Legal update on Information and Communication Technology – July 2013

, , , , and , 01 July 2013

Google's AdWords

Ocker appeal win:  In February this year Google won a significant appeal in Australia when the High Court of Australia (the highest court) ruled that Google was not responsible as publisher for misleading advertising produced by its search site and its AdWords service.  The Australian Competition and Consumer Commission (ACCC) had issued proceedings alleging that Google was liable as publisher for the misleading conduct of its advertisers when they used competitors' trade marks as part of Google's AdWords service.  The High Court held that ordinary and reasonable users of the internet would not regard Google as endorsing sponsored links but would recognise that these links were made by Google's advertisers.

Trade mark policy change:  Apparently on the back of this appeal decision, Google has significantly changed its AdWords trade mark policy for a number of territories, including Australia and New Zealand, with effect from 23 April 2013.  Google will no longer prevent advertisers from selecting a third party’s trade mark as a keyword in ads targeting New Zealand or Australia.  Previously, if your competitor used your registered mark as a keyword in the AdWords service you could use a Google procedure to object and if successful Google would remove the offending keyword.  Google's site says that trade mark owners "will still be able to complain [to Google] about the use of their trade mark in ad text".  That said, Google does "encourage trade mark owners to resolve their disputes directly with the advertisers, particularly because the advertisers may have similar ads running through other companies' advertising programs."  From now on, particularly in relation to use of its mark as a keyword, a trade mark owner will have to take legal action directly against the offending advertiser.

'.kiwi' domain names incoming

ICANN (The International Corporation for Assigned Names and Numbers) has formally approved the new generic top-level internet domain designation '.kiwi'.  This will be an alternative to the existing '.nz' top level domain designation.  From around mid-August this year, registered trade mark holders will have a chance to register '.kiwi' domain names before they are made available to the general public.  The wholesale price for each '.kiwi' domain name will be $25, and $2.50 of that will be donated to assist in the rebuild of Christchurch.

Lord McAlpine wins first round in hearing for Twitter libel case

The High Court in England has ruled that a tweet by Sally Bercow, linking Lord McAlpine (a retired British politician) to a report that an unnamed conservative politician was implicated in historic child sex abuse, was defamatory.  The case is an important reminder that comments on social media can have serious consequences. 

The proceedings followed a Newsnight report alleging that an unnamed conservative politician had been involved in the sexual abuse of boys in care.  Following the news report, a number of tweets linked Lord McAlpine to the report.  BBC, ITV and a number of other tweeters apologised for their part in the story, and the BBC and ITV both paid Lord McAlpine six figure settlements, presumably to avoid proceedings and damages for defamation.

The tweet by Sally Bercow at the centre of this case read "Why is Lord McAlpine trending? *innocent face*".  Sally Bercow maintained that her tweet was not defamatory.  The Judge in the High Court held that the ordinary meaning of the tweet was that Lord McAlpine was a paedophile who was guilty of abusing boys in care, as it was the final piece of the puzzle linking Lord McAlpine to the Newsnight report.  The Judge rejected an argument from Sally Bercow's counsel that Twitter was simply a place to share random thoughts without necessarily meaning anything. 

This case reiterates that social media is just like the real world - the normal rules relating to defamatory comments apply.  It is also a reminder of the very public nature of social media.  While a comment made to a few friends is unlikely to result in liability for defamation, a comment made on Twitter is shared with the world.

New Zealand High Court likes Tamiz v Google Inc

A High Court decision on defamation in the context of social media has clarified the parameters of liability for hosts of third party content on the internet.  As was suggested in our recent analysis of Payam Tamiz v Google Inc, the Tamiz decision has provided the signposts for dealing with issues of third party content in New Zealand.

In Wishart v Murray, Courtney J used the 'noticeboard' analogy, approved by the Court of Appeal in Tamiz for the hosts of blogging platforms, to consider the liability of Facebook page hosts as publishers of third party content. 

Mr Wishart, together with Macsyna King, co-wrote Breaking the Silence a book about the case against Chris Kahui for the murder of Mr Kahui and Ms King's twin boys.  Mr Murray was the creator of a Facebook page entitled Boycott the Macsyna King Book.  Mr Wishart sued Mr Murray and other defendants for, among other statements, comments left by third parties on Mr Murray's Facebook page.  The question for the New Zealand High Court was whether Mr Murray was the publisher of the third party content left on the Facebook page.

Applying the analysis carried out by the Court of Appeal in Tamiz to the host of a Facebook page, Courtney J held that the host of a Facebook page has the power to both delete postings and block users and could not be seen as a passive instrument or mere conduit of the information posted on the page.  As such, if a host of a Facebook page knows, or should reasonably know, that defamatory material is posted on their page, they will be regarded as the publisher of that information.

The Wishart decision is consistent with the growing trend for hosts of Facebook or other social media pages to be held accountable for content posted by users.  Most organisations are by now well aware of their responsibilities to monitor and remove content that might breach advertising codes of practice (though the ASA's Social Media Guidelines are limited to where the brand has 'solicited' content), but the Wishart decision reminds us that those using social media for brand promotion should be alive to their potential liability for defamation as well – which carries the potential for far greater financial and reputational damage.

Agoraphobic? Rationalising a fear of open source software

For many CIOs, CEOs and in-house lawyers, the use of open source software (OSS) in their organisations has long been put in the too-hard basket.  The risks (real or perceived) of inadvertently tainting proprietary code with the fuzzy, permissive terms applying to OSS are not well understood by many people, and even fewer have been willing to tackle them head-on.

The philosophy underlying OSS is that source code (usually jealously guarded and heavily protected as valuable IP) wants to be free.  Early proponents of OSS tended to be inspired by concepts of freedom of property, and were inherently against the restrictive nature of intellectual property rights – a philosophy that didn't blend well with Microsoft, Oracle and the other software giants as they rose to power in the 1980s.

Today, the term 'open source software' generally means that the source code (ie the human-readable portion of computer code) can be seen, modified and redistributed by the public without paying any royalties or licence fees – resulting in a continuing cycle of open and collaborative improvement for the benefit of society in general.

There is however a catch.  Despite a common misperception that OSS means 'licence-free', users of OSS are still subject to a software licence, just as users of proprietary, commercial software are.  OSS licensors still use copyright law to control the behaviour of users; but rather than using it to curtail or restrict what a user might otherwise be able to do (ie copy or distribute software), they use the powers they have as copyright owners to ensure that the OSS remains 'free', and that users aren't able to impose on it their own restrictions.

The principal fear relating to using OSS arises from a concept known as 'copyleft' (as in the opposite of copyright), which arises in some – though not all – OSS licences.  More pejoratively known as 'viral' licences, copyleft licences (the most well-known of which are the GPLv2 and its successor GPLv3) provide that the terms that apply to original OSS are inherited by any subsequent software developed using the original OSS.  In practice, this means that if an organisation wishes to redistribute software which includes elements of OSS, then it may have to make available the source code to all of that software under the terms of that licence, including elements of the code which it might have thought were proprietary.

This of course leads to a significant grey area – determining exactly when a "work is based on the [OSS] Program" (in the words of the GPLv2).  Answering that question will require a detailed working knowledge of the code in question, and how the derivative work or adaptation came to be – but it is a question that only needs to be asked in relatively few circumstances.  Copyleft provisions are generally only triggered if a licensee distributes the OSS – so if it is only ever used internally within an organisation, then those provisions shouldn't cause any problems.

The GPLv3 also clarifies that making software available as a software-as-a-service (SAAS) offering does not constitute 'distribution' of the software.

The problem is that for many potential users, the relatively rare and avoidable effects of copyleft licences can distract from the obvious benefits that OSS can offer – zero licensing fees, reduced development costs, flexibility across software solutions and vendors as well as regularly (and freely) available fixes and updates through the collaborative OSS community.  The majority of OSS licences (including the MIT, BSD 2.0 or Apache 2.0 licences) do not contain copyleft provisions – and for that reason, tend to apply to the most popular OSS products. 

There is also a huge amount of reputable, mature, and well supported OSS already in use by a large number of businesses (a 2011 Gartner survey put the figure at more than half of surveyed organisations) – including the Android and Linux operating systems, applications like Mozilla Firefox web browser, and server software like Apache or database software like MySQL.

This doesn't mean that problems can't arise.  Pre-acquisition due diligence of an organisation distributing software should ensure that any applicable OSS licences have been complied with, and – as would be the case with any other software – confirm that the downstream licence rights granted by the target haven't exceeded the rights it has been granted by the original licensor.

It may also be worth investing in a code scanning service to verify the extent of any OSS in a target's software product.

For organisations considering procuring a solution that includes OSS, very little can be expected in the way of warranties, and a clear understanding of exactly which OSS licences apply will be needed.  It may also put more pressure on contracted support services if something goes wrong, and some would argue that a supplier of OSS support services has less commercial incentive to get to the bottom of a problem than someone who has invested a lot of time and money in developing and marketing proprietary software.

Regardless of an organisation's own views on the open source philosophy, the reality is that the use of OSS is on the rise.  The perceived risks may or may not be acceptable, but understanding those risks and setting down an organisation's stance in a formal internal OSS policy can help to manage any issues before they arise, as well giving to potential investors or acquirers the same peace of mind given to in-house counsel.

This article first appeared in the April edition of Australasian Legal Business.

Bitcoin in e-commerce – does it make cents?

The first half of 2013 has certainly been tumultuous for the world's largest cryptocurrency.  Announcements of ever-larger businesses accepting bitcoins as payment (the Internet Archive will even pay portions of staff salaries in bitcoins) together with financial troubles in the EU and Cyprus, offset by software issues, cyber attacks, regulation by FinCEN, and most recently, the seizure of the assets of Mt Gox (the world's largest bitcoin exchange) for failing to register as a money transmitter in the US, have resulted in huge volatility.  Prices of bitcoin have fluctuated as high as $266 and as low as $50, sometimes halving or doubling in value within hours.

With all these ups and downs, it seems like a good time to reflect on bitcoin's ongoing usefulness from an e-commerce provider's perspective.

For those who aren't already paying their Friday night bar tab in bitcoins, bitcoin is a virtual currency that can be exchanged for cold, hard cash online via a bitcoin exchange.  You can also create (or 'mine') bitcoins yourself using a software program that runs complicated mathematical problems and (occasionally – sort of like mining gold) generates a bitcoin as a result.  Initially, anybody could mine bitcoins but these days, the competition for bitcoins is so intense (with entire server farms being dedicated to the task) that the chances of striking gold are exceptionally small.  Bitcoins are stored in 'wallets' that can either be downloaded to your PC or stored in the cloud.  Bitcoin relies on p2p networking and encryption for integrity, and was launched by the mysterious Satoshi Nakamoto (a pseudonym) in 2009 as an answer to a perceived lack of trust in governments, banks and other institutions to maintain the value of currency and conduct secure anonymous transactions. 

From an e-commerce provider's perspective, the main advantage of bitcoin is that processing transactions is fast and cheap.  The cost of receiving payments in bitcoins is a fraction of a credit card transaction fee, making it feasible to receive very small payments (eg 50 cents).  There have also been suggestions that bitcoin could become a centralised currency for virtual worlds and online gaming. 

Another promoted advantage is the anonymity and security of bitcoin transactions, since transactions are linked to a bitcoin address that is apparently anonymous.  For this reason, bitcoin has become very popular for online gaming, and it is the currency of choice in the internet underworld.

However, recent analyses have shown bitcoin's anonymity to be vastly overstated.  All bitcoin transactions are recorded on a public register, so if a person uses the same bitcoin address for multiple transactions, these can all be linked together.  Further, participants in a bitcoin transfer will generally be told the other party's bitcoin address.  Combined with information posted in user forums and social media, this means that with some relatively simple techniques, a significant portion of consumer-type bitcoin users (ie those that don't go out of their way to preserve anonymity) can be identified. 

There are services (eg bitcoin mixers) and techniques that can be used to counter these anonymity problems.  Although it will take some time before bitcoin gets big enough for privacy breaches to become a real problem, businesses trading in bitcoins regularly should start thinking about protecting their privacy now, in order to keep details of their finances, supply chain and spending habits away from prying eyes.

Where in the world is your information?

In February the Office of the Privacy Commissioner published its privacy checklist for small businesses thinking of using cloud services, called Cloud computing: A guide to making the right choices (to view the whole checklist click here).  The checklist sets out key privacy issues that businesses should consider and questions those businesses should ask cloud providers before handing over any personal information. 

At a high level, the checklist covers the following key areas:

  • What is personal information? If it is about an identifiable individual, it is personal information.
  • What is the business responsible for? The business is responsible for ensuring that the information is stored safely, can be provided if the person who is the subject of the information wishes to see it, and can be destroyed when no longer needed.
  • What does the business have to do to keep information secure? It recommends that all personal information be encrypted in transit and businesses should consider what security measures or certifications the cloud provider has.
  • What happens if it all goes wrong? It recommends checking the proposed contract to determine what obligations the cloud provider has and what remedies are available in the event of a security breach.
  • What should you tell customers? It recommends that businesses tell people upfront if their information will be held offshore and, if so, where.
  • How are customer requests to see and correct the information handled? It recommends that businesses consider an alternative cloud provider if the business cannot not access personal information when needed to comply with information requests.
  • Does location matter? The checklist discusses issues relating to conflicting privacy laws and the ability under certain laws for other agencies to access personal information held in those countries.  It recommends locating information in countries with similar privacy laws to New Zealand.
  • How much information does the cloud provider see? The checklist recommends businesses find out which of the cloud provider's staff get access to the business' information and how that access is controlled and monitored.
  • How do you get the information out? Can the information be retrieved or deleted if the contract comes to an end?  The checklist sensibly says you need to be able to get your information out in an appropriate format when the contract ends and that you are able to verify the provider doesn’t retain copies of your information on its servers.

The key message for businesses using cloud services is that the business remains responsible for protecting personal information - whether that information is held on the company's own computers or in a shared data centre in New Zealand or offshore.

The new United States' 'Six Strikes' Copyright Alert System

What is it?

In late February of this year, the 'Six Strikes' Copyright Alert System (CAS) was rolled out in the United States.  The scheme is the latest adaptation of the international concept of a 'graduated response program' – a framework for media owners to address alleged online copyright infringements with computer users through their internet service providers (ISPs). 

The CAS was established by the Center for Copyright Information (CCI), a coalition made up of big industry players: the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA) and the five major ISPs in the United States - AT&T, Cablevision, Comcast, Time Warner, and Verizon.  The focus of the scheme is educating the public about copyright policies in the digital age, signalling a new approach to the deterrence of online piracy.  It is aimed at everyday, casual file-sharers – and presumes that 'hardcore pirates' are beyond detection because of their use of Virtual Private Networks or proxies that help conceal their identity.

How does it work?

Rights owners monitor downloading of their copyright material online by joining peer-to-peer networks and locating content that they own.  If they notice that a file is being shared illegally, they notify the appropriate ISP who, in turn, issues a Copyright Alert to the relevant account holder.  No personal information is shared between the rights holder and the ISP at this stage. 

The purpose of issuing Copyright Alerts is to:

  • Make an account holder aware that unlawful content sharing may have occurred on their account
  • Educate account holders on how they can prevent copyright infringement from happening again
  • Provide account holders with information about ways to access digital content legally.

The CCI is of the view that after receiving one alert, most account holders will take the appropriate steps to avoid additional alerts.  The system allows an account holder to receive multiple alerts detecting online piracy before more serious action can be taken.

After an account holder has received three warnings, 'mitigation measures' can be taken by the ISP.  These repressive measures may include a temporary reduction in internet speed, a temporary downgrade in internet service tier, or redirection to a landing page for a set period of time, until an account holder contacts the ISP or completes an online copyright education program.  Each ISP has the ability to decide what measures they will take, although no ISPs have indicated that they will permanently disconnect repeat infringers as part of the scheme.

ISPs have wide discretion as to what mitigation measures to take.   They also have wide discretion as to when to take these mitigation measures against an account holder – more severe measures may be taken at different stages as appropriate.   However, if the ISP has not taken any mitigation measures after six alerts, it must do so at this stage.   The ISPs will not release any personal information about the account holder during this process, unless the MPAA or RIAA decide to sue that person and obtain a court order requiring the ISP to disclose the account holder's information.

How effective is it?

In a recent blog report, the CCI claimed that initial responses from consumers in the three months since the launch of the new system have been both productive and positive.  ISPs have been able to actively help account holders take the necessary steps to protect their accounts from being used for illegal behaviour.  At this early stage, however, the jury is out on how wide reaching the scheme's effectiveness will be long term.  In New Zealand, where our system is based on penalising illegal conduct rather than education, only 20 cases were received by the Copyright Tribunal in the 12 months before February 2013, eight of which were withdrawn.  It will be interesting to see which approach is the more successful in deterring online piracy over time.