Andres Guadamuz

Last week I attended an event at the University of Sussex (organised by Charles Meredith and other students) discussing the potential legal implications of Brexit, and I was tasked with looking at some of the aspects that may affect Intellectual Property and Information Technology. Here are a few of my notes regarding the potential implications of Brexit.

General points

Firstly I need to point out that I am not able to vote on the referendum, so please take these notes with a pinch of salt. I do not want to tell anyone how to vote, but personally I would definitely vote to stay in the EU if I was able to do so.

Secondly, we still do not know a lot of the legal detail of a potential Brexit vote. Article 50 of the Lisbon Treaty allows member states to unilaterally leave the Union and establishes a procedure for such exit. The member state has to notify the European Council and then there will be a period of negotiation with the intention of publishing a withdrawal agreement. Failing that, the exit will take place two years after notification. This means that the legal detail will have to be ironed out at a later date, leaving several open questions about the status of existing legal instruments.

It is of particular importance to know what will happen with existing directives that have been transposed to UK law, and also what will happen with the Court of Justice of the European Union (CJEU) case law. I’ve been reading some interesting legal opinions, but the reality is that there are still many uncertainties. For the purpose of this analysis, let’s assume that most of the existing European law will remain on the books until it is repealed or amended. This could be a substantial political battle after the vote, and I would argue that there are a lot of rights gained through European law that should be protected.

We’ll now discuss some specifics.

Intellectual property

Most substantive aspects of intellectual property law are harmonised at international level through international treaties administered by the World Intellectual Property Organization (WIPO), and the WTO’s own TRIPS agreement. This means the basic substantive elements would remain unchanged.

However, a lot of the detail is harmonised at the European level, particularly when dealing with registration of patents and trade marks. There are two European IP institutions: the European Patent Office (EPO, non-EU), and the Office for the Harmonisation of the Internal Market (OHIM, EU).

Our EPO membership would remain intact, but unless something happens during the negotiation process, we would lose our membership status in the European trade mark system, and this could be detrimental to the UK. The practical result of such a withdrawal would be that UK enterprises would have to apply separately to the OHIM for a trade mark. At the moment, this is something that can be done at the UK IP Office by applying for a Community Trade Mark (CTM).

However, things are further complicated by the fact that soon we will get a unitary European patent and a unitary patent court as part of the EU system. The unitary patent will considerably reduce costs of applying for patents across Europe, and while these will be operated by the EPO, the system is part of the EU. It is not clear what will happen to the unitary patent in case of a Brexit vote, but analysts tend to agree that this will delay the implementation.

One of the main areas of concern for me is what will happen to the CJEU case law. We have a good number of cases that in my opinion enhance various concepts of IP protection, and that bring balance to areas such as copyright enforcement. The concept of originality itself depends on a number of CJEU decisions, such as Infopaq and Painer. Will UK move away from these decisions, or will they continue to be informed by them? Then we have important enforcement cases, such as SABAM, Promusicae, and Svensson, just to name a few.

Information Technology Law

IT law is not harmonised at an international level in the same way that IP is, so a lot of the harmonisation is regional, or imposed by bilateral agreements. The main effect of a Brexit vote is that we would immediately lose coordination on important subjects. While many things would depend on the terms of the withdrawal agreement, we will assume that most of the directives would stay in place, but this would still leave a lot of open questions.

The main piece of legislation in the area is the E-Commerce directive, which is vital for the safeguard of intermediaries by limiting their liability. We would hope that this would remain in place in UK law, but the questions is what would happen to the many interpretations that have been performed by the CJEU over the years (eg L’Oreal). We would also need to know what happens with the latest ECHR rulings on this subject (Delfi and MTE).

But my main concern is with regards to data protection law. The Data Protection Directive has been one of the most important legal developments in the area of IT Law for a generation, and it has spawned a complex system of protection that includes the creation of data protection authorities across Europe. These are tasked with safeguarding the information self-determination of European citizens. Although it would be assumed that the DP Act would remain in place, the data protection regime is about to be overhauled with the enactment this year of the General Data Protection Regulation (GDPR). we do not know what would happen to the GDPR in case of a Brexit vote, and it will all depend on the terms of withdrawal. My hunch is that it will be incorporated as UK law. Yet another possible complication leading to more legal uncertainty.

My other main concern is what will happen to the recent ground-breaking CJEU data protection cases, namely Schrems and Google Spain (of “right to be forgotten” fame). I strongly believe that the right to be forgotten has been a good development, and while there is a version of the RTBF present in the GDPR, everything would depend on whether this is incorporated into the law or not. Schrems causes even more questions. The main result of that litigation was to strike down the existing Safe Harbor agreement between the EU and the US allowing for the export of European citizens’ personal data. This has now been replaced with the so-called Privacy Shield. So here is a fun scenario for you to consider. What if we vote to stay out, and also pass the Investigatory Powers Bill currently in from of parliament? It would be possible, as some argue, that the IP Bill would be in breach of Privacy Shield requirements, so UK-based technology companies would not be allowed to host European personal data.

The result would probably be a mass migration of tech companies to EU countries, a disaster for the economy! Emily Taylor says:

“If it becomes law, a post-Brexit UK would be unlikely to meet the standards required for Privacy Shield status. This would prohibit cross border data transfers between UK and EU. Even if there is some cobbled together agreement, Britain may find its former EU partners less willing to jump to the negotiating table to rescue UK economic interests. British business would continue to face barriers, and British citizens would end up with fewer protections than EU citizens against UK government intrusion.”

Concluding

There are too many uncertainties, but for now it seems like the prospects are mostly negative. Increased legal uncertainty, push-back against acquired rights, possible migration of tech businesses, political fight over existing legislation… the list goes on.


Source: Technollama

Andres Guadamuz

The European Commission has finally published the text of the programme called Privacy Shield, the name of the agreement reached with the United States to safeguard the export of personal data from European citizens across the Atlantic. This is in response to the CJEU case of Maximiliam Schrems v Data Protection Commissioner, which declared invalid the previous agreement called Safe Harbor (our take on the case here).

Understanding the Schrems case is vital to understanding Privacy Shield. The case involves Austrian law student and privacy advocate Maximilian Schrems, who initiated legal proceedings against the Irish Data Protection Commissioner because as a European Facebook user, he signed up to the terms of use set by Facebook Ireland, the European subsidiary of the US company. Because he lives in Europe, he was concerned that his personal data would be sent to the United States, and he wanted European regulators to stop such a transfer.

The European Data Protection Directive contains a principle stating that personal data from European citizens can only be transferred to a third country if the recipient territory provides an adequate level of protection for that data. The level of adequacy will take into account several circumstances, such as “the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.” It soon became clear that the United States could not comply with this principle, and as a lot of data was sent across the Atlantic, a solution had to be found. European institutions came up with a so-called ‘Safe Harbor’ allowing the transfer of personal data to the United States without having to declare that US law complied with data protection requirements. The agreement reached in 2000 allowed the transfer to companies in the US that signed up to the “Safe Harbor Privacy Principles”, a condensed version of the provisions contained in the Data Protection Directive. The companies also agreed to be held responsible for keeping to those principles by the US Federal Trade Commission (FTC) or other oversight schemes.

The system had been working for 15 years without incident, but after Edward Snowden provided evidence of complicit actions by US tech companies on the mass-surveillance apparatus, Schrems alleged that this was evidence of a violation of the data protection principles. Therefore, Schrems wanted the courts to declare the Safe Harbor agreements invalid. The case made it all the way to the CJEU, which carefully considered the different rights involved, and decided to agree with Schrems, and declared the existing Safe Harbor invalid because it clearly did not protect European citizens adequately. The Court considered that the Data Protection Directive had given Member States the power to create national authorities tasked with the obligation to determine how personal data is being used. By relying on the Safe Harbor decision, the data protection authorities would not have the power to examine claims lodged by data subjects, which would erode the very core principles behind the data protection regime.

The declaration of invalidity of Safe Harbor sent shocks through the entire system, data exports are necessary for the functioning of a lot of data-driven industries. The Commission immediately started negotiating a new agreement that would pass the Schrems test.

Enter Privacy Shield.

The agreement is based on a declaration by the United States that in order to facilitate the enactment of the Privacy Shield initiative (which sounds like something out of The Avengers), it will enable more safeguards towards EU citizens. They did that by enacting the Judicial Redress Act, which will enable European Union citizens to seek remedies for alleged privacy violations by the federal government in U.S. courts. This was a very important element of the Schrems decision. Coupled to that, the Privacy Shield will further attempt to ensure the protection of European citizens. The statement from the Commission contains the following 4 points:

Strong obligations on companies and robust enforcement: the new arrangement will be transparent and contain effective supervision mechanisms to ensure that companies respect their obligations, including sanctions or exclusion if they do not comply. The new rules also include tightened conditions for onward transfers to other partners by the companies participating in the scheme.

clear safeguards and transparency obligations on U.S. government access: for the first time, the U.S. government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalised access to personal data. U.S. Secretary of State John Kerry committed to establishing a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State, who will be independent from national security services. The Ombudsperson will follow-up complaints and enquiries by individuals and inform them whether the relevant laws have been complied with. These written commitments will be published in the U.S. federal register.

Effective protection of EU citizens’ rights with several redress possibilities: Complaints have to be resolved by companies within 45 days. A free of charge Alternative Dispute Resolution solution will be available. EU citizens can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that unresolved complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism ensuring an enforceable remedy. Moreover, companies can commit to comply with advice from European DPAs. This is obligatory for companies handling human resource data.

Annual joint review mechanism: the mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes. The European Commission and the U.S. Department of Commerce will conduct the review and associate national intelligence experts from the U.S. and European Data Protection Authorities. The Commission will draw on all other sources of information available, including transparency reports by companies on the extent of government access requests. The Commission will also hold an annual privacy summit with interested NGOs and stakeholders to discuss broader developments in the area of U.S. privacy law and their impact on Europeans. On the basis of the annual review, the Commission will issue a public report to the European Parliament and the Council.

All of these seem directly answering the Schrems case, and might make it more difficult for Privacy Shield to receive the same fate as its predecessor, but we will just have to wait and see. Schrems himself has made a statement that he does not think this is enough, particularly pointing out that the above does not even begin to address misuse of personal data by private entities on behalf of the US intelligence services.

I have a different doubt about the Privacy Shield. The European Union will be implementing this year the General Data Protection Regulation (GDPR), an overhaul of the Data Protection regime. Of particular interest, the GDPR contains a new set of principles to create a regime of privacy by design. Art 23(2) of the Regulation reads:

“The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.”

This sets out an a priori regime where privacy must be built into the system for any operation that processes personal data. However, the Privacy Shield is mostly relying on a posteriori system where EU citizens will be able to seek remedies for possible violations. In short, I tend to agree with Schrems that the system might not be enough to soothe the Court of Justice. I am sure that we will find out, I imagine swift action will be brought in front of the data protection authorities very soon.

I do not know what may be the result, but let’s just bask in the fact that data protection authorities will now be Agents of Shield.


Source: Technollama

Dr Andres Guadamuz

The history of Internet Law is littered with bad legislation and legislative proposals. From the infamous SOPA and PIPA, to the Draft Investigatory Powers Bill, there is no shortage of badly-conceived legislation dealing with the Internet. Sometimes the bad law is the result of powerful lobbying, sometimes it is caused by ignorance of the technology, sometimes it is done for political reasons, such as trying to cater to political fads and concerns of the day. And sometimes bad law arises from miscalculation and trying to guess legal developments that will take place in the future. Does anyone remember electronic signatures?

But of all of the pieces of legislation dealing with the Internet, few annoy me as much as the so-called European Cookie Law. The regulation of cookies arose in the 2002 ePrivacy Directive, amended in 2009 by the Directive 2009/136/EC, Art 5(2) of the amended directive requires consent for “storage or access to information stored on a subscriber or users terminal equipment”. In other words, the law demands the consent of users for the storage of a cookie in their computer.

Cookies are small files that websites store in your computer with all sorts of information, such as the last settings that you used to view a site, or allow you to remain logged in to a service. They can be very useful, the capacity of a site to remember settings is particularly helpful. However, cookies can also be used to potentially infringe on a user’s privacy by storing information such as sites visited.

So one would think that regulating such a practice is a good thing, right? The law serves to protect our privacy after all. The answer is that in principle, the idea of regulating this technology has good intentions, but I would argue that the end result actually affects privacy.

The main implementation of the law is that it encourages nagware pop-ups that ask you to click to comply with the cookie settings. This I believe is detrimental because it has the effect of making people believe that their privacy is somehow secure because the sign gives them a choice. But this is of course a false choice, as most people do click OK to make the message go away. Those who do not cannot user the site to its full capabilities. So we just click Yes and forget about it. In other words, this is regulation by nagging.

The other problem has come to light recently. Malwarebytes Labs is a site specialising in cyber-security, and they have warned that “rogue actors” are now using the cookie law to “clickjack” websites, making users click on content that they were not intending to. They describe the operation like this:

“A legitimate ad banner is loaded via an iframe and placed right on top of the warning message. However, that ad is invisible to the naked eye because of a parameter within that iframe which sets its opacity to zero.

To that effect, when a user clicks anywhere on the pop up message it acts as though they clicked on the ad banner itself, which loads the advertiser’s website.”

Clickjacking_flow

This is a very worrying development. Users in Europe have become used to clicking on the pop-up messages almost without thinking about it, so this is extremely effective scam as it generates ad revenue for the scammer. I believe that it would be possible to have even more malicious uses, such as making the click install malware itself.

I think that the way to regulate cookies is not at the browser level, which can be misused as you can see, but to have robust regulators that pursue privacy breaches at the point of origin. Regulators should really look at clickjacking seriously, as it is detrimental to privacy as a whole.


Source: Technollama

Xkcd 1348

John Perry Barlow’s A Declaration of Independence of Cyberspace was published 20 years ago. While it is something that tends to concern mostly Internet regulation theorists, it is surprising just how relevant it continues to be. The text usually deserves a mention in some of the most cited works on Internet regulation, even if it is to criticise it. Why is the text so enduring? Why is cyber-libertarianism still a powerful idea that continues to inspire new generations?

It is fun to read the Declaration again, and it would be fair to say that it has not dated well. Perhaps it is the grandiose tone, or the Random Capitalizations. Perhaps it is the assumption that governments are evil entities of the past. Perhaps it is the presumption that Barlow dared to speak on behalf of everyone who was online in 1996, or the claim that the Internet is not concerned with ‘matter’. Or perhaps it is the fact that it declares its inhabitants immune from governmental sovereignty as long as they are online.

Many people have made well-informed criticism of the Declaration over the years, and of these my favourite remains ‘Foucault in Cyberspace‘ by James Boyle. He recognised that there was a very libertarian slant in the discussion of Internet regulation, fuelled by resentment of governments, but also caused by erroneous assumptions that the State was powerless with regards to Cyberspace. He then goes to cite the various avenues that could be used to regulate online behaviour, including the fact that cyber-libertarians tend to misunderstand law. Boyle also correctly predicted that technology would be used to regulate, and he also admonished that the view that regulation was only a matter of governments versus individuals was wrong, as private entities also regulate.

There are many other problems with the Declaration. Firstly, it portrays a very small, Western-centric Internet. It is no coincidence that a white male could assume to talk on behalf of the Internet, as back then it was still a relatively small community consisting mostly of white males. When Barlow talks about an Internet that can make decisions on its own, he is really talking about the small technocratic elites he had access to. For him, and many other cyber-libertarians that have come after him, the Internet seems to be a small playground, and they resent anyone messing with it. This Western-centric reality remains, and it is the reason why many US commentators seem baffled by India’s refusal to allow Facebook to plant its colonial flag on the country. The reality of course is that the Internet is richer, more diverse, and even more tribal than cyber-libertarians expect. Social Justice Warriors, gamer-gaters, “Black Twitter“, Beliebers, missionals, Arabs, K-pop, foodies, furries, 4channers, academics… does Barlow really pretend to speak on behalf of all? There are plenty of Internet users who appreciate regulation, and even call for government intervention, they would beg not to be included in sweeping generalisations.

Secondly, the Declaration serves to propel the myth that the Internet is some sort of ethereal realm with little contact with the real world. The reality is that the Internet has a real, tangible presence in the world. Servers, people, cables, antennas, routers, all of these are real. Servers can be shut down, computers can be confiscated, drives can be seized, people can be arrested, communications can be intercepted. While enforcement can be difficult, it does not mean that the regulations do not exist.

Thirdly, when the reality of regulation hits, the Declaration is often presented as an ideal to strive for. While I am as critical of stupid regulation as the next person, it is undeniable that at least at present there are good reasons to call for some sort of regulation. Cyber-libertarians like to imagine an Independent Republic of Cyberspace, ruled by self-moderation, benign venture capitalists, and Bitcoin. The reality is one of fraud, hacking, and abuse that should not go unregulated.

Because of all of the above, for years I have agreed with Boyle’s criticism of the Declaration, and yet its allure continues to attract attention, even after all of these years. Every year I teach Barlow’s text as an introduction to regulation theories, and every year I see nodding heads whenever I read the text. The 20th The anniversary has been met with a lengthy reflection in Boing Boing by Barlow himself, and he answered questions in a Reddit AMA, where new generations of cyber-libertarians congratulated him, and praised his ideals.

The reason for this endurance may be easy to explain. We are undergoing an unprecedented erosion of trust for traditional political institutions. For those priced out of the property ladder, with growing unemployment and shackled with student debt, the Declaration reads like an adequate representation of the contempt with which many hold their own governments. Cyberspace becomes a promised land free of regulatory control where everyone has a start-up idea that will disrupt the status-quo. Similarly, cyber-libertarianism plays to those who think of the Internet as a reflection of their own small digital tribe: “governments, keep your hands off my Facebook!”

Then again, Barlow himself has an answer to his critics:

“And then my Declaration largely faded from general consciousness, though it has been perennially fashionable for representatives of the Old Order to trot it out as an example of the sort of wooly- headed hippie thinking we could entertain in more innocent times, but certainly not now with all these Boogie Men cavorting online, whether ISIL, Pirate Bay, Anonymous, and leakers of all sorts. Most of the excellent personages who hold it up for ridicule have either not read it or still failed to understand it when they did. And thus they might be forgiven for not knowing what it said. […] I do not believe that the Nation State, for all its efforts to bring the Net to heel, has really succeeded.”

I can assure you that I am not a representative of the Old Order, but that is besides the point. I think that Barlow here is moving the goalposts. I do not think we can claim that the Internet has been completely brought to heel, this is not what the Declaration said. The Declaration is clear, governments have no role in Cyberspace, their laws and rules do not apply to the realm of the Mind. Here Barlow is saying that the Declaration is still relevant because governments have not been completely successful and there are still some spaces of resistance to the rule of the State. Just because the Internet in China is not absolutely 100% controlled, it doesn’t mean that regulation is not possible. Regulation does not mean total control all the time.

Having said that, I have to agree with Barlow’s general sentiment that openness is good. It’s too bad that he continues to think of this in terms of government vs individual, when more often than not we are presented with an issue of a type of control and regulation by private parties that is more invasive than anything a government could ever think of. By focusing on the government, cyber-libertarians continue to ignore and even condone private abuse.

In my view, history has proved that Boyle was correct, and I am looking forward to the 20th anniversary of Foucault in Cyberspace.


Source: Technollama

Budapest_Kettenbrücke

The European Court of Human Rights (ECtHR) has revisited the issue of liability for Internet intermediaries in the case of Magyar Tartalomszolgáltatók Egyesülete and Index.Hu v Hungary. This is the second time in less than a year that the ECHR deals with this issue, as it had already produced a controversial decision in the case of Delfi v Estonia, where the court had ruled against news intermediaries and declared them liable for abusive comments posted by users. I have to say that I was rather apprehensive about the Magyar case, but I’m glad to report that the ECHR has produced a more nuanced decision that fits better with existing practice and law.

The applicants are the Hungarian association of Internet service providers (Magyar T.E.), which monitors content on behalf of its members, and Index.hu, one of the largest news portals in Hungary; the respondent is the Hungarian state. Back in February 2010, Magyar T.E. posted an article highlighting unethical business practices by a real estate company, which prompted negative comments towards the firm, some confirming the unethical behaviour. A couple of other websites, including Index.hu, reproduced the articles. An anonymous user in Index posted the following comment:

“People like this should go and shit a hedgehog and spend all their money on their mothers’ tombs until they drop dead.”

I personally find the imagery quite evocative, but I’m sure it sounds more poetic in Hungarian.

The real estate company objected to these comments, and shortly after it brought a civil action against the websites claiming that the “content was false and offensive, and the subsequent comments had infringed its right to good reputation.” The websites responded by immediately removing the comments, but the civil action continued. The lower court sided with the claimants with regards to the comments, and ruled that the company’s reputation had been damaged because these expressions were “offensive, insulting and humiliating and went beyond the acceptable limits of freedom of expression”. However, the court ruled that the news content itself was fine. Both parties appealed, and the Budapest Court of Appeal upheld the first decision with a baffling modified reasoning; it declared that the E-Commerce Directive did not apply to this case because the comments did not involve a commercial transaction, thus completely missing the point of the Directive. The decision was then appealed all the way to the Hungarian Constitutional Court, which in a seriously damaging decision declared that the fact that there were anonymous comments online meant that the news portals were liable for everything posted. In a situation similar to that found on Delfi, Magyar T.E. and Index.hu decided to make their application to the ECtHR arguing that the decisions by the Hungarian courts infringed the right of freedom of expression protected in Article 10 of the European Convention on Human Rights.

After Delfi, many suspected that we were in for another disappointing decision, but thankfully the ECtHR has pleasantly surprised us. One of the most prevalent principles when it comes to the liability of service providers for content uploaded by their users has been to maintain a system of notice-and-take-down, whereby intermediaries will remove content after offended parties have notified them that it might be defamatory/infringing/illegal, and in return the ISP will receive a limited immunity from liability. In Delfi, the ECtHR decided that a news portal had not taken the content promptly enough, and that the nature of the comments was excessive, and therefore the intermediaries were liable.

In this case, the ECtHR has decided to side with the intermediaries, as it considered that the actions of the Hungarian courts amounted to a violation of freedom of speech. A big part of this apparent change of heart has come because the ECtHR acknowledged the principles of intermediary liability contained in the notice-and-take-down regime. They comment:

“In the case of Delfi AS, the Court found that if accompanied by effective procedures allowing for rapid response, the notice-and-take-down-system could function in many cases as an appropriate tool for balancing the rights and interests of all those involved. The Court sees no reason to hold that such a system could not have provided a viable avenue to protect the commercial reputation of the plaintiff.”

The Court then goes to make a clear distinction between the types of comments involved in both cases. They said that the user comments in Delfi were excessive, as they took the form of “hate speech and direct threats to the physical integrity of individuals“. But the comments in Magyar T.E. were not excessive, they were at most “vulgar and offensive“, as Judge Kūris puts it in his concurring opinion. The Court then is saying that removing vulgar and offensive comments violates freedom of speech, but removing hateful speech does not. While I do not completely agree with this, at least we get a much more rational line.

So what is going on? I agree with the opinion that the ECtHR is re-writing Delfi. I have the theory that maybe the ECtHR was surprised by the very negative response that Delfi received. Many of us felt that Delfi is what happens when mainstream lawyers look at Internet regulation subjects for the first time, often ignorant of the long history of cases and debates surrounding a subject. To many of us, Delfi was a throwback, a return to the crazy rulings of the 90s in a time before safe harbors and take-down notices. In Delfi, the ECtHR practically shouts to national courts to hold intermediaries accountable for abusive comments. The rest of us had moved on from those positions, but then the Human Rights court discovered the negative consequences of holding intermediaries liable, as it stifles genuine debate. In MTE v Hungary, the ECtHR has drawn a line that is more akin to common practice.

However, the battle is not  over. Judge Kūris warns that MTE should not be taken by intermediaries as a free pass:

Consequently, this judgment should in no way be employed by Internet providers, in particular those who benefit financially from the dissemination of comments, whatever their contents, to shield themselves from their own liability, alternative or complementary to that of those persons who post degrading comments, for failing to take appropriate measures against these envenoming statements. If it is nevertheless used for that purpose, this judgment could become an instrument for (again!) whitewashing the Internet business model, aimed at profit at any cost.”

Somehow, I do not think we have seen the last of this debate.


Source: Technollama

Monkey takes photos on camera

A judge in California has dismissed a copyright case brought by People for the Ethical Treatment of Animals (PETA), where the animal rights organisation claimed that it represented the monkey that took the famous selfie depicted above. The case is that of Naruto v Slater, where PETA sued British photographer David Slater for copyright infringement, claiming to be acting on behalf of Naruto the monkey.

I had written an opinion about the case when it was first filed, and I am glad to report that the decision has not produced any surprises. As most legal analysts predicted, the judge dismissed the case based on the fact that the monkey has no standing, as it cannot be considered an author for the purposes of the law and therefore it does not have copyright, so PETA cannot act on behalf of the monkey. The decision makes perfect sense according to US law, but I still argue that those who claim that the picture is in the public domain are right in the US, but wrong in Europe, and the current case does not affect my European analysis. Allow me to elaborate based on the decision and the facts of the case.

PETA argued in their complaint that Naruto had taken the picture and that he “has the right to own and benefit from the copyright in the Monkey Selfies in the same manner and to the same extent as any other author“. They argued that photographer David Slater, the owner of the camera used to take the selfies, had infringed such copyright when he had used a self-publishing online tool to produce a book called Wildlife Personalities, which included the famous monkey selfie picture. The lawyers representing Slater answered the claim with a motion to dismiss based solely on the fact that the monkey did not have standing because it could not sue for copyright. This is quite interesting, while this strategy is the easiest way to obtain a dismissal, I find what is missing from this motion as important as what is there. There is no mention of jurisdiction, and there is no mention of Slater as the copyright owner. I think this is on purpose, as I shall explain a bit later.

Judge Orrick pretty much agrees wholeheartedly with the defendant in his decision. Both the judge and the defendant decided to take the facts of the case as told by the plaintiff as true for the purpose of the dismissal, these facts are that Naruto is a crested macaque who lives in a reserve on the island of Sulawesi, Indonesia; that he is highly intelligent, and that he took the pictures by “independent, autonomous action” in 2011. The judge then dismisses the complaint with the simple argument that animals do not have standing in a court of law, and therefore cannot sue for copyright. The judge clearly states that the US Copyright Act does not extend the concept of authorship to animals and therefore Naruto is not an author.

I completely agree with this interpretation, and with those who see this as a victory for sanity in copyright law. However, I also think that the case of ownership and authorship of the pictures is not closed, and here I disagree with the always excellent Techdirt, as I think that there is a very strong case to be made for ownership by Slater in Europe, and I think that the PETA suit does not close the argument about ownership.

Firstly, the facts of the case as discussed in this instance are disputed by the defendant, who calls them “fundamentally erroneous”, but Slater’s lawyers decided not to argue them as a legal tactic, as even the facts presented by PETA were enough to warrant a quick dismissal. But the facts as told by Slater are important in a European analysis of the case. As I have mentioned elsewhere, European law is less concerned with who actually pressed the button, and it places more emphasis on whether the work reflects the personality of the author (see Infopaq), and whether the photographer made important decisions about aperture, lighting, camera settings, and even placing a tripod (see Painer). In most of the accounts of the origins of the selfie, it is clear that Slater had considerable control in the setting of the conditions that led to the monkey taking the picture, and also selected the pictures afterwards, an action that reflects his personality. All of these actions would be enough to give him authorship as the creator of an original work. 

Secondly, we have not even started to consider the potential jurisdictional issues of the case. The picture was taken in Indonesia, and Slater is a British citizen, so why would a US court have jurisdiction over the dispute? PETA argued that they could sue in California because Slater had used US-based company Blurb to publish his book, but this in itself is not enough to give the court jurisdiction, as the website has a UK version, and if Slater used that it would mean that the US jurisdictional claim would be weak.  To me the fact that Slater’s lawyers did not make a jurisdiction argument is quite telling, as they may be reserving this for future cases.

Thirdly, Judge Orrick’s decision is very narrow. Slater’s lawyers filed a very concise motion to dismiss that is solely based on the fact that animals cannot sue for copyright, and Judge Orrick’s decision mostly deals with that fact. While the Judge makes a valid declaration that the monkey cannot sue because he cannot own the copyright, he never rules on whether Slater is the owner of the picture, as this was never a part of the proceedings. The case is only whether Naruto is a copyright owner, and here the judge decided correctly. But the judge was never asked to rule if the picture is in the public domain, or if the Slater is the author. This was cleverly left out by the defendants, so to me the question is still legally open to interpretation.

Concluding, I always felt that PETA filed the suit as a publicity stunt attempting to further the issue of animal rights. Their case was interesting, but legally weak, as evidenced by the quick dismissal. However, in my opinion it doesn’t close the debate of whether Slater can claim copyright over the pictures, and it certainly does not close the argument from a European perspective.

I do not think that we have heard the last of this case. The monkey selfie may very well be the gift that keeps on giving.

Edited to add: Interestingly, Slater had the pictures registered by the US Copyright Office in 2012! This is a requirement for copyright litigation in the US. The plot thickens.


Source: Technollama

reading_on_train

In his great documentary The Century of the Self, Adam Curtis explores topics such as consumerism and social control of the masses, but at its heart it is an exploration of collectivism and individualism. It describes the second half of the 20th century as struggle between collective ideals, and the consumer as the ultimate expression of the individual self.

The 21st century is shaping up to have a different type of struggle, and it is that of how our individual and collective selves navigate technological intermediation. It is trite to point out that the Internet has changed society, but the biggest impact to our daily lives is actually not the network itself, but the devices that connect us to the network. The smartphone has come to change us in ways that we did not foresee, and the way in which we continue to use the technology to communicate with others may have more lasting effect than anything else in the past two decades.

I just came back from holiday in Costa Rica, and while I spent a good portion of my vacation lying on the beach or hiking through national parks, I noticed something that had never happened to me before while on vacation: even in the most remote parts of the country, be it at the canals of Tortuguero, the cloud forest of Monteverde, or the beaches of Guanacaste, I was almost always carrying my phone. This may not seem odd in itself, but I was really shocked by just how difficult it was to completely forego the smartphone even if I tried. We had made a conscious decision to minimise Internet contact for the duration of the holiday, and I initially thought that it would be easy to leave the phone at the hotel as I have a digital camera. But as my watch ran out of battery, the phone became vital for keeping time, and also for mapping and GPS functions. Then there were other uses: the nifty panoramic view function, the need to check places to eat and visit on TripAdvisor, looking for instructions on how to get to the most beautiful hidden beach in Costa Rica, and the occasional post to Instagram and Facebook. My attempt to disconnect was easily defeated.

And the more I was ashamed of my failure to stay offline, the more I noticed that other people were similarly attached to their phones. This is not so surprising in itself, as the mobile phone has substituted digital cameras for most people, so it makes sense that many tourists would use their devices to take pictures. But I started to notice that the phone was used as much more than a camera. There were the father and daughter in our hotel in Tortuguero who managed to never say a word to each other in public, using the phones to kill the awkwardness. There was the family in a restaurant in Monteverde who studiously avoided each other during an entire meal, buried in their respective phones and only talking to order food. There was the woman in Samara who spent at least 30 minutes taking selfies while friends enjoyed around her. There were the countless groups of young people walking on the beach with nothing but their swimwear and phone, stopping to take selfies as often as possible. There was the young couple in the astoundingly beautiful San Juanillo beach who took out their phones as soon as they arrived, never really caring to look up from the screen, ignoring the incredible place around them.

2060: The gregarious superintelligent AI, happily talking its way out of a box, is fast becoming a relic of the past. Today's quantum hyper-beings are too busy with their internal multiverse sims to even notice that they're in boxes at all!

I know that complaining about mobile phone use puts me in the same category as grumpy old men and Luddites everywhere, but please hear me out. I honestly believe that the way in which smartphones have permeated almost every aspect of our lives is a fundamental change in how we interact with one another that goes beyond the mere loss of conversation at the dinner table. The picture of people reading their newspapers on the train is often used to imply that tablets and phones are nothing new, but there is clearly a quantum leap in engagement. It is not only reading stuff, or listening to music, the smartphone allows us to do almost everything, with communicationan almost incidental aspect of the technology.

On the one hand, the smartphone has untold benefits. We have information at our fingertips, we can communicate to friends and family everywhere, we can take and send pictures with ease, sharing our thoughts whenever we wish. On the other hand, we have become addicted to curating our digital lives, generating social anxieties previously unknown. The wish to document every aspect of a life with selfies is an alien concept to me, and it seems to speak of vulnerabilities that we are starting to comprehend.

But the most interesting aspect for me is whether our social media obsession makes us more connected, or more isolated. The common understanding of social media is that it allows us to talk to each other in different ways, making us more connected and bringing us together. Having friends accessible on text, Snapchat, Twitter, Facebook, Whatsapp, Yik Yak and whichever other technology you can think of is supposed to make us more connected, but it would seem to enhance the need to create a false digital identity. We are connected, but only show a fake and idealised version of ourselves that does not really exist. I have long suspected that nobody really likes my holiday pictures on Facebook, and when I post one they really secretly hate me.

So instead of creating communities, social media could be isolating us more and more. Hell is other people’s walls. You try to assert individuality through the imposition of the selfie on the world. What matters is not the actual place, but that you can turn the phone and prove that you were there.

But nobody cares.

BbLTVODCIAEyUwR

An optimist’s view is that the technology really is connecting us, making us feel closer to other people. The pessimist view is that we are isolated, islands lost in front of a screen, oblivious of the world around us. You don’t need to engage with your surroundings when you visit a new place, all you need is to have a clear view for the perfect selfie. You don’t need to support a cause in real life, just sign the petition and share it to your friends on social media. The digital consumer is the ultimate island, forever alone, no matter how many likes you get.

I hate to admit that I share the pessimist’s view.

There is no solution in sight short of complete digital detox, people will not give up their smarphones easily. They are too useful! Interestingly, I think that the solution may be in the technology. I have been a great believer in augmented reality, and I strongly believe that it could prove to be the solution to our self-imposed digital isolation. Devices like Google Glass get a bad rap because of possible privacy implications, yet everyone is walking around with a camera and a screen at all times. I see augmented reality devices as a less intrusive interface that would allow us to continue to engage with “real life” in real time, but permitting us to maintain the useful benefits of connection. Need a map?, there it is at the corner of your sight, no need to look down to the screen on your hand, just follow the directions.

And the greatest advantage of augmented reality devices is that they could send the selfie back to the fiery chasm from whence it came. One can always dream.


Source: Technollama

I mean, it's not like we could just demand to see the code that's governing our lives. What right do we have to poke around in Facebook's private affairs like that?

Over the years I’ve had a love-hate relationship with Facebook: I love to hate it. As an early adopter, I always have felt that my interaction with the social network was very different to what other people were using it for, and the change in the platform has only made my interaction with FB much more difficult. Some years ago I even publicly quit Facebook for almost 2 years, only to come back after it became overwhelmingly prevalent in society.

But I still hate it.

There are things we all hate. The pretentious pictures, the passive-aggressive pictures, the badly-used memes. But for me the main reason why I loathe Facebook is the fact that it has morphed into the place where you are supposed to connect with your real friends and family, while other social networks fulfil different functions. It has been a long-running joke that Twitter is where you follow people you’d wish you’d know, while on Facebook you follow people you wish you didn’t. LinkedIn is just weird, strictly for business, and it has gained a reputation for being a bit creepy at that.

I'd like to add you to my professional network

But Facebook started as a very different proposition, you used to add absolutely everyone you had ever met, even if you had just met them at a conference. Now it has become a bit more touchy social issue of who to follow and who not to, with the unwritten understanding that you only follow real friends. But the legacy aspect has left me following a whole bunch of people who I have no idea who they are. This festive period my timeline was suddenly filled with people I don’t know, and I kept asking myself why a social media intended to connect to close friends was full of strange faces. I started going through my “friends” list and there was a significant portion of people who I had no idea who they were, or where I had met them. I could guess in many cases thanks to the other shared friends, but in many instances I really couldn’t remember if we had even spoken in real life.

All of the above has continued to upset me over the last year, and it is part of a larger problem with the type of content that I get. A good number of my connections on FB are from high school and university, and I have simply become much more different person than the Costa Rican social norm. Many old friends have aged into conservatives, which filled my timeline with political, religious and social commentary absolutely alien to me. Many of these former friends and acquaintances hold views that I despise, and while I spent last year filtering quite a large number of people, I am still constantly angered by stuff I read on Facebook.

It is no secret that I am more of a Twitter person, I like the casualness and unilateral nature of the communication, while Facebook has morphed into a mix of a popularity contest and a Trump rally. So my FB became extremely impersonal, I don’t have my actual picture in my profile, and I tend to share very vague stuff, and lots of duck pictures, which I’m sure many people may find incredibly annoying.

So, what to do? I started thinking of the various options:

  1. Quit. This is tempting, but there are still a few useful ways to use FB. I like to use it to connect to family and friends, and there are also a few people that I absolutely love to follow. The common thread of these is that they tend to use it more like a very personal Twitter. So I won’t be quitting for now.
  2. Remove everyone but a few close people. This seemed like the best next option other than quitting, but I felt that if I do that I might as well quit.
  3. So I have opted for a compromise, I will first remove everyone I can’t remember where I met them, or who I have only met once. Then I will see what my timeline looks as a result. Then I’ll start following interesting people and news sources in the same way one follows people on Twitter. My plan is to remove over the next few days at least half of my “friends” list.

One thing is clear, life is short and I cannot continue to allow Facebook to become a constant source of annoyance. I will let you know how the experiment goes.


Source: Technollama