Monday, October 20, 2008

E-banking, online security and ID databases: getting the picture right

It has been widely reported that fraudsters have hacked the online account of French President Nicholas Sarkozy and there were also mentions to the hacking of Sarah Palin’s personal email account, which all has been linked to the raise in online banking fraud, but, were they really hacked? There are probably too many meanings of hacking and they all refer back to hacker as that who “uses his skill with computers to try to gain unauthorized access to computer files or networks” (English Oxford Dictionary), so the question is whether we are confronting an army of skilled computer geeks trying to make millions (which deserves a particular policy and legal response) or if we are actually dealing with a large (very large) group of inept users being conned by common thiefs using common techniques (which would imply a completely different policy and legal answer).
The press and some public officials have jumped to the bandwagon of tougher measures and more control over the activities people carry out online but it seems that we need more information to be able to engage seriously with the topic and devise a propery policy and legal answer. The information provided in the Sarkozy’s case is more than insufficient, but does not seem to lead to what people commonly understand as hacking: it seems that the criminal got their hands on the President’s password in the same way the they were able to guess Governor Palin’s secret question, which does not suggest any use of a particular computing skill or breach of any netwrok’s security measure (if you loose the key to your house and somebody uses it to enter and steal things, you can claim that the person entered unlawfully but not the he/she picked yout lock). Of course somebody may point out that the news don’t specifically say that the electronic security systems were hacked, but the news are normally closely related (and linked) to the rise in online banking fraud and the need of tighter online and offline ID schemes. But they may actually prove the opposite…
A proper report on how the crime is committed can be found in an Argentine newspaper and there you see that this type of crime has nothing to do with the use of online banking but with pure and old crooks and too much data in the wrongs hands. The link takes you to an audio report, which, lossely translated, refers to the crime been committed by intercepting people’s correspondence (bank statements), having an insider in the section of the Police dealing with IDs who would make copies of passports, bugging the telephone line of the account holder to listen the conversations with the bank, disconnecting the customers’ phone line and replacing it by one of the criminal’s phone, requesting the transfer of the balance to the criminal’s bank account by phone, sending by fax proof of ID and, once having the money in the criminals' accounts, reconnecting the original customer’s phone line. So, it seems that it is a little more complicated than “hacking” a bank account and that the proposed policy and legal responses are not quite the ones needed. For example, tt can be argued that if the whole transaction was conducted online and no bank statements had been sent, no telephone conversations carried out and no central ID data base existed, the whole scam wouldn’t work. However, these are the types of news used to justify national IDs and security services rights to monitor/interfere electronic communications. One may argue that taking into account the perceived unreliability of Argentine security forces and their past behaviour they are not a good example to be used to judge developed countries’ policies, but that argument would be fatally flawed due to ignorance (the security forces are quite more efficient than many in developed countries taking into account the resources they have) and due to the fact that one of two criminal inside the organization copied national IDs cannot be compared to the many times that personal data, even sensitive personal data, has been “lost” in, for example, the UK. Furthermore, if the president of one of the powers of the world or his security services cannot keep his password safe, you can imagine how much we can rely on them keeping our data out of unfriendly eyes’ sight…So, a president and a governor’s loss may make good headlines, but it seems to be bad guideline to judge online security and the need of stricter measures to identify people…

Monday, October 13, 2008

IP in the Times of the Crunch

Some 20 years ago the English translation of Nobel Prize winner Garcia Marquez work El Amor en los tiempos del colera (Love in the Time of Cholera) was greeted with all the expectation and enthusiasm that a translation of a great (superb?) novel was supposed to generate. And it did not disappoint its fans. The novel dealt with universal issues as love as disease (both emotional and physical), aging and death and suffering for love and ones’ love, having the cholera as literal background in the form of the speciality of the main character’s husband and as metaphorical tread that assimilated love as a cholera-like disease.
It was also in 1988 that the world of IP saw some developments that planted the seeds for current situations that spread around the globe in following years, and also with pandemic proportions. In the Uruguay Round of GATT the parties failed to reach and agreement on the topics that the then proposed Agreement on Trade Related Aspects of Intellectual Property Rights, TRIPS, should have, and was one of the last times that the developing countries would stick together and refuse to agree to a legal instrument too focused on the rights holders side of the equation and not on the users of intellectual property rights, which implied going to the Montreal meeting the following year without any agreement. In the domestic side, the UK Parliament passed the Copyright, Designs and Patents Act 1988, which reformed intellectual property rights in the UK in quite radical form, doting right holders with more and stronger rights. The twenty years that followed have been a never-ending story of giving more and stronger rights to rights holders and one of a modification of the collective unconscious from the realization that IP rights are a state-given privilege towards the fictitious situation where they are recognized as almost real property.
All that comes together when twenty years later we are going through a period where a credit crisis of pandemic proportions seems to propagate and affect the weak and the strong as a cholera epidemic would do. In time of the crunch everyone gets affected, even those that have taken care of their health and have made preparations for it. It could be argued that, as with the cholera, those that are stronger and fitter stand better chances to survive it, but it seems unlikely that even them would leave the situation unscathed. And this refers to IP rights holders too.
One of the first victims of the credit pandemic is greed and the twisted ethics that it is fine to make any amount of profits without caring of the social impact of the business/economic decisions. In addition to the sensation of having been ripped off by banks and bankers (many times, if not most, this sensation matches the reality), since it is society the one that will have to bail out those that have lived as if there were no future and spending dozens of thousands in champagne per night (a gross generalization but there have been plenty of cases like that) it seems only fair that from now on (at least for a long while) every business decisions would have to be vetted for social impact more than for profitability (in any case society will pay for the losses anyway). This will clearly affect IP rights holders and it is very likely that society would look for the social value of a right and, expectedly, request stronger evidence from those claiming that stronger IP rights do encourage innovation and creativity resulting in a benefit to society. It seems that after bailing out those that have been claiming that they were leading society in wealth creation, society will be right to expect that anyone looking for using the law to extract profits that its business model does not seem to guarantee anymore should give very compelling evidence on that respect. So, if the first casualty is greed the second would/should be the current low standard of proof for claims of social benefit from those ripping fortunes with help from the law.
Another likely effect on the IP rights holders from the current crisis could be seen in the risk-aversion that investors will have to show from now on. There are several reasons for this but we could focus on the losses that investors may suffer for taking risks and the potential lawsuits from institutional investors even when the investment has been sound. IP rights were used by rights holders as both defensive and offensive weapons and many companies would recognize having a vast number of, for example, patents, in order to force competitors to negotiate non IP rights issues with the threat of litigation. In a risk-adverse scenario, investors would run away from companies that base their business strategy in litigation (or the threat of), which would imply that IP rights holders will have to do what IP rights were supposed to encourage: be creative and innovative if they want a market advantage and not using IP rights to stifle creativity and innovation in the market.
The credit crunch may also mean that resorting to litigation becomes the very last resort. Many companies will have to sharpen their pencil to make sure that they can survive in a cash-dry environment and putting a lot of it into a lawsuit and lawyers’ fees may not seem very advisable. It is also unlikely that companies will be able to get financing as the one available until not long ago to bear the financial cost of litigation. It could be suggested that the crunch may induce companies to defend their IP rights even in stronger fashion, but that logic may hit the wall of a new reality where cash is rationed for anything outside the core operations of a firm.
Finally, the summits that we are seeing between the leaders of developed countries, which will soon probably incorporate some of the most advanced developing countries, are been heralded as leading towards a Bretton Woods II and including topics of finance and trade. It seems implausible that, based on the previous reasons, governments would scorn one group of greedy businesspeople to keep giving a carte blanche to other one (and the impact of the later goes from access to knowledge to public health).
In time of the cholera it is important to stay clean and healthy and you may still fall ill; and in time of the crunch it is likely that you may fall ill even while being clean, but to get the necessary help you may need to look cleaner than pristine, and there the IP rights holders have a lot of work to do…

Thursday, October 09, 2008

TelePresence. A technology to beat the credit crunch and global warming or having a third party peaking at your meetings?

Today’s Financial Times runs an article referring to the benefits of using TelePresence technologies, to both cut costs and reduce companies’ carbon footprint. The technology seems quite amazing and gives users the opportunity to carry out meeting that seem real while the participants are scattered around the globe. By using this technology, millions are saved in travelling cost and workers’ time, keeping the vilified use of planes and cars to a minimum (I stress vilified because despite the huge media fuss, if we forget the costs, airlines produce only 3% of CO2 emissions in Europe). The idea is that big companies, that can afford it, will buy the whole system (hardware and software) while smaller ones will either lease it or pay per use in dedicated TelePresence centres, and here is where things get complicated. I have spent some time looking for the terms of service without finding any reference to anything looking like legal issues, and these legal matters could be quite serious for companies using the technology by leasing it or on pay per use basis.
The first and most obvious issue relates to data protection, privacy and security. Will the provider of the service put in place the technological and legal safeguards to make sure that only the participants of the meeting have access to the data that the meeting generates? Will the company paying for the services have access to such a data? If that is the case and some of the participants are in England, will the company have to inform the meeting participants about such monitoring and data retention as requested by RIPA 2000? Just a general notification or one each time that a meeting starts?
It seems unlikely that companies using the service as lessee or on pay per use basis would accept the owner of the system to monitor the meeting and/or retain the data resulting from it, but it the provider of the service does not do so and the system is used for illegal purposes, would the provider be liable? While the answer seems to be no, we are facing a very strong attack against third party’s immunity, which may end in making intermediaries liable for almost anything that happens in their systems.
Other important issue relates to the differences between the need of a warrant to bug a real-life meeting and the potentially easier access that the authorities would have to tap into electronic communications (without mentioning the possibilities of hacking).
I have always suggested that one of the ways to deal with rising costs and rising emissions is the use of technologies like the proposed, but unless there is a clear message towards stronger privacy and third party/intermediary immunity laws, we may better start planting more trees…

Monday, October 06, 2008

Girls Aloud blogger on trial: a case of obscene prosecution?

Some newslets have carried the news that Darryn Walker is being prosecuted under the Obscene Publications Act 1959 for “posting a comment on a fantasy [erotic website] which allegedly described the kidnap, mutilation, rape and murder of Girls Aloud members Cheryl Cole, Nadine Coyle, Sarah Harding, Nicola Roberts and Kimberley Walsh”. All the posts refer to allegations and it seems that none of those writing have actually read the post in question, excepting the Internet Watch Foundation that has made the complaint (it will be good to know if the fact that the foundation’s CEO has been member of the Obscene Publications Branch at Scotland Yard has had any bearing on the unit taking action in this case), so we can talk about it in very general terms (if you have time to look for it within all the archives of the site, let us know).
Starting with the law, most reports mention that the test under the OPA 1959 (section 1) is whether an article’s “effect or (where the article comprises two or more distinct items) the effect of any one of its items is, if taken as a whole, such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it.” The current statutory provision has been taken from earlier common law, as in R v Hicklin (1868) where it was defined as tending “to deprave and corrupt those whose minds are open to such immoral influences, and into whose hands a publication of [that]sort may fall”. So, there is no need to actual depravation or corruption but a tendency to do so and that has proven, rightfully, to be quite problematic. The first problem is that it assumes a patriarchical view that those reading a material are not depraved or corrupted already, to then follow it with the patronizing principle that people are easily corrupted and depraved by either images and/or written words. Strangenly enough, if the publication in question causes shock and disgust, that would constitute a defence under OPA 1959 because a shocked and disgusted person is unlikely to be corruped and depraved by the same material.
Again, we haven’t seein the blog in question, but it is difficult to imagine that it would go further than Marquis de Sade’s Justine (also know as Good Cutoms Well Chastisised or the Misfortunes of Virtue), and we don’t hear much about prosecuting publishers or sellers (this book, as all the other Marquis de Sade’s books, are available at, which is subject to English jurisdiction). Does the fact of using real people in a fictional setting make the issue more serious? (we need to remember that more serious here means only more likely to tend to corrupt and deprave).
It is hard to see any argument, at least under OPA 1959, saying that the use of real life characters may imply a greater likehood of tending to deprave and corrupt. There may be other causes for action, including copyright infringement, but the basis of fan-fiction, real person fiction and, taking out the homosexual connotations, slash fiction is that readers know that is fiction and that no depiction of reality is pretended. Here the argument could be that the killings have the potential of encouraging a real will-be-killer to carry out the act, but there have been many works of fiction talking about killing real characters, including the current president of the US. Can a fantastic story targetted to adults, carried out on a fantasy porn site, tend to deprave and corrupt readers? (taking into account the nature of the site, only adults should be able to access it). Or wer are in front, once again, to another case where activities that are otherwise allowed are persecuted due to be carried out online?
Without even mentioning the fact that there is a very strong argument that there are far more obscene things being shown in Internet (famines, bombings, carnage, corrupt politicians and a long list of etceteras) and nobody seems to care…