations is unjustified - for the reasons why, see the Digital Rights Ireland site in relation to user monitoring and three strikes.

Digital Britain and the Internet Watch Foundation

2009-06-18T14:22:00.005+01:00

The long awaited Digital Britain Report (pdf) has stirred up a great deal of comment - particularly in relation to filesharing - though little of it complimentary. (E.g. Andes Guadamuz | Chris Marsden | Lilian Edwards | The Register.)

But one aspect of the report which has received less attention (with the notable exception of the Register) is its discussion of the Internet Watch Foundation (pp. 202-203). This is relatively short so it's worth posting in full:

Criminal Material on the Internet

64. The Internet Watch Foundation, based in Cambridge and with just 15 employees, is tasked with minimising the availability of criminal content – specifically, child sexual abuse content hosted anywhere in the world and criminally obscene and incitement to racial hatred content hosted in the UK. It works with law enforcement agencies worldwide and operates a "notice and take down" procedure in relation to content on UK sites and a list of international child abuse sites that ISPs can block at the network level. The vast majority of UK networks use this list and discussions are under way to ensure that relevant consumer networks are comprehensively covered.

65. As a result of the partnership approach adopted by the IWF, less than 1% of child sexual abuse content, known to the IWF, has been hosted in the UK since 2003, down from 18% in 1997. The IWF’s work remains invaluable to every part of the value chain in the UK’s Internet industry. And, in a world of universal availability, increasing take-up and enhanced services on the network the work of the IWF will become more and more important.

66. IWF’s current income includes a contribution from the EU Safer Internet Action Plan with the bulk being derived from voluntary membership subscriptions. Its current income equates to some £1m per annum. This voluntary structure means that there is no certainty that the level of funding received now from the EU or from its membership will continue at this level in the future. In the current economic climate a voluntary funding base carries with it increased uncertainty over funding. Whereas having secure funding would allow the IWF to consider expanding its internal skill base, especially with regard to hiring additional technical expertise and raising greater awareness amongst Internet users about their role and remit. The IWF model of self-regulation is a success and is admired internationally, but if the regulation of criminal content is not adequately funded by industry, Government would need to consider statutory intervention. We therefore call on the IWF membership to propose a more secure funding model for the future.

67. The IWF has also been a model for international hotlines for reporting child abuse material, especially across the EU. Some operators already use its list of illegal sites internationally. Since most child abuse material originates outside the EU, there is a case for its operations to cover at least the whole of the EU. We will therefore explore with the IWF and the European Commission the scope for a pan-European model with commensurate funding.

What to make of this discussion? First, it's noticeably uncritical. For example, the claim that the "IWF model ... is a success and is admired internationally" simply ignores the criticisms that have been voiced of the IWF model by observers such as Lilian Edwards, Frank Fisher, Richard Clayton (pdf) and others.

In part, this flows from a second problem with the report - it doesn't differentiate between the role of the IWF in dealing with illegal material hosted in the UK (which is generally regarded as successful) with its role in providing a blacklist against which ISPs can/must filter (a much more controversial and ineffective endeavour). By conflating the two it attempts to use the success of the hosting remit to justify expansion of the very different filtering remit.

Third, the report - by referring to exploring "a pan-European model" - appears to be unaware of the fact that there are already proposals at an EU level for internet filtering. In fact, far from exporting the IWF model to Europe those proposals - by requiring the involvement of "judicial or police authorities" and "adequate safeguards ... to ensure that the blocking is limited to what is necessary, that users are informed of the reason for the blocking and that content providers are informed of the possibility of challenging it" - would if adopted require the IWF model to be entirely rebuilt.

Overall, therefore, the report's analysis of the IWF is quite flawed - undermining the recommendations it makes in respect of funding. It will be interesting to see how IWF members respond.

Incidentally, it's also been a busy week elsewhere in Europe in relation to internet filtering as proposed German legislation to require blocking of child pornography appears to be agreed between the main parties.

A must see - Tony Bunyan comes to Dublin

2009-06-15T12:56:00.004+01:00

Tony Bunyan is one of the stalwarts of the civil liberties movement in the UK and Europe. As a journalist, writer and founder of Statewatch he's been at the very forefront of monitoring what governments and the European Union have been doing in our name (but without our knowledge). The Irish Council for Civil Liberties is bringing him to Dublin next Saturday (20th June) to talk about his new report, "The Shape of Things to Come" - and I can't recommend this event highly enough to anyone interested in law, technology and civil liberties. It will be held in The Blue Room, Law Society of Ireland, Blackhall Place, Dublin 7 (map) at 3.30pm. The talk is free but spaces are limited so if you'd like to go, contact Joanne Garvey (Tel: 01-7994504 or E-mail: info@iccl.ie) to ensure a place.

Update: The Irish Times has a report from the talk.

Computers, Freedom & Privacy 2009

2009-06-02T14:26:00.005+01:00

I'm lucky enough to be at Computers Freedom & Privacy 2009, which has just started in George Washington University with a opening talk from Susan Crawford. She's been appointed as Special Assistant to the President for Science, Technology, and Innovation Policy, and her talk (and the hosting of CFP in Washington this year) reflects a buzz of excitement here about the new administration and the possibility for change in technology and privacy policy.

Video of most of the conference proceedings is being streamed live online. There's also a twitter feed at #cfp09 and an event blog.

Mulvaney v. Betfair - High Court holds that hosting defence is available to chatroom operators

2009-05-26T17:38:00.010+01:00

Can a chatroom operator rely on the hosting defence under the E-Commerce Directive? In the first Irish case to consider the scope of the Directive and the Irish implementing Regulations the High Court has held that the answer is yes - an answer which may have significant implications for Irish sites hosting other types of user generated content.

The case - Mulvaney v. The Sporting Exchange (trading as Betfair) - involved plaintiffs who claimed to have been defamed by material posted on a Betfair chatroom by Betfair clients. The plaintiffs brought proceedings against the posters themselves and also against Betfair as the operator of the chatroom, claiming that Betfair was therefore liable as a publisher of the defamatory statements.

Betfair sought to rely on the hosting defence in Article 14 of the E-Commerce Directive as implemented by Regulation 18 of the implementing Regulations. Two issues therefore arose: whether Betfair could rely on this defence notwithstanding the gambling exclusion in the Directive / Regulations, and whether in relation to the chatroom Betfair could be said to be a host.

As regards the gambling issue, the court took the view that whether or not Betfair's main function (as a betting exchange) was covered by the exclusion, the chatroom was not directly connected with that activity and as such it could be treated as a distinct activity for the purposes of the Directive.

The court then considered whether Betfair could be considered to be a host in respect of the chatroom, or more precisely whether it was an "intermediary service provider who provides a relevant service consisting of the storage of information provided by a recipient of the service". Here the court relied on Bunt v. Tilley to hold that Betfair was an "intermediary service provider" and, in a remarkably short ruling, held that it fell within the hosting defence:

5.10 Betfair submitted that, in the present case, it is the third parties who provided the information in question, i.e. the allegedly defamatory comments, and that Betfair stored this information on its servers that hosted the Chatroom. Betfair submitted that this service was provided at a distance by electronic means and at the individual request of the recipient of the service. It is submitted by Betfair that it, therefore, acted as "hosts" of that information for the purposes of Regulation 18 of the 2003 Regulations.

5.11 At Recital 20, the E-Commerce Directive states that:-
“The definition of 'recipient of a service' covers all types of usage of information society services, both by persons who provide information to open networks such as the Internet and by persons who seek information on the Internet for private of professional reasons.”

5.12 It seems to me that this provision clearly covers such use of the services provided by the defendant as was made by the third parties in these proceedings. Furthermore, at Recital 18 of the E-Commerce Directive, it is provided, inter alia, that:-
"Information society services span a wide range of economic activities which take place on-line; these activities can, in particular, consists of selling goods on-line; activities such as the delivery of goods as such or the provision of service off-line are not covered; information society services are not solely restricted to services giving rise to on-line contracting but also, in so far as they represent an economic activity , extend to services which are not remunerated by those who receive them, such as those offering on-line information or commercial communications, or those providing tools allowing for search, access and retrieval of data; information society services also include services consisting of the transmission of information via a communication network, in providing access to a communication network or in hosting information provided by a recipient of the service."
5.13 There is no case law dealing directly with the question of whether Regulation 18 covers the provision of Chatroom facilities. However the E-Commerce Directive appears to apply to chatrooms if they are hosting information provided by a recipient of the service and available to other users of the service. In addition, the corresponding Article to Regulation 18 (i.e. Article 14), has been recognised in the Report from the Commission to the European Parliament on the application of the E-Commerce Directive, where at page 12 , it states:-
"In particular, the limitation on liability for hosting in Article 14 covered different scenarios in which third party content is stored apart from the hosting of websites, for example, also bulletin boards or 'chatrooms'."
5.14 As the service provided by Betfair, through its Chatroom, clearly falls within the meaning of "relevant service" as defined by the 2003 Regulations, it follows that Betfair, in providing this service, is a "relevant service provider" and so an "intermediary service provider" within the meaning of the 2003 Regulations. Betfair is, therefore, entitled to the benefits of Regulations 15 and 18 of the 2003 Regulations.

6. Conclusions

6.1 ... For the reasons which I have just sought to analyse, I am also satisfied that the provision of a chatroom service comes within the definition of an intermediary service provider contained in the 2003 Regulations, and that the provision of that service to its subscribers by Betfair constitutes the provision of a relevant service consisting of the storage of information provided by a recipient of the service within the meaning of the same Regulations.

6.2 If follows that Betfair are, in principle, entitled to the protection of the E-Commerce Directive in these proceedings. In order to be able, successfully, to defend the proceedings on that basis it is, of course, also necessary that Betfair be able to establish, as a matter of fact, in each individual case, that the conditions concerning knowledge and expeditious action set out in subparas (a) and (b) of Article 14 of the E-Commerce Directive are met. Whether that can be established on the facts of this case is a matter which did not arise on this preliminary hearing and will fall to be determined at the trial.

This conclusion - that chatroom operators are hosts as regards user comments - appears to me to be correct, but the underlying reasoning is rather scanty. (I should say that this is not a criticism of the judge, who can only decide on the arguments raised by the parties.)

There's no discussion, for example, of the fact that the chatroom was subject to terms of use and was (apparently) moderated by Betfair - a surprising oversight, considering that it might have been the basis for an argument that the posters were acting under the control of Betfair which, if successful, would have ruled out the hosting defence. (See e.g. the analysis of Lilian Edwards in respect of eBay's "control" over its users.)

Equally, there's no reference to the related argument that the hosting defence is intended to cover purely technical (and essentially passive) storage of information, and is lost when a provider exercises a greater degree of control over the information which users provide. Goldstone and Gill, for example, suggest that:

The recitals to the Directive are narrow in scope and state, for example, that the activities to which the exemptions apply are 'limited to the technical process of operating and giving access to a communication network' and are of a 'mere technical, automatic and passive nature'. The recitals do not suggest that the Directive intended the hosting defence also to apply to storage of information by Web site operators such as UGC Web sites.

Whether correct or not, it is remarkable that this argument doesn't appear to have been made in this case.

Finally, there's no reference to the cases in other jurisdictions which have challenged the scope of the Article 14 hosting immunity. (Lilian Edwards has some examples here and more recently here.)

Consequently, although this decision will give some comfort to Irish chatroom operators, it shouldn't be given too much weight and is unlikely to be the last word on the scope of the hosting defence in Ireland. We may have to wait for a more fully reasoned judgment (or guidance from the ECJ) before we can definitively say what rules apply to Irish sites which host user generated content.

For more on this decision see A&L Goodbody | Olswang | Sunday Business Post.

Transparency in overseeing state surveillance: How not to do it

2009-05-15T13:54:00.013+01:00

Under Irish law a designated High Court judge (currently Mr. Justice Iarfhlaith O'Neill) is assigned to oversee the operation of telephone tapping and data retention. Unfortunately, the annual reports of the designated judges are not exactly models of transparency. Here's the most recent example - all three paragraphs of it:

I'll be writing more about Irish law in this area shortly: stay tuned. (Or should I say "keep listening"?)

Edited to add: The Sunday Times has now picked up on this issue.

UCD Launches MSc In Digital Investigation

2009-05-05T22:35:00.003+01:00

Shameless plug ahead - I'm happy to say that I will be teaching next year on a new course offered by the UCD School of Computer Science and Informatics, the MSc in Digital Investigation. This is essentially a civilian counterpart to the successful MSc in Forensic Computing and Cybercrime which is restricted to police officers. Full details on the course site, but here's a brief outline:

This programme is aimed at information security professionals who need to acquire skills for investigation of computer-related incidents. It introduces the concepts, principles, and professional practice in digital investigation. The programme is delivered in cooperation with the leading Irish experts in the field.

Programme Structure

This is a two-year part-time course. The first three semesters of the course, are made up of six examinable modules, which cover all areas of investigative expertise from legislation and forensic analysis techniques to presentation of investigation results in the court of law:

* Computer Forensics Foundations
* Law for IT Investigators
* Application Forensics
* Investigative Techniques
* Corporate Investigations
* Information Security

The fourth semester of the course comprises an individual research project on a real-world topic in digital investigation.

IWF Annual Report: Wikipedia blocking and more

2009-05-01T11:34:00.011+01:00

The Internet Watch Foundation has just issued its 2008 Annual Report (PDF) where it offers this defence of its role in the Wikipedia blocking saga, along with an indication that it will review its procedures in light of this case:

Wikipedia on the IWF list

In December our hotline received a report regarding an indecent image of a pre-pubescent girl on a Wikipedia page. The image was assessed according to current UK legislation, in accordance with the UK Sentencing Guidelines Council thresholds (see page 8, Figure 5) and was considered to be potentially illegal.

Our procedures require us to pass details of every URL considered to be in breach of UK legislation to law enforcement and hotline associates around the world for further investigation, in accordance with the laws in the hosting country. If the URL is hosted outside the UK, it is also added to our URL list which is provided to companies in the online sector that have voluntarily committed to blocking access to these URLs to help protect their customers from inadvertent exposure to indecent images of children online.

These procedures and policies are approved by our Board of Trustees and Funding Council, and our hotline systems, security and processes, including the handling of the URL list, are periodically audited by external independent inspectors, including forensic, academic and law enforcement professionals identified by our Board.

In this particular case there was an unforeseen technical side-effect of blocking access to the Wikipedia page in question. Due to the way some ISPs block, users accessing Wikipedia from these ISPs appeared to be using the same IP address. This undermined the way Wikipedia controls vandalism therefore anonymous UK Wikipedia users were blocked from editing.

Following representations from Wikipedia the IWF invoked its Appeals Procedure. This entails a review of the original decision with law enforcement officers. They confirmed the original assessment and this information was conveyed to Wikipedia. Due to the public interest in this matter our Board closely monitored the situation and, once the appeals process was complete, they convened to consider the contextual issues involved in this specific case. IWF’s overriding objective is to minimise the availability of indecent images of children on the internet, however, on this occasion our efforts had the opposite effect so the Board decided that the webpage should be removed from the URL list.

As a learning organisation we are committed to improving our services so issues raised by this incident will be addressed, in collaboration with our industry partners, in the year ahead. (p.9)

My take? The Wikipedia debacle created a number of fundamental challenges for the IWF in relation to its reputation, procedures and legitimacy, as well as undermining the technical claims for the efficacy of internet filtering. This IWF response offers the possibility that they will address these issues - but it remains to be seen whether the outcome will be (possibly modified) business as usual or whether there will be a fundamental rethink of the IWF's role in internet filtering.

Incidentally, the annual report is also interesting in that it signals a move towards tackling child pornography by targeting a new type of intermediaries - by seeking to have domain name registries delist domain names involved in the sale of child pornography. This follows a trend I've noted before - towards domain name registrars / registries becoming the new points of control for regulators.

Realm Communications backs down from RegTel challenge

2009-04-26T21:50:00.002+01:00

Remember the High Court challenge brought by Realm Communications (of Irish Psychics Live fame) against industry self-regulatory body RegTel? (Full details in this earlier post, but in short Realm were found to have been overcharging customers in breach of the Regtel Code of Practice and were banned from sending premium texts for twelve months.) In an apparent victory for RegTel, Realm has now agreed to abandon that action, to revise its services and to pay refunds in respect of customer complaints - though it seems that the twelve month ban has been waived. (Irish Times | Statement from Regtel)

The significance of this result? Although the result has no precedential value, it should strengthen the hand of Regtel in taking action against persistent breaches by removing a lingering threat about the scope of its authority. Perhaps more importantly from their perspective, it may also support the argument that premium rate services should be controlled by self-regulation via Regtel rather than (as the Minister has previously proposed) by statutory regulation giving new powers to ComReg.

Thoughts on the new Surveillance Bill

2009-04-19T18:54:00.006+01:00

I've a piece in today's Sunday Business Post on the Department of Justice's new Surveillance Bill. For some reason it's not online, so here's the full text:

Operation Observation Comes to Ireland

This week the Department of Justice published a Surveillance Bill which, if enacted, will allow Gardaí to break into private property to place covert video cameras and audio bugs, to plant tracking devices on cars and to use evidence gathered in this way in criminal prosecutions. The Bill – which was already on the legislative programme but was rushed forward after the murders in Limerick of Shane Geoghegan and Roy Collins – is intended to place existing Garda practices on a statutory basis in line with Ireland’s obligations under the European Convention on Human Rights.

Currently, due to the lack of statutory controls, material gathered in this way –such as transcripts of conversations – can be used for intelligence purposes but would not be admissible in criminal trials. The Bill aims to remedy this by providing that Gardaí will generally have to obtain permission from a District Court judge before this type of surveillance can be carried out (except for tracking devices and urgent cases, where internal permission will suffice) and that a designated judge of the High Court will keep the overall operation of the system under review. In addition, these methods can only be used in respect of crimes carrying a possible sentence of at least five years imprisonment and where the surveillance is, in all the circumstances, proportionate.

The Bill promises to regularise the law in this area and to that extent must be welcomed. It is unfortunate, however, that it took a number of high profile and tragic killings before this was given priority. As far back as 1996 the Law Reform Commission in a consultation paper identified a need for reform and in a 1998 report it recommended that there should be a legal basis for Garda surveillance of this type. Successive Ministers for Justice have, however, largely ignored this recommendation, most notably in 2006 when the Privacy Bill introduced by then Minister for Justice Michael McDowell targeted surveillance by the media – but entirely excluded Garda surveillance from its scope. In light of over a decade of government inactivity, the Bill is long overdue.

The timing of the Bill aside, its provisions generally represent a substantial step forward. It has clearly been influenced by the constitutional guarantee of the inviolability of the dwelling and the safeguards which it provides are more robust than those recommended in 1998 by the Law Reform Commission. It introduces for the first time in Irish law the principle that judicial approval should be required before surveillance is carried out. Unlike other forms of surveillance such as data retention – which currently can be used in respect of even the most minor crimes – the Bill is limited to genuinely serious offences and also introduces a requirement that the surveillance must be proportionate having regard to the impact on the rights of innocent third parties.

There are of course some aspects of the Bill which could be improved. For example, the procedure to deal with cases of exceptional urgency is too lax. Under the Bill as it stands those cases would bypass the judicial process entirely, so that surveillance could take place for up to 3 days without any authorisation. There must be a question mark as to whether this provision would be constitutional if it was used to break into and bug a dwelling. Instead, it would be preferable to deal with cases of urgency by permitting Gardaí to commence surveillance without a judicial authorisation but then requiring that an application be made to the District Court for retrospective approval and/or permission to continue the surveillance. There must also be a question mark over the proposal to allow the use of tracking devices on vehicles – for up to four months – without any judicial approval.

Also, while the Bill is generally good as far as it goes, there is a strong argument to be made that it doesn’t go nearly far enough.

Despite its broad title – the Criminal Justice (Surveillance) Bill 2009 – it seems to be intended to deal with one narrow form of surveillance: covert surveillance by devices which are physically planted in certain locations. Many other forms of surveillance – such as the use of long lenses to observe locations from a distance and live monitoring of internet activity – will still be entirely unregulated. As a result there will continue to be doubt as to whether Gardaí have the power to use these types of surveillance and as to whether the resulting evidence can be used in criminal prosecutions. It is likely that there will be criminal cases in the future which fail as a result.

Meanwhile, although there is some legislation regulating other forms of surveillance such as the interception of communications, data retention and Garda use of CCTV, that legislation has developed on an ad hoc and reactive basis with few consistent principles applying to its use or oversight. Much of it is also out of date, most notably the 1993 interception of communications legislation. That law was designed with voice telephony and faxes in mind but due to technological changes no longer adequately protects email and other internet communications. For example, the law does not cover interception of internet telephone calls using services such as Skype, nor does it protect users of webmail services such as Gmail or Hotmail. In addition, Irish law currently protects messages only as they are “being transmitted”, making it likely that the stored contents of a person’s inbox would not be protected.

This ad hoc legislative framework also suffers from weak oversight mechanisms. Although the legislation provides for a designated judge to oversee interception, data retention and now covert surveillance, the annual reports of that judge have consisted of no more than a single page stating that the operation of the law has been kept under review and its provisions are being complied with. Compared with the UK system, for example, Irish law has little public accountability in relation to matters such as the volume of surveillance being carried out; whether individual files are reviewed to ensure correct procedures were followed; or whether mistakes were made such as the targeting of the wrong individual or number and what steps were taken to safeguard against such mistakes in future.

Considered as a whole, therefore, the wider Irish law is inadequate. Given that many of these issues were flagged by the Law Reform Commission in 1998, it is hard to see any justification for the failure to address them to date. Although this Bill does provide for some improvements, it is at best a piecemeal response which will not address similar problems with other forms of surveillance. It is clear that the time has come for comprehensive reform of the overall law relating to surveillance. This Bill is a good first step towards that reform. But it is only a first step, and it would be regrettable if the government were to continue to ignore this area until forced to act by another highly visible crime.

TJ McIntyre is a solicitor, Lecturer in Law in UCD and Chairman of Digital Rights Ireland

Edited to add: It's now available here.

Perspectives on internet filtering

2009-04-15T19:59:00.004+01:00

In light of recent EU moves towards internet filtering now might be a good time to point to a paper by Colin Scott and myself where we argue that filtering risks jeopardising values we associate with freedom of expression - in particular legitimacy, transparency and accountability. It's available on SSRN here. If you find that paper interesting you might also enjoy the collection of essays from which it was taken - Brownsword and Yeung (eds.), Regulating Technologies.

European Commission position on anonymisers

2009-04-12T16:54:00.003+01:00

European law requires data retention - tracking details of every email you send. But data retention is easily circumvented by using anonymous email services. So will European law eventually prohibit anonymous email as well?

Jens Holm MEP recently put down a question on this issue. Here's the text of his question and the Commission's rather lukewarm response - while anonymisers might not be under threat at European level at the moment, the answer suggests that this might change in the not too distant future:

Anonymity services

The need for reliable systems for giving information anonymously has been highlighted in connection with trials concerning serious criminal cases and financial crime. Large sums can be lost if ordinary members of the public do not dare to contact journalists or the police. The development of electronic anonymity services has come a long way in Sweden. They are used by both private individuals and companies, on both the Internet and intranets, for both private and commercial use.

1. Does the Commission intend to submit a proposal to prohibit such services within certain fields?

2. Does the Commission consider that individual Member States have the right to prohibit such services?

3. Does the Commission consider that the right to electronic anonymity is or should be guaranteed at EU level?

Answer given by Mr Barrot on behalf of the Commission (3.4.2009)

1. The Commission is studying the impact of anonymity services on the ability of law enforcement bodies to provide security to the citizens in the EU. The Commission is currently not planning to submit a proposal prohibiting the use of such services.

2. It is the Member States' responsibility to safeguard their internal security. If the use of these services demonstrably limits their ability to do so, they may consider regulating the use of these services, while respecting the European Convention on Human Rights and other principles and guarantees regarding civil liberties in Europe and their obligations under the Treaties. Any such measures must be duly justified and must be proportionate and limited to what is necessary in a democratic society. Furthermore, given the relevance of whistle blowing systems for law enforcement against certain types of crime, the need to maintain the possibility of conferring information anonymously to the relevant organisations should be taken into account when considering regulation of anonymous communications services.

3. The fundamental right to protection of personal data is enshrined in Article 8 of the EU Charter. Whilst there is no explicit right to electronic anonymity as such under Community law, the Data Protection Directive is to require that personal data must be processed fairly and lawfully, including the data minimisation principle. This principle may be furthered by the use of anonymous data wherever possible. Confidentiality of communications and related traffic data is protected by the Directive on privacy and electronic communications. The data minimisation principle, leading to anonymity, may also be achieved by the use of Privacy Enhancing Technologies (PETs). However Member States may adopt measures to restrict the scope of these principles which are necessary to safeguard important public interests such as national security or law enforcement, including combating terrorism or fighting cybercrime.

EU to require internet filtering?

2009-04-10T17:53:00.004+01:00

One of the most important recent developments at EU level - and one that's received surprisingly little media attention (The Register aside) - is the proposal from the Commission to require member states to introduce internet filtering for child pornography. This requirement would be part of a wider Framework Decision on combating the sexual abuse, sexual exploitation of children and child pornography (PDF) and article 18 is the relevant provision:

Blocking access to websites containing child pornography
Each Member State shall take the necessary measures to enable the competent judicial or police authorities to order or similarly obtain the blocking of access by internet users to internet pages containing or disseminating child pornography, subject to adequate safeguards, in particular to ensure that the blocking is limited to what is necessary, that users are informed of the reason for the blocking and that content providers are informed of the possibility of challenging it.

In short, all European countries would be required to introduce filtering along the general lines of that coordinated by the Internet Watch Foundation in the UK (which I've described and criticised here).

The lack of detail in this proposal is worrying - what is meant by "internet pages" for example? Web pages? Usenet posts? Gopher pages? (Yes, it still exists folks - try it!) What are "adequate safeguards"? What is the difference between pages which "contain" and pages which "disseminate" child pornography? Would the ability to challenge a block include an appeal to an independent judicial authority? What sort of blocking would suffice - simple DNS poisoning, crude blocks of particular ranges of IP addresses, two-stage systems along the lines of BT's Cleanfeed?

On the other hand, in some jurisdictions (notably the UK), this proposal would represent a step forward for civil liberties. The specific safeguards proposed - decisions by "competent judicial or police authorities", blocking being limited to what is necessary, users being informed of the reason for a block and content providers being informed of a right to challenge a block - go well beyond what is currently provided for by the IWF for example. (Indeed, the Commission's impact assessment (PDF) for this proposal points out (p.30) that a system such as the IWF's which is based solely on self-regulation may not be "prescribed by law" as required by Article 10 ECHR.)

This proposal has met with strong opposition from EuroIPSA:

Malcolm Hutty, president of EuroISPA, representing ISPs from across Europe at the EU, considers the EU plans to block sites will "increase risks to the security, resilience and interoperability of the internet" and also stated: "For technical reasons, blocking simply cannot provide the level of protection that is necessary, and simple morality demands that we take strong collective action to get child pornography removed from the Internet, rather than simply hiding behind national firewalls," he added.

Incidentally, the impact assessment for the proposal contains an interesting and rather optimistic assessment of the costs associated with filtering (p.28):

In particular, blocking access to websites containing child abuse material would involve economic costs. The economic impact of a similar measure to restrict access to material inciting terrorism was assessed in revising the Council Framework Decision on Combating Terrorism. As the impact assessment accompanying the Commission proposal stated, the cost of imposing any of the different filtering methods to all internet service providers based in the EU is impossible to calculate. An upper limit of EUR 10 per computer is given on the basis of a specific example of implementing filtering in a network of 100 000 computers at 4 000 schools in Ireland. The cost of running a blacklist of illegal content may be borne by those in charge of it, whether law enforcement authorities or specific NGOs. This can be estimated at about EUR 110 000 to build the database and EUR 90 000 per year for maintenance. However, EU funding may be available for managing blacklists and exchanging information on illegal content.

The idea that the cost of generating and maintaing a blacklist can be capped at €90,000 per annum seems optimistic beyond belief. Is this supposed to include, for example, costs of compensating businesses who have been wrongfully blocked? The legal costs associated with appeals against wrongful blocks? The staff needed to look at alleged illegal content and decide whether it is in fact illegal? The effort required to keep the block list under review? By way of contrast, the overall budget for the IWF in 2006/2007 (PDF, p.15) was STG£876,087. Although not all that amount would be directed to generating and maintaining a blacklist, the figure nevertheless suggests that the Commission costs have little contact with reality.

[Edited to add: I've uploaded to SSRN a paper by Colin Scott and myself on internet filtering more generally.]

New rules for electronic discovery in Ireland

2009-04-03T16:18:00.002+01:00

Statutory Instrument No. 93 of 2009 has made some significant changes to electronic discovery in Ireland. McCann Fitzgerald have summarised the effects:

* a party may seek electronic data in searchable form from its opponent;
* the court may order a party to give inspection and search facilities for electronic data on its computer systems to the other side;
* where computers contain sensitive non-discoverable data, the court instead may order that an independent expert carry out the inspection and search for relevant electronic data (the party seeking that discovery will have to fund the expert’s costs and expenses);
* where a party giving discovery finds that searching for the documents or data is excessively costly or burdensome, it may apply to the court to seek to narrow the scope of the discovery order;
* a party giving discovery must list the documents or data according to agreed categories or in a sequence corresponding with the manner in which the documents or data has been stored or kept in the usual course of business – the intention is to make discovery more comprehensible;
* all parties giving discovery must swear in an affidavit of discovery that they understand their obligation to give discovery of documents and electronic data (within the categories of discovery agreed or ordered by the court) which may help or damage their case in any way.

Interestingly, although the new rules provide for parties to be obliged to allow the other side "inspection and searching facilities", they appear to apply only to existing documents. They don't seem to refer to the question of whether the court can order a party to carry out analysis of ("data mine") electronic records - thus leaving unaltered the effect of the ruling in Dome Telecom v. Eircom.

Another blow for "three strikes" and music industry internet filtering

2009-03-28T15:11:00.002Z

Significant developments at European level, where the European Parliament's report Security and Fundamental Freedoms on the Internet has rejected arguments for the filtering of p2p networks or disconnection of users alleged to have shared music. As summarised by the Irish Times:

The report on security and fundamental freedom on the internet said the penalties imposed should be "proportionate to the infringements committed" and rejected "systematic monitoring and surveillance” of all users’ online activities. It also warned against "certain excessive access restrictions placed by intellectual property holders themselves".

This echoes action by the Council of Europe which in July 2008 adopted Human Rights Guidelines for Internet Service Providers. Those guidelines took a similar approach - rejecting blanket monitoring of traffic and stating that:

Cutting access to individual customer accounts constitutes a restriction on your customer’s rights to access the benefits from the information society and to exercise their rights to freedom of expression and information. Cutting access should only be done for law enforcement or other legitimate and strictly necessary reasons.

Of course, neither document is itself directly enforceable in Irish law - but both may have a persuasive effect if the issues of filtering and disconnection of users return to the High Court.

Censorship in Oz - Now links are banned too

2009-03-17T12:25:00.002Z

Remarkable news from the Sydney Morning Herald:

The Australian communications regulator says it will fine people who hyperlink to sites on its blacklist...

The move by the Australian Communications and Media Authority comes after it threatened the host of online broadband discussion forum Whirlpool last week with a $11,000-a-day fine over a link published in its forum to another page blacklisted by ACMA - an anti-abortion website.

The irony here is that the anti-abortion website was referred to ACMA by an anti-censorship campaigner seeking to demonstrate that the blacklist would be used to censor legitimate political speech. Once he succeeded in this aim, it seems that ACMA became embarrassed by their own actions and are now trying to prevent Australians from viewing the page and deciding for themselves whether ACMA's decisions can be trusted.

Electronic Frontiers Australia has more.

In the meantime, here's the ACMA response which they're now trying to censor:

Subject: Complaint Reference: 2009000009/ ACMA-691604278
Date: Wed, 21 Jan 2009 15:45:00 +1100
From: online@acma.gov.au
Complaint Reference: 2009000009/ ACMA-691604278
I refer to the complaint that you lodged with the Australian Communications and Media Authority (ACMA) on 5th January 2009 about certain content made available at:

http://www.abortiontv.com/Pics/AbortionPictures6.htm

Following investigation of your complaint, ACMA is satisfied that the internet content is hosted outside Australia, and that the content is prohibited or potential prohibited content.

The Internet Industry Association (IIA) has a code of practice (http://www.iia.net.au/index.php?option=com_content&task=view&id=415&Itemid=33) for Internet Service Providers (ISPs) which, among other things, set out arrangements for dealing with such content. In accordance with the code, ACMA has notified the above content to the makers of IIA approved filters, for their attention and appropriate action. The code requires ISPs to make available to customers an IIA approved filter.

Information about ACMA’s role in regulating online content (including internet and mobile content), including what is prohibited or potentially prohibited content is available at ACMA’s website at www.acma.gov.au/hotline

Thank you for bringing this matter to ACMA’s attention.

One point stands out about this response. Similar to the Wikipedia debacle in the UK, material is being blacklisted on the basis that it is "potentially" prohibited - that is to say, ACMA is taking a guess as to what the actual censorship body - the Classification Board - might do if asked to decide on the material.

That link contains photos of aborted foetuses. Gruesome? Certainly. But legitimate political speech seeking to demonstrate what the site argues is the "reality" of abortion? Without a shadow of a doubt - making it remarkable that it should be banned to Australian viewers based on nothing more than a hunch as to what a censorship body might think.

Secret databases and employment blacklists

2009-03-16T14:22:00.001Z

Henry Porter has been one of the most astute observers of the state of civil liberties in the UK in recent years. In this column he paints an alarming picture of how secret databases are already being abused:

The facts are horrifying. The secret database penalised innocent people by storing unverified information about character and abilities, which often prevented them gaining employment. Union membership was a black mark. An electrician from Manchester Steve Acheson believes he was blacklisted because of his union membership and only received 36 weeks employment in the last nine years. He has spoken movingly about the way his character and demeanour have been affected by the lack of work during one of the greatest construction booms ever known...

The bigger point is this: where information about people is gathered in a database without individuals knowing what is held on file or being able to challenge it if they suspect it is wrong or unjust, abuse of their rights is likely to follow. That applies right across the board – from Kerr's seedy operation, run out of anonymous offices in Droitwich, to the big government databases formed or proposed by schemes such as the national identity register, ContactPoint, the e-Borders scheme and the communications superdatabase, which will allow the government to store information on every phone call, email, text message and internet connection.

Ryanair screen scraping case is (partially) scraped away from the Irish courts

2009-03-14T10:17:00.002Z

Remember Ryanair v. Bravofly - the case brought by Ryanair in the High Court seeking to prevent Bravofly from screen scraping its website to provide users with price comparison information?

In a recent judgment, the High Court has now accepted that it has no jurisdiction over a large portion of that litigation.

The issues here are somewhat complex but to summarise: after the action against Bravofly was commenced Ryanair added a second defendant - Travelfusion - to the proceedings, on the basis that they were the "provider of the technical facilities and services necessary to permit the screen-scraping facilities".

Travelfusion, in turn, applied to have the proceedings against it dismissed on the basis that the Irish courts had no jurisdiction to hear the matter under the Brussels Regulation. This argument had two dimensions - first that as an English company with no place of business in Ireland there was no basis for jurisdiction under the Regulation and secondly that the terms of use of the Ryanair website conferred exclusive jurisdiction on the English courts. Ultimately, however, Travelfusion rested its case entirely on the second aspect.

The relevant provision was Clause 7 of the Terms of Use, which provided:

Disputes arising from the use of this website and the interpretation of these Terms of Use of the Ryanair website are governed by English Law. All disputes relating to these Term of Use and the use of the Ryanair Website are subject to the exclusive jurisdiction of the English court, save that Ryanair may, at its sole discretion, institute proceedings in the country of your domicile.

Ryanair conceded that if the clause applied it would determine jurisdiction over all the screen scraping claims - the question was, however, whether the clause took effect as part of an agreement between the parties.

This put Ryanair in a difficult and awkward position. Their claim that screen scraping was prohibited rested in large part on the argument that the terms of use were contractually binding on visitors to the site - if that were so, however, then the clause would take effect and Article 23 of the Brussels Regulation would confer exclusive jurisdiction on the English courts. Travelfusion was also in an awkward position - seeking to assert that the choice of law clause was effective while the remainder of the terms of use were not. As the court noted:

the circumstances giving rise to the issue in this case are highly unusual. The party who has produced the standard form containing a choice of jurisdiction clause is the one saying it does not apply. Equally the party denying that there is any contract at all is the one who is placing reliance on a clause which arises out of a contract alleged by its opponent but denied by it.

Could Travelfusion rely on the choice of law clause while simultaneously denying the existence of a contract? The court's conclusion was that it could. Three factors were important in this outcome. First, it would do no injustice to Ryanair to apply a choice of law clause which it itself had put forward. Secondly, if Ryanair were successful in its claim the choice of law clause would necessarily be contained in any contract. Thirdly, the alternative would be wastefully to litigate the same issue (whether a contract existed) twice - once at the jurisdiction stage and once again at the substantive hearing.

Consequently, the court accepted that the choice of law clause applied and as such Ryanair's action against Travelfusion was struck out. The case against Bravofly, however, remains.

From a practical perspective, this is certainly a cautionary tale for internet businesses - don't assert a choice of law in your website terms of use unless you're happy for it to apply to all claims that might arise out of the use of the website.

(Ryanair's terms of use, incidentally, seem to have been amended since the start of this case in order to head off this type of defence. The current terms of use state "It is a condition precedent to the use of the Ryanair website, including access to information relating to flight details, costs etc., that any such party submits to the sole and exclusive jurisdiction of the Courts of the Republic of Ireland and to the application of the law in that jurisdiction, including any party accessing such information or facilities on their own behalf or on behalf of others.")

The case against an Irish Internet Death Penalty

2009-03-01T16:10:00.007Z

I've written a short piece for today's Sunday Business Post on the implications of the Eircom / IRMA deal for Irish internet users. Unfortunately the Business Post is no longer updating its online content until late on Sunday (in a move to drive sales of the dead tree version?) so you can't see it there yet. In the meantime, here's the story as it was submitted:

Time to oppose an Irish Internet Death Penalty

Banning someone from internet use is a draconian punishment. In an era where internet access is increasingly essential – whether to send an email, look for a job, or book a flight – to deprive a person of this basic right is to seriously disrupt their daily life. In fact, an internet ban is such a sanction that the Irish courts have only ever imposed this punishment in extreme cases involving child pornography.

Yet in a private deal between Eircom and the music industry – a deal which the music industry is now trying to force on other Irish internet service providers – internet bans may become commonplace. The deal has been called “three strikes and you’re out” but it might better be called “three accusations and you’re out” as there would be no trial, no evidence held up to court scrutiny and no right of appeal. Instead, once the music industry makes three allegations that a particular internet user is sharing music then Eircom will disconnect that user, applying what’s often called an internet death penalty while acting as judge, jury and executioner.

What might this deal mean for the Irish internet? We can certainly expect users to be wrongfully accused. The company which the music industry previously used to identify filesharers – MediaSentry – has a track record of false accusations and was recently found to be operating illegally in several US states. As a result, the music industry has recently dumped MediaSentry and turned to Danish firm Dtecnet – but the inherent unreliability of this process remains.

Ironically, Eircom users will be particularly vulnerable to false accusations. In 2007 Eircom supplied up to 250,000 customers with wireless modems whose passwords were insecure. This means that a neighbour or passer by could easily use their broadband without their permission. Should they face an internet ban for the actions of somebody piggybacking on their wireless?

This reflects a broader problem where innocent third parties will be affected. Internet connections are not generally unique to an individual. Instead they’re shared – amongst families and flatmates for example. But three accusations will mean the connection will be shut off for every user so that others will suffer based on the alleged wrongdoing of another.

The deal is also undemocratic. The European Parliament has recently rejected a scheme to disconnect users based on mere accusations. In the United Kingdom similar proposals were ultimately rejected after public consultations and open debate. Here, however, the music industry is trying to foist this system on ISPs in a private deal while bypassing scrutiny by the Oireachtas, the Department of Communications and the democratic process.

In another part of this deal, as well as disconnecting users the music industry also wants Irish ISPs to impose a second type of internet death penalty, by preventing Irish users from reading certain websites. This time there is pretence of legal cover, in that the obligation would be to block websites only where a court order is granted – but the music industry has threatened to sue any ISP which opposes such an order, meaning that any court will hear only one side of the story. The result, if this scheme is allowed to proceed, will be to make ISPs responsible for censoring what their users can view on the internet.

If this precedent is set for the music industry, expect others to follow soon after. The publishing industry, for example, might target Google’s Book Search project which it has claimed infringes copyright. The Church of Scientology already has a track record of trying to silence criticism by claiming that its copyright is infringed by certain sites. Diebold – a US manufacturer of electronic voting machines – has been found by the US courts to have abused copyright law to shut down internet sites in order to conceal flaws in its technology. If Irish ISPs become internet censors then similar plaintiffs can be expected to try their luck here.

Quite apart from civil liberties concerns, there are also commercial costs. If this deal is allowed to proceed it will harm Ireland’s reputation as an internet-friendly country. By requiring companies to police the actions of their users and censor what they can see – a duty which they are not subject to in other jurisdictions such as the United States – it will drive up costs (for both companies and users), harm inward investment and encourage technology firms to relocate elsewhere.

In short, this deal is an unacceptable threat to Irish internet users and businesses. Fortunately, so far only Eircom has signed up. Other ISPs are still considering whether to cave in to the threats of the music industry. There is still time for them to do the right thing and say no to a privatised internet death penalty.

TJ McIntyre is a solicitor, Lecturer in Law in University College Dublin and chairman of Digital Rights Ireland.

Edited to add: The piece is now online.

ECJ upholds Data Retention Directive

2009-02-10T08:55:00.001Z

The big news of the day is that the European Court of Justice has upheld the Data Retention Directive against the challenge by the Irish Government in Ireland v. Parliament and Council where it was claimed that it was adopted on the wrong legal basis. The decision doesn't consider whether the Directive is in breach of fundamental rights, and the Digital Rights Ireland action on that basis will continue. More once I've had a chance to read the full decision.