Cloud Computing Regulation

Last Wednesday was the excellent one day conference on Cloud Computing: Legal, Organisational and Technological Issues, organised by the Commercial Law Research Unit at UWE, Bristol. There was a mixed audience of service providers, lawyers and academics. I presented a development of my active matrix theory designed to highlight the problems of gatekeeper control in cloud computing. The slides used are below.

Basically my argument is thus. We already know that there are powerful regulatory controllers in network regulation - viz Latour, Foucault, Luhmann etc. We also know the peculiar regulability of digital network systems - Lessig, De Hert etc. When one thinks about the uniquely powerful positions that gatekeeper nodes such as cloud computing providers put themselves in we must ask what costs will be extracted by them for the services they provide? 


Will they exert only economic costs? Unlikely for as other gatekeepers such as Facebook and Google have shown the value of data is quite alluring - so democratic, social and personal costs are likely in terms of data flows and data mining. The key is in the recognition of these gatekeepers and the peculiar role they play for they are likely to be key regulators in the future.

UPDATE: Media Cat v Adams

A lot has been written on the recent Media Cat v Adams decision (otherwise known as the ACS: Law decision). Few of those writing have actually read the decision in full so here is my take on it having done so - the decision may be read here .

Volume litigation is discussed in Chapter 10 (at 10.2.7) and only received three pages of coverage in the book. Since then much has happened, most of it fuelled by the actions of Andrew Crossley and ACS: Law. This blog has several entries on this - see Not a Good Week for Andrew Crossley and Volume Litigation Issues to catch up while I also wrote a longer piece on the activity for the Journal Computers and Law.  Throughout I bemoaned the lack of a full hearing on the activity, noting that whenever an action was defended the pursuit would be dropped. I'm pleased to say eventually that Railli Solicitors and Lawdit Solicitors (operated by the excellent Michael Coyle) finally forced a hearing. What happened next has been covered extensively by the media. ACS:Law ceased operations and Andrew Crossley sought to have the cases discontinued. He claimed he had been the target of death threats including bomb threats and criminal attacks including the famous Anonymous ACS:Law hack - interestingly on a related note the Information Commissioner last week found he need take no action against BT over leaked customer details handed over to ACS:Law - see here .The more cynical may observe that Andrew Crossley sought to discontinue the cases to avoid a precedent being set in case he ever wanted to return to this valuable cash cow. In any event HH Judge Birss was having none of it. He decided as the copyright holders were not in court the case had to continue and continue it did (and indeed does) and on the 8th of February he issued his judgement in the matter.

Media Cat v Adams

The most important part of HH Judge Birss's judgement is his views on the connection of IP addresses and infringers. As I have discussed before the fulcrum of the volume litigation model is to link an IP address to an individual user using a Norwich Pharmacal order. So the enforcement organisation (in this case Media Cat) capture IP addresses which they pass on to their legal representatives (here ACS:Law) who then seek a Norwich Pharamacal order against ISPs forcing them to reveal customer account details relating to that IP address. As has been pointed out by myself and others an IP address is though an address of a device not a person - you can identify a router but now who was using it. ACS:Law have claimed that the operator of a router has some form of "owner liability" to ensure that anyone using their router is not acting unlawfully. I have repeatedly pointed out that the Copyright, Designs and Patents Act has no such provision.

Judge Birss seems to have come down squarely on my interpretation of the CDPA. He notes (at paras [28-31]):

28. All the IP address identifies is an internet connection, which is likely today to be a wireless home broadband router.  All  Media CAT’s monitoring can identify is the person who has the contract with their ISP to have internet access.  Assuming a case in Media CAT’s favour that the IP address is indeed linked to wholesale infringements of the copyright in question (like the Polydor case), Media CAT do not know who did it and know that they do not know who did it.  The Particulars of Claim are pleaded in a way to address a problem which is very old and very well known in intellectual property cases (see e.g. The Saccharin Corp v Haines (1898) 15 RPC 344).  There the patentee had patents on all known methods of making saccharin and so, even though the patentee did not know how it was made, the defendant’s saccharin must be infringing one way or another.  Such saccharin type points arise  frequently when a claimant contends that despite a lack of information about some aspect of the matter, one way or another the defendant is liable for infringement.

29. Media CAT’s case on this is in two parts.  Of course Media CAT cannot know who actually used the P2P software, so in paragraph 3 of the Particulars of Claim they plead that the software was used either by the named defendant who was identified by the ISP, or by someone they authorised to use the internet connection or someone who gained access to the internet connection “due to the router having no or no adequate security”. Then in paragraph 5 the plea is that “in the premises” the defendant has by himself, or by allowing others to do so,  infringed.  So taken together these two paragraphs show that the Particulars of Claim is pleaded on the basis that one way or another the defendant must be liable for the infringement which is taking place.

30. But the argument is based on equating “allowing” and  “authorising” and on other points.   What if the defendant authorises another to use their internet connection in general and, unknown to them, the authorised  user uses P2P software and infringes copyright?  Does the act of authorising use of an internet connection turn the person doing the authorising into a person authorising the infringement within s16(2)?  I am not aware of a case with decides that question either. Then there is the question of  whether leaving an internet connection “unsecured” opens up the door to liability for infringement by others piggy backing on the connection unbeknownst to the owner. Finally what does “unsecured” mean?  Wireless routers have different levels of
security available and if the level of security is relevant to liability - where is the line to be drawn?  No case has  decided these issues but they are key to the claimant’s ability to solve the Saccharin problem and say – one way or another there is infringement here.

31. Notable again is the contrast between the letter of claim and the Particulars of Claim.  The letter simply asserts that the defendant has infringed “either directly yourself or by you authorising (inadvertently or otherwise) third parties to do the same”.  The letter makes no mention of unsecured internet connections.  It does not face up to the Saccharin point. Again the Particulars of Claim is rather more frank than the letter.
The Particulars of Claim faces up to the difficulty and tries to put a case which deals with it, but it all based on untested legal and factual propositions and issues of technology.

Where does this leave us. Well Judge Birss has to be careful. He cannot say the use of an IP address as a proxy for a user is not possible as he has not had a full hearing on the evidence, hence the carefully couched language. But reading between the lines he is saying it would have to be pretty spectacular evidence before he would even consider such a statement. He is also pointing out that ACS:Law is saying one thing in letters to alleged infringers and another in their statements of claim. This he seems to be suggesting is al least bad practice at worst bad faith.

He concludes his views on the practice of connecting IP addresses to claims at para. [91]:

91. First, the nature of the case itself raises many questions.  I have mentioned some of them above.  The issues are as follows:-

(i) Does the process of identifying an IP address in this way establish that any infringement of copyright has taken place by anyone related to that IP address at all.
(ii) Even if it is proof of infringement by somebody, merely identifying that an IP address has been involved with infringement then encounters the Saccharin problem.  It is not at all clear to  me that the person identified must be infringing one way or another.  The fact that someone may have infringed does not mean the particular named defendant has done so. Perhaps the holder of the account with the ISP has a duty to assist along the lines of a respondent to another Norwich Pharmacal order but that is very different from saying they
are infringing.

He goes on from this central point to, in a quite extraordinary judgement, attack the practice of volume litigation more generally. In paragraph [21] he discusses the menacing tactics of the volume litigation model:

21. Perhaps many, maybe more of the recipients of these letters have been squarely infringing the copyright of [the copyright holder] on  a major scale and know that they have been doing exactly that.  They may think £495 is a small price to pay and settled immediately. That is a matter for them.  However it is easy for seasoned lawyers to under-estimate the effect a letter of this kind could have on ordinary members of the public. This court’s office has had telephone calls from people in tears having received correspondence from ACS:Law on  behalf of Media CAT. Clearly a recipient of a letter like this needs to  take urgent and specialist legal advice.Obviously many people do not and find it very difficult to do so. Some people will be tempted to pay, regardless of whether they think they have actually done anything, simply because of the desire to avoid  embarrassment and publicity given that the allegation is about pornography. Others may take the view that it all looks and sounds very official and rather than conduct a legal fight they cannot afford, they will pay £495.  After all the letter refers to an order of the High Court which identified them in the first place. Lay members of the public will not know the intricacies of the Norwich Pharmacal jurisdiction. They will not appreciate that the court order is not based on a finding of infringement at all.

At paragraph [23] he attacks the claimants for trying to dispose of the actions without allowing the respondents the chance to be heard:

23. In any event over a period from August to November 2010 Media CAT commenced 27 cases before the Patents County Court for copyright infringement.  In November they applied for default judgment in 8 of them using a procedure almost unheard of in intellectual property cases called a request for judgment (RFJ).  It is withott notice to the defendant.  These came before me  on paper and were dealt with without a hearing.  On 1st December 2010 they were rejected (see  Media CAT v A [2010] EWPCC 017).  The judgment questioned whether the RFJ procedure was appropriate for complex copyright cases of this kind.  One feature of the RFJ procedure is that it is designed for claims for specified sums of money (and certain other claims) where no judicial decision is required (see The White Book at 12.0.2).

The coup de grace is delivered in three final withering comments:

At paragraph [91(iii)] he questions the level of damages claimed:

The damages claimed deserve scrutiny. If all that is proven is a single download then all that has been lost is one lost sale of one copy of a work. The sort of sum that might represent would surely be a small fraction of the £495 claimed and the majority of that sum must therefore be taken up with legal costs. If so, a serious question of proportionality arises but again this has not been tested. Clearly if the defendant has infringed on  a scale as in the Polydor case then would be a very different matter but there is no evidence of such infringement here.

At paragraph [99] he questions the whole tactics of Media Cat/ACS:Law

Media CAT and ACS:Law have a very real interest in avoiding public scrutiny of the cause of action because in parallel to the 26 court cases, a wholesale letter writing campaign is being conducted from which revenues are being generated.  This letter writing exercise is founded on the threat of legal proceedings such as the claims before this court.

Finally at paragraph [22] he highlights the unwillingness of the claimants to back up their letter writing campaign with legal claims:

One odd thing is that if tens of thousands of letters have been sent threatening legal action, where are all the legal actions? The Patents County Court is clearly an appropriate court to bring a claim against an individual for copyright infringement and yet there are only 27 cases pending.  Surely out of 10,000 letters it cannot be that only 27 recipients refused to pay.

Unfortunately this is unlikely to be the last we will see of the practice of volume litigation, for as Judge Birss noted himself (at [100])

The information annexed to Mr Batstone’s letter refers to ACS:Law having “recovered” £1 Million.  Whether that was right and even if so whether it was solely in relation to Media CAT or other file sharing cases I do not know.  Simple arithmetic shows that the sums involved in the Media CAT exercise must be considerable.10,000 letters for Media CAT claiming £495 each would still generate about £1 Million if 80% of the recipients refused to pay and only the 20% remainder did so.  Note that ACS:Law’s interest is specifically mentioned in the previous paragraph because of course they receive 65% of the revenues from the letter writing exercise.  In fact Media CAT’s financial interest is actually much less than that of ACS:Law.  Whether it was intended to or not, I cannot imagine a system better designed to create disincentives to test the issues in court.  Why take cases to court and test the assertions when one can just write more letters and collect payments from a proportion of the recipients?

Freedom of Information in the WikiLeaks Era


Sorry for the long silence. I have been busy though and more frequent posts should follow. I have a couple of upcoming seminars/symposia which like this one I will post on after the event. On Friday I'm speaking at the TILT/Academie voor Wetgeving Symposium "Regulation by Technology" in The Hague and on 23rd February I'm speaking at the UWE event "Cloud Computing: Legal, Organisational and Technological Issues".

This post though is about an event I attended on Monday evening. the rather excellent BIICL debate on Freedom of Information in the WikiLeaks Era. Surrounded on all sides by expert ex tempore speakers, and given that as an academic I can only speak in 50 minute blocks I decided to write down my talk in advance. It was still a little long so thanks to Joshua for allowing me a degree of freedom. Those of you there on the night heard an edited version to get it (nearly) to 10 minutes. Below is the full unedited version.

Freedom of Information in the WikiLeaks Era – The Need for Balance

Introduction

I am pleased to be here tonight among a panel of expert commentators. I believe the role of the academic on occasions such as this is to provide the broader viewpoint that is afforded by the freedom of not having to support either a client viewpoint or a professional one. Although all the panellists tonight are speaking a private capacity their views are always going to be the product of their experiences and one of the vital roles of academia is academic freedom to explore the unsaid and sometimes unsayable. Thus I start, I suspect from a radically different position to the many of the others on the panel. 

My starting point is Wikileaks is bad for democracy, bad for freedom of information and generally an example of the type of behaviour in the information society which fails to comply with socially normative behaviour outside of a small self‐referential grouping as predicted by Cass Sunstein in his book Republic.com. With my position clearly set out I should say I will also try to position myself within the panel but of course at the time of preparing this I had not had the benefit of the presentations of the other speakers – hence why I have no doubt been scribbling notes in the margins during the preceding presentations.

Wikileaks, Cablegate and Freedom of Information

Let me begin by turning to the two things which are at the focus of this evening’s event: the nature of Wikileaks; and the legal principles of Freedom of Information.

Wikileaks describes itself as “a not‐for‐profit media organisation [whose] goal is to bring important news and information to the public.” They employ a simple mechanic: “We provide an innovative, secure and anonymous way for sources to leak information to our journalists (via an electronic drop box).” The site then goes on to (in a very self congratulatory way) describe the value and importance of Wikileaks noting: “WikiLeaks has sustained and triumphed against legal and political attacks designed to silence our publishing organisation, our journalists and our anonymous sources. The broader principles on which our work is based are the defence of freedom of speech and media publishing, the improvement of our common historical record and the support of the rights of all people to create new history. We derive these principles from the Universal Declaration of Human Rights. In particular, Article 19 inspires the work of our journalists and other volunteers.”

Let’s step back for a minute and look at how Wikileaks works. Material is placed in their care (anonymously); Wikileaks then investigates that material to check veracity and accuracy. Then assuming the material passes these tests it will be published usually alongside a journalistic article about the material. Where does this material originate from? From anyone, anywhere globally, for as Wikileaks acknowledges: “we operate a number of servers across multiple international jurisdictions and we do not keep logs. Hence these logs cannot be seized. Anonymisation occurs early in the Wikileaks network, long before information passes to our web servers.”

With this in mind with whose legal norms apply? And whose social norms? Legally they are making use of what Post and Johnson called the “borderless nature of the internet”. As they indicated, as long ago as 1996, “Cyberspace radically undermines the relationship between legally significant (online) phenomena and physical location. The rise of the global computer network is destroying the link between geographical location and: (1) the power of local governments to assert control over online behaviour; (2) the effects of online behaviour on individuals or things; (3) the legitimacy of the efforts of a local sovereign to enforce rules applicable to global phenomena; and (4) the ability of physical location to give notice of which sets of rules apply.” This allows for an effect called regulatory arbitrage, where online organisations or even individuals may effectively absent themselves from the legal or social norms of any individual state (or even bloc of states) by the use of remote servers, mirrors and other tools.

Let us look at the role Wikileaks plays against this backdrop. Wikileaks claim they are a media organisation with free speech at their heart. It is of course trite to state that freedoms are won not given, and that freedoms are earned not expected. One of my favourite quotes is that found in the work of comic book artist Stan Lee “with great power comes great responsibility”, itself a reworking of the biblical quote “much will be required of the person to whom much is given” from Parable of the Faithful Servant

This is a statement media organisations must remember as they do not operate outwith legal or social norms. A UK‐based media organisation may make use of many tools to ensure that “publishing improves transparency”. They may make a Freedom of Information Request under the FOIA. Generally under s.1 of the FOIA: “Any person making a request for information to a public authority is entitled: (a) to be informed in writing by the public authority whether it holds information of the description specified in the request; and (b) if that is the case, to have that information communicated to him.”

Now of course we are well aware of a number of restrictions to this. For example under s.27 the information may be prevented from being released if “its disclosure under this Act would, or would be likely to, prejudice (a) relations between the United Kingdom and any other State, (b) relations between the United Kingdom and any international organisation or international court, (c) the interests of the United Kingdom abroad, or (d) the promotion or protection by the United Kingdom of its interests abroad.” Thus the Embassy Cables would probably have been exempt from a FOIA request in the UK. What about whistle‐blowing defences? The Public Interest Disclosure Act made amendments to the Employment Act 1996. This protects certain forms of disclosure where the employee believes illegal or harmful activity is taking place and where they fear victimisation or concealment of evidence by their employer. This is an extremely strict defence and usually requires the employee to speak to their employer, an external prescribed person (such as a regulator) or their legal counsel before public disclosure is justified. Wikileaks seems not to be a whistle‐blowing site in the traditional sense of the term as we would use it in UK legal normative language.

What is Wikileaks then in legal normative terms? It seems to me it is an Information Society Service Provider. In other words it is an online information provider. It is not (in my view and one I accept may be challenged by others) a media outlet. Why not? In my view a key characteristic of a media outlet is that it complies with legal and social normative principles: that is it submits itself to the courts in claims of defamation, invasion of privacy, copyright infringement etc. and to the necessary regulatory body – the PCC perhaps – in other matters. It seems to me that Wikileaks subverts both forms of regulation, legal and social‐normative by exploiting the regulatory arbitrage effect. Now, in the second half of my talk I will argue this is potentially harmful and damaging to society and we need to revisit this.

States and Privacy

We must start from the principle that there are no absolute freedoms. My right to privacy may be subverted in the interests of national security, or criminal investigation or to collect taxation etc. Similarly my right to free expression does not encompass a right to language likely to cause immediate harm – shouting “fire in a theatre”, which incites hatred or violence, which libels or which infringes another’s copyright. Sticking with these two “basic” rights – one of which Wikileaks brings to the fore and another it relegates to the background, we find that there is a natural tension between the two. Our right to free expression has a natural tension with our right to privacy – see Von Hannover, Campbell v MGN or Mosley v News Group Newspapers. The balance is struck in a democratic society by a mixture of legal and social norms with the preponderance of weight being on the legal norms. Social norms though do play a role: see for example the different way illegally obtained material is covered by the majority of media outlets. Material illegally obtained by the News of the World via phone hacking in breach of the Regulation of Investigatory Powers Act and the Data Protection Act is (rightly) vilified by columnists in popular newspapers; while material (probably) illegally obtained by Private Bradley Manning forms the focus of a widespread series of publications by a number of leading global newspapers and is lauded generally by press outlets – why? The only distinction seems to be the socially normative distinction – the first is not socially acceptable as it involves the illegal interception of personal communications while the second involves communications between states. Maybe as other panellists or audience members would like to point out this may be a legal normative distinction as under Art.8 of the ECHR “Everyone has the right to respect for his private and family life, his home and his correspondence.” i.e. the legal normative right is a personal right and not open to states‐actors.

Seven years ago I predicted exactly this issue would arise (at that time in relation to blogs and rolling news as I could not foresee then Wikileaks) when I wrote a paper entitles “Should States Have a Right to Informational privacy?”. We think of states as being non‐human actors. As such they do not benefit from traditional privacy rules designed to protect individuals, but is this so? The internet society is markedly different from days past where the Westminster Lobby or the Whitehouse Press Corps worked closely with government (admittedly often too closely) to protect the government from the full glare of scrutiny while policy was made and deals were done. Why do we protect individual privacy? The best work on this in my view is Alan Westin’s 1967 work “Privacy and Freedom”. Here he argues that “man’s need for privacy may be rooted in his animal origins”; “the animal’s struggle to achieve a balance between privacy and participation provides one of the basic processes of animal life. In this sense, the quest for privacy is not restricted to man alone, but arises in the biological and social processes in all life.”

Such a definition of privacy suggests that the need for individual and group privacy is a bio‐social function: in part a biological response to certain stimuli such as a reaction to bereavement or a precursor to procreation. Also it is societal: reflecting the social norms of the community, family and individual. As Westin says, “limits are set to maintain a certain degree of distance at certain crucial times in his life.” This definition seems to offer little scope for extending protection to non‐human actors such as States. As non‐biological actors, States do not possess the necessary biological element. This suggests it would require an accepted social norm, to extend privacy protection to States. Although historically there appears to be little demand to do so, it my contention that it may be time to reconsider our social contract with the State. As Westin himself had noted, there is a need for privacy protection to be offered to organisations as well as individuals. In particular privacy is necessary during the early stages of policy formulation, or in Wdstin’s terminology “their staging processes”. The danger is that with the changes to society brought about by the rise of the information society we may now not be affording the necessary level of privacy protection to State actors to allow them to properly carry out this staging process.

Prior to the advent of digital media, the relationship between the State and its citizens was well defined by a clear social contract. Representatives were elected to carry out the wishes of the public. These representatives were primarily scrutinised by other elected, and in the case of the House of Lords unelected, representatives. External scrutiny came from a variety of sources, all of which were to a greater or lesser degree in a symbiotic relationship with representatives. Primarily, this external scrutiny was effected by the Fourth Estate. Media organisations, be they print or broadcast media, employed lobby correspondents: the relationship between representatives and lobby correspondents being a closely defined one. If a journalist failed to respect the privacy of any representative, particularly a member of the government, sanctions would quickly follow. As editors had a duty to protect their lobby correspondents, they would often self‐censor any story which breached this relationship of trust. In this fashion the social contract was respected by both the State and the media. Secondly, a degree of information would be put into the public domain through publications such as Hansard and through official reports and papers. Such reports and publications, though widely available in public libraries, were little read. Expensive to buy, individuals wishing to read such documents usually had to obtain them through their library, frequently encountering a delay should the report prove popular. In effect these reports were mostly only read by two sets of interested parties. The first of these were journalists, who as already discussed were required to respect the privacy of representatives in order to cultivate access. The second were academics. Scholarly comment on government initiatives and policy implementation would in time follow from professors of politics, sociology, government and law. Such comment was though of little impact upon the privacy rights of the State for three reasons. Firstly, they were usually generated by reference to such publicly available documents as those discussed above: thus the data carried little privacy implications. Secondly, the extended time before publication of such reports usually meant that the “staging process” had long since concluded and finally, they were overwhelmingly comment written by academics for academics: the readership of such commentaries being on the whole extremely narrow.

The advent of the always on, digital society has blasted this social contract wide open. Maybe this is a good thing – the expenses scandal showed how the agreement had arguably got too cosy, but just because we can point to one positive example does not make a statement proven. The Wikileaks cables have arguable undone a considerable amount of goodwill and diplomacy. Wikileaks argues that “Publishing improves transparency, and this transparency creates a better society for all people.” Not necessarily. Publishing may lead to greater obfuscation. In future records may not be kept at all or may be “spun” to give a different impression should a leak occur. This we have already seen. In response to the “greater transparency” of 24 hour news the UK Government has employed more “communications directors” and staff and less civil servants. We know their names: Alastair Campbell, Charlie Whelan, Damian McBride, Andy Coulson. All are massively controversial individuals. All did the same job: spin the news to suit their masters. Spin is the natural response of governments to invasions of their privacy. Spin does not improve transparency. We cannot know what harm the cable gate issue may do. Already there is evidence it may have harmed a carefully nurtured position with Beijing over North Korea, more harm will undoubtedly have been done though. We should not publish because we can but because it is in the interests of society to do so. This means complying with legal and social normative principles.

 In terms of the UK position I believe Wikileaks fails to comply with the former; its compliance with the latter is a matter for debate.