Welcome

  • Naked Law is written by technology lawyers from Mills & Reeve. Our team is (mostly) based in Cambridge, England. We write about the latest legal and regulatory developments relating to information and communication technology, e-commerce, and privacy.

    Please send us an email or post a comment if you want to join in the discussions on Naked Law.

Disclaimer

  • The information on this blog is not legal advice. You should not rely on it and we don't accept liability in connection with it. Please read our full disclaimer and let us know if you would like us to advise on any legal issue.

The Good Times

The estimable Alex Wade - author of the Swordplay blog and the Times's Surf Nation blog - has today written a nice piece in the Times about blogging by lawyers in the UK with some kind comments about Naked Law and other UK bloggers.  I had an interesting chat with Alex while he was researching the article.

Who owns your profile – two recent cases on social networking sites

Two recent cases have given guidance on who has the rights to a profile on social networking sites.

In Hays Specialist Recruitment (Holdings) Limited and Another v Ions and Another the court held that Hays had “reasonable grounds for considering that” Mr. Ions had used LinkedIn, a social networking site specifically aimed at linking business contacts, to copy and retain confidential information belonging to Hays.

Hays alleged that Mr. Ions had, whilst still an employee of Hays, copied and then retained confidential information concerning clients and contacts of Hays. They then say he used that information in his subsequent business thereby breaching the restrictive covenant in his contract of employment. Hays was granted an order for the pre-action disclosure of documents which evidenced the uploading of business contacts and evidenced dealing with those contacts after Mr. Ions had left employment.

Mr. Ions contended that Hays knew he had uploaded contact details onto LinkedIn and, indeed, was encouraged to use the site to gain potential business. He claimed that once these contacts were loaded and the LinkedIn invitation accepted the information was no longer confidential.

Whilst the Judge was not asked to rule on this particular issue he did say that “even if [Mr. Ions] uploaded [the contacts] with authority, it is difficult to imagine that the authority was not limited to using them in the performance of his duties as an employee of Hays”.

This case would lead to the conclusion that your LinkedIn profile, if used in the course of your employment, might not belong to you but to your employer. If this is the case then, as Talent Technology Blog point out, what do you do when you move employer? Do you have to delete all recommendations from ex-clients? Do you have to remove all work contacts? What happens if those contacts are also personal contacts? Watch this space and maybe we will have an answer.

On a slightly related note it would appear that the situation on Facebook may be different. In the recent case of Firsht v Readman, Mr. Firsht successfully sued for defamation and libel. Mr. Firsht discovered that a false profile of him had been generated on Facebook and that it contained private information about him purporting to include details of his sexual orientation and preferences and his political and religious beliefs.

The court found that the IP address used to set up the profile belonged to the home computer of a Mr. Grant Raphael, who was an ex-friend of Mr. Firsht. The court then went on to find that the material uploaded was defamatory and libelous.

Even though the profile was removed by Facebook within 16 days of it first appearing, Mr. Firsht was awarded £22,000 in damages including aggravated damages.

Mr. Firsht was able to obtain a successful prosecution due to the fact that Mr. Readman had used his own computer; if Mr. Readman had used a computer in an internet café the situation may have been very difficult.

Less squatters' rights? Nominet lowers the cost of complaining

Nominet's new Dispute Resolution Policy and Procedure come into force today.  A summary of the changes is available here.

The most significant change is the introduction of a new "summary decision" option.  If the domain name owner does not respond to the complaint, the complainant can opt (for £200 plus VAT) to have an expert's decision on the key issues of whether the complainant has rights in the domain name and whether there has been an abusive registration.  If the expert finds in favour of the complainant, the domain name is transferred.

What you don't get for your money is the full, reasoned decision of the expert - but presumably most aggrieved complainants would be happy with just the transfer.

This new procedure seems to me to be a great idea.  Savvy cybersquatters have been all too aware of the higher cost of the full expert decision (£750 plus VAT) and choose to "offer" their domain names for sale for a slightly cheaper sum.  And in many cases this is successful and genuine rights holders pay up, because it still costs less than going down the official route. Hopefully this new procedure will help to alleviate this.

Of course, unscrupulous individuals will no doubt seek to capitalise on the new procedure where possible and this has led to concerns of reverse domain name hijacking - where someone issues a complaint, counts on the domain name holder failing to reply and then effectively "buys" the domain name for the £200 fee.  I am not wholly convinced of this - the hijacker would still need to pay out to get the name, which seems counter-intuitive when there are so many freely available names out there.  However, the message for genuine domain name holders is to ensure your contact details are kept up to date with Nominet and make sure you deal promptly with any complaints.

Skyping the Barrel

Skype have finally reneged on their ongoing challenge to the validity of the GPL2 open source software licence.

Skype had used open source software (Linux) licensed under the GPL2 in Skype-phones, but didn't comply with the requirement to supply the source code of the software with the phone. GPL compliance enforcer extraordinaire Harald Welte brought a case against Skype before the German Courts, who deemed this a breach of the GPL2 licence terms in August 2007. Skype initially decided to appeal against this decision.

Commenting on the issue of GPL2’s requirement to make source codes available, in possibly one of the more esoteric analyses of open source software terms, one of the judges stated:

“If a publisher wants to publish a book of an author that wants his book only to be published in a green envelope, then that might seem odd to you, but still you will have to do it as long as you want to publish the book and have no other agreement in place.”

This seems to me to imply that open source software licensing is really weird (at least to a German judge), but that an open source software licensee must still comply with the terms of the licence. Which is probably correct, albeit using a rather strange example.

Skype’s decision to withdraw from the Appeal (as opposed to being ruled against) sadly leaves us with no definitive legal decision to add any clarity (although we still have the first instance decision). It does, however, indicate that, at least in Germany, GPL licence terms are taken seriously.

Sweet victory

How much sweeter is a perfume when it is supplied by a selected distributor? Dior, Guerlain, Kenzo and Givenchy have clearly placed their marker in the French eBay case (in the perfume claims), where they have apparently succeeded in having eBay fined for permitting the auction of genuine branded products, because they were not being supplied through the appropriate distribution channels established by Dior, Guerlain, Kenzo and Givenchy (as well as for counterfeit products in the handbag claims, discussed in my earlier post). Of course, if the brand holders are right that no branded products for which there is an established exclusive or selective distribution network can be supplied through eBay, it could also solve the problem of counterfeit sales at a stroke, at least where the brand name is mentioned. Establish a network and eBay can exclude all such products from its auctions.

However, this does, as ipKat notes, seem to raise some rather odd questions. Where did these products originate from in the first place? If they were on the market in the EU, then the brand owners' rights should have been exhausted. And presumably they were being supplied by the brand owners or distributors within the brand owners' network. If so, isn't there some breakdown in this network - unless network members are supplying large enough quantities for these to be resold on eBay, in which case the brand owner has already been paid? Shouldn't the brand owners take action against them? Or more profoundly, do we seriously think that selective distribution networks are justified for something like perfumes and many other branded goods, other than as a means for maintaining high prices? I can't remember when I have been helped by a store assistant in buying a perfume.

The Establishment bytes back

Do the French eBay decision and the US Google decision mark a real turning point in the very long legal honeymoon for internet businesses? The early years of the internet were often described as a Wild West where laws did not apply. Of course, only partly true. Often too many laws applied; but few were applied. And an environment thrived which has created not just large and successful businesses, but new business models which now underpin the modern economy.

However, while politicians and legislatures have recognised the value of such an economy, and provided harmonisation and light touch regulation, established businesses have seen their business models undermined, frustrated at the impotence of existing rights and enforcement regimes to provide meaningful protection. Now perhaps the tide is turning. Despite the electronic commerce directive (which is intended to provide freedom for ISPs from regulation) a French Court has fined eBay (in the handbag claims) for failing to take adequate action to remove counterfeit handbags from auction sale.

The Directive is intended (amongst other things) to ensure that ISP hosts do not have burdens placed on them to keep track of what is going on and prevent it. If a host is notified of an alleged infringement it should take suitable steps to remove it; but shouldn't that mean just to stop that (specific) act of alleged infringement, not any other ones which are like it? If a take-down notice can properly apply to a range of potential infringements other than the specific one identified then effectively the host has a monitoring requirement imposed on it, which is not permitted under the Directive; on the other hand, if it only applies to the individual identified act of infringement then a rights holder has a monumental task to police possible infringements.

There has always been a concern that if a host does more than just host - eg provides some monitoring - that it may find that it is no longer protected under the Directive. It is unclear whether eBay has ironically fallen foul of this in its attempt to provide rights holders, through its VeRo programme, with tools to assist them identifying potential infringement, or perhaps with its other restrictions such as control over who may auction trade mark goods, and the types of auction they may enter. Or is this, a French judge being persuaded to protect a French institution - the fashion industry - just evidence of the Establishment rallying its forces more effectively against e-Commerce? If not a change in sentiment within the French court system - one could be forgiven for not being very surprised that a French court has decided this way - perhaps an astute choice of forum to make the point.

Even so, there are strong signs that political pressure, even if not public sentiment, is everywhere shifting towards much more rigorous protection of intellectual property rights, and even perhaps a trace of an idea that the incumbent e-commerce service providers would not be too unhappy with some shift now that they are incumbent. Either way there are clearly some very interesting battles to be fought out here because the interests of a very free and open market which lowers the costs of intermediaries (the cost of "doing the deal") is very much in tension with the fact that making it easy to do the deal makes it easier to do the illegal deal. Some changes will undoubtedly be on the way, but let us hope that they are not ones which stifle innovative new businesses.

newyork.newyork - so good they named it twice

Yesterday, at a conference in Paris, the internet domain name regulator ICANN decided in principle to deregulate the system for acquiring website domain names. The aim with this deregulation is to increase flexibility, particularly as to the choice of names available.

This could be great news for people like the New York State Tourism website information board, who will potentially no longer need to go by the website address of iloveny.com, instead they could simply become newyork.newyork (or big.apple or thecity.thatneversleeps maybe). Companies such as Apple and Microsoft may be able to become apple.apple and microsoft.microsoft. Such flexibility may come at a steep cost, with some estimating $100,000 or more per domain name!

Following approval of this recommendation, ICANN may now start the drawn out process of implementing these changes. Things have not changed dramatically yet (ICANN is working towards 2009), so watch this space for more announcements.

Domain names may now also be able to be used in other languages, such as Arabic or Mandarin Chinese.

If these suggestions are fully implemented then my worry is that this will increase cost for business. Businesses may now need to consider whether they register variants on their current trade mark portfolio with all these potential new domain names. There is also, potentially, a greater opening to cybersquatters, which businesses may need to consider.

Have you 'Googled' the privacy policy?

Privacy and data protection appears to be the topic of the moment, with many new cases being reported on, and publicity surrounding data protection breaches.  We have mentioned a number of these cases on our blog over the past few weeks. 

The BBC reported last week on some complaints being made about the positioning of Google's privacy policy.  Prompted by this, I wanted to see just how accessible Google have made their policy. I discovered that at the bottom of the i-Google home page there is a link to the policy; however, the page reached from clicking on that link is not actually the policy but a 'privacy notice' which then links to a 'privacy policy' with a further one or two clicks depending on the link selected.

The complaints about Google's site have been made in the US, and in the context of compliance with the Online Privacy Protection Act 2003 applicable in California.  Not being a US lawyer, I am not going to comment on whether Google comply or not in this case. But I thought a brief mention about privacy policies and why they are so important to include on websites might be useful to readers.

Anyone who runs a website needs to be aware of the legal requirements surrounding the use of personal data, as these not only come into play where the site actually asks users to enter personal information about themselves.  Even the use of cookies to track on-line movements of users of the website, and other data obtained about traffic using the site including location data, and browsing activities, could amount to what's known as 'processing of personal data'. Under UK law, users of any website should be informed if their personal data is going to be 'processed', and how the information obtained about them will be used and stored. The best way of notifying users is by including an easily accessible privacy policy on your site, with clear and obvious links to it from your home page.  The privacy groups in the US were complaining that Google had not got this right under US law.

Under UK law, website owners must also be careful to be data protection compliant with what they do with the data, and consent is required to be obtained from individuals before certain types of processing of personal data can be undertaken (for example use for direct marketing by email, disclosure to third parties).  It is important to note that inclusion of a privacy policy of itself is not sufficient to ensure compliance with the Data Protection Act 1988.

Is it bad Phorm?

We’ve probably all heard recent reports about Phorm’s “Webwise and Open Internet Exchange” products. These employ a technology which utilizes ISP data to target users with tailored advertising; ISPs with whom Phorm has done a deal so far include Virgin, TalkTalk and BT. As Virgin is my provider, my immediate reaction to hearing the news was indignation at the thought of being snooped on in this way, not to mention misery at the thought of my screen being flooded with still more unwanted ads.

The Foundation for Information Policy Research, in an open letter to the Information Commissioner’s Office (“ICO”), gave voice to some of the same fears. It argued, in particular, that the use of the software would entail breach of the Data Protection Act 1998 because it would involve “sensitive personal data” such as search terms used (which would reveal details of things like political, religious, sexual preferences and health issues). If the Phorm software does indeed entail the “processing” of sensitive personal data, it would find itself having to comply with the data protection regime of notification and consent.

There are two other potential legal angles for Phorm to worry about: the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“Privacy Regulations”) and the Regulation of Investigatory Powers Act 2000 ("RIPA 2000").

The Privacy Regulations apply to commercial communications made by email, fax or phone. They require users to be informed if cookies are stored on their computers and to be given the opportunity to stop the storage. They also require ISPs to get customer consent before they use their traffic data to market their services. RIPA 2000 regulates the interception of communications without prior informed consent; for these purposes, web-hosts are deemed to be “communicating” their web pages to the end user.

In response to these concerns, the ICO last month issued a press statement analyzing whether the technology Phorm proposes complies with the data protection and privacy laws; it declined to comment on RIPA 2000 since the Home Office has responsibility for enforcement of that law.

On the data protection point, the ICO said that the Phorm technology did not involve the processing by Phorm of personal data. This is because each user profile built by the software is based on a randomly allocated identification number which is held only on the user's terminal and by Phorm itself and it is impossible for its employees to locate particular user ID profiles on its system. However, the ICO acknowledged the possibility that the ISP itself, which undertakes the actual profiling of users, might be able to link particular user profiles with their IP addresses, leading to the creation of a data trail by which it might be possible to identify individuals. If so, ISPs who handle Phorm profiles may be processing personal data. However, Phorm intends to ensure compliance with Data Protection Act rules by presenting users with an unavoidable statement about the software and asking whether they wish to be involved in its use; it also intends that users will have easy access to information on how to change their mind about opting in, and that they will be free to opt in or out of Phorm at any point. This statement will also contain the information about cookies required by the Privacy Regulations.

So far, it was looking good for Phorm, until that part of the ICO statement which states that, in order to comply with the Privacy Regulations' rules on obtaining user consent to use of their internet traffic data, Phorm will probably have to operate its system on an "opt-in" basis, so as to ensure that it has users' consent to the use of their traffic data to provide value-added services and profile-driven marketing. This was not what Phorm wanted, having hoped to get the ICO's blessing for a mere "opt-out" clause (which would deem all users to have given consent unless they expressly withheld it).

This is obviously a commercial disincentive which is likely to much reduce the number of users whose usage can legally be tracked in order to target advertising. If required to actively sign up to “targeted marketing” then users are instinctively likely to decline the offer, unless Phorm can really persuade us all that opting in would replace the irrelevant advertising we have to submit to already rather than adding even more advertising to the web page than there is at the moment.

One also wonders why websites would want to sign up for the software which is quite likely to more accurately push their competitors’ sites in front of their customers? For example, if I mainly look at the BBC news website, wouldn’t Phorm “understand” this and so push adverts for other news and current affairs sites at me, to the BBC’s detriment? We’ll have to wait and see how it works in practice, I guess.

Blog Mgog

It has been reported that a Welsh blogger has been fined £150 (plus costs) for posting 'menacing messages' on his blog about a police officer who originally interviewed him.

Gavin Brent is reported to have been found guilty under the Telecommunications Act of posting menacing messages. I suspect this is an erroneous reference to the Communications Act 2003 S. 127, which provides that it is an offence to make improper use of a public telecommunication network. A person who 'sends by means of a public electronic communications network, a message or other matter that is grossly offensive, or of an indecent, obscene or menacing character' is committing an offence.

The offender here wrote something which could be construed as offensive in relation to the police officer's family. Another cautionary tale to all bloggers out there.