On Twitter: @JamesFirth and @s_r_o_c (post feed)

Got a tip? tip@sroc.eu

Wednesday, 6 October 2010

ACS:Law part three - the private data police

[part one] [part two]

It's a recipe for disaster.  The law regulating internet surveillance is a shambles and there's a growing army of unregulated private firms watching our actions and gathering evidence against those who share music and video online.

When Poole borough council stood accused of spying on families to check if school application rules had been broken there was outrage.

The council was using powers originally designed to tackle serious crime in order to investigate minor civil transgressions.  Rights groups and MPs (and not just the Lib Dems) denounced the snooping as disproportionate to the alleged offence and undermining our liberty.

Now similar fears over proportionality are surfacing as firms like ACS:Law use third-party agencies including Swiss copyright enforcement firm Logistep and German-based Digiprotect to watch net activity in order to detect and gather evidence on those who infringe other people's copyright.

Regulation and oversight

At least the more traditional surveillance undertaken by public bodies like Poole borough council is regulated by law under the Regulation of Investigatory Powers Act 2000 (RIPA).

But RIPA is a law written mostly using pre-internet concepts - fixed line telephony - with language fudged to cover ISPs and data networks as if the internet was just an extension of analogue telephony.

The law covering electronic surveillance and what becomes of the data gathered actually falls between three pieces of legislation and three disparate enforcement bodies.  In addition to RIPA there's the Privacy in Electronic Communications Regulations 2003 (PECR) and the Data Protection Act 1998 (DPA).

On the enforcement front there's the Information Commissioner's Office (ICO), with powers to fine but not imprison for breaches of the DPA and PECR; the Investigatory Powers Tribunal at the office of the Interception of Communications Commissioner, who oversees RIPA - but only when used by public bodies; and the police, who can investigate criminal breaches of RIPA but to date have proved reluctant to do so.

The analogue-telephony-centric language of RIPA and the overlap between two laws - RIPA and PECR - adds to the confusion, leading for example to the conflicting views on whether listening to a voice mail which has already been heard by the recipient constitutes a breach of RIPA in relation to the ongoing News of the World phone hacking saga.

Not surprisingly the EC is now taking the UK to the European Court of Justice for failure to properly implement European directives protecting consumers from electronic surveillance, brought to light when advertiser Phorm watched thousands of internet connections at ISP BT in order to sell adverts based on the websites people visit.

Also under the spotlight is not just how private data is gathered but how it's stored.  I've already explored the case for better legal protection for sensitive personal data in light of the ACS:Law leak.

Privacy and the surveillance society

The concept of living a life under constant surveillance goes far beyond than the debunked adage "nothing to hide, nothing to fear".

Surprisingly the concept of privacy has very little to do with keeping personal details totally private and far more to do with freedom and choice.

There are some details we are comfortable sharing with our close friends but not wider acquaintances.  There are also facts we share with close friends but not our family.  As as a friend once put it in a now-deleted blog post "It may not be illegal, but I sure don't want my Mum to find out!"

At this point, debate often veers towards the rights and wrongs of secrets and duplicity, especially within relationships.  Of course there's "bad" privacy but there's also a lot of "good" privacy. Just like my views on censorship I believe the good (in opposing censorship) far outweighs the bad.  Incidentally the excellent TV series Lie to Me comes highly recommended for its exploration of deception from both the criminal and personal perspectives.

The ability to tailor our personality to maintain multiple social relationships is in the most part a good thing.  It aids co-operation and cohesion as we focus on shared common ground, putting aside views and behaviour that could offend.

Add to this - as the sayings go - we're only human and none of us are perfect, being forced to live our lives under a microscope knowing every minor transgression is being recorded and could have further consequences I feel is both cruel and dangerous.

Just as Godwin mocked comparisons with the Nazis during online discussion, it's reasonably well established that any blog mentioning surveillance contains an obligatory mention of Orwell, so here comes. 

Constant surveillance inhibits development as pushing at the boundaries and bending the rules is just part of our creative and adventurous nature that advances society.  Of course Orwell illustrates this beautifully in his futurist novel 1984(!).

Quality of evidence

ACS:Law and before them Davenport Lyons have sent thousands of warning letters, most if not all containing an "opportunity" to settle out of court for a mere £500 per infringement.

Yet there's only been one successful court case to date.  Reported at the time as contested (14th paragraph) it now appears as though this was a default judgement as TorrentFreak report one of the many emails leaked from ACS:Law indicates the accused failed to show up in this case.

An ISP account holder accused of copyright infringement may be innocent for one of a number of reasons, including:
  • A computer compromised by a virus, trojan or other malicious programme was under the control of a 3rd party without the knowledge of the account holder.
  • Someone else at the property may have used the net connection.  So long as the account holder was not complicit nor could be expected to anticipate the infringement he would not be liable for the infringement by a third party (although this changes when the Digital Economy Act comes into force).
  • The "infringement" detected could be fair use, or even a licensed use.
  • A mistake could have been made at some point in the evidential chain. The evidence will not be tested until the first contested case hits the court, but the following should be examined:
     - Proof that the IP address specified was actually hosting the infringing material. Is this simply the word of the private copyright enforcement agency against the word of the accused, or can details be independently verified?
     - Verification that the date and *precise* time of infringement is accurate - important because dynamic IP addresses are often redistributed by ISPs
     - Verification that equipment used by the ISP to record IP address allocation can be relied upon to give an accurate and definitive record of which account is using a given IP address at any given time, especially for dynamically allocated IP addresses
Questions about the evidential chain are not helped by secrecy.  The BBC reports that Gallant MacMillan have asked for details to be kept from open court when its case against British Telecom, owners of ISP PlusNet resumes in January.  The case was brought by Gallant MacMillan to request details for account holders where copyright owned by record published Ministry of Sound is alleged to have been infringed.

It won't be until all these issues have been addressed in open court that I'll have any confidence in the assertion that an ISP account holder can be help liable for an alleged infringement "detected" on his or her connection.


[part one] [part two] 

1 comment:

Comments will be accepted so long as they're on-topic, do not include gratuitous language and do not include personal attacks or libellous assertions.

Comments are the views of the commentator and not necessarily the view of the blog owner.

Comments on newer posts are not normally pre-moderated and the blog owner cannot be held responsible for comments made by 3rd parties.

Requests for comment removal will be considered via the Contact section (above) or email to editorial@slightlyrightofcentre.com.