Skyping the Barrel

Skype have finally reneged on their ongoing challenge to the validity of the GPL2 open source software licence.

Skype had used open source software (Linux) licensed under the GPL2 in Skype-phones, but didn't comply with the requirement to supply the source code of the software with the phone. GPL compliance enforcer extraordinaire Harald Welte brought a case against Skype before the German Courts, who deemed this a breach of the GPL2 licence terms in August 2007. Skype initially decided to appeal against this decision.

Commenting on the issue of GPL2’s requirement to make source codes available, in possibly one of the more esoteric analyses of open source software terms, one of the judges stated:

“If a publisher wants to publish a book of an author that wants his book only to be published in a green envelope, then that might seem odd to you, but still you will have to do it as long as you want to publish the book and have no other agreement in place.”

This seems to me to imply that open source software licensing is really weird (at least to a German judge), but that an open source software licensee must still comply with the terms of the licence. Which is probably correct, albeit using a rather strange example.

Skype’s decision to withdraw from the Appeal (as opposed to being ruled against) sadly leaves us with no definitive legal decision to add any clarity (although we still have the first instance decision). It does, however, indicate that, at least in Germany, GPL licence terms are taken seriously.

Sweet victory

How much sweeter is a perfume when it is supplied by a selected distributor? Dior, Guerlain, Kenzo and Givenchy have clearly placed their marker in the French eBay case (in the perfume claims), where they have apparently succeeded in having eBay fined for permitting the auction of genuine branded products, because they were not being supplied through the appropriate distribution channels established by Dior, Guerlain, Kenzo and Givenchy for (as well as for counterfeit products in the handbag claims, discussed in my earlier post). Of course, if the brand holders are right that no branded products for which there is an established exclusive or selective distribution network can be supplied through eBay, it could also solve the problem of counterfeit sales at a stroke, at least where the brand name is mentioned. Establish a network and eBay can exclude all such products from its auctions.

However, this does, as ipKat notes, seem to raise some rather odd questions. Where did these products originate from in the first place? If they were on the market in the EU, then the brand owners rights should have been exhausted. And presumably they were being supplied by the brand owners or distributors within the brand owners' network. If so isn't there some breakdown in this network- unless network members are supplying large enough quantities for these to be resold on eBay, in which case the brand owner has already been paid? Shouldn't the brand owners take action against them? Or more profoundly, do we seriously think that selective distribution networks are justified for something like perfumes and many other branded goods, other than as a means for maintaining high prices? I can't remember when I have been helped by a store assistant in buying a perfume.

The Establishment bytes back

Do the French eBay decision and the US Google decision mark a real turning point in the very long legal honey moon for internet businesses? The early years of the internet were often described as a Wild West where laws did not apply. Of course, only partly true. Often too many laws applied; but few were applied. And an environment thrived which has created not just large and successful businesses, but new business models which now underpin the modern economy.

However, while politicians and legislatures have recognised the value of such an economy, and provided harmonisation and light touch regulation, established businesses have seen their business models undermined, frustrated at the impotence of existing rights and enforcement regimes to provide meaningful protection. Now perhaps the tide is turning. Despite the electronic commerce directive (which is intended to provide freedom for ISPs from regulation) a French Court has fined eBay (in the handbag claims) for failing to take adequate action to remove counterfeit handbags from auction sale.

The Directive is intended (amongst other things) to ensure that ISP hosts do not have burdens placed on them to keep track of what is going on and prevent it. If a host is notified of an alleged infringement it should take suitable steps to remove it; but shouldn't that mean just to stop that (specific) act of alleged infringement, not any other ones which are like it? If a take-down notice can properly apply to a range of potential infringements other than the specific one identified then effectively the host has a monitoring requirement imposed on it, which is not permitted under the Directive; on the other hand, if it only applies to the individual identified act of infringement then a rights holder has a monumental task to police possible infringements.

There has always been a concern that if a host does more than just host - eg provides some monitoring - that it may find that it is no longer protected under the Directive. It is unclear whether eBay has ironically fallen foul of this in its attempt to provide rights holders, through its VeRo programme, with tools to assist them identifying potential infringement, or perhaps with its other restrictions such as control over who may auction trade mark goods, and the types of auction they may enter. Or is this, a French judge being persuaded to protect a French institution - the fashion industry - just evidence of the Establishment rallying its forces more effectively against e-Commerce? If not a change in sentiment within the French court system - one could be forgiven for not being very surprised that a French court has decided this way - perhaps an astute choice of forum to make the point.

Even so, there are strong signs that political pressure, even if not public sentiment, is everywhere shifting towards much more rigorous protection of intellectual property rights, and even perhaps a trace of an idea that the incumbent e-commerce service providers would not be too unhappy with some shift now that they are incumbent. Either way there are clearly some very interesting battles to be fought out here because the interests of a very free and open market which lowers the costs of intermediaries (the cost of "doing the deal") is very much in tension with the fact that making it easy to do the deal makes it easier to do the illegal deal. Some changes will undoubtedly be on the way, but let us hope that they are not ones which stifle innovative new businesses.

newyork.newyork - so good they named it twice

Yesterday, at a conference in Paris, the internet domain name regulator ICANN decided in principle to deregulate the system for acquiring website domain names. The aim with this deregulation is to increase flexibility, particularly as to the choice of names available.

This could be great news for people like the New York State Tourism website information board, who will potentially no longer need to go by the website address of iloveny.com, instead they could simply become newyork.newyork (or big.apple or thecity.thatneversleeps maybe). Companies such as Apple and Microsoft may be able to become apple.apple and microsoft.microsoft. Such flexibility may come at a steep cost, with some estimating $100,000 or more per domain name!

Following approval of this recommendation, ICANN may now start the drawn out process of implementing these changes. Things have not changed dramatically yet (ICANN is working towards 2009), so watch this space for more announcements.

Domain names may now also be able to be used in other languages, such as Arabic or Mandarin Chinese.

If these suggestions are fully implemented then my worry is that this will increase cost for business. Businesses may now need to consider whether they register variants on their current trade mark portfolio with all these potential new domain names. There is also, potentially, a greater opening to cybersquatters, which businesses may need to consider.

Now we are three

I was chatting to a friendly journalist this week and realised that we'd hit another milestone in the history of Naked Law: now we are three years old (as of Sunday just gone).  This made me look back at my previous posts about our first and second birthdays.

There have been no revolutions at Naked Law in the past three years, though there have been some evolutionary changes along the way (notably when we changed the layout and adopted Barbara's new logo, of which we remain very proud).  We're glad to have survived the inevitable ups and downs that most bloggers experience, particularly when the team has been rather (understandably) preoccupied with fee-earning work.  And we are planning to keep going too - there is still plenty to talk about on the themes we have chosen.

As always, we welcome any comments and feedback that our readers and subscribers may have about the future of Naked Law.  Thanks to you all for coming back for more.

Have you 'Googled' the privacy policy?

Privacy and data protection appears to be the topic of the moment, with many new cases being reported on, and publicity surrounding data protection breaches.  We have mentioned a number of these cases on our blog over the past few weeks. 

The BBC has reported last week on some complaints being made about the positioning of Google's privacy policy.  Prompted by this, I wanted to see just how accessible Google have made their policy. I discovered that at the bottom of the i-Google home page there is a link to the policy: however the page reached from clicking on that link is not actually the policy but a 'privacy notice' which then links to a 'privacy policy' with a further one or two clicks depending on the link selected.

The complaints about Google's site have been made in the US, and in the context of compliance with the online privacy protection act 2003 applicable in California.  Not being a US lawyer, I am not going to comment on whether Google comply or not in this case. But I thought a brief mention about privacy policies and why they are so important to include on websites might be useful to readers. 

Anyone who runs a website needs to be aware of the legal requirements surrounding the use of personal data, as these not only come into play where the site actually asks users to enter personal information about themselves.  Even the use of cookies to track on-line movements of users of the website, and other data obtained about traffic using the site including location data, and browsing activities, could amount to what's known as 'processing of personal data'. Under UK law, users of any website should be informed if their personal data is going to be 'processed', and how the information obtained about them will be used and stored. The best way of notifying users is by including an easily accessible privacy policy on your site, with clear and obvious links to it from your home page.  The privacy groups in the US were complaining that Google had not got this right under US law.

Under UK law, website owners must also be careful to be data protection compliant with what they do with the data, and consent is required to be obtained from individuals before certain types of processing can be undertaken (for example use for direct marketing by email, disclosure to third parties) of personal data.  It is important to note that inclusion of a privacy policy of itself if not sufficient to ensure compliance with the Data Protection Act 1988.

Expelliamus!

JK Rowling has recently won a privacy ruling on behalf of her son.

David Murray, now 5, was the subject of covertly taken photographs when aged 19 months, when out with his mother on a public street. Joanne Murray and her husband objected to this on the basis that it was an intrusion into David’s right to privacy. When summarizing the reasons for endorsing their case, Master of the Rolls Anthony Clarke stated “if a child of parents who are not in the public eye could reasonably expect not to have photographs of him published in the media, so too should the child of a famous parent”.

This effectively overturns an earlier judgment that David had no arguable case that he had a right to privacy in a public place. It opens the door to further legal action, rather than being a conclusive result.

This case is also interesting in that it further bolsters the view that a breach of the right to privacy could automatically lead to a breach of the data protection act. If the right to privacy is breached, then use of that personal data may also constitute ‘unlawful and unfair’ use of a person’s personal data.

My opinion is that, at a simple level, this judgment is potentially a helpful clarification of the existing law of privacy in a specific context. The judgment does not extend the existing right to privacy. Rather it looks at the right to privacy afforded to the children of celebrities. J K Rowling was not trying to secure a ruling that she should be afforded a right to privacy in a public place, rather she was trying to secure a ruling that her child should not be subject to any more intrusion than any other child, notwithstanding her celebrity status.

The case will now proceed to full trial (assuming the parties do not settle) in due course.

Where there be film, there be pirates

Domestic bliss is regularly interrupted in this Naked Lawyer's house whenever we rent a DVD and have to sit through the opening sequences. You know the ones I mean – “you wouldn’t steal a [car/handbag/puppy]”, “piracy is a crime”, “you won’t get a warranty on a pirate DVD”… (all perfectly true). But hang on: “Piracy is stealing” (and this is where I start to rattle my popcorn and shout at the screen) – no it’s not! Call me a picky lawyer (ok, I admit it), but surely “stealing” refers to the offences set out in the Theft Acts – that is, broadly, depriving someone of something tangible that belongs to them. It does not refer to copyright infringement, and the Act that sets out the infringement offences certainly does not use the language of “stealing” and “theft”. Copyright infringement does not, at its heart, involve the taking of tangible property – the whole point is that copyright is an intangible right which can only be misused (or “infringed”) by others, not put in a sack and slung over your shoulder.

Now the film industry (along with the music and software industries) would have you believe that copyright infringement is theft because you are “stealing” the money that would otherwise have been paid to them if someone had bought a genuine copy of the film/song/application rather than a pirate one. This has always seemed to me to be a gross oversimplification. Just because someone buys a fake DVD doesn’t mean, had they not been able to do so, they would have otherwise bought the real deal. In fact, I would have thought that many people simply don’t want to pay the higher prices of the genuine copies and so, if they can’t get cheaper pirate ones, may not bother at all. In any event, the loss of a chance for the film company to make some money (ie. because someone already has a fake DVD) is not the same thing as stealing money the film company already has in its bank account.

Clearly, given my profession, I would not advocate piracy or condone the distribution of fake DVDs. But I do object to the inaccurate marketing used by film makers to try to prevent it. Yes, the public should be educated as to the ownership of rights in films and what they are and are not entitled to do with their copies. But they should not be subject to veiled references to crimes which do not apply and which, to me, look like unnecessary scaremongering.

And with that, I’ll put the popcorn back down.

Is it bad Phorm?

We’ve probably all heard recent reports about Phorm’s “Webwise and Open Internet Exchange” products. These employ a technology which utilizes ISP data to target users with tailored advertising; ISPs with whom Phorm has done a deal so far include Virgin, TalkTalk and BT. As Virgin is my provider, my immediate reaction to hearing the news was indignation at the thought of being snooped on in this way, not to mention misery at the thought of my screen being flooded with still more unwanted ads.

The Foundation for Information Policy Research, in an open letter to the Information Commissioner’s Office (“ICO”), gave voice to some of the same fears. It argued, in particular, that the use of the software would entail breach of the Data Protection Act 1998 because it would involve “sensitive personal data” such as search terms used (which would reveal details of things like political, religious, sexual preferences and health issues). If the Phorm software does indeed entail the “processing” of sensitive personal data, it would find itself having to comply with the data protection regime of notification and consent.

There are two other potential legal angles for Phorm to worry about; The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“Privacy Regulations”) and the Regulation of Investigatory Powers Act 2000 ("RIPA 2000").

The Privacy Regulations apply to commercial communications made by email, fax or phone. They require users to be informed if cookies are stored on their computers and to be given the opportunity to stop the storage. They also require ISPs to get customer consent before they use their traffic data to market their services. RIPA 2000 regulates the interception of communications without prior informed consent; for these purposes, web-hosts are deemed to be “communicating” their web pages to the end user.

In response to these concerns, the ICO last month issued a press statement analyzing whether the technology Phorm proposes complies with the data protection and privacy laws; it declined to comment on RIPA 2000 since the Home Office has responsibility for enforcement of that law.

On the data protection point, the ICO said that the Phorm technology did not involve the processing by Phorm of personal data. This is because each user profile built by the software is based on a randomly allocated identification number which is held only on the user's terminal and by Phorm itself and it is impossible for its employees to locate particular user ID profiles on its system. However, the ICO acknowledged the possibility that the ISP itself, which undertakes the actual profiling of users, might be able to link particular user profiles with their IP addresses leading to the creation of a data trail by which it might be possible to identify individuals. If so, ISPs who handle Phorm profiles may be processing personal data. However, Phorm intends to ensure compliance with data protection act rules by presenting users with an unavoidable statement about the software and asking whether they wish to be involved in its use; that users will have easy access to information on how to change their mind about opting in; and that they will be free to opt in or out of Phorm at any point. This statement will also contain the required information about cookies as is required by the Privacy Regulations.

So far, it was looking good for Phorm, until that part of the ICO statement which states that, in order to comply with the Privacy Regulations' rules on obtaining user consent to use of their internet traffic data, Phorm will probably have to operate its system on an "opt-in" basis, so as to ensure that it has users' consent to the use of their traffic data to provide value-added services and profile-driven marketing. This was not what Phorm wanted, having hoped to get the ICO's blessing for a mere "opt-out" clause (which would deem all users to have given consent unless they expressly withheld it).

This is obviously a commercial disincentive which is likely to much reduce the number of users whose usage can legally be tracked in order to target advertising. If required to actively sign up to “targeted marketing” then users are instinctively likely to decline the offer, unless Phorm can really persuade us all that opting in would replace the irrelevant advertising we have to submit to already rather than adding even more advertising to the web page than there is at the moment.

One also wonders why websites would want to sign up for the software which is quite likely to more accurately push their competitors’ sites in front of their customers? For example, if I mainly look at the BBC news website, wouldn’t Phorm “understand” this and so push adverts for other news and current affairs sites at me, to the BBC’s detriment? We’ll have to wait and see how it works in practice, I guess.

Blog Mgog

It has been reported that a Welsh blogger has been fined £150 (plus costs) for posting 'menacing messages' on his blog about a police officer who originally interviewed him.

Gavin Brent is reported to have been found guilty under the Telecommunications Act of posting menacing messages. I suspect this is an erroneuous reference to the Communications Act 2003 S. 127, which provides that it is an offence to make improper use of a public telecommunication network. A person who 'sends by means of a public electronic communications network, a message or other matter that is grossly offensive, or of an indecent, obscene or menacing character' is committing an offence.

The offender here wrote something which could be construed as offensive in relation to the police officer's family. Another cautionary tale to all bloggers out there.