Monday, 25 May 2015

ECommerce formalities back in the CJEU spotlight

For an ecommerce lawyer who spent far too many hours at the turn of the millennium pondering how writing and signature requirements could be complied with electronically, reading the CJEU decision in El Majdoub v CarsOnTheWeb (C322/14, 21 May 2015) is something of a throwback.

The 2001 Brussels Jurisdiction Regulation, like its predecessor the Brussels Convention, requires a jurisdiction agreement to be in writing or evidenced by writing.  In an attempt to update the writing requirement for the electronic age, the Regulation added a new gloss.  Article 23(2) provides that “any communication by electronic means which provides a durable record of the agreement” shall be equivalent to writing.

The CarsOnTheWeb click-wrap process provided a box to accept its terms and conditions. The terms and conditions themselves, containing the choice of court provision, were behind a hyperlink with the rubric ‘click here to open the conditions of delivery and payment in a new window’.  The CJEU analysed the process:

“it is an essential feature of the facts of the case in the main proceedings that a potential purchaser must expressly accept the seller’s general terms of sale by clicking the relevant box before making a purchase. However, that operation does not automatically lead to the opening of the document containing the seller’s general terms, as an extra click on a specific hyperlink for that purpose is still necessary.” [21]

El Majdoub argued that the process did not provide a durable record of the agreement, since a window containing the terms and conditions was not automatically created.

The CJEU disagreed. Clicking on the relevant box expressly accepted the terms and conditions. Because the terms and conditions could be saved or printed, that possibility of creating a durable record was sufficient regardless of whether the purchaser actually durably recorded the terms and conditions.

The CJEU considered its 2012 decision in Content Services (Case C49/11). In that case it held that a hyperlink to terms and conditions did not satisfy the Distance Selling Directive (now superseded by the Consumer Rights Directive) requirement that a consumer should receive written confirmation or confirmation in another durable medium.  Distinguishing Content Services, the Court said in CarsOnTheWeb:

“both the wording of Article 5(1) of Directive 97/7, which expressly requires the communication of information to consumers in a durable medium, and the objective of that provision, which is specifically consumer protection, differ from those of Article 23(2).”

Requirements of form have a long history. They tend to be technology-specific, causing problems when an unforeseen new technology arrives.  

In the case of durable form the EU legislature has sought to identify the essence of an old technology requirement – writing - and translate it into a new medium. 

The risk with that approach is that the newly articulated formality does not accurately reflect the characteristics of the previous technology and, when interpreted, may turn out to be more onerous rather than technology-neutral.

In Content Services the CJEU said:

“a substitute for paper form may be regarded as capable of meeting the requirements of the protection of the consumer so long as it fulfils the same functions as paper form.”

It went on:

“Where a medium allows the consumer to store the information which has been addressed to him personally, ensures that its content is not altered and that the information is accessible for an adequate period, and gives consumers the possibility to reproduce it unchanged, that medium must be regarded as ‘durable’ within the meaning of that provision.”

Paper, however, is not tamperproof. Some paper is flimsy.  The Australian Electronic Commerce Expert Group identified the risk of overstating the qualities of previous technology in its 1998 Report to the Attorney-General:

“There is always the temptation, in dealing with the law as it relates to unfamiliar and new technologies to set the standards required of a new technology higher than those which currently apply to paper and to overlook the weaknesses that we know to inhere in the familiar.”

While the CJEU’s decision in CarsOnTheWeb is welcome, it is debatable whether the court should have had to interpret a requirement of form based on durability in the first place.

In 1954 England had the good sense to repeal most of S.4 of the Statute of Frauds, the 1677 legislation that rendered a variety of contracts unenforceable without a signed note or memorandum in writing.  At the same time S.4 of the Sale of Goods Act 1893, which required writing as a condition of the enforceability of contracts for the sale of goods of the value of £10 or upwards, was repealed. 

These reforms followed the recommendations of an official Committee in 1937, which had observed:

“'The Act', in the words of Lord Campbell . . . 'promotes more frauds than it prevents'. True it shuts out perjury; but it also and more frequently shuts out the truth. It strikes impartially at the perjurer and at the honest man who has omitted a precaution, sealing the lips of both. Mr Justice FitzJames Stephen ... went so far as to assert that 'in the vast majority of cases its operation is simply to enable a man to break a promise with impunity, because he did not write it down with sufficient formality.’ ”

Even in England, a relatively liberal jurisdiction in this regard, some requirements of form remain. Section 4 of the 1677 Act still applies to guarantees. Requirements of signature, writing and the like apply to some specific types of transaction such as an assignment of copyright. 

Consumer protection laws, such as those regulating consumer credit, tend to impose detailed formalities.  Even when adapted to the electronic environment, such requirements of form can still pose vexing questions. In Bassano v Toft (2014) the court considered whether an electronically generated document had been signed by clicking on an ‘I accept’ button, and if so whether the signature was in "the space in the document indicated for the purpose", as required by the applicable consumer credit regulations. Popplewell J held that both were satisfied:

“the word "I" can be treated as being the mark which is unambiguously that of Mrs Bassano affixed for the purposes of authenticating and agreeing to be bound by the terms of the document”.

In the 1990s requirements of form began to be perceived as an obstacle to electronic commerce. What constituted writing or signature in an electronic environment? How do you satisfy a legibility requirement when the consumer controls the screen display? What constitutes a document? Mr Justice Lightman gave an answer to that question in 1999 in Victor Chandler International v HM Customs and Excise:

“In summary, a document is a material object which contains information capable of extraction from it (e.g. a tape so long as it is not blank). Mr Oliver (Counsel for VCI) properly disavowed that he was a document: the repository of information must be inanimate: neither a person nor A.P. Herbert's "negotiable cow" (referred to in Uncommon Law, p.201) can constitute a document.)”

Some legislative initiatives such as the US Uniform Electronic Transactions Act promulgated in 1999, followed by the federal E-SIGN Act in 2000, sought to facilitate electronic transactions by rendering requirements of form, as far as possible, medium-neutral. As the Chair of the UETA Drafting Committee, Patricia Blumfeld Fry, memorably explained:

“. . . UETA preserves the requirements concerning the manner of sending, posting, displaying, formatting, etc. contained in other State law. If other State law requires information to be furnished in a conspicuous manner, UETA §8 states that you can furnish the information electronically, but must do so in a conspicuous manner. If other State law requires the information to appear in purple ink sprinkled with glitter, you can furnish the information electronically only if you can assure that it appear to the recipient in purple sprinkled with glitter."

The UK Electronic Communications Act 2000 took a different approach, providing a power to amend existing legislation piecemeal to facilitate electronic transactions. In 2001 a Law Commission Advice increased confidence that e-mails and website trading were capable of satisfying formal requirements of writing and signature. Subsequent court decisions have confirmed the traditionally liberal English view of what can constitute a signature including, for instance, typing one’s name at the end of an e-mail.

Sunday, 22 February 2015

From telegram to tweet: Section 127 and all that

Big Brother Watch has this week published the results of its research, conducted via freedom of information requests to police forces, into charges and cautions under two communications offences: Section 127 of the Communications Act 2003 and the Malicious Communications Act 1988.

The report ‘Careless Whispers’ finds that for the three years November 2010 to November 2013 at least 4,259 people were charged and at least 2,070 cautioned under the two provisions, nearly two thirds of which were under Section 127.  At least 355 of these cases involved social media.  The proportion involving social media is on the increase.

BBW's conclusions are twofold: that these offences were designed for one-to-one communications such as post and telephone, not for the one-to-many communications typical of social media; and that they are out of date and the law needs to be reformed. 

Specifically BBW calls for the abolition of Section 127 and the removal of 'grossly offensive' from the Malicious Communications Act.

Section 127 has two limbs. It is an offence for someone to send by means of a public electronic communications network a “message or other matter that is grossly offensive or of an indecent, obscene or menacing character”. It is similarly an offence if someone “for the purpose of causing annoyance, inconvenience or needless anxiety to another” sends “a message that he knows to be false”.

Section 127 applies to all internet communications, public or private, one-to-one or one-to-many. That is because when you send a tweet, post something to Facebook or send an e-mail the communication will travel across a UK public telecommunications network that carries internet traffic.  Section 127 catches that communication, regardless of whether it ends up in someone's private mailbox or published on a social media platform.

Some may argue that exactly because the internet and social media are 'one to many' the communications can be more damaging, and stricter content prohibitions should apply than to private communications.  Others will say that individual freedom of public expression is a major advance wrought by the internet that should be defended at least as jealously online as offline.  There is a debate to be had about that.  What is beyond doubt, however, is that Section 127, and its application to social media, is the result of historical accident not conscious design.

Section 127 goes back at least to the 1935 Post Office (Amendment) Act. The first limb, including ‘grossly offensive’, was designed to deter telephone users from being abusive to telephone operators; the second to catch senders of distressing hoax telegrams. Instances of malicious or even fraudulent hoax telegrams were known from at least the early 20th century. 

In fact the first limb of Section 127 can be traced back even further than 1935, to the Post Office (Protection) Act 1884. Here is the ancestry of the section, focusing on the origin of 'grossly offensive'.

'Grossly offensive' originated in 1884 as part of a prohibition on material on the outside of postal packets (including telegrams). At the outset an M.P., Charles Warton, voiced concern in Parliament about what might be caught:

"… many people—even many Members of that House—frequently sent letters through the Post with very amusing pieces of scurrility upon them. … under this clause, a very heavy liability might attach to it. … it might happen that one man would use words—for instance, he might write "swindler" or "liar" upon the outside of a letter—which were not really indecent or obscene, only what they would call vulgar, and see what a tremendous penalty the clause imposed for that—imprisonment for 12 months."

In the event the MP's fears were borne out in 1913 when one John Cole was convicted under the 1884 Act at Leeds magistrates after sending postcards to various local officials, calling a well-known local alderman an 'insurance swindler'. This was found to be grossly offensive.

The prohibition on ‘grossly offensive’ material on the outside of postal packets remained unchanged until the Postal Services Act 2000.  By that time the legislative line of descent had forked.  While 'grossly offensive' was removed from the postal packets offence, it remained in the telephony provision. That was widened to cover messages sent by public telecommunications services in 1969, then amended to 'public electronic communications network' in 2003.

It is not clear why in 2000 "grossly offensive" was removed from the prohibition applicable to the outside of postal packets, but not removed from what in 2003 became Section 127.

Section 127, in particular, has long been a cause for concern. It lays down stricter prohibitions online than would apply offline.  It can criminalise activities, such as sharing a photo with friends via smartphones, that would be legal if done face to face.

During the debate on the 2013 Defamation Bill the government minister said: "An individual should be charged and prosecuted for the offence they commit, irrespective of whether it happens in the street or in cyberspace”. This is the hallowed mantra that what is illegal offline should also be illegal online.

But if we are serious about that, the converse should also apply: if it is not illegal offline it should not be illegal online. With Section 127 that is patently not the case.  It sweeps up more than the offline offences. It can lead to incidents such as last year’s prosecution (apparently under Section 127) for sharing a photo of a police officer decorated with cartoon penises.

The notorious Twitter Joke Trial was a section 127 prosecution, albeit that it ultimately failed. The Director of Public Prosecution’s social media prosecutorial guidelines, while welcome, are no substitute for appropriately formulated legislation.

By way of a historical footnote, the Twitter Joke Trial was not the first occasion on which a joke communication has landed the perpetrator in hot water with the criminal law. This incident from 1924 could have graced the pages of PG Wodehouse. 

In January 1924 the Rev. Walter Karran, a curate on the Isle of Man, pleaded guilty at Liverpool Police Court (under pre-1935 legislation) to uttering a forged telegram (or to aiding and abetting the same – reports vary).  The following account is based for the most part on the report in the Dundee Courier of 25 January 1924.

The Rev. Karran had been travelling to Liverpool from the Isle of Man. He suggested to a fellow-traveller on the ferry, Miss Alice Winstone, that he should send a telegram to his Bishop purporting to be from the then Prime Minister, Mr Stanley Baldwin. He then wrote the following message which he asked her to send from the telegraph office in Liverpool, giving her the money to pay:

“To Denton Thompson, Bishop’s Court, Kirkmichael, I.O.M. – Meet me at Adelphi Hotel, three, to-morrow afternoon. Most important. – Baldwin.”

The Bishop received the telegram and hastened to Liverpool, where he knew that Baldwin was speaking that day, but discovered on arrival that he had been hoaxed. The Bishop was meant to be moving the Church Enabling Bill in the Manx Legislative Assembly, which had to be postponed due to his absence. The Bishop had thought the telegram must concern the Baldwin Trust, of which he was Chairman.

Following police enquiries the Rev. Karran confessed and took full responsibility. The Director of Public Prosecutions instigated proceeedings. In court counsel, in mitigation, said that the Rev. Karran was a “devoted worker in his vocation, but inclined in lighter moments to take a humorous view of things and to indulge in practical joking”. Miss Winstone was threatened with sea sickness and it was to divert her attention that he suggested the joke. It was rumoured that the Bishop was likely to be offered a bishopric in England and he thought the telegram would be “a very amusing bit of leg-pulling”.

The Stipendiary Magistrate was less amused. The explanation given as to why the Bishop might have thought the telegram genuine “made the so-called joke a singularly offensive one”. It was “incredible to most people that a clergyman could do such a thing”. The Rev. Karran was fined £10 and 25 guineas costs.  A summons against Miss Winstone was withdrawn, she being held to be an innocent party in the episode.

Telegram or tweet, jokes have a tendency to fall flat when scrutinised in the cold light of the courtroom.

Monday, 2 February 2015

IP address resolution - a conundrum still unresolved?

Am I the only one still confused by Clause 17 (now Clause 21) of the Counter-Terrorism and Security Bill?  This is the clause that will extend the communications data retention provisions of DRIPA to cover so-called IP address resolution. I have been wrestling with it since the beginning of December.  The most recent Parliamentary explanations have not lifted the fog.

The second day of the House of Lords Committee stage took place on 26 January. In response to a plea to explain what data might be covered by the clause, the Minister said this:
“The noble Lord, Lord Rosser, asked for examples of access data that may be required. An example is port numbers, which are akin to a house number, where an IP address is akin to a postcode. I know that the noble Baroness, Lady Lane-Fox, could probably give us a tutorial on the technical points; I could probably do with one at some point. Other types of data include the MAC address—the identifier of a particular computer—the time, the location and so on.”

So far, so clear.  It’s about port numbers and MAC addresses.  The Home Office Fact Sheet and the Impact Assessment suggested the same.  But the Minister went on to say:
“Those are the types of data covered by “or other identifier”, and that is set out in the Explanatory Notes which accompany the legislation.”

So according to the Minister a port number is an ‘other identifier’ as defined by Clause 21.  But the conundrum is, as I read it Clause 21 does not empower the retention of ‘other identifiers’.   It empowers retention of communications data that can assist in associating an “IP address or other identifier” with the sender or recipient of a communication.

Clause 21 empowers the mandatory retention of:
“communications data which … may be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication (whether or not a person)”

An identifier “means an identifier used to facilitate the transmission of a communication”.

If the clause does (as the Home Office clearly intends) empower mandatory retention of port numbers, it is because they can assist in linking an IP address (or other identifier) simultaneously used by thousands of ISP customers to one customer device or connection – not because a port number is itself an 'other identifier'.

I can see nothing in the clause that provides a power to require port numbers or MAC addresses to be retained on the basis that they are ‘other identifiers’. 

This does add spice to the question what is ‘other identifier’ doing in Clause 21 at all, when the issue that gave rise to the clause was about simultaneous IP address sharing?  A clear explanation of Clause 21 would be helpful. Even better, the government could start again with a redraft that is specific about what the clause is aiming to achieve.

Sunday, 25 January 2015

Latest score in the jurisdiction game: Internet 0, EU Court of Justice 2

The CJEU in Pez Hejduk (22 January 2015) has plumped for mere accessibility as the threshold for online copyright jurisdiction under Article 5(3) of the EU Jurisdiction Regulation.

Mere accessibility is problematic for the internet. Exposing a website to the jurisdiction (or a fortiori the laws) of any country from which it can be accessed is, David Post has argued, not a reasonable outcome. (Some, epitomised by the Gutnick-inspired English defamation cases, may consider it quite reasonable since anyone posting to the internet knows the worldwide reach of the medium).  From a broader perspective mere accessibility chills cross-border freedom of expression, encourages geo-blocking of websites and impedes the free flow of information across borders.  Pez Hejduk is another bad day for the internet.

The CJEU headed down this road in October 2013 with Pinckney, a copyright infringement case against a German CD pressing company. The litigation was brought in France on the basis that the CDs could be purchased in France from a UK website unconnected with the German company. That was said to amount to damage in France.

For a tort such as copyright infringement Article 5(3) allows the plaintiff to sue in the place of the damage.  Article 5(3) is an exception to the primary rule that proceedings have to be brought in an EU defendant’s home country. Article 5(3) is the kind of effects-based rule that, unless it is kept within bounds, has the potential to create jurisdictional overreach. 

That potential is magnified with the inherently cross-border nature of the internet.
In Pinckney the court agreed with the plaintiff that damage was shown by the ability to purchase the CDs in France. It was irrelevant what kind of copyright infringement (reproduction? distribution? making available to the public?) was alleged against the German pressing company. Copyright infringement was to be treated as a general concept. Harm could apparently be relied upon however remote might be the causal relationship between the actual infringement alleged (reproduction in Germany?) and the harm relied upon (availability of CDs in France via an unconnected UK website).

So like the smile on the Cheshire Cat, jurisdictional harm seemed to float free, decoupled from any specific territorial infringement alleged against the defendant. That was not a promising start for keeping damage-based jurisdiction on the internet within sensible bounds.

Pez Hedjuk concerned photographs published on a German .de website. The copyright owner sued in Austria.  Again the precise basis of the infringement allegations is not entirely clear from the CJEU judgment.  It seems likely that the claim was for making available to the public in Austria from the German website, thus infringing Austrian copyright.

In Pez Hejduk causation was less tenuous than in Pinckney.  The Court identified a specific causal event as giving rise to the alleged damage: “the activation of the process for the technical display of the photographs on that website”. Even so the CJEU could have gone on to find that, for the purpose of jurisdiction under Article 5(3), a website operator does not cause damage in Member States that it has not targeted.  But it did not do so.

The CJEU held that the mere fact that the .de website was accessible in Austria was sufficient to establish damage under Article 5(3), where (as would inevitably be the case) the photographs were protected by copyright in Austria as well as in Germany. There was no basis in Article 5(3) for limiting jurisdiction to cases where the German site had targeted Austria.

Article 5(3) is supposed to be a strictly limited special derogation from the general rule under the Regulation that a plaintiff must sue in the defendant’s Member State. But for the internet mere accessibility comes close to turning the exception into the rule. Unless the site or content is geo-blocked a plaintiff can, based on mere accessibility of the site, sue in parallel in any number of Member States (albeit limited in each case to damage caused within the Member State in which it sues).

The twin prongs of mere accessibility and Pinckney’s broad causation brush are a recipe for jurisdictional overreach.

The Pinckney approach is odd when one considers that a plaintiff relying on Article 5(3) can sue only for damage caused within that Member State. How can the existence or likelihood of relevant damage (a jurisdictional issue) be evaluated if no attention is paid to the causal link between the specific infringement alleged and the harm relied upon?

The unwillingness of the Court in both Pinckney and Pez Hejduk (in each case rejecting the recommendations of the Advocate General) to align Article 5(3) more closely with the scope of the substantive right by way of targeting is difficult to understand, given that it has already gone down the path of interpreting Article 5(3) differently for different rights:

“the meaning of [Article 5(3)] may vary according to the nature of the right allegedly infringed…” (para 29).

eDate/Martinez (defamation/privacy), Wintersteiger (trade mark) and Pinckney (copyright) are all examples of this.  The Court may be making an implicit distinction between the nature of the right (which it allows can affect the interpretation of Article 5(3)) and its substance (which cannot). Whether the two are separable is open to question. Can the nature of a right be characterised without regard to its substance? What is the basis for distinguishing between relevant and irrelevant aspects of a right?

The Court in Pez Hejduk also relied on the lack of mention of targeting in Article 5(3):

“It is clear from [Pinckney] that, unlike Article 15(1)(c) … Article 5(3) does not require, in particular, that the activity concerned be ‘directed to’ the Member State in which the court seised is situated ...”.

It is true that unlike Article 15(1)(c), Article 5(3) makes no mention of directing activities. But nor does it mention mere accessibility; nature of the right versus substance; centre of interests of the plaintiff (edate/Martinez); limitation of damage to that caused in the Member State; country of registration of the trade mark (Wintersteiger); or any of the other glosses that the CJEU has placed on Article 5(3).

Perhaps the most persuasive reason relied upon by the Court in Pez Hejduk is that the Member State court best placed to exercise jurisdiction is the one that will apply its own law:

“The courts of other Member States in principle retain jurisdiction, in the light of Article 5(3) … and the principle of territoriality, to rule on the damage to copyright or rights related to copyright caused in their respective Member States, given that they are best placed, first, to ascertain whether those rights guaranteed by the Member State concerned have in fact been infringed and, secondly, to determine the nature of the damage caused …”.

However where the claim is copyright infringement by the presence of content on a website the most likely basis of a cross border claim will be making available to the public. As a matter of substantive EU copyright law (applying Sportradar to copyright) there can be no infringement and so no damage caused by a tort if the site is not targeted to that Member State. That will be the same throughout the EU. In those circumstances it is hard to see what practical purpose is served by allowing mere accessibility rather than targeting to be the jurisdictional threshold.

Sunday, 4 January 2015

Internet legal developments to look out for in 2015

[Updated 28 May 2015]

Some EU and UK internet legal developments to look out for in 2015 (last year’s list here). (And see here for Cyberlaw Memes and Themes for 2015.)

        EU copyright reform The last European Commission closed its Public Consultation on EU copyright rules on 5 February 2014. The new Commission has announced that EU copyright modernisation will be a priority for 2015, as part of a Digital Single Market package. [The Commission published its Digital Single Market Strategy on 6 May 2015.] 

        Copyright Private Copying Exception On 1 October 2014 the UK introduced its new format shifting (‘personal copying for private use’) copyright exception. At the end of November three UK music industry bodies (The Musicians’ Union, The British Academy of Songwriters, Composers and Authors and UK Music) announced that they were mounting a judicial review court challenge to the legislation.   Their case is that the exception should have provided fair compensation to copyright holders and consequently does not comply with the EU Copyright Directive.

        Online copyright jurisdictionPez Hejduk (C-279/13) is a pending reference to the CJEU concerning cross-border jurisdiction over online copyright infringement under Article 5(3) of the Brussels Jurisdiction Regulation.  The Advocate General has proposed that the Court should lay down a different rule from any of those adopted in previous cases (eDate/Martinez, Wintersteiger and Pinckney): jurisdiction limited to the courts of place of the event causing the damage, with a possible exception for the place of damage where the site was clearly and incontestably targeted towards one or more other Member States.  Judgment is due on 22 January 2015. [The Court rejected the Advocate General's Opinion and adopted a mere accessibility criterion. Bad news for the internet.]

        Copyright and linking C More Entertainment (C-279/13) is the last of a trilogy of copyright linking cases to come before the CJEU (the others were Svensson and Bestwater). A date for judgment is not yet available. [It appears that the referring court has now withdrawn the questions about linking.  The CJEU gave judgment on a separate issue on 26 March 2015. However another linking case before the Dutch Supreme Court (Geenstijl) was referred to the CJEU on 7 April 2015.] 

        Site blocking orders 2014 saw the most significant UK site blocking case since Newzbin2, Cartier v BSkyB. It was the first UK trade mark site blocking case, the first since Newzbin2 to be contested by the ISPs and the first in which a third party (the Open Rights Group) intervened.  Numerous points were decided in three judgments and an injunction was granted. We can expect further site blocking applications in 2015. [A case brought by Cartier against Nominet, seeking an order that Nominet remove from its domain name registry (de-tag and lock) various domain names that resolve to websites alleged to infringe Cartier's trade mark, has been discontinued.] 

        Intermediary liability The pending Delfi reference to the European Court of Human Rights Grand Chamber concerns an online newspaper’s defamation liability for readers’ unmoderated comments on editorial articles. Various NGOs and media organisations have weighed in with interventions.  [Judgment will be given on 16 June 2015.] 

The mere conduit and injunction provisions of the ECommerce Directive are the subject of a German reference to the CJEU in Case 484/14 McFadden. It concerns injunctions against providers of open wi-fi networks to prevent copyright infringement by users.

        RIPA, DRIPA and the Counter-Terrorism and Security BillClause 17  [now Clause 21] of the C-TS Bill currently going through the UK Parliament will extend mandatory data retention to certain IP address resolution data, subject to the same 31 December 2016 sunset clause as DRIPA.  A legal challenge to S.1 of DRIPA by MPs David Davis and Tom Watson is under way. The High Court on 8 December 2014 granted permission to bring the judicial review application. Various current reviews of RIPA, DRIPA and other investigatory powers legislation will report during 2015. The reviews are conducted by: Independent Reviewer of Terrorism Legislation, RUSI, Intelligence and Security Committee of Parliament, and the Interception of Communications Commissioner (police acquisition of communications data to identify journalistic sources).  [Section 21 of the Counter-Terrorism and Security Act is now law. The ISC and IOCC reports have been published. The IRTL report has been submitted to the Prime Minister and is due to be published shortly. A new Investigatory Powers Bill has been announced in the Queen's Speech.]

Interception and surveillance complaints to the European Court of Human Rights include a case taken by Big Brother Watch, the Open Rights Group, English PEN and Dr Constanze Kurz and one by the Bureau of Investigative Journalism. See mindmap of legal challenges. Also look out for any further developments arising out of the Investigatory Powers Tribunal decision in December that, in the light of disclosures of interception practice made by the government in the proceedings, future use of Section 8(4) warrants and PRISM intelligence sharing would be ‘in accordance with the law’ under Article 8 of the European Convention on Human Rights. Legality prior to the government disclosures has still to be determined. [On 6 February 2015 the IPT adjudged that prior to the disclosures the PRISM sharing regime breached Article 8.]

        Social media offences The Criminal Justice and Courts Bill currently proceeding through Parliament will create a new ‘revenge porn’ offence.  It will also increase the maximum penalty under the Malicious Communications Act 1988 from six months to two years imprisonment. [Sections 32 to 35 of the Criminal Justice and Courts Act 2015 became law in April 2015.]

        Consumer Rights Act The Consumer Rights Bill currently before Parliament will, as part of a wholesale reform of consumer goods and services law, introduce a separate category of consumer contracts for supply of digital content, to which a self-standing set of implied conditions will apply. [Chapter 3 of the Consumer Rights Act 2015 is now in force.]

        Data protection A new General Data Protection Regulation (perhaps). The pending appeal in Vidal-Hall v Google. The CJEU reference in Case C-362/14 Schrems v Irish Data Protection Commissioner. [Google's appeal in Vidal-Hall was dismissed on 27 March 2015.]

Saturday, 3 January 2015

Cyberlaw memes and themes for 2015

(And see Internet legal developments to look out for in 2015.)

It is tempting just to change 2014 to 2015 in last year’s piece and recirculate.  Nudging and Bludgeoning, Magic wand politics, Politicians not understanding the internet, the Internet as Wild West, Cory Doctorow’s warning of the Coming War on General Purpose Computing, Technological neutrality, Copyright wars, Site blocking and Privacy are as topical as they were a year ago.

But that would be a cop out. So here are a few more memes and themes for 2015.

The War on the Internet. A cynic might say that a politician loves nothing more than an unwinnable war against an intangible enemy. Each setback demonstrates the resourcefulness and cunning of the opponent. Stronger measures are urgently required. Tough action plays to the electoral audience. Another setback feeds the cycle. 

Look out for War on the Internet slogans - ‘Social Responsibility’’, ‘Must Do More', ‘Internet Wild West’, ‘No Ungoverned Space’ - while tech businesses are demonised, scorned and blamed for the ill of the moment.

The Internet as security zone.  We know the rules when we pass through airport security: double-checked IDs, no risky items, unlimited inspection and above all no jokes. Will the internet come to resemble a security zone or be the poster child for freedom under the law?  Internet laws and quasi-laws challenging anonymity, demanding removal of undesirable content, empowering suspicionless state interception and criminalising badly judged tweets are with us already.

Berlin Walls in cyberspace. In the pre-internet world only the most repressive states attempted to erect impermeable borders, shielding their citizenry from noxious foreign influences and imposing a monopoly of national law on the state’s subjects.  In its most extreme form this was manifested in sealed physical borders, bans on external travel, import bans on books and jamming of foreign broadcasts.  

There are signs that, fearful of the inherent global nature of the internet, even liberal democratic states may be tempted to try to erect borders in cyberspace that are less permeable than their pre-internet physical equivalents. For more discussion see slides and video from my presentation at the Aberystwyth University Internet Jurisdiction Symposium, September 2014.

Fantasy Internet Ministers praise the liberating qualities of search engines and social media platforms.  Politicians of all stripes demand more freedom for internet users.  National border walls in cyberspace are torn down. MPs repeal restrictive internet laws and rein back intrusive state powers. Free flow of information across frontiers becomes sacrosanct.

Friday, 2 January 2015

The tangled net of GCHQ’s fishing warrant

[Updated 8 February 2015 and 10 June 2015]

The Section 8(4) RIPA warrant is the most powerful interception tool available to UK intelligence agencies. While a targeted Section 8(1) warrant has to name a person or a set of premises, a section 8(4) warrant can authorise bulk interception of millions of simultaneous communications on an internet backbone.

Periodically renewed Section 8(4) warrants are thought to authorise GCHQ’s TEMPORA programme of tapping into transatlantic fibre optic cables, which reportedly processes 40 billion items of data per day.

Following the Snowden revelations a group of NGOs including Liberty, Privacy International  and Amnesty International challenged Section 8(4) in the Investigatory Powers Tribunal. The IPT found in December that, in the light of disclosures of interception practice made by the government in the proceedings, future use of Section 8(4) warrants would be ‘in accordance with the law’ under Article 8 of the European Convention on Human Rights. The legality of previous Section 8(4) interception has still to be determined. [Now held to have been lawful: IPT judgment 6 Feb 2015, para 12.]

The justification for the Section 8(4) warrant is that investigating terrorism and crime abroad is harder than domestically. It is said that a Section 8(4) warrant is primarily aimed at external communications (sent, received or both outside the British Islands) and not primarily at people located here; and that the purpose of accessing external communications is primarily to obtain information about people abroad. (IPT judgment, [145] and [147]).

But is the purpose of Section 8(4) to gain access to external communications? Or is it to gain access to the communications of people outside the British Islands? Is it a mixture of the two? Bearing in mind that people within the British Islands may send and receive external communications, the objectives are significantly different.

In fact Section 8(4) goes some way towards both objectives, but gives full effect to neither.  The result is a warrant with an avowed purpose to intercept external communications, but which in reality sweeps up both internal and external communications and then treats them identically. Or, if its purpose is to access communications of people outside the British Islands, it nevertheless allows some access to the communications of people within the British Islands.

These points are especially significant when it is appreciated that under Section 8(4) not only capture of communications but also their searchability does not depend on pre-existing grounds for suspicion. The bulk capture stage is suspicionless. Agencies trawling the intercepted material are then not confined to looking for activities of known suspects. The agencies can use keyword and other subject-matter searches to fish for new targets in the general pool of captured internal and external communications.  It is apt to describe Section 8(4) as a fishing warrant. 

This dual use of RIPA was confirmed by senior Home Office official Charles Farr in the IPT proceedings:

“Other information that is obtained via interception is used to identify other previously unknown communications of existing targets, and to identify new targets for investigation. Indeed, a significant proportion of initial intelligence leads derive from interception operations.” (emphasis added) (Farr witness statement, paragraph 31)

This article discusses how the Section 8(4) warrant implements the two avowed purposes and concludes with some observations on points for consideration in the forthcoming likely reform of RIPA.

How far is it the purpose of Section 8(4) to gain access to external communications?

A Section 8(4) warrant, like a targeted Section 8(1) warrant, has to be for a statutory purpose: national security, preventing or detecting serious crime or safeguarding the UK’s economic wellbeing (if relevant to national security).  These purposes govern all three stages of the Section 8(4) warrant structure: Capture, Select, Examine. The scheme is illustrated in this diagram:

The first stage, Capture, is the only point at which the internal/external communication distinction is relevant. In terms of the broader Section 8(4) legislative scheme the distinction plays no more than a fleeting introductory role. This has become more obvious following the judgment of the IPT.

Section 8(4) (in conjunction with Sections 8(5) and 5(6)) authorises “the interception of external communications in the course of their transmission by means of a telecommunication system”. However it also authorises “all such conduct (including the interception of communications not identified by the warrant) as it is necessary to undertake in order to do what is expressly authorised or required by the warrant”.

In other words, internal as well as external communications can be captured under a Section 8(4) warrant if they are unavoidably swept up in the interception process. 

On 4 July 2000 the government Minister Lord Bassam, in a letter to Lord Phillips during passage of the Bill, pointed out that:

“Clause 8(5) could, for example, make lawful the interception of internal communications where these mixed with external communications on a trunk used mainly for external purposes.”

In the House of Lords debate on the Bill on 12 July 2000 he said:

“It is still the intention that Clause 8(4) warrants should be aimed at external communications. Clause 8(5) limits such a warrant to authorising the interception of external communications together with whatever other conduct is necessary to achieve that external interception. Whenever such a warrant is signed, the Secretary of State must be convinced that the conduct it will authorise as a whole is proportionate—my favourite word—to the objects to be achieved. His decision to sign will be overseen by the Interception of Communications Commissioner.”

In the IPT proceedings Charles Farr said:

“Section 5(6)(a) makes clear that the conduct authorised by a section 8(4) warrant may in principle include the interception of communications which are not external communications insofar as that is necessary in order to intercept the external communications to which the warrant relates. But the primary purpose and object of any conduct authorised or required by a section 8(4) warrant must consist in the interception of external communications.” (witness statement, paragraph 155)

With this emphasis on external communications we might expect the distinction between internal and external communications to suffuse the whole of the Section 8(4) regime including the subsequent selection and examination stages. 

In fact, as can be seen from the IPT’s judgment, the distinction has no relevance at those stages:

“It is also common ground that the interception under a s.8(4) warrant (what the Respondents call “Stage one”) occurs before any question of selection for examination (what the Respondents call “Stage two”) arises under s.16. As Mr Ryder put it, the relevance of the internal/external distinction has no relation to the s.16 examination, when a communication may be accessed and read. The identification of communication links for interception is, as he described it, a ‘generic’ exercise, not an exercise which is done specifically case by case and communication by communication.” [95] (emphasis added)

The criteria that constrain selection and examination are different from internal/external communication.

The primacy that Section 8(4) accords to external communications at the capture stage is thus of limited significance.  External and internal communications are inseparable as they pass through a fibre optic cable. If the Secretary of State’s purpose is to capture external communications, and he has a basis for believing that the warrant will fulfil that purpose and is necessary and proportionate, Section 8(4) in practice authorises the capture of all communications passing through the cable whether internal or external. The captured communications, both internal and external, then form a common pool and are treated alike.

The limited significance of the external/internal distinction in the overall scheme of Section 8(4) can also be seen in the IPT’s discussion of the position if the Secretary of State had adopted an incorrect legal interpretation of ‘external communication’.

“…the distinction only arises at “Stage one”, when there is no examination:

i) All communications, whether they be external or internal, intercepted by s.8(4) warrant come to be considered for examination by reference to s.16 of RIPA, to which we turn below. It is that section which does what Mr Ryder called in argument the “heavy lifting”.” (emphasis in original) [101]

The IPT also referred to what it termed ‘inchoate’ external communications. This reflects the fact that in many cases the intercepting agency cannot know whether it is capturing an internal or an external communication. This is because the distinction depends on the location of the sender or recipient when the communication is sent or received respectively. For communications such as e-mails, the location of the recipient cannot be determined by looking at the communication or its related communications data.  The location of the mailbox may be ascertainable, but that cannot reveal the location of a person who picks up the message after the interception has taken place.

Lord Bassam recognised this for mobile roaming during the Parliamentary debate on the Bill:

“Even after interception, it may not be practicably possible to guarantee to filter out all internal messages. Messages may well be split into separate parts which are sent by different routes. Only some of these will contain the originator and the intended final recipient. Without this information it will not be possible to distinguish internal messages from external. In some cases it may not be possible even if this information is available. For example, a message between two foreign registered mobile phones, if both happened to be roaming in the UK, would be an internal communication, but there would be nothing in the message to indicate that.” (emphasis added) (Hansard, 12 July 2000)

The IPT judgment observed:

“It is inevitable that, when a telephone call is made from a mobile phone or IPhone, or an email is sent to an email address, it will not necessarily be known whether it will be received in the United Kingdom or in the course of travel or at a foreign destination. It is accepted that once and if received abroad by the intended recipient it will be an external communication, even if the sender did not know, when he or she made the call or sent the email, that that was to be the case.” [(94(iii)]

Selection and Examination – people outside the British Islands?

The Selection and Examination stages follow Capture. Examination is the point at which human analysts can read, look at or listen to captured material.  Although they are limited to examining material described in the Secretary of State’s certificate on the warrant, that description could be as wide as all communications between the UK and a named country, or passing through a particular cable.  

More significantly, analysts can (with some exceptions) only examine material that has been selected in ways that do not breach the Section 16(2) prohibitions. These are the provisions that do the ‘heavy lifting’ referred to by the IPT. Generally they reflect the second avowed purpose of Section 8(4) – to gain access to the communications of people outside the British Isles, but not those of people within the British Isles.

Lord Bassam, in the House of Lords debate on 12 July 2000, said:

“selection may not use factors which are referable to an individual known to be for the time being in the British Islands”

However RIPA is not that straightforward. Under Section 16(2) a selection factor is prohibited if it:

“(a) is referable to an individual who is known to be for the time being in the British Islands; and
(b) has as its purpose, or one of its purposes, the identification of material contained in communications sent by him, or intended for him.”

Lord Bassam’s summary reflects (a), but not the significant additional limitation in (b). This narrows the scope of the Section 16(2) prohibition, enabling at least one kind of search to be made using the name of someone known to be within the British Isles.  

Some examples illustrate the apparent effect of the Section 16(2) prohibitions. These apply whether the captured communications were internal or external.

-         An analyst could not (without a modification to the warrant) search for Joe Smith’s communications by (say) his e-mail address if he knows that Joe Smith is within the British Islands.  

-         If Joe Smith’s communication turns up in response to:
o   a subject matter search (e.g. ‘Syria’), not referable to any individual
o   a search using someone else’s name (not known to be within the British Islands) or the name of a corporation
o   a search for his own name within the body of someone else’s communication
o   a search for his own name aimed at finding his own communications, if the agency does not know that he is for the time being within the British Islands
then according to the letter of Section 16(2) it could apparently be examined.  (However if the examination itself involves a process of further selection, an analyst could be prohibited (without a warrant modification) from focusing on communications of someone known to be within the British Islands of which s/he becomes aware during examination.)

-         If Joe Smith has left the British Islands since sending the communication, then the analyst could apparently search using his name, since Joe Smith is no longer ‘for the time being’ within the British Islands

As to the last point, the IPT judgment could be read differently (para 143):

“Communications intercepted under a s.8(4) warrant cannot be read if sent by or to a person located in the UK, by reference to the s.16(2) procedure discussed at some length above.”

However that would not take account of ‘for the time being’, which on the face of it refers to the time of search, not the time of the communication.

This extract from the Foreign Secretary’s evidence to the Intelligence and Security Committee on 23 October 2014 also seems to conflate time of communication and time of search:

“The Foreign Secretary clarified after the meeting that, if a communication is intercepted under an s.8(4) warrant, and if one end is outside of the UK, it may be selected for examination without a 16(3) modification if the subject of interest is the non-UK end of the communication; however, if the subject of interest is the party in the UK, or if both ends are UK, there needs to be a 16(3) modification or 8(1) warrant authorised by the Secretary of State before it can be selected. He undertook to write to the Committee with further detail.”

Section 16 provides some limited gateways permitting examination even if the material was selected using factors prohibited by Section 16(2). 

The most potentially significant gateway is an additional certificate under Section 16(3). This allows otherwise prohibited examination if the Secretary of State certifies that selection by factors referable to the individual in question is necessary for national security, prevention or detection of serious crime, or national security-related UK economic wellbeing; and the material relates only to communications sent during a maximum period of three months (six months for national security). The extent to which Section 16(3) has been used is not public. 

There is also a procedure known as an ‘overlapping’ Section 8(1) targeted warrant. The procedure was first described in the Interception Commissioner’s Report for 1986 under the pre-RIPA interception regime. It appears that its purpose is to buttress the examination of communications to or from persons within the British Isles legitimately available for examination through the Section 8(4) procedure. However the procedure’s exact use and legal significance is unclear. The status of overlapping warrants and their relationship to Section 16(3) were issues during the passage of the Bill.

Reform of RIPA

Several reviews of RIPA are currently in progress. They include the Investigatory Powers Review by the Independent Reviewer of Terrorism Legislation under the Data Retention and Investigatory Powers Act 2014 (DRIPA), due to report by May 2015; the RUSI Independent Surveillance Review and an inquiry by the Intelligence and Security Committee of Parliament.

Reform of RIPA will be a priority after the 2015 General Election, with legislators mindful of the sunset date of 31 December 2016 for the RIPA amendments made by DRIPA. The pros and cons of Section 8(4) warrants will be hotly contested. Among the possibilities that we can anticipate being advocated may be:
-         Abolish all suspicionless bulk capture of communications.
-         Limit selection and examination under a Section 8(4) warrant to communications of pre-existing suspects.
-         Maintain the status quo.
-         Enact more extensive powers.

There will of course be debate around broader overarching issues such as whether it is any longer appropriate to treat communications data as deserving less privacy protection than content.

RIPA is notoriously difficult to understand.  The convoluted selection and examination provisions of Section 16 are among the most difficult to untangle. Whatever the eventual policy outcomes of the forthcoming debates, any new legislation should be clear, accessible and reflect the purposes for which it is enacted. 

The discussion above highlights some specific issues that are likely to have to be considered should Section 8(4) survive in any recognisable form.

Before commenting on these, one fundamental issue that will be relevant to any interception regime is hidden legal interpretations.

Hidden Legal Interpretations

Legal interpretations are critical to the operation of RIPA. An obvious example is the interpretation of ‘external communications’.  Others mentioned in this article include overlap of selection and examination, what constitutes an agency’s knowledge of someone’s whereabouts and whether it is bound to make enquiries, the relevance and extent of the various statutory purposes said to be embodied in the legislation, the significance of ‘for the time being’ in section 16(2) and the legal effect (if any) of overlapping warrants.  There have been other examples, such as extra-territoriality.

The agencies conduct their activities on the basis of legal interpretations of the legislation which generally remain hidden from view.  It took the extraordinary event of the Snowden disclosures for the government to reveal, in the resulting IPT proceedings, its particular (and widely criticised) interpretation of external communications.

It would be a significant step forward if the Interception Commissioner (or any future equivalent oversight body) were to be charged with publishing legal interpretations on the basis of which the agencies operate under interception legislation.

Turning to specific issues around Section 8(4):

Incidental awareness

Section 16(2) is structured as if selection and examination are separate phases. Yet if that were so, analysts would be able to examine and use material of which they became incidentally aware as a result of a permitted search, but which they could not legitimately have targeted directly. 

If while reading a communication selected by means of a permissible factor an analyst becomes interested in its sender or recipient, and that person is known to be within the British Isles, does that amount to selection? Does Section 16 then prohibit further examination without a modification to the warrant? This ought to be the case, and may be supported by para 105 of the IPT judgment, but is less than clear on the face of the statute.

This kind of issue may be covered in internal intelligence agency guidance documents.  It ought to be specifically and clearly addressed in legislation. It also may bear on the use of overlapping Section 8(1) warrants.

Internal/external communications

Warrants to intercept external communications go back to Section 4 of the Official Secrets Act 1920, which used the same definition of external communications as does Section 8(4). However the distinction now has limited significance in the overall scheme of Section 8(4) warrants. It is also curious that Parliament should have knowingly hung Section 8(4) on the slender thread of something largely unascertainable.

That is not to say that the distinction has no constraining effect on the initial interception stage. For instance, could a Secretary of State sign a Section 8(4) warrant to tap a domestic cable carrying 99% internal communications if his primary purpose and object was genuinely to capture some of the 1% external communications?

The Secretary of State would have to consider whether the warrant was necessary and proportionate, including in particular whether the information thought necessary to obtain under the warrant could reasonably be obtained by other means (Section 5(4)). Such considerations, and the requirement to certify a description of intercepted material considered necessary to be examined, ought to drive a Secretary of State towards directing Section 8(4) warrants at cables that are most likely to contain the highest proportion of external communications.  That approach is borne out by Charles Farr’s witness statement in the IPT proceedings (para 154):

“Thus, when conducting interception under a section 8(4) warrant, knowledge of the way in which communications are routed over the internet is combined with regular surveys of internet traffic to identify those bearers that are most likely to contain external communications that will meet the descriptions of material certified by the Secretary of State under section 8(4)(b)(i) of RIPA. While this approach may lead to the interception of some communications that are not external, section 8(4) operations are conducted in a way that keeps this to the minimum necessary to achieve the objective of intercepting wanted external communications.”

While broad considerations of necessity and proportionality give some comfort, they are not the most concrete of protections.  If Section 8(4) were to survive in anything like its current form, consideration might be given to, for instance, explicitly restricting it to international cables.

If it remained an avowed purpose of a Section 8(4) replacement to focus on interception of external communications, then consideration could be given to extending that beyond the capture stage. The agency could be required (to the extent feasible) to sift out and discard internal communications after capture. It could be required to cease examining a communication that it realised was internal. If a selection/examination distinction based on a person's location within or outside the British Islands were to be retained, then the scope for examining communications of people within the British Islands would bear reconsideration .  

Knowledge of location of a person

The prohibited Section 16(2) selection factors refer to an individual ‘known’ to be within the British Isles.  The agency is therefore on the face of it free to search for the communications of someone whose whereabouts are unknown, or if it suspects but does not know that the individual is within the British Isles (IPT judgment, [104] - [105]).

‘Known’ presumably means known to the agency.  Does that mean known to the particular analyst responsible for setting the selector, known to a group of analysts, or include anything in the records and archives of the agency?

Does it include information within the intercept material itself? One would assume not, since the agency could never safely set a name selector to search the pool of intercept material if it was deemed to know everything within it.

However there is a relevant difference between content and related communications data captured under a Section 8(4) warrant.  The section 16(2) restrictions do not apply to the related communications data.

The government argued before the IPT that this was justified by the use of related communications data in order to determine whether someone was for the time being within the British Isles. This was necessary in order for the safeguard in Section 16(2)(a) to work properly:

“In other words, an important reason why the Intelligence Services need access to related communications data under the s.8(4) Regime is precisely so as to ensure that the s. 16 safeguard works properly and, insofar as possible, factors are not used at the selection that are - albeit not to the knowledge of the Intelligence Services - “referable to an individual who is ... for the time being in the British Islands”.” [112]

The government submitted that this was plainly the express, and sensible, purpose of Parliament.

The government argument seems implicitly to posit some duty on the agency to enquire into the location of a selection target, albeit that is not spelt out in Section 16.

The IPT accepted that the different treatment of communications data

“is justified and proportionate by virtue of the use of that communications data for the purpose of identifying the individuals whose intercepted material is to be protected by reference to s.16(2)(a).”[114]

The IPT rejected the NGOs’ argument that use of communications data for this purpose could be addressed by an exception in the legislation, saying that it was an “impossibly complicated or convoluted course”. That issue could be revisited in any reform of RIPA.

[Updated 2 Jan 2015 15.30 with additional reference to certificates; and 23.30 to substitute British Islands for British Isles (thanks to @RichGreenhill for pointing that out; and 3 Jan 2015 15:11 to add reference to RIP Bill debate on S16(3)/overlapping warrants.); and 8 February 2015 to add reference to further IPT judgment; and 10 June 2015 to add references to Sections 8(5) and 5(6).]