Monday, 13 July 2015

Red lines and no-go zones - the coming surveillance debate

The government is gearing up for a rewrite of the UK's telephone and internet surveillance laws. RIPA, the Regulation of Investigatory Powers Act, is 16 years old. Some think RIPA gives law enforcement, intelligence agencies and public authorities the ability to intrude too far into private communications, especially through the bulk collection powers routinely used by GCHQ. Others argue that RIPA has been overtaken by technology and needs to be reinforced to maintain existing capabilities, or that existing powers should be extended.

One thing everyone agrees upon is that RIPA is incomprehensible and needs to be rewritten. Its interaction with other legislation governing the intelligence and security agencies is, in the words of the Intelligence and Security Committee of Parliament, "absurdly complicated".  David Anderson QC, the Independent Reviewer of Terrorism Legislation, said in his recent report 'A Question of Trust':
"RIPA, obscure since its inception, has been patched up so many times as to make it incomprehensible to all but a tiny band of initiates. A multitude of alternative powers, some of them without statutory safeguards, confuse the picture further. This state of affairs is undemocratic, unnecessary and in the long run intolerable." [35]
The Anderson Report, commissioned under the Data Retention and Investigatory Powers Act 2014 (DRIPA), was debated in the House of Commons on 25 June and in the House of Lords on 8 July. It is the second of three reports presaging a new Investigatory Powers Bill, to be published in draft this autumn for pre-legislative scrutiny by a Joint Parliamentary Committee. The other reports are the Intelligence and Security Committee of Parliament report published in March and the Royal United Services Institute report 'A Democratic Licence to Operate' to be launched on 14 July. The Bill itself is to be introduced in Parliament early in 2016. 

The Anderson Report is lengthy: 373 pages and 124 separate recommendations.   It ranges from matters of principle to the arcane detail of the existing legislation and the practices of the agencies and law enforcement.  As such it provides a solid reference point for all shades of opinion. 

The Report's recommendations mainly concern oversight and safeguards.  Most attention has focused on the proposal that the power to issue warrants should be shifted from Ministers to independent Judicial Commissioners.  The Report proposes no major curtailment of interception powers.  With that has probably receded any realistic prospect that the forthcoming legislation will reduce existing powers, unless the government's hand is forced by some future human rights ruling.

Privacy campaigners were particularly disappointed that the Report did not recommend cessation of bulk collection and analysis, although the Report was careful not to offer a view on whether, as a matter of human rights law, those powers are proportionate. GCHQ makes use of serial warrants under Section 8(4) of RIPA to capture from transatlantic cables and process (according to the Snowden documents) 40 billion data items a day. The Report's most significant recommendation in this area is to suggest a communications data only bulk interception warrant, to be used where a full Section 8(4) warrant collecting both content and communications data is unnecessary.

The new legislation is likely to cover a broad canvas.  It will have to deal with interception offences and warrants, communications data acquisition and mandatory communications data retention.   It is also likely to include powers to demand decryption and to engage in CNE (computer network exploitation, or hacking).

In a second article I will pick out some specific points to look for.  First, some matters of principle.

Competing principles
The Report identifies five principles that should underpin investigatory powers:  minimise no-go areas, limited powers, rights compliance, clarity and a unified approach.

The key passages are those in which the Report seeks to reconcile the competing first and second principles: on the one hand that law enforcement and intelligence agency no-go areas should be minimised as far as possible; but on the other hand that their powers need to be limited in the interests of privacy.

Limited powers - the red line principle
The Report squarely confronts the issue of limited powers. It is not necessarily enough to clothe any given investigative power, however far-reaching, in a comforting cocoon of controls, safeguards and oversight.  Some powers may be too intrusive and repugnant to be acceptable on any terms:
"Firm limits must also be written into the law: not merely safeguards, but red lines that may not be crossed."    
"Some might find comfort in a world in which our every interaction and movement could be recorded, viewed in real time and indefinitely retained for possible future use by the authorities. Crime fighting, security, safety or public health justifications are never hard to find." [13.19] 
The Report then gives examples, such as a perpetual video feed from every room in every house, the police undertaking to view the record only on receipt of a complaint; blanket drone-based surveillance; licensed service providers, required as a condition of the licence to retain within the jurisdiction a complete plain-text version of every communication to be made available to the authorities on request; a constant data feed from vehicles, domestic appliances and health-monitoring personal devices; fitting of facial recognition software to every CCTV camera and the insertion of a location-tracking chip under every individual's skin.

It goes on:
"The impact of such powers on the innocent could be mitigated by the usual apparatus of safeguards, regulators and Codes of Practice. But a country constructed on such a basis would surely be intolerable to many of its inhabitants. A state that enjoyed all those powers would be truly totalitarian, even if the authorities had the best interests of its people at heart." [13.20]   
"[T]he crucial objection is that of principle. Such a society would have gone beyond Bentham's Panopticon (whose inmates did not know they were being watched) into a world where constant surveillance was a certainty and quiescence the inevitable result. There must surely come a point (though it comes at different places for different people) where the escalation of intrusive powers becomes too high a price to pay for a safer and more law abiding environment." [13.21]
Minimising no-go areas
Juxtaposed against the red line principle is Anderson's first principle: minimising no-go areas for law enforcement as far as possible, whether in the physical or the digital world.
"My first principle applies in the physical sphere. If the State is to discharge its primary duty of protecting its population, it needs the power to do the most sensitive things that can be imagined: bug a bedroom, search a safe, trick a person into a relationship, read a personal diary, eavesdrop on a conversation between lawyer and client or journalist and source. None of those things will be appropriate save in exceptional and occasional circumstances. Even then, they may well be completely impracticable to implement. But the issue is when it should be lawful to exercise such powers, not whether they should exist at all. [13.10]  
The same is true of the digital sphere. There may be all sorts of reasons - not least, secure encryption - why it is not physically possible to intercept a particular communication, or track a particular individual. But the power to do so needs to exist, even if it is only usable in cases where skill or trickery can provide a way around the obstacle. Were it to be otherwise, entire channels of communication could be reduced to lawless spaces in which freedom is enjoyed only by the strong, and evil of all kinds can flourish. [13.11]  
This does not mean that state access to communications should be made easy.  Far preferable, on any view, is a law-based system in which encryption keys are handed over (by service providers or by the users themselves) only after properly authorised requests. [13.12] 
But in an imperfect world, in which many communications threatening to the UK are conducted over services whose providers do not or cannot comply with such requests, there is a compelling public interest in being able to penetrate any channel of communication, however partially or sporadically. Paedophiles should not be able to operate on the dark net with guaranteed impunity, and terrorists should not be able to render themselves undetectable simply by selecting an app on which their communications history will never be known even to the provider. Hence the argument for permitting ingenious or intrusive techniques (such as bulk data analysis or CNE) which may go some way towards enabling otherwise insuperable obstacles to be circumvented. Hence, also, the argument for requiring certain data to be retained so that they can be used in piecing together a crime after the event."  [13.13]
The Report records Law Enforcement as urging that no-go areas are unacceptable:
"The principle of policing by consent is applied by the police to the digital world, where it refers to the use of techniques that command general acceptance. I was told that just as the public would not accept the existence of physical no-go zones in towns and cities, so they expect the police to have the capacity, in appropriate cases and when duly authorised, to trace any kind of communication." [9.8]
If the goal of law enforcement is to eliminate impracticabilities in the digital world, that goes further than Anderson's first principle.  Anderson acknowledges that in both the physical and digital world a power may be impracticable to implement.  In the House of Lords debate Lord Blair cited the Loch Lomond effect, an incident in which police officers in pursuit of terrorists, tracking them by their mobile phones, lost contact in a notorious mobile dead spot around Loch Lomond.   Self-evidently this was due not to insufficient police powers, but to incomplete mobile coverage. 

Lord Blair used Loch Lomond as a metaphor for loss of capability due to technological change if the Anderson recommendations were not implemented. But the Loch Lomond metaphor would resonate more strongly with a demand that mobile non-spots should be filled in to aid law enforcement. That is paralleled in the digital world where, as often as not, the demand is for more comprehensive data to be retained and even generated for the benefit of law enforcement. In the physical world the more traditional notion of liberty is that law enforcement takes the world as it finds it, imperfections and all.

The claim that in the physical world the public would not accept no-go zones in towns and cities demands careful scrutiny. Towns and cities are full of physical no-go zones for law enforcement, protected by the law.  Our liberty depends on them. While the police may patrol where they wish in public areas like the streets, private homes and premises are off limits. The police may not enter without consent or a targeted warrant, or in exceptional situations such as a breach of the peace, saving life or preventing serious damage to property. Even on the public streets the police do not have free rein. They are constrained by law in what they may do to people and their vehicles.  

It will of course be said that law enforcement does not claim the power to roam freely through our private online spaces, but to enter only in carefully defined and limited circumstances when necessary and proportionate and subject to extensive safeguards and oversight. Even accepting that characterisation (and many would not in respect of bulk collection and mandatory communications data retention), it is pertinent to recall the reach of physical world powers when considering the extent of powers demanded over our online private spaces. 

In our private houses we do not generally have to let the police in without a warrant. We are not required to keep the curtains open so that they can check whether we are up to no good.  We do not have to make and retain a record, to be produced on demand, of our movements, of our visitors, of those with whom we have spoken or of the books and magazines that we have read. We do not have to leave a front door key at the local police station, nor a key to the locked drawer in the desk.  We do not have to pass through a security scanner when we exit our front door. If the police obtain a search warrant it is specific, not general. These private no-go zones for law enforcement are essential to our traditional notion of liberty. The public, unless it has already subsided into a state of supine acquiescence, would not accept otherwise.

The golden period
In today's mobile era we unconsciously create and leave behind us minute by minute traces of everything we do. Law enforcement submissions to the Anderson Review hint at digital technology's gift of an unprecedented amount of data:
"As a senior counter-terrorism officer put it to me: 'We have had 15 years of digital coverage being the main thing - a golden period. But the way people run their lives is not so accessible to us now.'" [9.36]
Lord Paddick, speaking of the IRA era in the House of Lords debate, reinforced the impression:
Fixed-line and mobile communication data, including text messaging and who was contacting who, from where and at what time, could easily be accessed because mobile phone service providers need this information so that they can bill the customer.    
As Anderson says, quoting from one of the Snowden documents, we were in a golden age in terms of the accessibility of intelligence - never before had the police and the security services had such a wealth of information about the communication between criminals, terrorists or otherwise.
The golden period of bountiful data came into existence unnoticed by the general public, an accidental by-product of digital technology that may empirically have altered the balance between intrusive powers and privacy even if the powers themselves remained the same. 

Anderson relates that:
“the NCA and police see their current [communications data acquisition] powers as, in large part, a translation of that well-established resource [(phone logs)] into the current age. Indeed they fear its dilution…” [9.32]
Is what we are seeing now less a dilution of traditional powers and more a reversion to the position that obtained in the physical world before the serendipitous golden age? When law enforcement speak of wishing only to keep pace with technology, of dilution of powers, or of needing a wider range of techniques to gain comparable insight, the baseline against which the comparison is being made has to be carefully examined. 

Anderson records that:
"law enforcement does want a record to exist of an individual's interaction with the internet to which it can obtain access" [9.61]
Law enforcement, seeking to preserve its golden age, appears to be on a quest for perfect traceability - a goal that we can confidently predict will remain tantalisingly out of reach. The problem with setting an unattainable goal is that there is no end to the powers that can be demanded in its fruitless pursuit.  It has already taken law enforcement and the intelligence agencies beyond anything that the public would accept in the private zones of the physical world. 
Granted, unlike in the physical world a vast amount of digital data comes into existence in any event. That is what ushered in the golden period.  It is said that it would be negligent not to empower law enforcement and the agencies to make use of it.  That still begs the question whether the data should be swept up for the benefit of law enforcement like leaves in the public streets, or whether it should be treated as part of the contents of a private house.  One points to bulk collection and retention, the other to targeted preservation and access.

Hogan J in the High Court of Ireland case of Schrems suggested that our electronic communications are an extension of the home:
"By safeguarding the inviolability of the dwelling, Article 40.5 provides yet a further example of a leitmotif which suffuses the entire constitutional order, namely, that the State exists to serve the individual and society and not the other way around."   
"In this regard, it is very difficult to see how the mass and undifferentiated accessing by State authorities of personal data generated perhaps especially within the home - such as e-mails, text messages, internet usage and telephone calls - would pass any proportionality test or could survive constitutional scrutiny on this ground alone. The potential for abuse in such cases would be enormous and might even give rise to the possibility that no facet of private or domestic life within the home would be immune from potential State scrutiny and observation."
Should our internet life be treated, for privacy purposes, as taking place within the home?  We tolerate intrusive measures in a sensitive public area such as an airport. That does not mean that the same would be acceptable in the home. If our communications are an extension of the home, then to turn our smartphones and the internet into the equivalent of an airport security zone would surely cross a red line.
On the coat tails of the private sector
One response (ventilated in the Anderson report at [8.104] to [8.106]) to the question of how far communications should be treated as an extension of the private home is that we already share our data with many internet and social media companies and that the needs of the state may be thought to be more pressing than the profit-making aims of commercial companies. In a related vein, GCHQ's Technical Director recently said: "At its heart, the internet economy is fundamentally incompatible with privacy."
But however often we may decide to share data with an internet company, and however constrained some may regard our freedom of action to be when dealing with internet companies, we make that choice to engage with another private entity.  It is hard to see why that should affect our expectation of privacy as against the coercive powers of the state. If we let a stranger into our home the invitation does not implicitly extend to state agencies.  Nor is the state thereafter entitled to treat that home as any less of a private space for law enforcement purposes.  If the argument is that law enforcement and intelligence agencies should be freer to harvest and analyse our data because of what Silicon Valley companies do, that is to ignore the fundamental difference between consensual transactions of private actors and the coercive activities of the state.
International human rights standards
Anderson recognises that combining his first and second principles is not easy:
"It may be objected that the result in combination of my first two principles is uncertain. They would deprive criminals of sanctuary, whilst imposing limitations (for the protection of the innocent) on the methods that can be used to catch them. [13.22]  
To that, I would answer as follows: 
(a) It is how things are: criminals and enforcers are locked in a digital arms race, where neither can be sure of having the upper hand. 
(b) It is how things should be. When no human institution is perfect, and when the great majority of those using private communications enhance blameless lives by doing so, it is right that there should be legal limits on when and how those communications may be intruded upon. That is so, even if those limits from time to time diminish the effectiveness of law enforcement and result in more bad things happening than would otherwise be the case." [13.23]
He observes that:
"Understanding the need for legal limits on state power is easier than knowing where those limits are to be placed." [13.24]
To resolve that conundrum he turns to the principle of respect for internationally guaranteed human rights and freedoms. Assuming that a law is sufficiently clear and foreseeable, the balancing of security and privacy is founded on the concepts of necessity and proportionality. Anderson recognises their limitations:
"As a means of imposing strict limits on state power   they are less certain, and more contestable, than hard-edged rules of a more absolute nature would be. [13.28]  
This highlights the vital importance of ensuring that where potentially intrusive powers are concerned, the necessity and proportionality tests are applied according to a thorough set of criteria, and in an independent spirit." [13.29] 
In his recommendations Anderson has himself gone beyond human rights requirements, aiming to produce a modern, fair and workable law, not just one that may hope to survive future court scrutiny [13.30]. Anderson's most eye-catching recommendation - judicial approval of warrants - is not at present required by European human rights law.

That aptly illustrates the difficulty of relying only on human rights law to reconcile conflicting principles of minimising no-go areas and limiting powers. At least where direct interference by the state is concerned, human rights law sets only minimum standards. Compliance with minimum standards may still produce a result that does not live up to the best traditions of a liberal society.

Ultimately, as Anderson acknowledges, different people will draw their red lines in different places.  Many will argue that the red line should be drawn short of empowering bulk collection of communications and mandatory communications data retention, just as comparable powers and requirements do not exist and would be unacceptable within the private home in the physical world.
Extended powers?
These issues are significant when we look to the future. The Anderson report suggests that at least in some respects the State's appetite for capturing and analysing bulk data is likely to spread further into the domestic arena:
"The Agencies also anticipate that domestic security work will increasingly rely on the use of bulk data, including the examination of communications data within the UK. The spread of encryption and the multiplicity of identities used online by individuals mean that the kind of target search and discovery familiar from overseas operations will be needed in the domestic sphere." [10.24]
Concomitantly, there could be pressure to extend the use of such powers from the intelligence agencies to conventional law enforcement:
"There are still investigatory powers that only the security and intelligence agencies deploy: notably bulk data collection and CNE. I have not suggested that this should change. But as technology develops, bulk data analysis (notably by private companies) becomes a standard feature of everyday life and digital investigation techniques become more widespread, the trend may prove to be towards convergence rather than the reverse." [13.42]
The Anderson Report has recommended no significant limitation of existing powers, but has focused on the need for a compelling case to be made for their extension. Realistically the forthcoming draft Bill is unlikely to contain any significant curtailment of powers unless that is forced by a future court ruling. It is most likely to revolve around greater powers, future-proofing, transparency, judicial warrants and improved oversight and safeguards.

A second article will delve into some specific areas to look out for in the draft Bill.

Monday, 25 May 2015

ECommerce formalities back in the CJEU spotlight

For an ecommerce lawyer who spent far too many hours at the turn of the millennium pondering how writing and signature requirements could be complied with electronically, reading the CJEU decision in El Majdoub v CarsOnTheWeb (C-322/14, 21 May 2015) is something of a throwback.

The 2001 Brussels Jurisdiction Regulation, like its predecessor the Brussels Convention, requires a jurisdiction agreement to be in writing or evidenced by writing.  In an attempt to update the writing requirement for the electronic age, the Regulation added a new gloss.  Article 23(2) provides that “any communication by electronic means which provides a durable record of the agreement” shall be equivalent to writing.

The CarsOnTheWeb click-wrap process provided a box to accept its terms and conditions. The terms and conditions themselves, containing the choice of court provision, were behind a hyperlink with the rubric ‘click here to open the conditions of delivery and payment in a new window’.  The CJEU analysed the process:

“it is an essential feature of the facts of the case in the main proceedings that a potential purchaser must expressly accept the seller’s general terms of sale by clicking the relevant box before making a purchase. However, that operation does not automatically lead to the opening of the document containing the seller’s general terms, as an extra click on a specific hyperlink for that purpose is still necessary.” [21]

El Majdoub argued that the process did not provide a durable record of the agreement, since a window containing the terms and conditions was not automatically created.

The CJEU disagreed. Clicking on the relevant box expressly accepted the terms and conditions. Because the terms and conditions could be saved or printed, that possibility of creating a durable record was sufficient regardless of whether the purchaser actually durably recorded the terms and conditions.

The CJEU considered its 2012 decision in Content Services (Case C-49/11). In that case it held that a hyperlink to terms and conditions did not satisfy the Distance Selling Directive (now superseded by the Consumer Rights Directive) requirement that a consumer should receive written confirmation or confirmation in another durable medium.  Distinguishing Content Services, the Court said in CarsOnTheWeb:

“both the wording of Article 5(1) of Directive 97/7, which expressly requires the communication of information to consumers in a durable medium, and the objective of that provision, which is specifically consumer protection, differ from those of Article 23(2).”

Requirements of form have a long history. They tend to be technology-specific, causing problems when an unforeseen new technology arrives.  

In the case of durable form the EU legislature has sought to identify the essence of an old technology requirement – writing – and translate it into a new medium.

The risk with that approach is that the newly articulated formality does not accurately reflect the characteristics of the previous technology and, when interpreted, may turn out to be more onerous rather than technology-neutral.

In Content Services the CJEU said:

“a substitute for paper form may be regarded as capable of meeting the requirements of the protection of the consumer so long as it fulfils the same functions as paper form.”

It went on:

“Where a medium allows the consumer to store the information which has been addressed to him personally, ensures that its content is not altered and that the information is accessible for an adequate period, and gives consumers the possibility to reproduce it unchanged, that medium must be regarded as ‘durable’ within the meaning of that provision.”

Paper, however, is not tamperproof. Some paper is flimsy.  The Australian Electronic Commerce Expert Group identified the risk of overstating the qualities of previous technology in its 1998 Report to the Attorney-General:

“There is always the temptation, in dealing with the law as it relates to unfamiliar and new technologies to set the standards required of a new technology higher than those which currently apply to paper and to overlook the weaknesses that we know to inhere in the familiar.”

While the CJEU’s decision in CarsOnTheWeb is welcome, it is debatable whether the court should have had to interpret a requirement of form based on durability in the first place.

In 1954 England had the good sense to repeal most of S.4 of the Statute of Frauds, the 1677 legislation that rendered a variety of contracts unenforceable without a signed note or memorandum in writing.  At the same time S.4 of the Sale of Goods Act 1893, which required writing as a condition of the enforceability of contracts for the sale of goods of the value of £10 or upwards, was repealed. 

These reforms followed the recommendations of an official Committee in 1937, which had observed:

“'The Act', in the words of Lord Campbell . . . 'promotes more frauds than it prevents'. True it shuts out perjury; but it also and more frequently shuts out the truth. It strikes impartially at the perjurer and at the honest man who has omitted a precaution, sealing the lips of both. Mr Justice FitzJames Stephen ... went so far as to assert that 'in the vast majority of cases its operation is simply to enable a man to break a promise with impunity, because he did not write it down with sufficient formality.’ ”

Even in England, a relatively liberal jurisdiction in this regard, some requirements of form remain. Section 4 of the 1677 Act still applies to guarantees. Requirements of signature, writing and the like apply to some specific types of transaction such as an assignment of copyright. 

Consumer protection laws, such as those regulating consumer credit, tend to impose detailed formalities.  Even when adapted to the electronic environment, such requirements of form can still pose vexing questions. In Bassano v Toft (2014) the court considered whether an electronically generated document had been signed by clicking on an ‘I accept’ button, and if so whether the signature was in "the space in the document indicated for the purpose", as required by the applicable consumer credit regulations. Popplewell J held that both were satisfied:

“the word "I" can be treated as being the mark which is unambiguously that of Mrs Bassano affixed for the purposes of authenticating and agreeing to be bound by the terms of the document”.

In the 1990s requirements of form began to be perceived as an obstacle to electronic commerce. What constituted writing or signature in an electronic environment? How do you satisfy a legibility requirement when the consumer controls the screen display? What constitutes a document? Mr Justice Lightman gave an answer to that question in 1999 in Victor Chandler International v HM Customs and Excise:

“In summary, a document is a material object which contains information capable of extraction from it (e.g. a tape so long as it is not blank). Mr Oliver (Counsel for VCI) properly disavowed that he was a document: the repository of information must be inanimate: neither a person nor A.P. Herbert's "negotiable cow" (referred to in Uncommon Law, p.201) can constitute a document.)”

Some legislative initiatives such as the US Uniform Electronic Transactions Act promulgated in 1999, followed by the federal E-SIGN Act in 2000, sought to facilitate electronic transactions by rendering requirements of form, as far as possible, medium-neutral. As the Chair of the UETA Drafting Committee, Patricia Blumfeld Fry, memorably explained:

“. . . UETA preserves the requirements concerning the manner of sending, posting, displaying, formatting, etc. contained in other State law. If other State law requires information to be furnished in a conspicuous manner, UETA §8 states that you can furnish the information electronically, but must do so in a conspicuous manner. If other State law requires the information to appear in purple ink sprinkled with glitter, you can furnish the information electronically only if you can assure that it appear to the recipient in purple sprinkled with glitter."

The UK Electronic Communications Act 2000 took a different approach, providing a power to amend existing legislation piecemeal to facilitate electronic transactions. In 2001 a Law Commission Advice increased confidence that e-mails and website trading were capable of satisfying formal requirements of writing and signature. Subsequent court decisions have confirmed the traditionally liberal English view of what can constitute a signature including, for instance, typing one’s name at the end of an e-mail.

Sunday, 22 February 2015

From telegram to tweet: Section 127 and all that

Big Brother Watch has this week published the results of its research, conducted via freedom of information requests to police forces, into charges and cautions under two communications offences: Section 127 of the Communications Act 2003 and the Malicious Communications Act 1988.

The report ‘Careless Whispers’ finds that for the three years November 2010 to November 2013 at least 4,259 people were charged and at least 2,070 cautioned under the two provisions, nearly two thirds of which were under Section 127.  At least 355 of these cases involved social media.  The proportion involving social media is on the increase.

BBW's conclusions are twofold: that these offences were designed for one-to-one communications such as post and telephone, not for the one-to-many communications typical of social media; and that they are out of date and the law needs to be reformed. 

Specifically BBW calls for the abolition of Section 127 and the removal of 'grossly offensive' from the Malicious Communications Act.

Section 127 has two limbs. It is an offence for someone to send by means of a public electronic communications network a “message or other matter that is grossly offensive or of an indecent, obscene or menacing character”. It is similarly an offence if someone “for the purpose of causing annoyance, inconvenience or needless anxiety to another” sends “a message that he knows to be false”.

Section 127 applies to all internet communications, public or private, one-to-one or one-to-many. That is because when you send a tweet, post something to Facebook or send an e-mail the communication will travel across a UK public telecommunications network that carries internet traffic.  Section 127 catches that communication, regardless of whether it ends up in someone's private mailbox or published on a social media platform.

Some may argue that exactly because the internet and social media are 'one to many' the communications can be more damaging, and stricter content prohibitions should apply than to private communications.  Others will say that individual freedom of public expression is a major advance wrought by the internet that should be defended at least as jealously online as offline.  There is a debate to be had about that.  What is beyond doubt, however, is that Section 127, and its application to social media, is the result of historical accident not conscious design.

Section 127 goes back at least to the 1935 Post Office (Amendment) Act. The first limb, including ‘grossly offensive’, was designed to deter telephone users from being abusive to telephone operators; the second to catch senders of distressing hoax telegrams. Instances of malicious or even fraudulent hoax telegrams were known from at least the early 20th century. 

In fact the first limb of Section 127 can be traced back even further than 1935, to the Post Office (Protection) Act 1884. Here is the ancestry of the section, focusing on the origin of 'grossly offensive'.

'Grossly offensive' originated in 1884 as part of a prohibition on material on the outside of postal packets (including telegrams). At the outset an M.P., Charles Warton, voiced concern in Parliament about what might be caught:

"… many people—even many Members of that House—frequently sent letters through the Post with very amusing pieces of scurrility upon them. … under this clause, a very heavy liability might attach to it. … it might happen that one man would use words—for instance, he might write "swindler" or "liar" upon the outside of a letter—which were not really indecent or obscene, only what they would call vulgar, and see what a tremendous penalty the clause imposed for that—imprisonment for 12 months."

In the event the MP's fears were borne out in 1913 when one John Cole was convicted under the 1884 Act at Leeds magistrates after sending postcards to various local officials, calling a well-known local alderman an 'insurance swindler'. This was found to be grossly offensive.

The prohibition on ‘grossly offensive’ material on the outside of postal packets remained unchanged until the Postal Services Act 2000.  By that time the legislative line of descent had forked.  While 'grossly offensive' was removed from the postal packets offence, it remained in the telephony provision. That was widened to cover messages sent by public telecommunications services in 1969, then amended to 'public electronic communications network' in 2003.

It is not clear why in 2000 "grossly offensive" was removed from the prohibition applicable to the outside of postal packets, but not removed from what in 2003 became Section 127.

Section 127, in particular, has long been a cause for concern. It lays down stricter prohibitions online than would apply offline.  It can criminalise activities, such as sharing a photo with friends via smartphones, that would be legal if done face to face.

During the debate on the 2013 Defamation Bill the government minister said: “An individual should be charged and prosecuted for the offence they commit, irrespective of whether it happens in the street or in cyberspace”. This is the hallowed mantra that what is illegal offline should also be illegal online.

But if we are serious about that, the converse should also apply: if it is not illegal offline it should not be illegal online. With Section 127 that is patently not the case.  It sweeps up more than the offline offences. It can lead to incidents such as last year’s prosecution (apparently under Section 127) for sharing a photo of a police officer decorated with cartoon penises.

The notorious Twitter Joke Trial was a Section 127 prosecution, albeit that it ultimately failed. The Director of Public Prosecutions’ social media prosecutorial guidelines, while welcome, are no substitute for appropriately formulated legislation.

By way of a historical footnote, the Twitter Joke Trial was not the first occasion on which a joke communication has landed the perpetrator in hot water with the criminal law. This incident from 1924 could have graced the pages of PG Wodehouse. 

In January 1924 the Rev. Walter Karran, a curate on the Isle of Man, pleaded guilty at Liverpool Police Court (under pre-1935 legislation) to uttering a forged telegram (or to aiding and abetting the same – reports vary).  The following account is based for the most part on the report in the Dundee Courier of 25 January 1924.

The Rev. Karran had been travelling to Liverpool from the Isle of Man. He suggested to a fellow-traveller on the ferry, Miss Alice Winstone, that he should send a telegram to his Bishop purporting to be from the then Prime Minister, Mr Stanley Baldwin. He then wrote the following message which he asked her to send from the telegraph office in Liverpool, giving her the money to pay:

“To Denton Thompson, Bishop’s Court, Kirkmichael, I.O.M. – Meet me at Adelphi Hotel, three, to-morrow afternoon. Most important. – Baldwin.”

The Bishop received the telegram and hastened to Liverpool, where he knew that Baldwin was speaking that day, but discovered on arrival that he had been hoaxed. The Bishop was meant to be moving the Church Enabling Bill in the Manx Legislative Assembly, which had to be postponed due to his absence. The Bishop had thought the telegram must concern the Baldwin Trust, of which he was Chairman.

Following police enquiries the Rev. Karran confessed and took full responsibility. The Director of Public Prosecutions instigated proceedings. In court counsel, in mitigation, said that the Rev. Karran was a “devoted worker in his vocation, but inclined in lighter moments to take a humorous view of things and to indulge in practical joking”. Miss Winstone was threatened with sea sickness and it was to divert her attention that he suggested the joke. It was rumoured that the Bishop was likely to be offered a bishopric in England and he thought the telegram would be “a very amusing bit of leg-pulling”.

The Stipendiary Magistrate was less amused. The explanation given as to why the Bishop might have thought the telegram genuine “made the so-called joke a singularly offensive one”. It was “incredible to most people that a clergyman could do such a thing”. The Rev. Karran was fined £10 and 25 guineas costs.  A summons against Miss Winstone was withdrawn, she being held to be an innocent party in the episode.

Telegram or tweet, jokes have a tendency to fall flat when scrutinised in the cold light of the courtroom.

Monday, 2 February 2015

IP address resolution - a conundrum still unresolved?

Am I the only one still confused by Clause 17 (now Clause 21) of the Counter-Terrorism and Security Bill?  This is the clause that will extend the communications data retention provisions of DRIPA to cover so-called IP address resolution. I have been wrestling with it since the beginning of December.  The most recent Parliamentary explanations have not lifted the fog.

The second day of the House of Lords Committee stage took place on 26 January. In response to a plea to explain what data might be covered by the clause, the Minister said this:
“The noble Lord, Lord Rosser, asked for examples of access data that may be required. An example is port numbers, which are akin to a house number, where an IP address is akin to a postcode. I know that the noble Baroness, Lady Lane-Fox, could probably give us a tutorial on the technical points; I could probably do with one at some point. Other types of data include the MAC address—the identifier of a particular computer—the time, the location and so on.”

So far, so clear.  It’s about port numbers and MAC addresses.  The Home Office Fact Sheet and the Impact Assessment suggested the same.  But the Minister went on to say:
“Those are the types of data covered by “or other identifier”, and that is set out in the Explanatory Notes which accompany the legislation.”

So according to the Minister a port number is an ‘other identifier’ as defined by Clause 21. But the conundrum is that, as I read it, Clause 21 does not empower the retention of ‘other identifiers’. It empowers retention of communications data that can assist in associating an “IP address or other identifier” with the sender or recipient of a communication.

Clause 21 empowers the mandatory retention of:
“communications data which … may be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication (whether or not a person)”

An identifier “means an identifier used to facilitate the transmission of a communication”.

If the clause does (as the Home Office clearly intends) empower mandatory retention of port numbers, it is because they can assist in linking an IP address (or other identifier) simultaneously used by thousands of ISP customers to one customer device or connection – not because a port number is itself an 'other identifier'.

I can see nothing in the clause that provides a power to require port numbers or MAC addresses to be retained on the basis that they are ‘other identifiers’. 

This does add spice to the question: what is ‘other identifier’ doing in Clause 21 at all, when the issue that gave rise to the clause was about simultaneous IP address sharing? A clear explanation of Clause 21 would be helpful. Even better, the government could start again with a redraft that is specific about what the clause is aiming to achieve.

Sunday, 25 January 2015

Latest score in the jurisdiction game: Internet 0, EU Court of Justice 2

The CJEU in Pez Hejduk (22 January 2015) has plumped for mere accessibility as the threshold for online copyright jurisdiction under Article 5(3) of the EU Jurisdiction Regulation.

Mere accessibility is problematic for the internet. Exposing a website to the jurisdiction (or a fortiori the laws) of any country from which it can be accessed is, David Post has argued, not a reasonable outcome. (Some, epitomised by the Gutnick-inspired English defamation cases, may consider it quite reasonable since anyone posting to the internet knows the worldwide reach of the medium).  From a broader perspective mere accessibility chills cross-border freedom of expression, encourages geo-blocking of websites and impedes the free flow of information across borders.  Pez Hejduk is another bad day for the internet.

The CJEU headed down this road in October 2013 with Pinckney, a copyright infringement case against a German CD pressing company. The litigation was brought in France on the basis that the CDs could be purchased in France from a UK website unconnected with the German company. That was said to amount to damage in France.

For a tort such as copyright infringement Article 5(3) allows the plaintiff to sue in the place of the damage.  Article 5(3) is an exception to the primary rule that proceedings have to be brought in an EU defendant’s home country. Article 5(3) is the kind of effects-based rule that, unless it is kept within bounds, has the potential to create jurisdictional overreach. 

That potential is magnified by the inherently cross-border nature of the internet.

In Pinckney the court agreed with the plaintiff that damage was shown by the ability to purchase the CDs in France. It was irrelevant what kind of copyright infringement (reproduction? distribution? making available to the public?) was alleged against the German pressing company. Copyright infringement was to be treated as a general concept. Harm could apparently be relied upon however remote might be the causal relationship between the actual infringement alleged (reproduction in Germany?) and the harm relied upon (availability of CDs in France via an unconnected UK website).

So like the smile on the Cheshire Cat, jurisdictional harm seemed to float free, decoupled from any specific territorial infringement alleged against the defendant. That was not a promising start for keeping damage-based jurisdiction on the internet within sensible bounds.

Pez Hejduk concerned photographs published on a German .de website. The copyright owner sued in Austria.  Again the precise basis of the infringement allegations is not entirely clear from the CJEU judgment.  It seems likely that the claim was for making available to the public in Austria from the German website, thus infringing Austrian copyright.

In Pez Hejduk causation was less tenuous than in Pinckney.  The Court identified a specific causal event as giving rise to the alleged damage: “the activation of the process for the technical display of the photographs on that website”. Even so the CJEU could have gone on to find that, for the purpose of jurisdiction under Article 5(3), a website operator does not cause damage in Member States that it has not targeted.  But it did not do so.

The CJEU held that the mere fact that the .de website was accessible in Austria was sufficient to establish damage under Article 5(3), where (as would inevitably be the case) the photographs were protected by copyright in Austria as well as in Germany. There was no basis in Article 5(3) for limiting jurisdiction to cases where the German site had targeted Austria.

Article 5(3) is supposed to be a strictly limited special derogation from the general rule under the Regulation that a plaintiff must sue in the defendant’s Member State. But for the internet mere accessibility comes close to turning the exception into the rule. Unless the site or content is geo-blocked a plaintiff can, based on mere accessibility of the site, sue in parallel in any number of Member States (albeit limited in each case to damage caused within the Member State in which it sues).

The twin prongs of mere accessibility and Pinckney’s broad causation brush are a recipe for jurisdictional overreach.

The Pinckney approach is odd when one considers that a plaintiff relying on Article 5(3) can sue only for damage caused within that Member State. How can the existence or likelihood of relevant damage (a jurisdictional issue) be evaluated if no attention is paid to the causal link between the specific infringement alleged and the harm relied upon?

The unwillingness of the Court in both Pinckney and Pez Hejduk (in each case rejecting the recommendations of the Advocate General) to align Article 5(3) more closely with the scope of the substantive right by way of targeting is difficult to understand, given that it has already gone down the path of interpreting Article 5(3) differently for different rights:

“the meaning of [Article 5(3)] may vary according to the nature of the right allegedly infringed…” (para 29).

eDate/Martinez (defamation/privacy), Wintersteiger (trade mark) and Pinckney (copyright) are all examples of this.  The Court may be making an implicit distinction between the nature of the right (which it allows can affect the interpretation of Article 5(3)) and its substance (which cannot). Whether the two are separable is open to question. Can the nature of a right be characterised without regard to its substance? What is the basis for distinguishing between relevant and irrelevant aspects of a right?

The Court in Pez Hejduk also relied on the lack of mention of targeting in Article 5(3):

“It is clear from [Pinckney] that, unlike Article 15(1)(c) … Article 5(3) does not require, in particular, that the activity concerned be ‘directed to’ the Member State in which the court seised is situated ...”.

It is true that, unlike Article 15(1)(c), Article 5(3) makes no mention of directing activities. But nor does it mention mere accessibility; nature of the right versus substance; centre of interests of the plaintiff (eDate/Martinez); limitation of damage to that caused in the Member State; country of registration of the trade mark (Wintersteiger); or any of the other glosses that the CJEU has placed on Article 5(3).

Perhaps the most persuasive reason relied upon by the Court in Pez Hejduk is that the Member State court best placed to exercise jurisdiction is the one that will apply its own law:

“The courts of other Member States in principle retain jurisdiction, in the light of Article 5(3) … and the principle of territoriality, to rule on the damage to copyright or rights related to copyright caused in their respective Member States, given that they are best placed, first, to ascertain whether those rights guaranteed by the Member State concerned have in fact been infringed and, secondly, to determine the nature of the damage caused …”.

However, where the claim is copyright infringement by the presence of content on a website, the most likely basis of a cross-border claim will be making available to the public. As a matter of substantive EU copyright law (applying Sportradar to copyright) there can be no infringement, and so no damage caused by a tort, if the site is not targeted to that Member State. That will be the same throughout the EU. In those circumstances it is hard to see what practical purpose is served by allowing mere accessibility rather than targeting to be the jurisdictional threshold.