Computer Law & Security Report (Volume 21 Issue 5)

Computer Law & Security Report (2005) 21, 357–358

EDITORIAL

Definitive digital maps pose a challenge for e-Government

For some time now the Government has been extolling the virtues of the digital environment. This has extended in all kinds of ways into policy development and been given the label e-Government. In 2004 the e-Government Unit was established, based in the Cabinet Office, to work with departments “to deliver efficiency savings while improving the delivery of public services by joining up electronic government services around the needs of customers”. Much of what this is about concerns public procurement in providing technology that will enhance the experience of customers when interacting with Government. The Head of the Unit, Ian Whatmore, is to be a ‘thought leader’ and ‘catalyst for change’ in the adoption and management of technology in Government and to develop best practices in technology adoption across Government. One of the challenges here is to actually translate these aspirations into better products and services.

One area, in particular, concerns the potential of using digital maps to define the legal boundaries of common land, public rights of way and national parks etc. Ordnance Survey, which operates as a Government agency with substantial control of its budget and spending, has in recent years developed OS MasterMap – an intelligent digital map designed for use with geographical information systems (GIS) and databases. Building upon this, in 2001, the OS announced the launch of the ‘digital national framework’ as a model for the integration of geographic information of all kinds. As such this will assist a wide range of businesses and organisations seeking a referencing system to link business with geographic information.

This is to be welcomed but what has not happened yet is the linking of definitive information about the location of public rights of way, common land etc. into digital map format. This is a big issue for landowners, farmers, environmentalists, planners and policy makers who want to reap the benefits that technology can offer in terms of access, accuracy and cohesiveness of the dataset that an online version could offer. Currently, the paper based versions of such mapping data are inadequate, incomplete and out-of-date – a fact brought home to Government in 2001 during the outbreak of ‘foot-and-mouth’ disease in cattle when no up-to-date online national grid of public rights of way existed to assist the authorities to manage public access to the areas badly affected by the disease.

Currently, the Commons Bill (HL), which updates the law on the registration of common land and town or village greens, is proceeding through its Parliamentary stages. It provides for commons registration authorities to continue to keep registers and for the appropriate national authority to establish commons associations with powers to protect and promote sustainable agriculture on common land etc. Clause 24 of the Bill enables the appropriate national authority to make regulations permitting or requiring commons registration authorities to maintain commons registers in an electronic form. Converting evidential data as to exact boundaries of different types of land presents complex challenges, as the digital copy must stand up to scrutiny in a court of law. It is precisely this type of issue that e-Government policies must address if the long-term strategy of building on the digital revolution is to be realised within Government.

The explanatory note to the Bill puts the position succinctly: “The digitisation of the register maps of common land undertaken by the Countryside Agency and the Countryside Council for Wales for the purposes of the statutory right of access under Part I of the Countryside and Rights of Way Act 2000 has highlighted the difficulty of translating the information contained in old, relatively small scale Ordnance Survey register maps held by commons registration authorities into a modern electronic mapping database, and particularly in determining and locating accurate boundaries to registered land where the register maps are poorly drawn, indistinct or based on out-of-date mapping.”

More work needs to be done to co-ordinate this task. It is going to involve a long-term consolidation of the definitive map and a resolution of the backlog of disputes and appeals that have built up over time. Up to now the only broad based provisions supporting the e-Government agenda in this respect have been Sections 8–9 of the Electronic Communications Act 2000 (Ch.c.7). These sections enable the appropriate minister to issue regulations to authorise or facilitate the use of electronic communications or electronic storage, where previously other forms of communication or storage were required to satisfy evidential requirements. It is going to take some time to resolve these challenges but, in the long term, it is only by tackling such problems that the real breakthrough can be achieved in fully embracing the potential of the digital revolution.

Stephen Saxby

0267-3649/$ - see front matter © 2005 Dr Stephen Saxby. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.08.011

New Report Correspondents

Roger Clarke

Roger Clarke is joining the Panel in order to augment CLSR’s technical and executive perspectives. Roger is based in Canberra, Australia. His consultancy work focuses on strategic and policy aspects of eBusiness, information infrastructure, and data surveillance and privacy. He has been associated with universities throughout his 35-year career in the information technology industry. Most relevantly, he is a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W. in Sydney. He is also a Visiting Professor at the Australian National University, and the University of Hong Kong.

In the e-Business area, he will apply his expertise in technology evaluation, architecture, trust, security, e-consent, privacy, authentication, digital signatures, public key infrastructure and biometrics. He has long experience in privacy impact assessments, particularly in government contexts. He has a specific interest in e-Publishing, including discovery strategies and metadata, but importantly also copyright, digital rights management, information management, and information policy. Because of his academic and government involvements, he has paid particular attention to open source, open content, and the open access/e-Prints movements. He also works in Internet architecture and governance, ‘growing pains’ (such as spam, cookies, censorship, malware, evidence of identity and location, domain-names, P2P and digital property rights), cyberculture, collaboration technologies, and the history of the Internet. He has provided expert evidence in a variety of patent cases (regarding smart cards and Internet commerce), and in relation to defamation on the web (including for Dow Jones v. Gutnick), domain-names, privacy, and P2P technology.

David Taylor has joined the correspondents’ panel. David holds a Masters in Engineering and PhD in Physics. Having retrained as a solicitor, David now works in the Lovells Intellectual Property, Technology and Media practice in Paris, advising on many aspects of e-commerce and intellectual property rights on the Internet, including domain names, for which Lovells offers Anchovy, a global online brand management and protection service. David is a member of the WIPO Arbitration and Mediation Centre’s Domain Name Administrative Panel and is a panelist for .fr with CMAP (Centre de Médiation et d’Arbitrage de Paris).

Computer Law & Security Report (2005) 21, 359–377

CLSR BRIEFING

News and comment on recent developments from around the world Compiled by Stephen Saxby, editor

0267-3649/$ - see front matter © 2005 Dr Stephen Saxby. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.08.010

United Kingdom

LSE identity card report published

The London School of Economics, in partnership with Enterprise Privacy Group (EPG), an information consultancy, has published a report on the Identity Cards Bill. This follows a six months’ wide ranging research project intended to examine a number of issues raised by the Government when it first proposed its national identity system. The report concludes that the establishment of a secure ID card scheme will have the potential to create significant though limited benefits for society. It notes, however, that the proposals currently being considered by Parliament are neither safe nor appropriate. Stakeholders involved in the report indicated that the proposals were “too complex, technically unsafe, overly prescriptive and lacking a foundation of public trust and confidence”. The report, therefore, considers alternative models for an identity card scheme that the research indicates may achieve the goals of the legislation more effectively.

The report notes that many of the public interest objectives of the Bill might be more effectively achieved by other means. For example, it suggests that preventing identity theft may be better addressed by giving individuals more control over the disclosure of their own personal information, while the prevention of terrorism “may be more effectively managed through strengthened border controls and increased presence of borders, while allocating adequate resources for conventional police intelligence work”.

The report also criticises the technology envisioned for the scheme which it suggests is largely untested and unreliable. It notes that no scheme on this scale has been undertaken anywhere else in the world but smaller and less ambitious systems have encountered substantial technological and operational problems. The use of biometrics gives rise to particular concern because this technology has never been used on such a scale. The report also indicates that the likely cost of a ten year roll-out of the proposed scheme will be between £10.6 billion and £19.2 billion with a median of £14.5 billion. This figure does not include public or private sector integration costs and takes no account of any potential cost overruns.

The report suggests that any system that supports critical security functions must be robust and resilient to malicious attacks. With the size and complexity of this system, security measures are likely to result in substantially higher implementation and operational costs than originally estimated. It notes that the proposed use of the system for a variety of purposes and access to it from a large number of private and public sector organisations will require unprecedented attention to security.

The report concludes that the success of a national identity system will depend on “a sensitive, cautious and co-operative approach involving all key stakeholder groups including an independent and rolling risk assessment and a regular review of management practices”. The researchers state that they are not confident that these conditions have been satisfied in the development of the present Bill. It concludes on a serious note that the risk of failure in the current proposals is “magnified to the point where the scheme should be regarded as a potential danger to the public interest and to the legal rights of individuals”.

Editor’s note

The London School of Economics Report is available at http://is.lse.ac.uk/idcard/

Public sector ICT abuse still a major risk

ICT fraud and abuse are still posing major problems to public sector organisations and those who use their services, an in-depth survey shows. New technologies, like the use of handheld devices (PDAs) and wireless networking, are creating fresh risks that public services are only slowly reacting to. And, despite better ICT security systems, a ‘culture of complacency’ and a failure to ensure that staff understand the rules is undermining the effectiveness of ICT security arrangements.

The survey, carried out in 2004 by the Audit Commission, is based on the responses of more than 400 public sector organisations, including NHS trusts, local authorities, police and fire authorities. Two hundred cases of ICT fraud and abuse were identified in the survey. The results are published in the report An Update on ICT Fraud and Abuse 2004.

Since the last survey in 2001, the new report points to some improvement in ICT security, with security policies in place at 96% of organisations. It also records a fall in the incidence of ‘business disruption’ (viruses or other deliberate acts aimed at denying users access to systems), making up only 20% of cases in the 2004 survey compared with 39% in 2001. But the report does reveal:

• a 13% growth in reputational risks, including staff accessing pornography or other inappropriate material (52% of cases in 2004 compared to 39% in 2001);
• financial risks continuing to mount (28% of cases in 2004 compared to 22% in 2001); and
• evolving technology (like wireless networking) presenting a challenge that organisations do not fully appreciate (64% of respondents put wireless networking in the low/medium risk category).

The report focuses on the key role staff play in ICT security. Yet only 50% of organisations initiate staff training in ICT security systems, and only a third of organisations inform their staff about their ICT security policy and what staff should be doing. Alongside the report the Commission has produced a self-assessment questionnaire for chief executives and other senior managers to use when considering their own organisation’s susceptibility to ICT fraud and abuse.

Steve Bundred, Chief Executive of the Audit Commission said: “The growth in new technology – through PDAs and wireless networking, for example – coupled with the greater sophistication of hackers and fraudsters mean that the risks remain significant. ICT security is only as effective as the staff within the organisation, and too often we are finding that staff are unsure of their role. If we fail to get this right we risk eroding the confidence of citizens in the electronic systems that underpin public services. We recommend that chief executives and other senior staff review their organisations against the set of questions we’ve developed.”

To help local government and health bodies tackle ICT fraud and abuse, the Commission has developed the Your Business at Risk (YBAR) database, against which organisations can compare their ICT security measures against a range of other organisations. To use YBAR, local government and health bodies should contact their appointed auditor.

Editor’s note

The seventh ICT fraud and abuse survey was carried out during October–November 2004. Four hundred and seven bodies completed the survey, including local government, police and fire authorities, NHS bodies, central government departments, non-departmental public bodies and agencies. See further: www.audit-commission.gov.uk

Public needs should drive digital innovation

Transforming society through technology is in danger of happening too quickly and leaving the public behind, according to the Institute for Public Policy Research (IPPR) which today published a manifesto for a digital Britain. It concludes that government has prepared the UK well for the 21st century but remains seduced by vague notions of a “knowledge economy” and is too often driven by innovation for its own sake. The report argues for directing technological advance to meet social and economic benefits and ensuring that legal and constitutional priorities – including privacy and democratic participation – are not undermined. It concludes that people are more likely to embrace technology if they have more choice about how and when it is used to store information and access services.

Modernising with Purpose: A Manifesto for Digital Britain recommends:

• Privacy Impact Assessments: all government departments should perform a Privacy Impact Assessment when developing new legislation to help service providers decide when to share data. This could be modelled on the generic Privacy Impact Assessment being developed by the Department for Constitutional Affairs (DCA).
• Targeted ICT training: the Government should investigate how Sure Start can be used to improve the IT skills and media literacy of parents. Initiatives like giving access to medical records online risk failure if parents do not have the right skills to access them.
• New e-government targets: these would be based more explicitly around user satisfaction and include calculations of time savings and service quality.

William Davies, IPPR Senior Research Fellow and report author said: “Government has done well on issues like rolling out broadband and getting computers into schools. However, there is a danger that in the name of modernisation, policy is informed by a blind faith in technology and an imagined digital future rather than a clear sense of purpose. People need to believe that technology is something we can harness rather than something that just happens to them. Innovation has to be led by the needs of the public, rather than vice versa. This is as much a challenge for industry as it is for Government.”

Editor’s note

Modernising with Purpose: A Manifesto for Digital Britain by Will Davies is available to buy from www.ippr.org

Consultation on UK implementation of the IP Enforcement Directive

The Patent Office has launched a consultation setting out proposals for implementing the Directive on the enforcement of intellectual property rights 2004/48/EC which was adopted in April 2004. Member States are required to implement the Directive by 29 April 2006.

The Commission submitted their original proposal for a Directive to ensure the enforcement of intellectual property rights in March 2003. The European Parliament’s Committee on Legal Affairs and the Internal Market agreed their report on the Directive in November 2003, and informed the Council of Ministers that they hoped the Directive could be adopted at First Reading. Following the European Parliament’s report, there were intensive negotiations in the Council Working Party and Permanent Representatives Committee which resulted in a compromise proposal that was adopted after a First Reading in April 2004. Significant changes were made in the adopted Directive compared to the Commission’s original proposal.

The Directive is broadly consistent with the current UK framework for the enforcement of intellectual property rights and provides a basis for harmonising civil measures available to enforce intellectual property rights across the European Community. The Commission’s original proposal included criminal sanctions, but most Member States (including the UK) considered it inappropriate to include them in such a Single Market measure intended to encourage the free movement of goods.

IP crime has a serious economic effect in the UK and across the European Community, and the Patent Office is continuing to adapt its role in helping fight intellectual property crime. Its IP Crime Group published the first National IP Crime Strategy in August 2004 and the first National Enforcement Report was produced in 2005. The Commission’s current work programme also includes two new proposals for criminal sanctions for intellectual property infringements, which it expects to finalise shortly.

The consultation includes a Partial Regulatory Impact Assessment that concludes that the implementation proposals strike the right balance between effective enforcement of intellectual property rights and over-regulation. The Patent Office believes this is particularly important bearing in mind the Better Regulation Action Plan announced by the Chancellor of the Exchequer (Gordon Brown) last May.

Editor’s note

The consultation on EC Directive 2004/48/EC will run until 7 October 2005. Further information from: www.patent.gov.uk/about/consultation/enforce05/indec.htm

Ofcom publishes annual report for 2004–2005

Ofcom has published its Annual Report and Accounts for the period 1 April 2004 to 31 March 2005. In 2004/2005 Ofcom sought to deliver against four key priorities. These were:

• to put in place swift and effective solutions to remove unnecessary regulation, resolve market distortions, reduce prices and take action to protect consumers;
• to make significant progress in Ofcom’s strategic reviews of the sector;
• to consolidate the post-merger efficiency gains of the prior year of establishment in order to improve effectiveness; and
• to do all of this with an operating budget 8% lower in real terms than the operating budget for 2003/2004.

The Report notes that unnecessary regulation imposes costs on business, stifles innovation and provides a barrier to market entry, increasing prices and diminishing choice for consumers as a consequence. Ofcom therefore would seek to be a deregulating regulator where feasible, operating under a bias against intervention and with a commitment to seek the least intrusive regulatory mechanisms to achieve specific policy objectives. The Report lists specific examples of targeted deregulation.

With regard to regulatory activity, during the period under review, Ofcom’s four strategic reviews – in telecommunications, spectrum, public service broadcasting and radio – either reached their conclusion or passed important milestones. Ofcom also took immediate steps to further market development and to protect the interests of citizens and consumers.

In telecommunications, Ofcom:

• took action to support lower prices and greater competition in broadband, including a 70% reduction in local loop unbundling wholesale rental costs;
• took action to protect consumers from abuse of sales and marketing techniques, such as mis-selling and slamming, in fixed-line telecoms;
• required a reduction in mobile phone network termination charges, leading to lower prices for consumers;
• took action in the premium rate services market to strengthen consumer protection and increase confidence in the governance of the industry.

In spectrum, Ofcom:

• took action to support progress towards digital switchover in television, including clarity on timing, the establishment of SwitchCo and incorporation of switchover obligations in commercial public service broadcaster licences.

In broadcasting, Ofcom:

• finalised the new Broadcasting Code, with simplified rules and greater protection for children and protection of freedom of expression for adults;
• completed research into the role of television advertising in the context of the wider public debate on childhood obesity and took action to strengthen rules governing television advertising of alcohol;
• agreed measures to ensure broadcasters meet statutory obligations to provide access services such as subtitling and audio description; and
• launched the UK’s new third tier of radio – community radio – for local groups interested in not-for-profit broadcasting with a simple, low-cost licence.

Commenting, Ofcom Chairman David Currie said: “The communications sector underpins the UK’s economic prosperity and our political democracy. Effective regulation plays a key role in ensuring those benefits flow to every consumer, business and community.”

Editor’s note

Further information from www.ofcom.org.uk

Mobile content classification – will it make a difference?

At last we have a classification framework for mobile content! Published on 7 February by the newly formed Independent Mobile Classification Body (“IMCB”), the “Guide and Classification framework for UK Mobile Operator Commercial Content Services” is the first of its kind in the world. Whilst this is clearly a welcome development in the campaign to protect children from accessing unsuitable content via mobile phones, will it make any difference in practice?

How will it affect Content Providers?

Under the framework Content Providers must self-classify visual content (i.e. still pictures, video and audio-visual content, including mobile games) to identify content which is suitable only for adults (18 years plus). They face a number of challenges in doing so. As this framework is a world “first” they will have to decide where the boundaries lie in those difficult borderline cases without having a body of accepted industry practice to refer to. Although the IMCB is offering a non-binding advice service, it may charge for this. Hardly the incentive Content Providers need to take classification seriously.

The inherent “subjectivity” involved in classification makes the process harder. Although the framework lists certain types of content which must be 18 rated (i.e. content featuring strong and foul language; sex; nudity; violence; drugs; horror and imitable techniques), it acknowledges that an 18 classification may not be appropriate in all cases. Just because a piece of content contains violence doesn’t necessarily mean it is unsuitable for children. One only has to consider the violent antics depicted in “Tom and Jerry” cartoons to appreciate that the context and way the material is presented are also relevant to the assessment.

Content Providers cannot ignore other regulations or codes of practice because they have self-classified their content. If the content is being delivered by a premium rate service mechanism they will also need to comply with the ICTIS Code on Premium Rate Services. Also, there is scope for Operators to require more detailed classification than the simple 18 plus benchmark in the framework.

Most significantly there are no formal sanctions for “misclassifying” content and it is left to the Operators to police this through their contracts with Content Providers. It is unclear how this will work in practice. What incentives will there be on Content Providers to take classification seriously? Shouldn’t Operators also take some responsibility? After all they decide and control ultimately what is published on their decks?

What does it mean for parents?

From a parent’s perspective one has to ask “Does the framework go far enough”? It does not address the area of greatest risk; that of children accessing unsuitable content via Internet connections and WAP applications on their mobile devices. It only applies to content containing visuals or graphics. Text, audio and voice services only are outside its scope despite the fact they could contain equally unsuitable content. In addition there is nothing to stop your 10 year old downloading the most violent of mobile games whilst you are “roaming” on holiday abroad. The framework only applies to content which is to be provided to UK customers of UK mobile Operators.

How many parents have heard of the IMCB or know the classification framework exists? A classification guide can only be effective if it is actually used and the boundaries of what is and is not suitable tested and challenged. Parents need to be informed of the framework and their rights to complain to their Operator, the IMCB and ultimately its appeal body if they consider an item of content has been misclassified.

Conclusion

On its own the framework is unlikely to make a difference. Other measures are required if we are to find an effective solution to protect children from accessing unsuitable content via mobile devices. Yes, the framework is helpful. Yes, it will help focus the minds of those responsible for distributing content as to what should be restricted. However, if Content Providers are to take classification seriously they need incentives to do so. Also, we need effective technical solutions to ensure that when content has been classified as “restricted”, access to it is “in fact” restricted. On this front we can learn from measures being taken elsewhere. Children in Belgium have been the first to be issued with new “smart” identity cards to protect them in the online environment and prevent paedophiles posing as children in online chat rooms. Perhaps this could be applied to the mobile Internet environment. Most importantly parents and children need to be informed of the classification scheme and educated about the responsible use of mobile devices.

Mathilde Heaton, Solicitor, DLA Piper Rudnick Gray Cary UK LLP

New division to tackle business over personal information

The Information Commissioner’s Office has established a new division devoted to protecting personal information held by businesses. The new Regulatory Action Division will use the Commissioner’s powers to regulate the behaviour of organisations and individuals that collect, use and keep personal information, to ensure compliance with the Data Protection Act 1998.

Assistant Commissioner (Regulatory Action) David Smith said: “Changes in the structure of the Information Commissioner’s Office that have come into effect this week are designed to make life tougher for the minority of businesses that don’t take their data protection obligations seriously. Previously complaints were handled by a compliance team, but now for the first time the ICO has teams of specialists devoted solely to using the Commissioner’s powers to bring about compliance with the law. Negotiation will usually be our first option, but we won’t hesitate to take legal action swiftly against businesses where the circumstances warrant it.”

There has been a recent ‘explosion’ in the number of businesses holding personal information, and with that surge, an increase in the potential for the information to be misused. The Regulatory Action Division will use powers, including criminal prosecution, non-criminal enforcement and audit to ensure that personal information is properly protected. It will take action wherever data protection obligations are ignored, examples need to be set or issues need to be clarified. This will include acting against organisations which are required to register with the Commissioner’s Office, but fail to do so.

Editor’s note

Forms of Regulatory Action available to the division include:

• Criminal prosecution: available where there has been a criminal breach of the Data Protection Act (Section 61).
• Caution: an alternative to prosecution where a criminal offence has been admitted but a caution is a more appropriate response.
• Enforcement notice: a formal notice requiring an organisation or individual to take the action specified to bring about compliance with the Act.
• Application for an enforcement order: an order issued by a court requiring a person to cease its behaviour which is harmful to consumers.
• Audit: the organisation assents to an assessment of its practices of processing personal data to ensure it follows good practice.
• Negotiation: will be used widely in order to bring about compliance with the Act and related laws.

The Division is made up of four units:

• Remedies unit: works towards the negotiated resolution of non-criminal cases.
• Audit unit: systematically checks a business’ compliance.
• Enforcement unit: responsible for non-criminal enforcement action in cases where negotiated resolution is inappropriate or not possible.
• Investigations unit: brings professional investigatory skills, particularly in relation to criminal cases.

Further information from: http://www.informationcommissioner.gov.uk/

Asylum Bill raises privacy dangers from passenger surveillance says the Law Society

Government plans for the routine and comprehensive capture and retention of passenger and crew information for all air, sea and rail travellers into and out of the United Kingdom are disturbing according to the Law Society. Proposals in the Immigration, Asylum and Nationality Bill debated before the summer recess in the House of Commons provide the legislative framework for the Government to award a contract for e-Borders technology. As well as allowing the authorities to routinely capture and share all passenger and crew information it would also give them the power to retain reservation and payment data to build up a picture of people’s travel itineraries.

Clauses 23–36 of the Bill provide a legislative foundation for the Government’s “e-Borders” programme. Routine and comprehensive data capture and sharing powers are proposed in respect of passengers, crew, service and freight arriving or leaving the United Kingdom. Passenger data will be retained and, along with reservation data, will be profiled. The Government acknowledges that much of the detail is to be decided in secondary legislation and that precise costs, and who will bear them, have not yet been settled. It anticipates that carrier check-in transaction times will be extended and has said that it is doing work to establish the practicality of charging passengers a fee to cover costs.

Janet Paraskeva, Law Society Chief Executive, is urging the Government to reveal more about its plans: “The creation of passenger audit trails and the use of data profiling raise serious privacy issues. In light of complementary Government initiatives, like the proposed National Identity Register, we would echo concerns about the dangers of a move towards a surveillance society.”

The Government acknowledges that much of the detail of its proposals will be left to secondary legislation, that costs are uncertain and may fall on passengers, and that check-in times will be affected. The Law Society believes that the history of Government IT failures does not bode well for the practical implementation of an initiative that seeks to handle hundreds of millions of arrivals and departures to and from the UK. The Government should pause for thought, engage in a wider debate and, in future, subject such proposals to full and independent Privacy Impact Assessments.

Editor’s note

The Law Society regulates and represents the solicitors’ profession in England and Wales and has a public interest role in working for reform of the law.

Magistrates to access new database to track down missing offenders

Magistrates’ courts across England and Wales are to gain electronic access to one of the country’s largest databases to help track down missing offenders who ignore fines and other court penalties. The partnership between the Department for Constitutional Affairs and the Department for Work and Pensions means that courts’ staff will be able to instantly check the latest whereabouts of missing offenders who have changed address without notifying the courts, by accessing the DWP’s electronic Customer Information System (CIS). Whilst the database contains extensive records on about 85 million people, including defaulters who have moved abroad or died, magistrates’ courts will only be able to access basic personal details such as name, address, date of birth and national insurance number.

Constitutional Affairs Minister Rt. Hon. Harriet Harman QC MP said: “One of the problems with fines enforcement is that it’s difficult to get up-to-date information on where criminals are staying so it’s hard for magistrates’ courts to track them down quickly. But the courts will soon have access to a whole lot of information that they can’t get any other way. This means they can catch up with offenders who have moved house and refuse to obey the court much more quickly and easily.”

National rollout of the database should be complete by mid September. It is anticipated that dedicated courts’ staff will make up to 340,000 enquiries in total each year. Magistrates’ courts have already been given access to a credit reference agency database to help track down offenders.

Access to existing databases is part of a concerted effort to give courts the intelligence they need to track offenders’ movements and make them comply. It is also regarded as cost effective.

Editor’s note

Whilst magistrates’ courts have previously been able to access the Department for Work and Pensions’ (DWP) database to crack down on people who willfully ignore court orders, the manual process was inefficient and ineffective. The Customer Information System (CIS) is also linked to Inland Revenue’s databases and includes personal data records for those in employment, in receipt of Child Tax or Working Families Credit as well as state benefits and pensions. Access to the credit reference agency Equifax database occurred on 5 November 2004. More than 95% of criminal cases begin and end in magistrates’ courts.

Survey shows IT profession see risk of removable media but turn a blind eye!

According to a survey on “Removable Media in the Workplace”, companies’ information security expenditure could all be for nothing as they turn a blind eye to the threat of removable media. The research, conducted by mobile security specialists Pointsec, shows that removable media devices, such as media players and USB flash drives, are now routinely used by a huge number of employees in the vast majority of UK businesses, but with little regard to the security threat they pose. A surprising two-thirds of IT professionals who use USB flash drives themselves at work admitted that they did not protect them with encryption even though they are aware of the associated dangers.

The survey highlights that a large number of organisations are yet to address the problem of removable media. With removable media plummeting in price, memory capacity soaring and more people using them at work, companies need to be aware of how easy it is for staff to use them, lose them or take competitive information away on them, all in the palm of their hands. If lost or stolen, vast amounts of valuable company information could seriously expose a company to extortion, digital identity fraud, or damage to their reputation, integrity and brand.

Some of the headline statistics from the survey, conducted amongst 300 UK IT professionals (many of whom are IT security managers), reveal that:

• removable media devices are being used in 84% of companies;
• on average 31% of employees within a company are utilising them in the office;
• 90% of those surveyed were aware of the potential danger that removable media presents;
• a third of organisations state that removable media is being used within their company without authorization;
• 41% of IT professionals are not aware how easy it is to protect the data on a removable media device.

Martin Allen, Managing Director of Pointsec UK said: “There seems little point in companies spending vast sums of money on information security if at the same time they’re letting their staff use these devices at work which allow them unhindered access to download vast quantities of sensitive company information. Storing information on devices is not a new problem – not so long ago it would have been information stored onto a 1.5 mb floppy disk, however, now the problem is a much greater storage problem and therefore, needs to be dealt with in the security policy. Organisations need to introduce strict guidelines on the use of removable media devices in the workplace, as well as investing in encryption software which will allow administrators to force the encryption of all data put onto a mobile device. Using this type of software is just as vital and inexpensive as using anti-virus software, yet only a fraction of organisations have woken up to the problem.”

The proliferation of high capacity media players and USB flash drives on the market makes it possible to save anything up to 100 GB of information on one. This means an employee could download four million documents of valuable data on what appears at first sight to be just an entertainment tool. USB pen drives and USB memory sticks can now store 4 GB of memory which equates to around 160,000 documents.
In addition, employees could unintentionally expose their organisation to infection from viruses, worms or other types of malware when these devices are used to transfer data from non-company controlled computers to the user’s computer at work.

To secure your company from the security implications associated with removable media and mobile devices Pointsec recommend that you:

• deploy user mobile guidelines or ensure that your corporate IT security policy includes corporate directives that state the importance of proper handling of mobile devices such as removable media;
• ensure that all members of staff are aware that their employment does not allow non-company devices to be used within the company network;
• use encryption software which enables centralised policy enforcement of strong encryption of all data stored on mobile devices and removable media;
• use policies to control the number of login attempts that people may use to try and get at information they shouldn’t;
• have methods in place which enable encrypted data to be decrypted in a controlled way outside the corporate network;
• the encryption process should be transparent and quick to the user, so that it does not interfere with their work or put any extra requirements on the user; and
• have methods (independent of the end user) which enable decryption of all encrypted data within the company network.

Pointsec argues that preventing people bringing removable media devices into the office is an extremely difficult problem. However, although they are fun and convenient, they are very easy to lose or abuse and therefore a real security threat. If companies are to avoid breaking new legislation such as Sarbanes Oxley, Basel 2 and The Data Protection Act, and to avoid falling victim to the havoc these tiny portable devices can cause, they need to rapidly get to grips with the risks associated with removable media and protect themselves against these risks.

Editor’s note

Further information from www.pointsec.com

United States

Distributors of “file sharing” software can be liable for secondary copyright infringement

Metro-Goldwyn-Mayer Studios Inc. v. Grokster Ltd (No. 04-480 US Supp. Ct. 27 June 2005)

The United States Supreme Court in a landmark ruling has held that one who distributes a device with the object of promoting its use to infringe copyright, as shown by clear expression or other affirmative steps taken to foster infringement, is liable for the resulting acts of infringement by third parties. Justice Souter delivered the unanimous opinion of the court in respect of respondents Grokster Ltd. and StreamCast Networks Inc. (defendants in the original trial), who distributed free software products allowing computer users to share electronic files through peer-to-peer networks. These are so called because users’ computers could communicate directly with each other, instead of through central servers. As such they needed no central computer server to mediate the exchange of information or files among users, so that high-bandwidth communication capacity could be dispensed with and the need for costly server storage space was eliminated.

Background to the case

As well as their popular use for music distribution, the benefits in security, cost and efficiency meant that peer-to-peer networks were employed to store and distribute electronic files within universities, government agencies, corporations and libraries among others. Other users of peer-to-peer networks included individual recipients of Grokster’s and StreamCast’s software. Although the networks they enjoyed through using the software could be used to share any type of digital file, such users prominently employed those networks in order to share copyrighted music and video files without authorization.

A group of copyright holders (MGM and others) sued Grokster and StreamCast for their users’ copyright infringements, alleging that they knowingly and intentionally distributed their software to enable users to reproduce and distribute the copyright works in violation of the Copyright Act, 17 U.S.C. Section 101 et seq. MGM sought damages and an injunction. Although Grokster and StreamCast did not know when particular files were copied, a few searches, using their software, would show what is available on the networks the software reaches. MGM commissioned a statistician to conduct a systematic search and his study showed that nearly 90% of the files available for download on the FastTrack system were copyrighted works. Grokster and StreamCast disputed this figure and also argued that potential noninfringing uses of their software were significant in kind and even frequent in practice.

As for quantification, MGM’s evidence gave reason to think that the vast majority of users’ downloads were in fact acts of infringement. It was also clear that well over 100 million copies of the software in question were known to have been downloaded and billions of files were being shared on the FastTrack and Gnutella networks that respectively supported the operation of the Grokster and StreamCast software. Grokster and StreamCast conceded the infringement in those downloads and it was uncontested that they were aware that users employed their software primarily to download copyrighted files, even if the decentralised FastTrack and Gnutella networks failed to reveal which files were being copied and when.

Following successful litigation against Napster Inc. by copyright holders in A & M Records, Inc. v. Napster, Inc. (114 F. Supp. 2d 896 ND Cal. 2000) (aff’d in part, rev’d in part, 239 F. 3d 1004 CA9 Cir. 2001) StreamCast sought to attract large numbers of former Napster users consequent on that company being shut down by court order. The evidence that Grokster sought to capture the market of former Napster users was sparser but interesting, since Grokster launched its own OpenNap system called Swaptor and inserted digital code into its Website so that computer users using Web searching engines to look for “Napster” or “free filesharing” would be directed to the Grokster Website where they could download the Grokster software.

Finally, there was no evidence that either company made an effort to filter copyrighted material from users’ downloads or otherwise to impede the sharing of copyright files. Although Grokster appeared to have sent emails warning users about infringing content when it received threatening notices from copyright holders, it never blocked anyone from continuing to use its software in that way. StreamCast not only rejected another company’s offer of help to monitor infringement, it blocked the Internet Protocol addresses of entities it believed were trying to engage in such monitoring on its networks.

Court rulings prior to Supreme Court

At first instance the District Court limited its consideration to the asserted liability of Grokster and StreamCast for distributing the current versions of their software, leaving aside whether either was liable “for damages arising from past versions of their software, or from other past activities”. The court held that those who used the Grokster and StreamCast’s Morpheus software to download copyrighted media files directly infringed MGM’s copyrights, a conclusion not contested on appeal. But the court nonetheless granted summary judgment in favor of Grokster and StreamCast as to any liability arising from distribution of the then current versions of their software. This gave rise to no liability in the court’s view because its use did not provide the distributors with actual knowledge of specific acts of infringement.

This was affirmed by the Court of Appeals (380 F. 3d 1154 CA 9th Cir. 2004). In the court’s analysis a defendant was liable as a contributory infringer when it had knowledge of direct infringement and materially contributed to the infringement. But the court read Sony Corp. of America v. Universal City Studios, Inc. (464 U.S. 417 1984) as holding that distribution of a commercial product capable of substantial noninfringing uses could not give rise to contributory liability for infringement unless the distributor had actual knowledge of specific instances of infringement and failed to act on that knowledge. In the Ninth Circuit’s view the fact that the software was capable of substantial noninfringing uses meant that Grokster and StreamCast were not liable because they had no such actual knowledge owing to the decentralised architecture of their software. The court also held that the respondents did not materially contribute to their users’ infringement because it was the users themselves who searched for, retrieved, and stored the infringing files, with no involvement by the defendants beyond providing the software in the first place.

Applicants MGM and many of the amici criticised the Court of Appeal’s holding for upsetting a sound balance between the respective values of supporting creative pursuits through copyright and promoting innovation in new communication technologies by limiting the incidence of liability for copyright infringement: “The more artistic protection is favored, the more technological innovation may be discouraged; the administration of copyright law is an exercise in managing the trade-off” (see Sony at 442).
In the court’s view the tension between the two values was the core subject of the case, with its claim that digital distribution of copyrighted material threatened copyright holders as never before, because every copy was identical to the original, copying was easy, and many people (especially the young) used file sharing software to download copyrighted works. The very breadth of the software’s use would draw the public directly into the debate over copyright policy. On the one side there was concern that copying songs or movies using software like Grokster’s and Napster’s fostered disdain for copyright protection. This was offset by a different concern that imposing liability, not only on infringers but on distributors of software (based on its potential for unlawful use), could limit further development of beneficial technologies.

In weighing up the issue the argument for imposing indirect liability in this case was, however, a powerful one, given the number of infringing downloads that occurred every day using StreamCast’s and Grokster’s software: “When a widely shared service or product is used to commit infringement, it may be impossible to enforce rights in the protected work effectively against all direct infringers, the only practical alternative being to delegate a distributor of the copying device for secondary liability on a theory of contributory or vicarious infringement (see In re Aimster Copyright Litigation, 334 F. 3d 643, 645–646 CA 7th Cir. 2003).”

One infringed contributorily by intentionally inducing or encouraging direct infringement (see Gershwin Pub. Corp. v. Columbia Artists Management, Inc., 443 F. 2d 1159, 1162 CA 2nd Cir. 1971). Vicarious infringement occurred by profiting from direct infringement while declining to exercise a right to stop or limit it (Shapiro, Bernstein Co. v. H.L. Green Co., 316 F. 2d 302, 307 CA 2nd Cir. 1963). Although the Copyright Act did not expressly render anyone liable for infringement committed by another (see Sony Corp. v. Universal City Studios 464 U.S. at 434) these doctrines of secondary liability emerged from common law principles and were well established in law (id., at 486).

The Supreme Court’s analysis

In analysing the issue the Supreme Court declared that it had dealt with secondary copyright infringement in only one recent case: “because MGM has tailored its principal claim to our opinion there, a look at our earlier holding is in order.” In Sony Corp. v. Universal City Studios (supra) this Court had addressed the claim that: “secondary liability for infringement can arise from the very distribution of a commercial product. There, the product, novel at the time, was what we know today as the videocassette recorder or VCR. Copyright holders sued Sony as the manufacturer, claiming it was contributorily liable for infringement that occurred when VCR owners taped copyrighted programs because it supplied the means used to infringe, and it had constructive knowledge that infringement would occur. At the trial on the merits, the evidence showed that the principal use of the VCR was for ‘time-shifting’ or taping a program for later viewing at a more convenient time, which the court found to be a fair, not an infringing use (id., at 423–424)”.

There was no evidence, therefore, that Sony had expressed the object of bringing about taping in violation of copyright or had taken active steps to increase its profits from unlawful taping. However: “Because the VCR was ‘capable of commercially significant noninfringing uses’, we held the manufacturer could not be faulted solely on the basis of its distribution. This analysis reflected a patent law’s traditional staple article of commerce doctrine, now codified, that distribution of a component of a patented device will not violate the patent if it is suitable for use in other ways” (see 35 U.S.C. Section 271(c); Aro Mfg. Co. v. Convertible Top Replacement Co., 377 U.S. 476, 485 1964).

Where an article was “good for nothing else” but infringement, there was no legitimate public interest in its unlicenced availability, and there would be no injustice in presuming or imputing an intent to infringe. On the other hand the doctrine absolved the equivocal conduct of selling an item with substantial lawful as well as unlawful uses, and limited liability to instances of more acute fault than the mere understanding that some of one’s products will be misused. It left breathing space for innovation and vigorous commerce: “The parties of many of the amici in this case think the key to resolving it is the Sony rule and, in particular, what it means for a product to be ‘capable of commercially significant noninfringing uses’ (Sony at 442)”.

MGM had advanced the argument that granting summary judgment to Grokster and StreamCast as to their current activities gave too much weight to the value of innovative technology, and too little to the copyrights infringed by users of their software, given that 90% of works available on one of the networks was shown to be copyrighted.
Assuming the remaining 10% to be its noninfringing use, MGM argued that this should not qualify as a ‘substantial’ use. The Court should therefore qualify Sony to the extent of holding that a product used “principally” for infringement did not qualify. Grokster and StreamCast replied, citing evidence that their software could be used to reproduce public domain works, and they pointed to copyright holders who actually encouraged copying. Even if infringement was the principal practice with their software today, they argued that the noninfringing uses were significant and would grow.

Findings on Sony

The Supreme Court agreed with MGM that the Court of Appeals had misapplied Sony, which it read as limiting secondary liability quite beyond the circumstances to which the case applied. Sony had barred secondary liability based on presuming or imputing intent to cause infringement solely from the design or distribution of a product capable of substantial lawful use, which the distributor knew was in fact used for infringement. The Ninth Circuit had read Sony’s limitation to mean that: “whenever a product is capable of substantial lawful use, the producer can never be held contributorily liable for third parties’ infringing use of it; it read the rule as being this broad, even when an actual purpose to cause infringing use is known by evidence independent of design and distribution of the product, unless the distributors had ‘specific knowledge of infringement at a time at which they contributed to the infringement, and failed to act upon that information’ (380 F. 3d at 1162)”.

Because the Circuit had found the StreamCast and Grokster software capable of substantial lawful use, it concluded on the basis of its reading of Sony that neither company could be held liable, since there was no showing that their software, being without any central server, afforded them knowledge of specific unlawful uses. In the Supreme Court’s view this reading of Sony was in error, converting the case from one about liability resting on imputed intent to one about liability on any theory. Because Sony did not displace other theories of secondary liability, and because the Supreme Court had found that it was error to grant summary judgment to the companies on MGM’s inducement claim, the court had not revisited Sony further, as MGM had requested, to add a more quantified description of the point of balance between protection and commerce when liability rested solely on distribution with knowledge that unlawful use would occur.

In the Court’s view it was enough to note that the Ninth Circuit’s judgment rested on an erroneous understanding of Sony and to leave further consideration of the Sony rule for a day when that may be required. The Court went on to say, however, that Sony’s rule limited the imputing of culpable intent as a matter of law from the characteristics or uses of a distributed product. But nothing in Sony required courts to ignore evidence of intent if there was such evidence, and the case was never meant to foreclose rules of fault-based liability derived from the common law. Thus, where evidence went beyond the product’s characteristics or the knowledge that it might be put to infringing uses and showed statements or actions directed to promoting infringement, Sony’s “staple-article” rule could not preclude liability. The court interpreted this to mean that one who distributed a device with the object of promoting its use to infringe copyright, as shown by clear expression or other affirmative steps taken to foster infringement, was liable for the acts of infringement by third parties. The court was mindful of the need to avoid trenching on regular commerce or discouraging the development of technologies with lawful and unlawful potential.

Mere knowledge or inducement

Just as Sony failed to find intentional inducement, despite the knowledge of the VCR manufacturer that its device could be used to infringe, so mere knowledge of infringing potential or actual infringing uses could not be enough here to subject a distributor to liability. Nor would ordinary acts incident to product distribution, such as offering customers technical support or product updates, support liability in themselves. The inducement rule, instead, premised liability on: “Purposeful, culpable expression and conduct and thus does nothing to compromise legitimate commerce or discourage innovation having a lawful promise”.

To satisfy this requirement MGM needed to adduce evidence that StreamCast and Grokster communicated an inducing message to their software users. The classic instance of inducement was by advertisement or solicitation that broadcast a message designed to stimulate others to commit violations. MGM claimed that such a message was shown in this case. It was undisputed that StreamCast had beamed onto the computer screens of users of Napster-compatible programs advertisements urging the adoption of its OpenNap program. This was designed, as its name implied, to invite the custom of patrons of Napster, then under attack in the courts for facilitating massive infringement.
Those who accepted StreamCast’s OpenNap program were offered software to perform the same services, which a factfinder could conclude would readily have been understood in the Napster market as the ability to download copyrighted music files. Grokster distributed an electronic newsletter containing links to articles promoting its software’s ability to access popular copyrighted music. Anyone whose Napster or free file-sharing searches turned up a link to Grokster would have understood Grokster to be offering the same file-sharing ability as Napster and to the same people who probably used Napster for infringing downloads.

Assessing the evidence, each company had shown itself to be aiming to satisfy a known source of demand for copyright infringement, the market comprising former Napster users. Second, the evidence of unlawful objective was given added significance by MGM showing that neither company attempted to develop filtering tools or other mechanisms to diminish the infringing activity using their software. While the Ninth Circuit had treated the defendants’ failure to develop such tools as irrelevant because they lacked an independent duty to monitor their users’ activities, “we think this evidence underscores Grokster’s and StreamCast’s intentional facilitation of their users’ infringement”. Third, there was a further complement to the direct evidence of unlawful objective. Both StreamCast and Grokster made money by selling advertising space, by directing ads to the screens of computers employing their software. As the record showed, the more the software was used the more ads were sent out and the greater the advertising revenue became. Since the extent of the software’s use determined the gain to the distributors, the commercial sense of their enterprise turned on high-volume use, which the record showed was infringing. The unlawful use was therefore unmistakable.

In addition to intent to bring about infringement and distribution of a device suitable for infringing use, the inducement theory required evidence of actual infringement by recipients of the device, the software in this case. As the account of the facts indicated: “there is evidence of infringement on a gigantic scale, and there is no serious issue of the adequacy of MGM’s showing on this point in order to survive the companies’ summary judgment requests. Although an exact calculation of infringing use, as a basis for a claim of damages, is subject to dispute, there is no question that the summary judgment evidence is at least adequate to entitle MGM to go forward with claims for damages and equitable relief”.

The Court concluded that, in sum, this case was significantly different from Sony and reliance on that case to rule in favor of StreamCast and Grokster was in error. Sony dealt with a claim of liability based solely on distributing a product with alternative lawful and unlawful uses, with knowledge that some users would follow the unlawful course. The case had struck a balance between the interests of protection and innovation by holding that the product’s capability of substantial lawful employment should bar the imputation of fault and consequent secondary liability for the unlawful acts of others: “MGM’s evidence in this case most obviously addresses a different basis of liability for distributing a product open to alternative uses. Here, evidence of the distributors’ words and deeds going beyond distribution as such shows a purpose to cause and profit from third-party acts of copyright infringement. If liability for inducing infringement is ultimately found, it will not be on the basis of presuming or imputing fault, but from inferring a patently illegal objective from statements and actions showing what that objective was.”

There was substantial evidence therefore in MGM’s favor on all elements of inducement, and summary judgment in favor of Grokster and StreamCast was in error. On remand, reconsideration of MGM’s motion for summary judgment would be in order. The judgment of the Court of Appeals was vacated and the case remanded for further proceedings consistent with this opinion. Additional supporting judgments were issued by Justice Ginsburg, with whom the Chief Justice and Justice Kennedy joined concurring, and by Justice Breyer, with whom Justice Stevens and Justice O’Connor concurred.

Information security forum warns that the cost of Sarbanes-Oxley compliance is at the expense of other security spending

A new report published by the Information Security Forum (ISF) warns that the cost of complying with the Sarbanes-Oxley legislation is diverting spending away from addressing other security threats. The global not-for-profit organisation says that many of its members expect to spend more than $10m on information security controls for Sarbanes-Oxley. The business imperative to comply also means that in many cases the true cost of compliance is unknown.

With increasing concerns about compliance, the new ISF report provides a high-level overview of the Sarbanes-Oxley Act 2002 and examines how information security is affected by the requirement to comply. The report provides practical guidance to address problematic areas in the compliance process. According to the ISF, these problem areas include poor documentation; informal controls and use of spreadsheets; lack of clarity when dealing with outsource providers; and insufficient understanding of the internal workings of large business applications.

What’s more, the Act ignores important security areas that are extremely important when dealing with risks to information, such as business continuity and disaster recovery. This makes it important to integrate compliance into an overall IT security and corporate governance strategy.

Andy Jones, ISF Consultant said: “In the wake of financial scandals like Enron and WorldCom, the Sarbanes-Oxley Act was designed to improve corporate governance and accountability but has proved difficult to interpret for information security professionals. As neither the legislation nor the official guidance specifically mentions the words ‘information security’, the impact on security policy and the security controls that need to be put into place must be determined by each individual organisation in the context of their business. Additionally, for organisations whose business is not primarily financial, for example, manufacturing or product-service industries, the diversion of information security attention from other risk areas to Sarbanes-Oxley compliance may lead to important business risks being neglected. It is important that Sarbanes-Oxley does not push organisations into following a compliance-based approach rather than a risk-based approach that may compromise information security. The ISF report helps companies to achieve compliance while also ensuring that they have the appropriate security controls in place.”

Editor’s note

The full Sarbanes-Oxley report is one of the latest additions to the ISF library of over 200 research reports that are available free of charge to ISF Members. The Information Security Forum (ISF) was founded in 1989 and is a not-for-profit international association of over 260 organisations which fund and co-operate in the development of practical, business driven solutions to information security and risk management problems. The ISF undertakes a research programme, and has invested more than US$75 million over the past 16 years in providing best practice material for its members. Further information from: www.securityforum.org.

US surveillance survey finds many companies monitoring, recording, videotaping and firing employees

From computer monitoring and telephone tapping to video surveillance and GPS satellite tracking, employers are using policy and technology to manage productivity and protect resources. To motivate employee compliance, companies increasingly are putting teeth in their technology policies. Fully 26% have fired workers for misusing the Internet. Another 25% have terminated employees for e-mail misuse. And 6% have fired employees for misusing office telephones. That is according to the 2005 Electronic Monitoring & Surveillance Survey from American Management Association (AMA) and the ePolicy Institute.

Internet, e-mail, IM and blogging

When it comes to workplace computer use, employers are primarily concerned about inappropriate Web surfing, with 76% monitoring workers’ Website connections. Fully 65% of companies use software to block connections to inappropriate Websites, a 27% increase since 2001 when AMA and ePolicy Institute last surveyed electronic monitoring and surveillance policies and procedures in the workplace. Computer monitoring takes various forms, with 36% of employers tracking content, keystrokes and time spent at the keyboard. Another 50% store and review employees’ computer files. Companies also keep an eye on e-mail, with 55% retaining and reviewing messages. Employers are doing a good job of notifying employees when they are being watched. Of those organisations that engage in monitoring and surveillance activities, fully 80% inform workers that the company is monitoring content, keystrokes and time spent at the keyboard; 82% let employees know the company stores and reviews computer files; 86% alert employees to e-mail monitoring; and 89% notify employees that their Web usage is being tracked. Commenting, Nancy Flynn, executive director of the ePolicy Institute, said: “Concern over litigation and the role electronic evidence plays in lawsuits and regulatory investigations has spurred more employers to implement electronic technology policies.
Workers’ e-mail, IM, blog and Internet content creates written business records that are the electronic equivalent of DNA evidence.” She noted that one in five employers has had e-mail subpoenaed by courts and regulators and another 13% have battled workplace lawsuits triggered by employee e-mail. She said: “To help control the risk of litigation, security breaches and other electronic disasters, employers should take advantage of technology tools to battle people problems - including the accidental and intentional misuse of computer systems, telephones and other electronic resources”.

Telephone, cell phones, camera phones and voice mail

Concerned about inappropriate telephone use, 57% of employers block access to 900 lines and other unauthorized phone numbers. The number of employers who monitor the amount of time employees spend on the phone and track the numbers called has jumped to 51%, up from 9% in 2001. The percentage of companies that tape phone conversations has also grown in the past four years. In 2001, 9% of companies recorded workers’ phone calls. Today, 19% tape the calls of employees in selected job categories, and another 3% record and review all employees’ phone chat. Far fewer employers monitor employees’ voice mail messages, with 15% reporting that they tape or review voice mail. To help manage employees’ telephone use, employers apply a combination of policy and discipline. Twenty-seven percent have a written policy governing personal cell phone use at the office, and another 19% use policy to help control the capture and transmission of images via camera phones. Six percent of companies have fired employees for misusing office phones, and another 22% have issued formal reprimands to those who abuse phone privileges.

Video surveillance

More than half of the companies surveyed use video monitoring to counter theft, violence and sabotage (51% in 2005 vs. 33% in 2001). The number of companies that use video surveillance to track employees’ on-the-job performance has also increased, with 10% now videotaping selected job categories and 6% videotaping all employees. Among companies that videotape workers, 85% notify employees of the practice.

Global satellite positioning and emerging surveillance technology

Employers have been slow to adopt emerging monitoring and surveillance technologies to help track employee productivity and movement. Employers who use Assisted Global Positioning or Global Positioning Systems satellite technology are in the minority, with only 5% using GPS to monitor cell phones; 8% using GPS to track company vehicles; and 8% using GPS to monitor employee ID/Smartcards. The majority (53%) of companies employ Smartcard technology to control physical security and access to buildings and data centers. Trailing far behind is the use of technology that enables fingerprint scans (5%), facial recognition (2%) and iris scans (0.5%).

Editor’s note

The 2005 Electronic Monitoring & Surveillance Survey is co-sponsored by American Management Association (www.amanet.org) and the ePolicy Institute (www.epolicyinstitute.com). A total of 526 U.S. companies participated: 23% represent companies employing 100 or fewer workers, 101-500 employees (25%), 501-1000 (10%), 1001-2500 (13%), 2501-5000 (7%) and 5001 or more (22%).

Study into insider threat to computer systems published

A study into computer systems sabotage and critical infrastructure sectors has been conducted by the Secret Service National Threat Assessment Centre (NTAC) and the CERT program of Carnegie Mellon University’s Software Engineering Institute. The insider effect study (ITS) focuses on the individuals who have access to information systems and have perpetrated harm using them. It examines each incident from the behavioural and the technical perspective. The study combines the Secret Service’s expertise in behavioural and incident analysis with the CERT’s technical expertise in network systems survivability and security. The ITS builds on earlier studies that focussed on identifying information that was operationally relevant and could help prevent future violent or disruptive incidents. The goal of the earlier research: “was to find information that could help enhance threat assessment efforts - efforts to identify, assess, and manage the risk of harm an individual may pose, before the individual has the opportunity to engage in violent behaviour”. The cases examined in the present insider effect study are incidents perpetrated by insiders (current or former employees or contractors) who intentionally exceeded or misused an authorized level of network, system or data access in a manner that affected the security of the organisations’ data, systems, or daily business operations. The study finds that most of the insiders who committed acts of sabotage were former employees who had held a technical position with the targeted organisation. The majority of the incidents examined were perpetrated against private sector organisations. These caused financial losses, negative impacts to business operations and damage to reputation. As a result of these incidents almost all of the insiders were charged with criminal offences and the majority with violations of federal law. Among the key findings of the ITS study are the following:

• a negative work event triggered most insiders’ actions;
• most of the insiders had acted throughout in a concerning manner in the workplace;
• the majority of insiders planned their activities in advance;
• when hired, the majority of insiders were granted system administrative or privileged access, but less than half had authorized access at the time of the incident;
• insiders used unsophisticated methods for exploiting systemic vulnerabilities in applications, processes and/or procedures, but relatively sophisticated attack tools were also employed;
• the majority of insiders compromised computer accounts, created unauthorized back door accounts, or used shared accounts in their attacks;
• remote access was used to carry out the majority of the attacks; and
• the majority of insider attacks were only detected once there was a noticeable irregularity in the information system or the system became unavailable.

Editor’s note

Available from: www.secretservice.gov/ntac/its_report_050516_es.pdf

International

WIPO recommends uniform mechanism to regulate Domain Name Registrations with introduction of new gTLDs

The World Intellectual Property Organisation (WIPO) has recommended the introduction of a uniform intellectual property (IP) protection mechanism designed to further curb unauthorized registration of domain names in all new generic Top-Level Domains (gTLDs). This comes in a report by WIPO’s Arbitration and Mediation Center (WIPO Center) on the IP implications of introducing additional generic Top-Level Domains (new gTLDs). The report says that such a preventive mechanism would complement the curative relief provided by the existing Uniform Domain Name Dispute Resolution Policy (UDRP). The report is based on WIPO’s experience in the area of IP protection in the domain name system (DNS). Commenting, Mr. Francis Gurry, WIPO Deputy Director General who oversees the work of the Center, said: “The introduction of a new gTLD presents particular challenges for IP owners seeking to protect their domain names against unauthorized registration by third parties. With the growth of Internet usage and electronic commerce, the strategic importance of domain names as business identifiers has grown significantly.” Mr. Gurry said that registering their entire trademark portfolio may often be the only way for IP owners to protect their identifiers from being “grabbed” by cybersquatters. If domain names are randomly attributed in newly opened gTLDs, IP owners will be forced to compete with cybersquatters for their own trademarks - unless additional safeguards are introduced, he added. “Our new report makes practical recommendations for addressing such issues.” WIPO’s report has been prepared in response to a request made by the Internet Corporation for Assigned Names and Numbers (ICANN), the institution that oversees the functioning of the DNS. Following the introduction of seven new gTLDs in 2000 (.aero, .biz, .coop, .info, .museum, .name, .pro), ICANN is developing a comprehensive strategy for further expansion of the DNS. The report provides input into that strategy from an IP and dispute resolution perspective. WIPO’s recommendations made in the context of the First WIPO Internet Domain Name Process in 1999 led to the adoption of the UDRP, intended to offer a quick and cost effective procedure for the independent resolution of disputes that arise from the abusive registration of trademarks as domain names.
Under the UDRP, a complainant must demonstrate that the disputed domain name is identical or confusingly similar to its trademark, that the respondent does not have a right or legitimate interest in the domain name and that the respondent registered and used the domain name in bad faith. The WIPO Center was the first UDRP service provider to be accredited in December 1999 and has since administered over 7500 cases under this policy alone. The WIPO Center has also been involved in the implementation of certain trademark protection mechanisms developed by new gTLD operators, and has handled more than 15,000 dispute resolution procedures under such mechanisms.

WIPO’s report focuses exclusively on the IP aspects that need to be taken into account if and when such extensions of the domain name space take place, and does not comment on whether further extensions are necessary or desirable. The report summarizes the WIPO Center’s UDRP experience, and notes that WIPO’s UDRP case filing rate has remained stable over the last years and recently even increased. An additional mechanism to prevent unauthorized registration of domain names during the critical introductory phase of a new gTLD would, therefore, strengthen the ability to combat the still widespread practice of cybersquatting. WIPO’s UDRP experience also shows that the first extension of the DNS in 2000 has not caused significant shifts in cybersquatting or enforcement patterns. UDRP disputes continue to concentrate heavily in the .com domain. Indeed, this trend has become even more pronounced since the introduction of the seven new gTLDs. While this may partly be explained by the availability of the start-up IP protection mechanisms adopted by .biz and .info, it more likely indicates that .com continues to be the most attractive domain for trademark owners as well as for cybersquatters. The report summarizes the WIPO Center’s experience in implementing various IP protection mechanisms developed by a number of new gTLDs and provides a comparative evaluation of existing approaches (watch services, defensive registrations, exclusion mechanisms, and pre-registration mechanisms). It notes a trend among TLDs towards sunrise mechanisms, i.e. the possibility for IP owners to register their identifiers before the general public. Experience shows that the need for IP protection mechanisms is most tangible in open gTLDs, which are not subject to clearly defined and policed registration restrictions, and which accept domain name applications from the general public.
The fewer restrictions and prior verification requirements associated with the registration process, the greater the risk of abusive registrations. The report also confirms the need for effective IP protection mechanisms to prevent new gTLDs from turning into cybersquatting havens and recommends that mechanisms should: be effective and minimize the potential for abuse; take account of rights and interests of third parties; and be practicable and straightforward in order to avoid undue delays in the introduction or functioning of new gTLDs. In conclusion, the report recommends implementing a single uniform preventive IP protection mechanism across all new gTLDs. Specifically, new gTLDs would be required to offer IP owners the option of registering their protected identifiers during a specified period before opening registration to the general public. In sponsored or restricted gTLDs, where IP owners may not be eligible to register domain names, IP owners could instead be given the option of obtaining defensive registrations during this initial period. Such a uniform mechanism would have a number of advantages:

• operators of new gTLDs would not be required to develop their own IP protection mechanisms, a task for which they are not necessarily equipped;
• ICANN would not be required to monitor the correct implementation of multiple protection mechanisms applied by different gTLDs (now that ICANN’s experimental “proof of concept” phase on new gTLDs has been concluded);
• IP owners would not be required to devote significant resources to understanding and using multiple different IP protection mechanisms; and
• the general public would benefit from enhanced reliability and credibility of domains.

Editor’s note

The report, New Generic Top-Level Domains: Intellectual Property Considerations, is available from: http://arbiter.wipo.int/domains/reports. newgtld-ip

Online music distribution providing both opportunities and challenges according to OECD report

Online music distribution is set to grow significantly over the next few years, forcing industry to reconsider their business models and posing regulatory challenges to governments, according to a new OECD report on the digital music industry. The rise of online music sales has implications for a wide range of players, including artists, consumers, the record industry, and new digital intermediaries. The OECD underlines the positive potential of digital distribution, both as a new business model and as a new social and cultural phenomenon. Its report also concludes that Internet-based piracy may be reduced, if licenced file-sharing and new forms of (super)-distribution evolve. The report is the outcome of work involving a wide range of stakeholders. It represents one of the first roadmaps as to how public policy should be re-evaluated. In particular, the OECD calls for policies which balance the interests of suppliers and users, in areas such as the protection of intellectual property rights and digital rights management, without disadvantaging innovative e-business models and new technologies. Given that the online distribution of content is a relatively new phenomenon, legal frameworks involving issues such as rights protection technologies and secure (micro)payment systems may need to be revisited. Findings of the report include:

• Around one-third of Internet users in OECD countries have downloaded files from peer-to-peer (P2P) networks, with the number of simultaneous users on all P2P networks reaching almost 10 million users in October 2004.
• In principle, file-sharing software is an innovative and promising technology. However, many P2P users are making unauthorized copies not only of music, but increasingly also of video and software.
• It is difficult to establish a basis to prove a causal relationship between the 20% fall in overall revenues experienced by the music industry between 1999 and 2003, but digital piracy may be an important impediment to the success of legitimate online content markets.
• The year 2004 marked a turning point when a range of legitimate online music services became available. By the end of 2004, there were 230 sites offering over 1m tracks online in the US and Europe.
• In the online business model, it is mainly the record labels that generate direct revenues from the sale of online music over third-party services. In the current environment, online music providers face low or zero margins, calling into question wholesale and retail pricing.
• Online music sales account for only a small share of total revenues (1-2%), but they are forecast to rise by a factor of 3-5 by 2008, representing 5-10% of revenue. In addition, there are positive and significant economic ripple effects on the consumer electronics manufacturers, the PC and telecom industries and on new digital intermediaries (e.g., digital rights management software).
• Efforts by value chain participants to vertically integrate some of the different functions along the value chain accompany the trend towards online music delivery.

• In terms of price, unbundling of music tracks may work to the advantage of the music consumer. However, there may be “cultural costs of unbundling”, including the loss of meaningful societal access to an artist’s less “commercial” offerings.

Challenges and policy considerations include:

• Standards and technical interoperability: Too many incompatible audio and DRM formats and hardware devices could depress the growth of online music. With vertical integration of the value chain, and a potential lock-in of consumers in certain standards, attention should be paid to maintaining an environment where small and innovative players can compete. A diversity of interoperable content, standards and hardware is likely to prove most beneficial to competitive online markets.
• Protection of intellectual property rights: The importance of government actions to take steps to address internet piracy is underlined. Public policy also needs to be attentive to differing approaches to establishing copyright liability of Internet intermediaries across jurisdictions; multiplicity of rights clearance, etc.
• Digital rights management (DRM): DRMs are essential to new content business models, yet they have often failed to prevent unauthorized uses. Concerns over transparency, privacy, and comparatively restrictive terms of usage rights (e.g., denial of fair use) are also flagged.

Editor’s note

This study is part of the OECD Project on Digital Broadband Content (www.oecd.org/sti/digitalcontent). The report is available at: http://www.oecd.org/dataoecd/13/2/34995041.pdf

Paris court outlaws French company’s use of biometric system to monitor employees’ working hours

Effia Services Works Council and Sud Rail Union v. Effia Services (Paris Court of First Instance, 19 April 2005).

The Paris Court of First Instance has judged that a French company’s use of a biometric fingerprinting system was unlawful because it was disproportionate and thus unnecessary to monitor employees’ working hours. The company, Effia Services, a subsidiary of the French national rail company SNCF, was responsible for baggage handling and passenger assistance in French stations. It introduced a system to monitor employees’ working hours in order to aid in the preparation of payslips. The system involved storing each employee’s fingerprints in the memory chip of their badge. Comparison of the fingerprint stored on the badge with the employee’s actual fingerprint, read by a biometric device, allowed the company to verify the presence of the employee at work. However, the employees were unhappy with the system and saw it as an infringement of their individual rights and liberties. In its judgment, the court relied upon article L.120-2 of the French Employment Code, which states that restrictions on human rights and liberties must be justified by the nature of the task to be accomplished or be proportionate to their goal. It also cited Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Directive states in its introduction that data processing systems must respect the fundamental rights and freedoms of individuals, notably their right to privacy. The court also referred to article 6, which provides that personal data must be: (i) collected for specified, explicit and legitimate purposes and (ii) adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed. The Directive was transposed by the French law of 6 August 2004 (which amended the law of 6 January 1978 relating to data processing, files and liberties) although this had not been implemented when the facts of the case took place. The court emphasized that a digital fingerprint identified a specific physical trait which was unique and permanent to each individual. The utilisation of digital fingerprinting questioned the very nature of the human body and breached individual liberties unless it could be justified for security or protective purposes in a specified locality.
The court therefore considered whether or not biometric fingerprinting was justified for the purpose of verifying employees’ working hours in order to help with the preparation of payslips. The court concluded that such an aim did not justify the construction of a database of digital fingerprints of employees working in public areas of SNCF stations. The data processing in question, when taken as a whole, was neither suitable nor proportionate to its end goal. The court, therefore, declared that the company’s use of biometric fingerprinting was unlawful. The decision is the first by a French court in relation to the use of biometric systems in French companies, although the French data protection authority, also known as the CNIL, has previously rejected certain systems on the basis that they were not justified by considerations of security or public order. However, interestingly the CNIL has authorized systems where there was no central database of fingerprints, but instead fingerprints were stored on the employee’s badge, which carries less risk in relation to individual freedom. In the Effia Services case, although the court referred to the construction of a database, it appears that there was no permanent central repository of fingerprints (although one could argue that at least temporary memorisation would be required for the biometric reader to compare the fingerprint on the badge with the fingerprint of the employee). It therefore seems that what was seen as more dangerous by the court was the fact that the biometric system was simply unnecessary in order to monitor employees’ working hours and that there was no overriding security issue.

David Taylor and Jane Seager, Intellectual Property, Technology and Media Group, Lovells, Paris.

German court holds publisher liable for hyperlink in copyright infringement dispute

It is permitted to report on software which is able to bypass copy protection, but setting a link to a producer’s homepage in the article is illegal. Thus ruled the Court of Appeals München I, Germany on March 7, 2005 (File No. 21 O 322/05). The beginning of this case was an article published on the Internet which reported on new software capable of copying DVDs and CDs even if the medium is copy protected. The producer, who was registered in Antigua, and the software were mentioned by name and a link led to the producer’s homepage. The article was based on the producer’s press release but also pointed out that by-passing copy protection using such software would be illegal in Germany. Several companies from the music industries turned against the article. Basically the court, in its ruling, balanced freedom of press against the right of property, which are both protected by the German Constitution. Without any doubt, the court deemed the software itself illegal, referring to the German Copyright Act.

Therefore, the link to the producer’s homepage helped to violate copyright and would not be protected by freedom of press. Because the user is able to find and download a limited trial version from the producer’s homepage, it is irrelevant that the link only led to the front-page. It was also irrelevant whether the software and producer were mentioned by name as most users would be able to find that software, having this information from the article, by using a search engine. Clicking on the link was much easier and the danger of violating copyrights rose significantly. Freedom of press was unable to change this result because the reporting itself was not hindered by prohibiting the link. The press, while protected by the German Constitution, was still able to work as intended without linking to the producer’s homepage. It had also to be taken into account that freedom of the press competed with property rights and, with regard to the link, property rights dominated freedom of press because such rights limited freedom of the press. The article itself was judged differently by the court. Even by describing illegal actions, including producer’s name and the name of the software, the article was protected by freedom of the press. Because the publisher dissociated itself from the producer’s press release, mentioned the prohibited use in Germany and described music industry’s point of view, the article was protected by freedom of the press. Also there was a public interest in this article because the software was capable of by-passing copy protections which had not been introduced in the market. Using these techniques, the software differed from other similar software and the public had a general interest in such information. The ruling, however, is not yet legally binding because the publisher has filed an appeal. But it is an example of how freedom of press is balanced against property rights in detailed consideration and is the first decision based on the renewed German Copyright Act.

Malte Hilpert ([email protected]) is an Associate in the Frankfurt office of Latham and Watkins. He practises in the Corporate Department, focusing on telecommunication, e-commerce, information technology and digital media.

Computer Law & Security Report (2005) 21, 378-383

EUROPEAN NATIONAL NEWS

The regular article on the developments at the national level in key European countries*

Mark Turner, Dominic Callaghan
Herbert Smith LLP, London, UK

Editor’s note

This is the first edition of a new column that will now be appearing in each edition of CLSR. It provides a concise alerting service of important national developments in key European countries and is a welcome addition to CLSR. Part of its purpose is to complement the Journal’s feature articles, EU Update and Briefing Notes by keeping readers abreast of what is currently happening “on the ground” at a national level in implementing EU level legislation and international conventions and treaties. Where an item of European National News is of particular significance, CLSR may also cover it in more detail in the current or a subsequent edition.

A. Belgium

1. Act on electronic communications

On 20 June 2005, the new Act of 13 June 2005 on electronic communications was published in the Official Journal. The Act, which entered into force on 30 June 2005, is the implementation into Belgian law of the six EU Directives that aim to reform the legal framework of electronic services. The main principle of the Act is that providers are freely able to establish electronic communications’ networks and electronic communications’ services, provided that certain conditions are fulfilled. One of the conditions is that every provider of electronic communications’ networks and services has to submit a notification to the Belgian Institute for Postal Services and Telecommunications prior to the start of its provision of networks and services. Every person or company which has submitted a notification also has to communicate its turnover and will receive an invitation to pay a contribution to the management costs of a newly established Fund for Universal Services regarding electronic communications.

* This article is in the area of IT and communications, co-ordinated by Herbert Smith LLP and contributed to by firms from across Europe.

2. Act implementing the EU Directive on copyright in the information society

On 22 May 2005, Parliament adopted the Act implementing the EU Directive 2001/29 on the harmonization of certain aspects of copyright and related rights in the information society. The Act was published in the Official Journal on 27 May 2005. The Directive was due to be implemented in national law by 22 December 2002.

0267-3649/$ - see front matter © 2005 Herbert Smith LLP. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.08.001


3. Legislation on the amicable settlement of E-Commerce Act violations

On 10 May 2005, secondary legislation was published in the Official Journal on proposing an amicable settlement to infringers of the E-Commerce Act as an alternative to the criminal sanctions. The minimum and maximum amounts that can be proposed are €50 and €1,250,000, depending on the type of infringement. http://www.staatsblad.be.

Erik Valgaeren, Partner, erik.valgaeren@stibbe.com and Frederic Debusseré, Associate, [email protected] from the Brussels office of Stibbe (Tel.: +32 2 533 53 51).

B. Denmark

1. New legislation on domain names in Denmark

On July 1, 2005, a new law relating to the administration of Danish domain names entered into force. In Denmark, there has previously been no specific legislation on domain names such as the Top Level Domain (TLD) .dk. The regulation of important questions such as proprietary rights to domain names and rights to the use of the domain name in general has been administered on a private basis, with some uncertainty as to the legal foundation of those rights. The current administrator of the TLD .dk, DIFO (Dansk Internet Forum), is a private organization. DIFO has issued terms and conditions which the registrants of a domain name under the TLD .dk must adhere to upon registration. The new law covers a series of formal issues regarding the administration of TLDs, including provisions on the public tender for the administration, the organization and function of the administrator and the establishment of an independent complaints’ commission. Further, the new law requires that the administrator issues terms and conditions that the registrants must adhere to upon registration. There are no specific requirements as to the contents of the terms and conditions. Consequently, no significant changes to the current administration are expected. The law provides that ownership to the TLD .dk as well as to any sub-level domain name is with the Danish State so that registrants only acquire a right of use to a domain name. Registrants may not register and use a domain name in conflict with “proper domain name usage”. The law also provides that registrants may not register and maintain the registration of domain names for the sole purpose of resale. There is a further prohibition on registration for the purpose of hiring out domain names.

Carsten Raasteen, Partner, cr@kromannreumert.com and Mads C.B. Lunoe, Assistant Attorney, [email protected] from Kromann Reumert, Copenhagen office, Denmark (Tel.: +45 70 12 12 11).

C. France

1. Whistle-blowing telephone hotlines: Sarbanes–Oxley vs. Data Protection

US public companies implementing whistle-blowing policies inspired by the Sarbanes–Oxley Act may find themselves at odds with the French and, possibly, other European data protection legislation. In two decisions of May 26, 2005, the French data protection authority (CNIL) disapproved the setting up by two French subsidiaries of US companies of hotlines allowing employees to anonymously report alleged violations of the law or of company rules. The CNIL found such mechanisms inherently incompatible with key requirements of the French data protection law of 1978 (as amended in August 2004), in particular:

• the requirement to process data fairly and lawfully: the hotlines would amount, according to the CNIL, to an organized “private denunciation system” likely to increase the risk of false accusations and incompatible with the duty to inform individuals of the processing of their data and of their rights under the law;
• the requirement to process data for a legitimate purpose and proportionately to such purpose: the CNIL found no valid justification for such whistle-blowing mechanisms, since companies have other, less privacy-invasive ways to prevent and track frauds (e.g. internal audits, employee training, cooperation with authorities).

Because violations of the French data protection law are punishable by up to 5 years imprisonment and a fine of up to €1,500,000, companies should take these decisions seriously.

Acknowledging the conflicting obligations of French affiliates of US companies, the CNIL has initiated discussions with the SEC and the French Ministry of Labor, to find alternative solutions that will satisfy both pieces of legislation. This issue will also be discussed at the next meeting of the European data protection authorities (the so-called “Article 29 Working Party”). In the meantime, many companies – including several large US consulting firms – have decided to withhold the launch of their whistle-blowing mechanisms in France.

Decisions (in French): http://www.cnil.fr/index.php?id=1833. http://www.cnil.fr/index.php?id=1834.

Alexandra Neri, Partner, alexandra.neri@herbertsmith.com from the Paris Office of Herbert Smith LLP (Tel.: +33 1 53 57 70 70).

D. Germany

Two recent decisions of the German Federal Court of Justice (FCJ) have clarified some fundamental legal issues relating to the Internet. Both decisions are available via http://www.bundesgerichtshof.de.

1. International jurisdiction and applicable law

The plaintiff operated a hotel chain under the German trademark “MARITIM”. The defendant operated a “HOTEL MARITIME” in Denmark, but promoted his hotels in German as well under the domain http://www.hotelmaritime.dk. The plaintiff applied for an injunction in order that the defendant would refrain from using his trademark in Germany and his domain in the German language. The FCJ confirmed its jurisdiction based on Article 5 No. 3 of the Council Regulation 44/2001/EC. Under this provision it was sufficient that a tort was alleged to have been committed in a Member State. However, the FCJ found against the charge of infringement for lack of sufficient activities in Germany. The Court required a “relevant commercial effect” in Germany (cf. http://www.wipo.int/sct/en/documents/). Mere advertising on the Internet was not sufficient for that purpose. The Court also found that the fact that the defendant had sent prospectuses in German to interested parties in Germany was not sufficient.


2. Domain name registration for speculative purposes

The FCJ (I ZR 207/01) confirmed that, in principle, the registration of generic terms as domain names is not restricted. In this case, the editor of the newspaper “Die Welt” had sued a person who had registered numerous domain names for speculative purposes, inter alia “weltonline.de”. According to the FCJ no offence contra bonos mores had been committed, even if competitors had an interest in the use of the generic term – e.g. as the owner of a corresponding trademark. Rather, the principle of priority applies. This decision highlights the weakness of a trademark based on a generic term.

Dr. Stefan Weidert, Partner, stefan.weidert@gleisslutz.com, and Frederik Brenner, Associate, [email protected], of the Berlin Office of Gleiss Lutz (Tel.: +49 30 20946412).

E. Italy

1. New Industrial Property Code expressly protects trademarks against similar domain names

The recently approved Industrial Property Code (Legislative Decree No. 30/2005) introduces an express prohibition on using domain names which are likely to cause confusion on the part of the public due to the domain name being identical or similar to an earlier trademark. In addition, the Industrial Property Code provides that the Judicial Authority can, as an interim measure, (i) issue a banning order, prohibiting the use of the domain name, and (ii) order the provisional transfer of the domain name in favour of the trademark owner. http://www.camera.it/parlam/leggi/deleghe/testi/05030dl.htm.

2. Internet publication becomes mandatory in seizure proceedings

Section 490 of the Code of Civil Procedure, as modified by the Law issued on May 14, 2005, no. 80, introduces the mandatory publication of the advice of seizure of registered movables of a certain value and of immovables not only in newspapers and on Court rolls as in the past, but also on “proper websites”. http://www.senato.it/parlam/leggi/05080l.htm.


3. Case law clarifies providers' liability for illegal information disclosed on the web

Under the Italian E-Commerce Law (Legislative Decree No. 70/03, implementing the EC Directive No. 2000/31) Internet providers are neither required to control the content of the information they transmit or store, nor to actively monitor content for any illegal activities. However, if providers do become aware of unlawful activities by their users they are bound to remove any illegal content or to inform authorities of suspicious activities. The Court of Catania in a June 2004 first-instance judgement stated that when a hosting provider actively chooses the contents to be transmitted (i.e. a so-called “content provider”) it will be directly liable for any illegal information published on the web. http://www.ictlex.net/index.php?p=411.

Salvatore Orlando, Partner, [email protected] and Roberta Falciai, Associate, [email protected] from the Rome and Milan Offices of Macchi di Cellere Gangemi (Rome office Tel.: +39 06 362141 and Milan office Tel.: +39 02 763281).

F. The Netherlands

1. Use of “modern communication tools” in decision-making processes within legal entities

On 7 March 2005 the Dutch Government deposited a Bill in Parliament that enables legal entities to use modern communication tools (such as e-mail and the Internet) in their internal decision-making process. Shareholders can, once the Bill is adopted, exercise their rights using modern communication tools. These communication tools are likely to lead to savings in administrative expenses. Management can lay down requirements as to the use of the tools. The proposed Bill now lies with Parliament for approval. http://www.overheid.nl/op/ (proposal number 30019).

2. Several stipulations of the general conditions of Dell declared unreasonably onerous and prohibited

HCC, a Dutch association of computer users, started civil proceedings against a Dutch Dell company with regard to the use and contents of Dell’s general conditions. The forum for such cases, brought before the Court by legal entities with the purpose of promoting the interest of parties, is the Court of Appeal of The Hague. Several stipulations of the conditions were declared unreasonably onerous against consumers. These stipulations related to the limitations of the use of statutory rights of consumers, limitations and exclusions of liability as well as a reference to an intellectual property and software policy. The Court prohibited Dell from using such stipulations in its conditions. http://www.rechtspraak.nl under case number 03/1463, LJ-AT1762.

3. High level of support in Dutch society for personal data protection

According to a report by the Dutch Data Protection Authority (‘DPA’), Dutch citizens regularly reflect on personal data protection. Over 90% feel legislation in the field of personal data protection is of the utmost importance. Citizens place the most confidence in the personal data handling by ‘official’ organizations such as the Dutch Tax Authority. The DPA is little known according to the report and of little direct importance to citizens. The report recommends a communication strategy to make the DPA more visible for the public and encourages companies to adopt a responsible personal data policy. http://www.cbpweb.nl/documenten/rap_2005_privacy_burgers.shtml?refer=true&theme=purple.

Further information on these subjects in English: http://www.stibbe.com/upload/b6e39f0104e21c29eb01c64.pdf.

Reinout Rinzema, Partner, reinout.rinzema@stibbe.com and Christian den Boer, Legal assistant, [email protected] from the Amsterdam Office of Stibbe (Tel.: +31 20 54 60 112).

G. Spain

1. The New Spanish National Domain Names Plan

A new regulation on the registration of “.ES” domain names, known as the National Domain Names Plan, has been adopted by the Spanish authorities. These new rules introduce a more flexible registration regime, aimed at promoting the growth of .ES domain names. According to the new Plan, the registration of .ES domain names shall be available to any person or entity “with interests or links with Spain”. Such an open formula will lead to an almost “first-come, first served” registration system. The lifting of the restrictions imposed by the previous regulations has been compensated by the creation of several mechanisms that can be used to combat abusive registrations. Among these mechanisms is an administrative dispute resolution policy relating to cases of bad-faith registration, which is based on ICANN’s UDRP. Another significant change introduced by this new set of rules is that a domain name shall be fully transferable by its owners, something that was not possible under the previous rules.

In order to avoid conflicts, a “Sunrise Period” is being used. It is divided into two phases. Phase One was completed on July 7, 2005. During that phase the registration of .ES domain names was reserved to Spanish public institutions. They were entitled to register those domain names which corresponded to their official names. Phase Two will begin in September 2005 and will last 45 days. The exact launching date has not been announced yet. During this phase the holders of trademarks, trade names, denominations of origin, as well as companies, foundations and associations (whose official names are contained in the corresponding public registries) shall be entitled to register the .ES domains that correspond to those names or signs.

Jorge Llevat, Partner, jorge.llevat@cuatrecasas.com, and Albert Agustinoy, Associate, [email protected], from Cuatrecasas (Tel.: +34 93 290 55 85).

H. Sweden

1. New IT Bill – an information society for all

The Swedish Government has recently published an IT Bill (prop 2004/05:175) describing the new Swedish IT policy. The goal of the IT policy is to form an information society for all. Skills, user confidence and accessibility are the three main instruments that will be used to achieve that goal. The issue of Internet security is also identified as a priority area, as well as issues relating to the use of the Internet by children. The Bill includes inter alia proposals for a new Act on national Internet Top Level Domains and changes in the Electronic Communication Act as well as the Rights of Way Act. The Government has also proposed a review of the Electronic Communication Act to make the appeal process more efficient and provide stronger protection of legal rights. http://www.regeringen.se/sb/d/4218/a/47411 (in Swedish).

2. Supreme Court judgement – personal data on a web site are not considered a transfer of personal data to third countries

The Swedish Supreme Court (judgement HD B 3042/03 from 2005) has recently ruled that personal data are not to be considered as being transferred to third countries if a person in an EU Member State publishes personal data on a web site and the provider of the web server is established in the same or another EU Member State. The provisions on transfer of personal data to third countries in the Swedish Personal Data Act are, according to the Swedish Supreme Court, to be construed similarly as the provisions in Directive 95/46/EC of the European Parliament and the Council of Europe. The Swedish Supreme Court’s ruling is therefore in line with the Court of Justice of the European Communities’ judgement C-101/01 from 2003 (the “Bodil Lindqvist” decision). http://www2.thomsonfakta.se/westlawse/index.asp?id=3&dPID=614 (in Swedish).

Björn Gustavsson, Partner, bjorn.gustavsson@vinge.se and Eva Fredrikson, Associate, [email protected] from Advokatfirman Vinge KB (Tel.: +46 8 614 30 00).

I. United Kingdom

1. UK Information Commissioner promotes simpler online privacy policies

The UK IC has released research showing that the majority of people learn little from data protection ‘small print’ as set out in Fair Processing Notices (FPNs), because they are too lengthy and use legal jargon. The UK IC encourages the use of the next generation of multi-layered privacy statements. The first layer gives the basic information and then allows users to click through to obtain more detail. (N.B. This move to multi-layered privacy notices follows on from an earlier EU Article 29 Working Party Opinion.)

Article 29 Working Party Opinion: http://europa.eu.int/comm/justice_home/fsj/privacy/workinggroup/wpdocs/2004_en.htm.

2. DTI reviews the scope of protection for ISPs

The Department of Trade and Industry is seeking the views of UK business and consumers on whether Articles 12–14 of the Electronic Commerce Directive, which limit the liability of ISPs where they act as mere conduits, caches or hosts of information, and which were transposed into UK law by the Electronic Commerce (EC Directive) Regulations 2002, should now be extended to providers of hyperlinks, location tools and content aggregation services. This is a key issue given the drive by the software, music and film industries to pursue anyone that facilitates IP piracy. http://www.dti.gov.uk/consultations/files/publication-1498.pdf.

3. UK opts in to proposed Regulation Establishing a European Small Claims Procedure

The UK has formally agreed to take part in the scheme, which will apply to claims less than €2000. It will overcome the existing complications in relation to the recognition and enforcement of judgements in other countries. This initiative is important for the growth of E-Commerce as the majority of B2C transactions fall well below that threshold. The UK’s Department of Trade and Industry (DTI) have issued a public consultation on how this scheme could be implemented in the UK.

DTI consultation: http://www.dca.gov.uk/consult/smallclaims/smallclaims.htm.

Mark Turner, Report Correspondent, Partner, mark.turner@herbertsmith.com, and Dominic Callaghan, Associate (Australian qualified), [email protected], from the London Office of Herbert Smith LLP (Tel.: +44 20 7374 8000).

Computer Law & Security Report (2005) 21, 384–391

EU UPDATE

Baker & McKenzie’s regular article tracking developments in EU law relating to IP, IT and telecommunications

Jonathan Westwell, Miriam Andrews, Carlo Buckley, Sarah Lynam
Baker & McKenzie

Abstract

This is the latest edition of Baker & McKenzie’s column on developments in EU law relating to IP, IT and telecommunications. This article summarises recent developments that are considered important for practitioners, students and academics in a wide range of information technology, e-commerce, telecommunications and intellectual property areas. It cannot be exhaustive but intends to address the important points. This is a hard copy reference guide, but links to outside web sites are included where possible. No responsibility is assumed for the accuracy of information contained in these links. © 2005 Baker & McKenzie. Published by Elsevier Ltd. All rights reserved.

A. General intellectual property

1. Commission proposes harmonisation of criminal measures for IP infringements

On 12 July 2005 the Commission adopted proposals for a Directive and a Framework Decision (COM (2005)276) aimed at harmonising national criminal law with respect to infringement of intellectual property rights. In April 2004 the IP Enforcement Directive (2004/48/EC) came into force providing for the harmonisation of various civil and administrative measures and remedies to combat counterfeiting and piracy. The current proposals are considered necessary to supplement the IP Enforcement Directive by providing for the alignment of criminal sanctions. The proposed Directive focuses on the definition of offences and the type of penalties which may be imposed, whereas the Framework Decision lays down detailed rules on the level of penalties and other measures to ensure co-operation between Member States.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/906&format=HTML&aged=0&language=en&guiLanguage=en
Proposal: http://europa.eu.int/eur-lex/lex/LexUriServ/site/en/com/2005/com2005_0276en01.pdf

0267-3649/$ - see front matter © 2005 Baker & McKenzie. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.08.009


2. EU–US anti-piracy declaration

On 20 June 2005 the EU and the US released a joint statement declaring their intention to work together to fight against global piracy and counterfeiting. The statement focuses on three areas: promoting strong and effective internal and border enforcement; a strengthening of co-operation; and the fostering of public–private partnerships aimed at protecting intellectual property.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=PRES/05/157&format=HTML&aged=0&language=EN&guiLanguage=en

B. Copyright and trade marks

1. New reform proposed for musical licensing over the Internet

On 7 July 2005 the Commission published a study on how copyright for musical works is licensed for use on the Internet. The study sets out the Commission’s objectives and options for adapting cross-border collective rights management in order to maximise the potential of music to drive online content services. See article below for further detail.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/872&format=HTML&aged=0&language=EN&guiLanguage=en

2. Infringement proceedings against France, Finland, Spain and the Czech Republic for non-implementation of 2001 Copyright Directive

On 13 July the Commission announced its intention to take action against four Member States concerning their incomplete implementation of the Copyright Directive (2001/29/EC). It will send “reasoned opinions” under Article 228 of the EC Treaty to France and Finland requesting them to comply immediately with ECJ judgments concerning their implementation of the Directive. It will send the Czech Republic a letter of formal notice under Article 226 EC, the first stage in proceedings, and send Spain an informal letter asking how it intends to comply with an existing judgment of the ECJ on its non-implementation.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/872&format=HTML&aged=0&language=EN&guiLanguage=en

C. Patents

1. Software Patent Directive rejected

On 6 July 2005 the European Parliament voted by a large majority to reject the Council’s common position for adopting a Directive on the patentability of software and other computer-related inventions (11979/1/2004 – C6-0058/2005 – 2002/0047(COD)). The Commission has said that it will not come forward with more proposals. The vote puts an end to a fierce debate that has raged for three years. Large software suppliers, supporting the proposed Directive, argued that patents would encourage research spending and defend European inventions from US competition. “Open source” supporters and small businesses critical of the Directive claimed that there was sufficient protection already in place and the patenting of software would result in increased legal costs.

Press Release: http://www2.europarl.eu.int/omk/sipade2?PUBREF=-//EP//TEXT+PRESS+DN20050706-1+0+DOC+XML+V0//EN&L=EN&LEVEL=2&NAV=X&LSTDOC=N#SECTION1

2. Commission adopts a second report on biotechnological inventions, covering gene patents and stem cells

On 18 July 2005 the Commission adopted a second report (COM (2005)312) to the Council and the Parliament covering developments and implications of patent law in the field of biotechnology and genetic engineering. The report focuses on patents relating to gene sequences and the patentability of inventions relating to stem cells, concluding that monitoring needs to continue in these areas.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/960&format=HTML&aged=0&language=en&guiLanguage=en
Report: http://www.europa.eu.int/comm/internal_market/en/indprop/invent/index.htm

D. Data protection/privacy

1. New drive for data retention legislation following London terror attacks

On 13 July 2005, in an emergency meeting called by the UK’s Home Secretary in the wake of the London bombings, the Council announced its intention to agree a Framework Decision on retention of communications data as soon as October 2005. Previously, the European Parliament had rejected Member States’ proposals for data retention on 7 June 2005 in line with the views of the Civil Liberties, Justice and Home Affairs Committee of the Council. See article below.

2. EDPS provides guidelines on balancing data protection rights with rights to access information

On 12 July 2005 the European Data Protection Supervisor (the “EDPS”) issued a paper with guidelines for dealing with requests for access to public documents containing personal data. The EDPS paper highlights the background and importance of both rights concerning data protection and those associated with access to information, and guides the reader through the process of consideration. It includes examples from the EU institutions and a checklist for officials dealing with the possible tension between both rights.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=EDPS/05/3&format=HTML&aged=0&language=EN&guiLanguage=en
Paper: http://www.edps.eu.int/publications/policy_papers/Public_access_data_protection_EN.pdf

3. Decision adopted over transfer of data to Canada

On 18 July 2005 the General Affairs and External Relations Council decided to sign an agreement with Canada providing for the transfer of selected passenger data from the EU to the Canadian authorities to help identify passengers who could be a threat to security.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/965&format=HTML&aged=0&language=EN&guiLanguage=en

E. Competition law

1. Commission delivers review of 200th notification by Member States of measures to improve competition

On 14 July 2005 the Commission announced that it had completed its 200th assessment of national regulators to improve competition in the electronic communications market. Since the entry into force of the regulatory framework for electronic communication services in July 2003, Member States must ensure effective competition in their national electronic communications markets and notify their analyses and proposed regulatory measures to the Commission for assessment. The Commission’s role in this procedure is to ensure consistency of the EU rules throughout the Single Market.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/926&format=HTML&aged=0&language=EN&guiLanguage=en

F. Telecoms

1. Commission issues Communication on Universal Services Directive ‘Safeguarding E-Communications Services for all in the Internet Era’

On 25 May 2005 the Commission issued a Communication on the review of the scope of universal service in accordance with Article 15 of Directive 2002/22/EC. In the Communication the Commission states that there is no current need for new legal requirements for mobile and high-speed Internet services under the EU’s universal service rules. However, it recognised that in the future, as services traditionally carried by telephone networks become increasingly Internet based, the focus of universal service may evolve towards providing an affordable broadband access link for all.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/594&format=HTML&aged=0&language=EN&guiLanguage=en
Communication: http://europa.eu.int/information_society/topics/ecomm/doc/useful_information/library/communic_reports/universal_service/com_2005_203_en.pdf

2. Commission takes action against 11 Member States for failure to implement electronic communications rules

On 7 July 2005 the Commission sent letters to 11 Member States for failure to implement properly EU rules on electronic communications. The Member States involved were: the Czech Republic, France, Greece, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia, Slovenia and Finland. The Commission has already taken action against 10 Member States earlier this year. Action against Poland and Latvia has now reached the stage of ‘Reasoned Opinion’ whilst the others have received ‘Letters of Formal Notice’. This latest round of infringement proceedings tackles issues of direct relevance to users and to the effectiveness of Member States’ regulatory regimes. The main issues surround the independence of national telecoms regulators, the requirement of number portability and of comprehensive subscriber directories, designation of “universal service” providers, and the availability of the European emergency number 112.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/875&format=HTML&aged=0&language=EN&guiLanguage=en

3. Commission decision enables faster wireless access

On 14 July 2005 the Commission adopted a Decision on the harmonised use of radio spectrum in the 5 GHz frequency band for the implementation of Wireless Access Systems including Radio Local Area Networks. The decision makes available a substantial amount of radio spectrum throughout the European Union for radio local area networks – commonly known as “Wi-Fi” – and used to provide access on the move to the Internet and private networks. The decision is part of the i2010 initiative to foster growth and jobs in the digital economy.

Decision: http://europa.eu.int/information_society/policy/radio_spectrum/docs/ref_info/5ghz_com_decision/5ghz_com_dec_en.pdf
Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/929&format=HTML&aged=0&language=EN&guiLanguage=en

G. Information technology

1. Commission takes legal action against eight Member States over electronic waste

On 11 July 2005 the Commission formally requested Estonia, Finland, France, Greece, Italy, Malta, Poland and the UK to transpose into their national laws three EU Directives tackling the environmental problems caused by the growing amount of electronic and electrical waste. The three Directives concerned are Directive 2002/96/EC on waste electrical and electronic equipment, as amended, Directive 2003/108/EC amending Directive 2002/96/EC on waste electrical and electronic equipment and Directive 2002/95/EC on the restriction of the use of certain hazardous substances in electrical and electronic equipment. The deadline for implementation of these Directives was 13 August 2005.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/895&format=HTML&aged=0&language=EN&guiLanguage=en

2. Commission launches ambitious information technology programme

On 1 June 2005 the Commission announced that it was launching a five-year strategy aimed at boosting the digital economy. The initiative i2010: European Information Society 2010 has three priorities: to create an open and competitive single market for information society and media services within the EU, to increase EU investment in research on information and communication technologies (ICT) by 80%, and to promote an inclusive European information society. Member States are asked to define national information society priorities in their national reform programmes in mid-October 2005 to contribute to the objectives of i2010.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/643&format=HTML&aged=0&language=EN&guiLanguage=en

H. E-commerce

1. Commission receives authorisation to open E-contracting negotiations

On 7 July 2005 the Commission received authorisation from the Council to open negotiations on behalf of the EU, within the United Nations Commission on International Trade Law (UNCITRAL), on a draft UN Convention aimed at making it easier to conclude international business-to-business contracts electronically. The Commission’s aim will be to ensure compatibility between the draft Convention and Directive 2000/31/EC on electronic commerce.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/873&format=HTML&aged=0&language=EN&guiLanguage=en


2. New Member States accede to Rome Convention on applicable law

On 8 July 2005 all 10 of the EU’s newest Member States signed up to the Convention on the law applicable to contractual obligations opened for signature in Rome on 19 June 1980, and to the First and Second Protocols on its interpretation by the Court of Justice of the European Communities.

Convention: http://europa.eu.int/eur-lex/lex/LexUriServ/site/en/oj/2005/c_169/c_16920050708en00010009.pdf

3. Directive on unfair commercial practices signed

On 12 June 2005 the Directive on unfair business-to-consumer practices in the internal market (Directive 2005/29/EC) (the “UCP Directive”) came into force. It was adopted by the Council on 21 April 2005 and was signed by the European Parliament and the Council on 11 May 2005. It must be implemented by 12 June 2007. In June 2005 the UK’s Department of Trade and Industry commissioned an independent report to provide an analysis of the application and scope of the UCP Directive.

Directive: http://www.dti.gov.uk/ccp/topics1/pdf1/ucpoj110605.pdf
Report: http://www.dti.gov.uk/ccp/consultpdf/final_report180505.pdf

4. Government consults on extending E-commerce Directive to providers of hyperlinks and other services

On 8 June 2005 the UK’s Department of Trade and Industry published a consultation document seeking views of UK businesses, consumers and other organisations on whether Articles 12 to 14 of the Electronic Commerce Directive (Directive 2000/31/EC), transposed into UK law by the Electronic Commerce (EC Directive) Regulations 2002, should now be extended to providers of hyperlinks, location tool and content aggregation services.

Consultation Document: http://www.dti.gov.uk/consultations/files/publication-1498.pdf
Directive: http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=32000L0031&model=guichett


I. Internet

1. Commission opens consultation on broadband gap

On 14 July 2005 the Commission opened a consultation on the policy measures needed to bridge the gap between levels of high-speed Internet access across Europe. Comments are invited on the Commission’s working paper ‘Broadband access and public support in under-served areas’. The paper presents the pros and cons of various initiatives to extend broadband coverage, describes alternative technologies and provides examples of publicly-financed broadband projects. The consultation is open until 16 September 2005.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/928&type=HTML&aged=0&language=EN&guiLanguage=en
Consultation: http://europa.eu.int/information_society/eeurope/i2010/digital_divide/index_en.htm

J. Media

1. Final phase in consultations on modernising EU rules for audiovisual content

On 12 July 2005 the Commission made subject to public consultation preliminary conclusions drawn from consultations with experts and stakeholders on the future EU rules for audiovisual content. Following this final round of consultations, the Commission will present a proposal for the new EU rules, which will eventually replace the Television Without Frontiers Directive of 1989. These changes to the EU rules for audiovisual content are part of the Commission’s i2010 initiative, launched in June 2005. This consultation ends on 5 September 2005.

Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/908&format=HTML&aged=0&language=EN&guiLanguage=en

K. Outsourcing

1. Commission publishes guidance on new e-procurement rules

On 15 July 2005 the Commission published a document providing interpretation and explanation of the new rules on e-procurement. The e-procurement rules form part of the two new public procurement Directives (2004/18/EC and 2004/17/EC). The new Directives aim to computerise traditional procedures for the award of contracts and to introduce both new purchase techniques and new instruments made possible by the advances in technology and the Internet. Member States must implement the Directives into national law by the end of January 2006.

Guidance: http://europa.eu.int/comm/internal_market/publicprocurement/e-procurement_en.htm
Press Release: http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/05/948&format=HTML&aged=0&language=EN&guiLanguage=en

2. Draft regulations implementing EU public sector and utilities procurement

The Office of Government Commerce (the “OGC”) is consulting on regulations to implement the EU public sector and utilities procurement Directives (2004/18/EC and 2004/17/EC). Following last year’s consultation on the general approach to be adopted in the UK’s implementation, the OGC is now inviting comments from the public sector and utilities and their suppliers and potential suppliers on the detail of the draft regulations. The deadline for responses is 12 September 2005.

Consultation Document: http://www.ogc.gov.uk/embedded_object.asp?docid=1003746

L. Retention of data proposal on the prevention of terrorism

In April 2004 the governments of the UK, France, Ireland and Sweden proposed a draft EU Framework Decision (the “Decision”) which included pan-European rules for the retention of electronic communications data. The Decision, if adopted, would have meant that all communications location and traffic data, including subscriber and user data, would have to be retained by communications service providers for between 12 and 36 months. The aim was to aid the prevention, investigation, detection and prosecution of crime or criminal offences including terrorism. On 7 June 2005 the European Parliament, in line with the views of the Civil Liberties, Justice and Home Affairs Committee of the Council, rejected the Decision on three grounds: the Council’s incorrect choice of legal basis; the disproportionality of the measures and the possible contravention of Article 8 of the European Convention of Human Rights (ECHR).

Choice of legal basis

The Decision was proposed under the Treaty on European Union (TEU) which meant that the Council could use its sole legislative power and the Parliament only had a consultative role. The Parliament disagreed with this approach and felt that Community legislation on the obligations of service providers already existed and that the legal basis chosen by the Council was contrary to the TEU, which states that the TEU should make no changes to the Treaties establishing the European Communities (TEC). Accordingly, no provision of the TEU may affect those of the TEC and the failure of the Council to observe the existing legislative framework constituted a contravention of such law. The Parliament therefore believed that service providers’ obligation to retain data should fall under the scope of the TEC and that the co-decision procedure should be followed, enabling the Parliament to undertake a more influential role in the implementation of such measures.

Proportionality

The Parliament considered that the obligations imposed by the Decision were not justified. It believed that the measures were unfairly harsh and inappropriate in tackling the concerns at hand. In particular, the Parliament highlighted the following issues:

• The sheer volume of data to be stored would mean that any meaningful analysis of such data would be extremely slow and difficult.
• Terrorists would easily be able to circumvent the measures.
• The measures were not compatible with the principle of presumption of innocence.
• The burdens placed on the European telecommunications industry, particularly on small and medium-sized telecom companies, would lead to huge costs which could potentially distort competition.

Article 8 ECHR

In line with Article 8(2) of the ECHR a measure must be laid down by law, necessary in a democratic society, and serve one of the legitimate purposes specified in the ECHR. In light of the above arguments the Parliament did not believe that the Decision fulfilled all three criteria. The Parliament believed that in comparison with the proposal for ‘blanket’ data retention under the Decision, storage for a specific purpose, a model laid down by the Council of Europe’s Convention on Cybercrime (ETS No.185, 8 November 2001), could be a more suitable and milder option.

Impact of the recent London attacks

On 13 July 2005, the Civil Liberties, Justice and Home Affairs Committee of the Council met in an emergency meeting to discuss data retention again, within the wider context of the EU’s response to the terror attacks on London. The Council announced at this meeting that it intends to agree a Framework Decision on the retention of data and suggested that this will be done by October 2005. Although concerns over data retention proposals still remain, it seems that the London bombings have dispelled some of the concerns about the original proposal raised by member states in the Council. Despite this, the European Parliament could still challenge the legal basis on which these new proposals are being put forward.

M. EU Commission proposes new system for cross-border collective rights management of online music

On 7 July 2005 the European Commission published the Study on a Community Initiative on the Cross-border Collective Management of Copyright, in which it proposed a new system for the cross-border collective rights management of online music. The management of copyright protected works by collecting societies in the EU is currently on a country-by-country rather than pan-European basis. Reciprocal agreements between collecting societies in different countries do exist, but commercial users who wish to use copyright works as part of online content must currently obtain clearance from many different societies across the EU. As the online music industry has grown rapidly over the past few years, this is becoming increasingly complex and expensive and is believed to be affecting the uptake of online music downloading in the EU. For example, online music downloading was eight times higher in the US than in Western Europe. The Commission considered that the figure in Western Europe may be higher if improvements were made in the way in which copyright for online music services is cleared.

Consequently, the Commission has published this study and is proposing a pan-European licence to overhaul this system. The Commission’s objective in doing this is to encourage legal music downloads, which it regards as a potential driver of e-commerce in the EU, and to increase the confidence of copyright rights-holders that they will be financially rewarded regardless of where their works are exploited. Specifically, the Commission hopes that the proposed changes will:

• Establish a collective licensing policy that will promote the development of new Internet-based services;
• Give rights-holders the freedom to choose the best placed collecting society and the ability to switch between different societies if desired;
• Improve distribution of royalties; and
• Improve transparency and accountability of societies.

The study considers three options for the future of cross-border collective rights management:

• To allow the industry itself to develop a more efficient system;
• To remove certain restrictions from the current system, such as territorial restrictions in reciprocal agreements between the collecting societies, and restrictions relating to the distribution of royalties;
• To permit rights-holders to choose their preferred collecting society to manage their works across the whole of the EU, which would provide legal certainty for commercial users as to the scope of the licence and the territory covered.

The Commission provisionally concluded that the third option is the most preferable, as permitting rights-holders to choose their collecting society would create a competitive environment and enhance the earning potential of the rights-holders. This would also provide the collecting societies with an incentive to provide optimal services to their clients. The Commission is also proposing seven core principles that member states must adhere to in order to enable the implementation of the new system.

Although it is generally recognised that modernisation is required, the introduction of such a system is not without its opponents. GESAC, which represents European collecting societies, has questioned the effectiveness of the system and would like more examination of the legal security and costs involved. Further comments are welcomed by the Commission until 28 July 2005.

For further information on any of the above, please contact Harry Small (harry.small@bakernet.com) of the Intellectual Property and Information Technology Department of the London office of Baker & McKenzie (Tel.: +44 20 7919 1000). Mr Small was assisted in the preparation of this article by Miriam Andrews, Jonathan Westwell, Carlo Buckley and Sarah Lynam.

Computer Law & Security Report (2005) 21, 392–404

DIGITAL SIGNATURE SECURITY

Is internet security a major issue with respect to the slow acceptance rate of digital signatures?

Aashish Srivastava

Department of Business Law and Taxation, Monash University, Australia

Abstract

Over the years the Internet has established itself to be the most widely accepted form of communication. On the other hand, it has also proved itself to be an extremely insecure network. An issue is whether the insecure nature of the Internet creates a lack of trust or reluctance on the part of individuals and businesses to use Electronic Signatures, and in particular, Digital Signatures? This paper attempts to answer this question by examining two issues. First, how secure is the process of issuance of Digital Signature Certificates (DSCs)/key pairs by a Certification Authority (CA)? Second, what are the security issues associated with the storage of DSCs/key pairs? It is shown in the paper that the issuing of DSCs/key pairs by the CAs to their subscribers is a fairly secure process. However, the storing of DSCs/key pairs is a major security issue. It is suggested that legislation should make it mandatory for CAs to issue DSCs/key pairs on portable information storage devices. It is further suggested that CAs issue DSCs/key pairs on secure and user friendly portable information storage devices such as the flash disk. Finally, it is argued that, though the security of the DSCs/key pairs stored on flash disks can be further enhanced through the use of biometrics, legislation should tread carefully when laying down any rules or guidelines in this regard because of the privacy and sensitivity issues associated with the use of biometrics.

© 2005 Aashish Srivastava. Published by Elsevier Ltd. All rights reserved.

0267-3649/$ - see front matter © 2005 Aashish Srivastava. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.06.009


A. Introduction

Over the last three decades the Internet has proved itself to be the most widely accepted means of communication. On the other hand, it has also proved to be an extremely insecure network. The figures relating to hacking, spam and virus attacks are alarming and increasing year by year.¹ The Drug and Crime Prevention Committee Report (2004) submitted to the Parliament of Victoria, Australia stated that ‘[s]eventy-nine per cent of the respondents [believed] that a security breach to their electronic commerce system would most likely occur via the Internet or other external access’.² These concerns regarding the insecure nature of the Internet create a lack of trust or reluctance on the part of individuals and businesses³ to use the Internet to transmit important and confidential information. However, the question arises whether this lack of trust fostered by security concerns also extends to the reluctance in the use of Electronic Signatures (ESs), and in particular, Digital Signatures (DSs). This paper attempts to answer this question by examining two issues. First, how secure is the process of issuance of Digital Signature Certificates (DSCs)/key pairs by a Certification Authority (CA)? Second, what are the security issues associated with the storage of DSCs/key pairs? To do so the appropriate legislation of Australia, the United Kingdom (UK), India and Hong Kong (HK) will be analysed with a view to finding how the law relating to this matter is being implemented. The models presented by these countries throw considerable light on the issue. The paper concludes with certain suggestions for the improvement in the law.

1 Sullivan Brendan, Deloitte: Tech future includes cybercrime, nanotechnology: Digital crime and online security threats are expected to skyrocket in ’05, 20 January 2005, Computerworld www.computerworld.com/printthis/2005/0,4814,99097,00.html at 9 May 2005; Gaudin Sharon, Last Year’s Security Problems May Balloon in 2004, 14 January 2004, eSecurityplanet.com www.esecurityplanet.com/trends/article.php/3299121 at 1 April 2004.
2 Drugs and Crime Prevention Committee, Parliament of Victoria, Inquiry into Fraud and Electronic Commerce:-Final Report (2004), Parliament of Victoria, [75] www.parliament.vic.gov.au/dcpc/Reports/DCPC_FraudElectronicCommerce_05-01-2004.pdf at 21 April 2004.
3 “The internet offers huge scope for ... business ... but security urgently needs to be improved.” See Markillie Paul, ‘A survey of e-commerce: Unlimited opportunities?’ The Economist, 15–21 May 2004, 14. Also see Roberts Paul, Gartner: Consumers dissatisfied with online security, 6 December 2004, The Industry Standard www.thestandard.com/movabletype/datadigest/archives/000706.php at 9 May 2005.


B. The process of issuance of DSs: how secure is it?

The issuance of DSCs/key pairs can be divided into the following four steps:

• The applicant applies online to the CA.
• The applicant appears personally before the CA with proof of identity.
• The CA issues Personal Identification Number (PIN) and Uniform Resource Locator (URL) address to the applicant through e-mail.
• The applicant copies and pastes the PIN at the designated URL to install/import the DSC/key pairs.

In the following paragraphs these four steps are discussed together with how secure or insecure each step might be.

1. The applicant applies online to the CA for DSC/key pair

The first step for an issuance of a DSC/key pair is performed by the applicant i.e. the applicant enrols himself/herself online by visiting the web server of the CA.⁴ In this process, when the applicant connects his computer, via the Internet, to the CA’s server a secure channel is established between the computer and the server. In other words, the data transferred between the subscriber’s computer and the CA’s web server is in an encrypted form and can only be decrypted at either end. This is evident from the fact that a pad lock⁵ appears at the right hand bottom of the screen of the applicant’s computer. When the applicant clicks on this pad lock a new window appears on his/her computer screen that displays the security settings of the CA’s server. Mostly, the security setting used in such a process is Secure Socket Layer (SSL). The following Fig. 1⁶ shows this process.

4 A web server can be understood as a computer that delivers web pages through the Internet to one’s computer when he/she connects to that web server by entering the Uniform Resource Locator (URL) address of that web server. E.g. the web server of Verisign Australia (A Gatekeeper accredited CA in Australia) is www.verisign.com.au/gatekeeper at 3 May 2005.
5 If a pad lock appears on a web page it means that there is a secure session between the web server and the computer that is accessing the resources from that web server.
6 This figure shows a 128 bit SSL encryption.


Figure 1

Thus, how secure the enrolment process is depends upon the security of the SSL encryption. Doubts have been cast as to the inherent security of SSL and it has been argued that SSL does not supply the security that the user believes it does. A Swedish hacker has shown Reuters news agency that SSL’s traffic is vulnerable to attacks and can be broken open.⁷ In the past, security of 40 bit SSL encryption has been decoded within a few hours.⁸ However, it is presumed that 128 bit SSL, which is used in the enrolment process, is extremely secure because if the same process is used that was used to decrypt the 40 bit SSL, the time required to break it will be 1 trillion years.⁹ Thus, the security of the enrolment process for a DSC/key pair is limited to the security provided by 128 bit SSL encryption.

2. Applicant appears personally before the CA with proof of identity

After the online enrolment the applicant has to personally appear before the CA¹⁰ and satisfy the identity requirement. The security risk at this stage is extremely high and any error in verifying the identity of the applicant by the CA may lead fraudsters to apply for DSCs/key pairs using fake and fabricated documents.¹¹ The reason for this is that, with the advancement in the quality of desktop publishing technology, anybody having basic knowledge of computers can create fake documents such as a mark sheet, driving license, passport and insurance cards to satisfy the identification requirement.¹² This has happened in the past whereby Verisign, a globally renowned CA, issued DSCs/key pairs to an impostor who fraudulently claimed himself to be an employee of Microsoft.¹³ In order to minimise this security risk some CAs have started to corroborate the identity of the DS applicant by either cross-checking the identity documents supplied by the applicant with the authorities that issued those documents or by confirming it through a publicly available database. For example, Equifax Secure, a CA in the UK, does not require applicants to satisfy any Evidence of Identity (EOI) points or provide any identity documents but verifies their identity through its database. The advantage, however, with Equifax Secure is that it is a private sector database that contains data of more than 300 million consumers and businesses worldwide.¹⁴ However, this is not the case with CAs in Australia, India and HK. In Australia the CAs require an applicant to satisfy EOI points requirement by providing the requisite identity documents such as passport, driving license, birth certificates and so on.¹⁵ CAs in India require the applicants to submit a ‘Certificate Application Attestation Form’ attested by the Bank Manager of the applicant’s bank along with copies of the identity documents such as passport, driving license, identity card attested either by a notary public, class 3 gazetted officer or the applicant’s bank manager.¹⁶ In HK, however, the process of authentication is satisfied by an applicant by presenting his/her HK Identity Card to the CA.¹⁷

For non-individual applicants the process is quite similar. The authorised representative, on behalf of the organisation, acts as the applicant for DS. He/she satisfies his/her identity requirement to the CA in the same way as an individual applicant. Apart from this, they satisfy the organisation’s requirement by submitting the photocopy of the relevant documents such as the Certificate of Incorporation, Memorandum of Association along with the authority letter to act as an authorised representative on behalf of the organisation.

7 Reuters, Expert: bank yields to Microsoft flaw, 26 August 2002, ZDNet <http://news.zdnet.com/2100-1009_22-955442.html> at 17 December 2004.
8 Murray Eric, SSL Server Security Survey, 31 July 2000, ZDNet http://whitepapers.zdnet.co.uk/0,39025945,60022893p39000485q,00.htm at 21 August 2004.
9 SSL Certificate FAQ: Is 128-bit SSL encryption really stronger than 40-bit SSL encryption?, Verisign www.verisign.com/products-services/security-services/ssl/ssl-information-center/faq/ssl-encryption.html at 27 April 2005.
10 Some CAs in countries such as Australia take the assistance of a Registration Authority (RA) for this task who reports the outcome to the CA. However, in other countries such as India and HK there is no RA and the task of the RA is performed by the CA itself. See www.verisign.com.au/gatekeeper for Verisign (Australia), a Gatekeeper accredited CA in Australia that takes assistance from RA (Australia Post). Also see www.safescrypt.com for SafeScrypt, a CA in India and www.hongkongpost.gov.hk/index.html for Hongkong Post, a CA in HK.
11 Barker Garry, ‘Stolen identity: the hidden cost’, The Age (Melbourne), 13 July 2002; Federal Trade Commission, Identity Theft Survey Report, 2003; Hewitt Sue, ‘New fraud laws plan Bid to protect identities’, Sunday Herald Sun (Melbourne), 13 July 2003.
12 Barker Garry, ‘Technology Making Fraud Easy’, Sunday Age (Melbourne), 4 April 2004.
13 Though, it was soon revoked by Verisign when it realized its mistake. See Gomes Ferdinand, SECURITY ALERT: Fraudulent Digital Certificates, 7 June 2001, SANS (SysAdmin, Audit, Network, Security) www.sans.org/rr/papers/13/679.pdf at 22 March 2004.

3. The CA issues PIN and URL address to the applicant through e-mail

Once the applicant has satisfied the identity requirement the CA will issue a PIN and a URL address to the applicant through e-mail. The pasting of this PIN at the stated URL will allow the applicant to download his/her DSC/key pair.¹⁸ This process of issuance of PIN and URL address through an e-mail by CAs makes it vulnerable to attack by hackers. There are two reasons for this. First, the e-mail sent by the CA to the subscriber containing the PIN and the URL is unencrypted. The Internet being an open and insecure network,¹⁹ such an e-mail is easily susceptible to attack during its transmission from the CA’s server to the subscriber’s²⁰ computer.²¹ Hackers can easily intercept such unencrypted e-mails and steal the PIN and URL address. Second, even if it is assumed that such an e-mail has safely reached the subscriber’s computer the PIN and the URL address contained in the e-mail are prone to attack because e-mails are secured inappropriately through a mere password. Passwords are weak security measures²² and anybody with only meagre technical knowledge can break the subscriber’s e-mail password to steal the PIN and URL address. Fig. 2 illustrates this drawback.

So does this mean that if a hacker is able to steal the PIN of the subscriber, either during its transmission from the CA’s server to the subscriber’s computer or by cracking the subscriber’s e-mail password, he/she will be able to create a DSC/key pair in the name of the subscriber? Probably not! How technology ensures this is explained in the next step.

14 See FAQ, Equifax Secure www.equifaxsecure.co.uk/digitalcertificates/dc_tfaq.html at 14 May 2005.
15 See Identification Requirements, Verisign Australia www.verisign.com.au/gatekeeper/validation.shtml at 14 May 2005.
16 See Identification Requirements, SafeScrypt (India) www.safescrypt.com/support/Enrollment-Guide-RCAI3-org.html at 14 May 2005.
17 See Identification Requirements, Hongkong Post (HK) www.hongkongpost.gov.hk/product/ecert/apply/index.html#2 at 14 May 2005.
18 However, apart from the PIN there is no other requirement or field on the URL/web page e.g. a ‘security question’ such as date of birth or the subscriber’s mother’s maiden name, etc for the subscriber to fill into.
19 See above note 2.

Figure 2 [diagram; label: “Password Attack”]

4. The applicant copies and pastes the PIN at the designated URL to install the DSC/key pairs

Now, let us suppose that the e-mail containing the PIN and the URL sent by the CA reaches the subscriber’s computer; it may or may not have been tampered with, either during transmission or at its destination, in the third step. The fourth step is then performed by the subscriber, i.e. the pasting of the PIN at the mentioned URL to install/import the DSC/key pair. This process of pasting the PIN at the mentioned URL is similar to the process used by the subscriber in the first step to enrol for the DSC/key pair i.e. the data transferred between the CA’s server and the computer from which the PIN is being pasted is in an encrypted form. Once the PIN has been pasted in the required field on the designated URL, the CA’s server checks its database to confirm the identity related to that PIN. It checks whether the computer from which the PIN is being pasted is the same that was used to enrol for the DSC/key pair, in the first step.²³ The following Fig. 3 displays this process.

Figure 3 [diagram; label: “Server confirms that pasting of PIN is by the same computer as was used to enrol in first step”]

If a different computer from the original computer is used, the DSC/key pair will not be allowed to be downloaded and the message ‘Private key not found’ will be displayed on the screen.²⁴ This means that even if a hacker is able to steal the PIN in the third step it will be of no use to him/her unless he/she is using the subscriber’s computer. The reason for this is that the hacker will have to use the same computer to paste the PIN at the mentioned URL, which was used by the subscriber in the first step, to enrol for his/her DSC/key pair (Fig. 4).

Thus, the whole process of issuing of DSCs/key pairs, though an online electronic process, is a fairly secure process. However, once the DSC/key pair has been installed the question is where to store the key pairs, especially the private key.²⁵ Most of the common forms of storage devices still contain security risks. In the following paragraphs some of the devices for storing the private key are described, and their security is examined.

20 After fulfilling the registration requirement the applicant can now be termed as a subscriber.
21 E-mail messages have been disrupted in the past whereby an impostor succeeded in getting the America Online Internet address changed. See Anderson John C. and Closen Michael L., ‘Document authentication in electronic commerce: the misleading notary public analog for the digital signature certification authority’ (1999) 17(3) The John Marshall Journal of Computer & Information Law 833.
22 How and why passwords are insecure is explained later on in this article.
23 Not only this, the web browser used must also be the same in both the steps. E.g. if the web browser at the time of enrolment for DSC/key pair in the first step is Netscape Navigator then at the time of pasting of the PIN it should also be Netscape Navigator and not Microsoft Internet Explorer.
24 See FAQ-Personal Certificates, SafeScrypt (India) www.safescrypt.com/faq/index.html at 14 May 2005.
25 It is the private key that is required to create a DS, therefore it needs to be secured by the subscriber. The public key can be considered similar to an e-mail address or a telephone number and is therefore not required to be kept secure.
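The binding described in step 4, modelled as an added Python example (not code from the paper or from any CA). It assumes the usual browser-enrolment design, in which the key pair is generated in the enrolling browser's key store and only the public key reaches the CA; the toy RSA, `ToyCA`, `BrowserKeystore` and all sample values are constructed for illustration.

```python
import hashlib
import secrets

E = 65537  # RSA public exponent

def _is_prime(n):
    """Miller-Rabin with fixed small bases; adequate for a demonstration."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(candidate):
            return candidate

def generate_keypair(bits=512):
    """Toy textbook RSA (no padding, short modulus): returns (public, private)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            return (p * q, E), (p * q, pow(E, -1, phi))

def _digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(private, msg):
    n, d = private
    return pow(_digest(msg), d, n)

def verify(public, msg, signature):
    n, e = public
    return pow(signature, e, n) == _digest(msg)

class BrowserKeystore:
    """Key store of one browser on one computer (hypothetical model)."""
    def __init__(self):
        self._private = {}  # public key -> private key; never leaves this object
        self.certs = {}
    def enrol(self):
        public, private = generate_keypair()
        self._private[public] = private
        return public  # step 1: only the public half is sent to the CA
    def install(self, cert):
        if cert["public"] not in self._private:
            raise LookupError("Private key not found")
        self.certs[cert["subject"]] = cert
    def sign_as(self, subject, msg):
        return sign(self._private[self.certs[subject]["public"]], msg)

class ToyCA:
    """Hypothetical CA; its own signature on the certificate is omitted here."""
    def __init__(self):
        self._issued = {}
    def register(self, subject, public):
        pin = secrets.token_hex(8)  # step 3: sent by unencrypted e-mail
        self._issued[pin] = {"subject": subject, "public": public}
        return pin
    def pickup(self, pin):
        return self._issued[pin]  # a certificate holds public data only

def demo():
    """Steps 1-4 for the subscriber, plus a pickup with the PIN on another PC."""
    ca, subscriber_pc, other_pc = ToyCA(), BrowserKeystore(), BrowserKeystore()
    pin = ca.register("subscriber@example.test", subscriber_pc.enrol())
    try:  # the PIN is used on a computer that did not perform the enrolment
        other_pc.install(ca.pickup(pin))
        outcome = "installed"
    except LookupError as exc:
        outcome = str(exc)
    cert = ca.pickup(pin)
    subscriber_pc.install(cert)
    message = b"constructed sample order"
    signature = subscriber_pc.sign_as(cert["subject"], message)
    return outcome, verify(cert["public"], message, signature)

if __name__ == "__main__":
    print(demo())
```

Under this model the PIN only releases a certificate, which is public data; the ability to sign stays with the key store that generated the key pair, which is also why the security question shifts to how that private key is stored.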

C. How secure is the stored private key?

The most common form of storage of a private key is on the hard disk of a computer, either at home or in the office.²⁶ The subscriber uses the keyboard and/or mouse to command this stored private key to generate a DS, which is then attached to a particular data message.²⁷ The security issue lies in the fact that the same command can be given by anyone who has access to the subscriber’s computer because technically it is the computer that ‘signs’ as a subscriber rather than the actual subscriber of the private key. In such a case of fraud it would be impossible for the recipient of a fraudulent message with DS to be assured whether it is the subscriber or someone else who has fraudulently signed as a subscriber by using the subscriber’s computer. In order to provide a certainty as to the authentication/identity of the subscriber in the online world, the private key is stored on the hard disk of the subscriber’s computer secured through a password. This password is created by, and known only to, the subscriber. It is only when the subscriber uses his/her password to activate the private key that a DS of the subscriber is created and embedded on to the data message.

However, the question is: are passwords adequate means to store a private key? ‘People are always a weak link, and study after study shows they will give up passwords if asked in the right way’.²⁸ Recently the organisers of a European trade show asked unsuspecting office workers travelling through the London tube for their computer passwords and more than 70% of the respondents answered without any hesitation.²⁹ Not only are people careless about the secrecy of their passwords but often the passwords they choose are inappropriate. A survey showed that one in every five persons chooses their name as a password, while one in every 10 prefers their birthday as a password.³⁰ Such simple passwords can be effortlessly cracked by an ordinary person through the use of ‘dictionary attack’ software readily available in the marketplace.

Thus, in order to protect the private key on the subscriber’s computer, instead of enhancing password-based security, the physical security of the computer will have to be enhanced. Doing this may not be a major problem as computers can be physically secured by keeping them behind locked doors or by a 24 h video surveillance. However, the private key is not only insecure because someone can physically access the computer of the subscriber by breaking the password, but its insecurity is further fuelled by the fact that most computers are connected to the Internet and operating systems on the computer cannot guarantee adequate security against hackers. The world’s most widely used operating system is also not flawless.³¹ It can allow hackers to take control of a person’s computer when the person is reading e-mail or visiting websites. The problem arises because many websites do not provide a secure “session” between the server and the subscriber’s computer.³² Such insecure paths can become easy targets of hackers, when a subscriber or any member of his/her family is using the computer for Internet chatting, visiting web pages or sending e-mails. A similar thing could happen when a subscriber is a non-individual/organisation and somebody on behalf of the organisation is using the computer in the office.

26 Especially for Non-Individual DSCs or Organisation DSCs.
27 Data message means “... information generated, sent, received or stored by electronic, optical or similar means including ... electronic mail, telegram, telex or telecopy.” See Art 2 (c) UNCITRAL Model Law on Electronic signatures (2001).
28 Regan Keith, The Fine Art of Password Protection, 7 July 2003, EcommerceTimes www.ecommercetimes.com/perl/story/21776.html at 25 April 2005.
29 Murphy Kerry, ‘Psst: a candy bar for your password?’, The Australian (Sydney), 27 April 2004.
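A check a key store could run when the subscriber chooses the password that protects the private key, written as an added Python example (not from the paper): it rejects passwords built from the subscriber's name or birthday, the choices the survey above reports, or from a small word list. The subscriber profile, `COMMON_WORDS` and the function names are constructed for illustration.

```python
from datetime import date

# Constructed sample word list; a deployment would load a much larger one.
COMMON_WORDS = ("password", "letmein", "qwerty", "welcome", "secret")

# Undo common character substitutions before matching ("p@$$w0rd" -> "password").
DELEET = str.maketrans("430157$@", "aeoistsa")


def _alnum(text):
    return "".join(ch for ch in text if ch.isalnum())


def personal_tokens(full_name, birthday):
    """Strings derived from the subscriber's name and date of birth."""
    parts = [p.lower() for p in full_name.split()]
    tokens = {p for p in parts if len(p) >= 3}
    if len("".join(parts)) >= 3:
        tokens.add("".join(parts))
    d, m, y = f"{birthday.day:02d}", f"{birthday.month:02d}", f"{birthday.year:04d}"
    for combo in ((d, m, y), (m, d, y), (y, m, d), (d, m, y[2:]), (m, d, y[2:])):
        tokens.add("".join(combo))
    tokens.add(y)
    return tokens


def audit_password(password, full_name, birthday, min_length=12):
    """Return a sorted list of reasons to reject the password (empty = accept)."""
    findings = set()
    if len(password) < min_length:
        findings.add(f"shorter than {min_length} characters")
    lowered = password.lower()
    plain = _alnum(lowered)                        # digits kept, so dates match
    deleeted = _alnum(lowered.translate(DELEET))   # substitutions undone, so words match
    for token in personal_tokens(full_name, birthday):
        if token in plain or token in deleeted:
            findings.add(f"contains personal detail '{token}'")
    for word in COMMON_WORDS:
        if word in plain or word in deleeted:
            findings.add(f"contains dictionary word '{word}'")
    return sorted(findings)


def demo():
    subscriber = ("Jane Citizen", date(1975, 3, 9))  # constructed profile
    candidates = ["jane1975", "C1t1z3n!090375", "P@$$w0rd-for-my-key",
                  "maple-Tundra-quartz-84-lantern"]
    return {c: audit_password(c, *subscriber) for c in candidates}


if __name__ == "__main__":
    for candidate, reasons in demo().items():
        print(candidate, "->", reasons or "accepted")
```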
Furthermore, in many offices, government and academic institutions, and other organisations these days, computers are generally connected to each other in the form of a network33 known as an Intranet.34 Computers in an Intranet network are also insecure and data residing on each computer, including an individual’s private key, is prone to attack from every other computer in the

30 See Being coy about your age makes good e-security sense, 18 October 2000, International Chamber of Commerce www.iccwbo.org/search/query.asp at 25 April 2005. 31 See ‘Microsoft Flaw aids hackers’, Herald Sun (Melbourne), 20 March 2003. 32 As it is provided by the CA servers in the form of SSL for generation of key pairs. 33 This network may or may not be connected to the global Internet. 34 Examples of Intranet are Local Area Network (LAN), Metropolitan Area Network (MAN) and Wide Area Network (WAN).

Figure 4 (diagram; surviving labels: ‘Server checks and finds that it is not the subscriber’s computer that is pasting the PIN’; ‘Private key not found’)

Intranet network. The reason for this is that software such as ‘Inspector Copier’ is available.35 This software can remotely back up data from an individual’s computer by bypassing operating system protections such as passwords that have been used by individuals to secure the contents on their computers.36 ‘KeyLogging’ software, which can record key strokes and capture passwords, can also be downloaded from the Internet and used by a hacker to perform attacks on password protected files such as a private key on an individual’s computer.37 Thus, the private key stored on the hard disk of a computer through a password is more susceptible to attack by hackers sitting some distance away on a remote computer, than from individuals in close vicinity to the subscriber’s computer. However, if DSCs/key pairs can be issued by CAs on portable information storage devices such as floppy disks, smart cards,38 Universal Standard Bus (USB)39

35 Burnett, Steve, Paine, Stephen and RSA Security, RSA Security’s official guide to cryptography (Osborne/McGraw-Hill, New York, 2001), 7. 36 Ibid. 37 Legon Jeordan, Student hacks school, erases class files, 11 June 2003, CNN.com www.cnn.com/2003/TECH/internet/06/10/school.hacked/ at 21 April 2005. 38 Smart cards are similar in shape and size to credit cards. However, unlike a credit card which uses a magnetic stripe for storing data, smart cards have a memory chip or a microprocessor fixed on the card and therefore it can easily perform the Public Key Infrastructure (PKI) service i.e. the subscriber signing through his/her private key and using public key/private key encryption for sending electronic documents. To use a smart card, another piece of hardware known as a smart card reader is required which is attached to the computer. See What is a smart card?, Howstuffworks www.howstuffworks.com/question332.htm at 26 April 2005. 39 USB tokens are similar in shape and size to a house key and can be plugged into the USB port which comes attached with most of the computers and laptops these days.

tokens, issues relating to the storage of the private key can be solved to a certain extent. An advantage of using these devices for storing the private key, rather than the hard disk of the computer, is that the private key is stored on a physical medium that is not exposed to the Internet when not in use. In the next few paragraphs the question will be considered whether the insecure nature of the Internet has been taken into consideration by Australia, the UK, India and HK in drafting their IT legislation and whether they provide any guidelines on the manner in which DSCs/key pairs should be issued by CAs or stored by the subscribers. If so, what are they and if not, what is the current trend as to the manner in which DSCs/key pairs are issued and stored in these countries and how secure or insecure are such processes?

1. Australia

The Australian Electronic Transactions Act 1999 (Cth) has adopted a technology neutral approach40 and thus it does not specify the mode in which DSC/key pair has to be issued. The body that grants accreditation to CAs in Australia i.e. ‘Gatekeeper’ also does not provide in its Model Certificate Policy (CP) the manner in which DSCs/key pair should be issued by its accredited CAs or stored by the subscribers. The Gatekeeper accredited CAs issue DSCs/key pairs to their subscribers by the conventional method of issuing a PIN and URL through e-mail and inviting the subscriber to visit a secure site to generate his/her DSC/key pair on to their hard disk. To quote from Verisign’s (Australia) Individual Gatekeeper CP:

6.2.7-Method of Activating Private Key
Subscribers have the option of using enhanced Private Key protection mechanisms available today including the use of smart card, biometric access device, and other hardware tokens to store Private Keys. The use of two factor authentication mechanisms (e.g., token and passphrase, biometric and passphrase) is encouraged. It is strongly recommended that the Key Holder restrict access to the Private Key by use of Activation Data, so that before an operation requiring the Private Key may be commenced the Activation Data known only to the Key Holder must be entered.41

However, recently, Verisign (Australia) has started selling smart cards and USB tokens at an additional price.42 The sale of such devices can be compared to the sale of protective mobile covers/accessories that can be purchased by a customer by paying an extra amount when buying a mobile phone.43

40 Electronic Transactions Act 1999 (Cth) s 10.

2. UK

In the UK, neither the Electronic Communications Act 2000 nor the explanatory notes to this Act provide any guidelines as to the mode in which DSCs/key pairs should be issued by the CAs to their subscribers. Rather, this is left to the industry which has established the tScheme. The tScheme grants accreditation to CAs in the UK but does not provide any guideline on the issuing of DSCs/key pairs. CAs, such as Equifax Secure,44 issue DSCs/key pairs to their subscribers by the conventional method of issuing a PIN and URL through e-mail and inviting the subscriber to visit a secure site to download his/her DSC/key pair on to their hard disk.45 Equifax Secure, unlike Verisign (Australia), does not sell private key storage devices such as smart cards or USB tokens.

3. India

India is the only country among the four chosen countries where the legislation provides for the manner in which the DSC/key pair is to be generated by the subscriber.46 The Indian Information Technology Act 2000, which is a technology specific legislation, states that ‘‘… the subscriber shall generate the key pair by applying the ‘security procedure’ …’’47 and obligates the Central Government to prescribe what the ‘security procedure’ should be. In doing so, the Central Government should take into consideration factors such as commercial circumstances prevailing at the time, including factors such as the nature of a transaction, technological capacity, costs, etc.48 Safescrypt, India’s first CA, issues DSCs/key pairs by issuing a PIN to the subscriber by e-mail and inviting the subscriber to download the DSCs/key pairs from their secure website.49 The subscriber then generates the DSCs/key pairs on to the hard disk of his/her computer. This implies that the Central Government in India considers generating DSCs/key pairs in such a way as an appropriate ‘security procedure.’ Safescrypt, like Equifax Secure, does not sell private key storage devices such as smart cards or USB tokens.

4. Hong Kong

The Hong Kong (HK) Electronic Transactions Ordinance does not specify the medium on which DSCs/key pairs should be issued by the CAs to their subscribers. However, from the start of the issuance of DSCs/key pairs in HK, CAs have been giving their subscribers an option to have their DSCs/key pairs on devices such as floppy disks apart from the method of importing/installing DSCs/key pairs from the CA’s server. According to the 2nd Annual General Meeting of the HK Public

41 See sec 6.2.7, Verisign Gatekeeper Individual Certificate Policy, July 2004, Verisign http://gatekeeper.esign.com.au/repository/gk_ind_cp.pdf at 5 May 2005. 42 See Gatekeeper: Smart Cards, Tokens and Readers www.verisign.com.au/gatekeeper/smartcards/ at 27 April 2005. 43 A subscriber can install the DSCs/key pairs either onto the smart card/USB token directly or first install it on the hard disk of the computer and then export it to such devices. 44 Equifax Secure www.equifaxsecure.co.uk at 14 April 2005. 45 Equifax Secure, Frequently Asked Questions www.equifaxsecure.co.uk/digitalcertificates/dc_tfaq.html at 14 April 2005.

46 This indirectly affects the manner in which DSC is to be issued by the CAs in India. 47 Information Technology Act 2000 (India) s 40. 48 Information Technology Act 2000 (India) s 16. 49 The CAs in India are only granted accreditation after an audit officer of the Central Government of India certifies that the infrastructure of the applicant CAs are according to the requirement. However, there is no mandatory guideline as to the manner in which CAs should issue DSCs to their subscribers. See http://cca.gov.in/organisation.jsp at 1 May 2005.


Key Infrastructure (HKPKI) forum held on 20 October 2003, out of the total number of DSCs (e-Cert)50 issued, 80% opted for the e-Cert/DSCs on a floppy disk rather than through e-mails.51 Thus, from these figures it can be inferred that Internet insecurity may not be a major issue for the drafters of the ES/DS legislation but is certainly a matter of concern for the subscribers of DSCs/key pairs. DSCs/key pairs on devices such as floppy disks certainly make them less prone to online attacks.

Thus, in all the four chosen countries, apart from HK, the general process of issuance of DSCs/key pair is through the process of issuing an e-mail and inviting the subscriber to visit a secure site to download the DSC/key pair. The option as to the medium on which the key pair is to be stored is, however, left to the subscriber. Portable information storage devices such as smart cards, USB token, etc. are becoming a viable option these days for subscribers to securely store their DSCs/key pairs away from online attacks. In the next few paragraphs the advantages and drawbacks, including issues related to security of these devices are examined.

Smart cards are quite similar in shape and size to credit cards and embedding the private key on to the smart card has various advantages as compared to when the private key is stored on the hard disk of the computer. Since the private key never leaves the smart card, storing the private key on to the smart card protects it from being spoofed by a hacker. A hash52 of the document that is to be signed using DS is created by the computer and the hash is sent to the smart card to generate a DS. The generated DS is then sent back to the computer, where it is embedded in the data message. The following Fig. 5 shows this process.

Figure 5 (diagram; surviving labels: Data message; Message digest; Smart card (private key of the subscriber); Digital signature)

However, malicious applications on the computers can make the smart card perform tasks other than those authorised by the subscriber of the DSC/key pair. For example, suppose ‘X’ is a CEO of company ‘AB’ in Melbourne and wants to send an acceptance to a proposal given to him by Y, who is MD of company ‘BC’ in Perth. ‘X’ wants to send the acceptance through an e-mail that is signed through his/her DS. ‘X’ types the e-mail ‘I accept your offer’. However, if ‘Z’, another employee of ‘AB’, thinks that the deal is not in his vested interest then he/she may write a secret

50 DSCs issued by Hongkong Post are known as e-Cert. 51 Hongkong Post, Hong Kong PKI Forum, 2nd Annual General Meeting (2003), HKPKIForum www.hkpkiforum.org.hk/docs/AGM_Presentation_2003_final.PDF at 4 May 2004. However, since June 2003, the Hong Kong Special Administrative Region (HKSAR) government is issuing Smart Identity (ID) cards to its 6.9 million residents, and individuals who are interested can get ‘free of charge’ DSCs/key pairs embedded on to their Smart ID card. See www.smartid.gov.hk/t_en/replace/ at 7 May 2005. 52 It is a process whereby the data message is passed through a hashing algorithm, which is a one-way function and an irreversible process. The result of this process is a number which is substantially smaller than the data message and is called a ‘message digest’ or ‘hash value’. Sometimes it is also referred to as the digital fingerprint of the data message. It is virtually impossible to derive the data message from its hash value. Two similar data messages if passed through the same hashing algorithm will give the same hash value. However, if one data message is even changed by a single bit the hash value will change. See www.webopedia.com.


malicious program on ‘X’s’ computer that actually says ‘I reject your offer’. Such a malicious e-mail can be signed by ‘X’, using his/her private key embedded on to the smart card and sent to ‘Z’, without him being aware of the reality. Thus, the drawback of the smart card is that it knows that it is signing but it does not know ‘what’ it is signing. It could be a genuine data message or it could be a malicious data message. Other insecurities have also been exposed in the past with respect to smart cards. It has been brought to light that as data stored in the memory of the smart card is in the form of Electrically Erasable Programmable Read Only Memory (EEPROM), logical attacks to spoof the data can be performed by the supply of fluctuating voltage and temperatures.53 It has also been uncovered that physical attacks on smart cards can be easily performed by extracting the silicon chip from the plastic card.54 In such a type of attack the plastic behind the circuit chip is removed through the use of a sharp knife so that the epoxy resin with which the circuit chip had been glued to the card is visible. The resin is then first washed in concentrated nitric acid and then in acetone to expose the silicon surface of the chip so as to spoof the data stored on it. Besides this, other insecurities associated with smart cards were also brought to light such as, ‘‘erasing the security lock bit by focusing Ultra Violet light on the EEPROM, probing the operation of the circuit by using microprobing needles, or using laser cutter microscopes to explore the chip, and so on’’.55 Research done by Monash University for the Australian Commission for the Future (ACFF) in 1996, indicated that there are plenty of ways in which the security of smart cards can be circumvented so as to carry out fraud. 
These include insecurity associated with the loss of smart cards where the smart card has not been protected through a PIN number by the owner/subscriber or where the PIN can be compromised.56 However, according to a recent report by the Drug and Crime Prevention Committee, Victoria ‘… recent technological developments have solved a number of … [security] concerns’57 associated with smart cards. The technological developments in the recent past have undoubtedly considerably enhanced the

security of smart cards. This, however, does not mean that the private key embedded on smart card is impenetrable. It merely means that such attacks by a hacker are much more difficult now than it was a few years ago. However, a major problem associated with the use of DSCs/key pairs on smart cards is that for using the smart card another device known as a smart card reader is required. But as smart card readers or terminals are not as ubiquitous as floppy drives or Compact Disk (CD) drives that are fixed in most computers, the subscriber will have to purchase a smart card reader to use his/her smart card.58 This means that the subscriber can use his/her DSC/key pair embedded smart card on his/her computer that is fitted with a smart card reader, and on those computers that have a smart card reader, the chances of which are meager. Hence, the embedding of DSCs/key pairs on to a smart card may enhance its security but certainly not its utility as it cannot be used with the same ease and effectiveness as a credit or debit card, which can be kept in one’s wallet/purse and can be used anywhere. Private keys can also be stored on devices other than smart cards such as flash disk, a type of USB token, which is similar in shape to a key but a little bit thicker in size. The functionality of a flash disk is similar to a smart card. It also provides the same level of security to a DSC/key pair as smart cards, since the private key does not leave the flash disk to sign the document. The advantage of using flash disk for storing the private key is that flash disk does not require a separate device like a smart card reader for interacting with the computer.59 The flash disk can be plugged into the USB port that generally comes as an integral part of most computers. Other technological mediums are also being developed on which DSCs/key pairs can be stored. One such product is ‘Snorkey’. 
Snorkey’s advantage is that it is a credit card sized CD and can be used in a CD drive which is found on most computers. Also, unlike smart cards, Snorkeys do not require the installation of huge drivers or other interfaces. However, the drawback with Snorkey is that it is not as secure as a smart card or a flash disk. The reason for this is that the private key is transferred from Snorkey to the computer’s memory for the signing of the data message60 and thus

53 CHAN, Siu-cheung Charles, An Overview of Smart Card Security http://home.hkstar.com/walanchan/papers/smart CardSecurity/ at 29 March 2005. 54 Ibid. 55 Ibid. 56 Centre for Electronic Commerce, Monash University, Smart Cards and the future of your money, (1996), 59. 57 Drugs and Crime Prevention Committee, above 2, 97.

58 Apart from this the subscriber will also have to install the driver of the card reader on his/her computer. 59 Only if the operating system on the computer is Windows 98 or an earlier version. 60 Though, it ensures that the private key is erased once the function has been performed by the subscriber. See Technology to make PKI affordable, Odyssey Technologies www.odysseytec. com/technology/snorkey.htm at 31 March 2005.

increases the chance of the private key being susceptible to an attack by the hacker. The other method of private key storage is storage on central servers. Sometimes, to further enhance the security of the private key, the private key is split into a few parts and each part is stored on a different server. When a subscriber wants to use the private key he/she authenticates himself/herself through a PIN/password to all the servers through a secure channel and each split key is sent by the server to the subscriber through that secure channel. When all the split keys reach the subscriber’s computer, they are combined together to form a complete private key so as to be used by the subscriber. However, whether the DSC/key pair is stored on a smart card, flash disks, Snorkey or a server, the access to the private key on these devices is secured through a PIN or a password. Thus, the security of a private key stored on these devices boils down to security of a PIN/password. It may be argued at this stage that if the security of the private key on these devices is obtained through a PIN/password and the same is true for the private key stored on the hard disk of the computer, then how can storage of the private key on these devices be any more secure than on the hard disk of a computer. There are two reasons for this. First, these devices are connected for a very short duration to the computer or external network such as Intranet or Internet and thus less susceptible to online attack. Secondly, these devices can retain their security. In other words, devices such as smart cards can prevent themselves from being misused if somebody tries to crack their PIN/password. These devices are designed in such a way that they automatically de-activate themselves if an incorrect PIN/password is typed consecutively for a certain number of times, as it happens with the wrong entry of a Subscriber’s Identity Module (SIM) number in a mobile phone.
However, this type of security system may not work when the subscriber stores the DSC/key pair on to the hard disk of the computer. Computers are generally connected to an outside network such as the Internet and/or Intranet and in such cases the whole system of password security can be by-passed by a hacker to gain access to the subscriber’s private key. However, it is possible that if somebody gets hold of devices such as smart card or flash disk, he/she can crack the subscriber’s PIN/password and misuse the subscriber’s private key. Thus, it is true that the embedding of the DSC/key pair on the above said devices can never be totally secure.
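A toy model of the signing card discussed in this section, as an added example that is not from the article: the private key stays inside the card, the card de-activates after repeated wrong PINs, and it signs whatever digest the host computer hands it. The RSA parameters, the PIN, the three-try limit and all class and function names are assumptions made for the illustration.

```python
import hashlib
import hmac

# Toy RSA parameters (constructed for this example, far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1          # two known Mersenne primes
N, E = P * Q, 65537                  # public key: modulus and exponent
_D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, used only inside the card


def digest_of(message: bytes) -> bytes:
    """Message digest, computed on the host computer."""
    return hashlib.sha256(message).digest()


def verify(message: bytes, signature: int) -> bool:
    """Anyone holding the public key (N, E) can check a signature."""
    expected = int.from_bytes(digest_of(message), "big") % N
    return pow(signature, E, N) == expected


class WrongPin(Exception):
    pass


class CardBlocked(Exception):
    pass


class SmartCard:
    """Hypothetical card: keeps the private key, exposes only sign_digest()."""

    MAX_TRIES = 3  # assumed limit for the illustration

    def __init__(self, pin: str):
        self._pin = pin
        self._d = _D
        self._tries_left = self.MAX_TRIES

    @property
    def blocked(self) -> bool:
        return self._tries_left == 0

    def sign_digest(self, pin: str, digest: bytes) -> int:
        if self.blocked:
            raise CardBlocked("card de-activated after repeated wrong PINs")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise WrongPin(f"{self._tries_left} attempt(s) left")
        self._tries_left = self.MAX_TRIES  # a correct PIN resets the counter
        # The card sees only the digest, never the text the subscriber read.
        return pow(int.from_bytes(digest, "big") % N, self._d, N)


def sign_via_host(card: SmartCard, pin: str, shown: bytes, hashed_by_host: bytes):
    """The host displays `shown` but hashes `hashed_by_host` for the card.
    On an honest host the two are the same bytes."""
    return hashed_by_host, card.sign_digest(pin, digest_of(hashed_by_host))


def demo_substitution():
    """Returns (signature valid for sent text, signature valid for shown text)."""
    card = SmartCard(pin="4921")  # constructed PIN
    shown = b"I accept your offer"
    sent, sig = sign_via_host(card, "4921", shown, b"I reject your offer")
    return verify(sent, sig), verify(shown, sig)


def demo_lockout():
    """Three wrong guesses de-activate the card; the right PIN then fails too."""
    card = SmartCard(pin="4921")
    outcomes = []
    for guess in ["0000", "1111", "1234", "4921"]:
        try:
            card.sign_digest(guess, digest_of(b"test"))
            outcomes.append("signed")
        except WrongPin:
            outcomes.append("wrong")
        except CardBlocked:
            outcomes.append("blocked")
    return outcomes


if __name__ == "__main__":
    print(demo_substitution())
    print(demo_lockout())
```

The signature verifies for the bytes the host hashed and not for the text the subscriber saw, which is the sense in which the card does not know what it is signing.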

It has been suggested that the use of biometrics by a subscriber for accessing his/her private key embedded on to the smart card or a similar device is the most appropriate and secure method.61 However, this raises the question, can biometrics provide foolproof security to the private key? The use of biometrics may enhance the security of the private key to a considerable extent, but biometrics cannot be said to be impenetrable. Security breaches can take place with biometrics too. There are various kinds of biometrics and how secure a biometric is depends upon the type of biometric that is being used. Some kinds of biometrics are highly secure while others are not so secure. For example, biometrics such as iris recognition and DNA matching are highly secure62 with an error rate as low as 1 in 1.1 million63 and 1 in 5 million respectively.64 However, these biometric security systems are extremely expensive and such high costs could not be borne by a subscriber to store his/her private key. On the other hand, biometrics such as keystroke and signature dynamics are moderately secure and fairly expensive. The most well known form of biometric to date, however, is the fingerprint. The advantage of using the fingerprint is that it has fewer ‘false positives’,65 which means that it will hardly ever allow access to an illegitimate user. However, the drawback to fingerprints is that they also show more ‘false negatives’,66 which means that sometimes the system may fail to recognise the biometric of the legitimate owner. Therefore, at times it may be possible that a subscriber may want to send an important e-mail signed through his/her DS but may not be able to activate the private key to create the DS, as the system may fail to recognise his/her fingerprint.

61 Struif Bruno, ‘Use of Biometrics for User Verification in Electronic Signature Smart Cards’ (Proceedings of the International Conference on Research in Smartcards: Smart Card Programming and Security, 2001) http://portal.acm.org/citation.cfm?id=646803.706111&coll=GUIDE&dl=GUIDE&CFID=44803737&CFTOKEN=41925274 at 25 May 2004. 62 Other forms of secure biometrics are retina recognition and vein patterns. 63 See Cole Stephen, ‘Don’t Blink Now’, Click Online-BBC World, 31 July 2003 www.bbcworld.com/content/clickonline_archive_30_2003.asp?pageid=666&co_pageid=2 at 25 October 2004. 64 Tipton Harold F. and Krause Micki, Information security management handbook (5th ed, Auerbach, Boca Raton, Fl, 2004) 14. 65 False positive is sometimes also referred to as ‘False Acceptance Rate’ (FAR). 66 False negative is sometimes also referred to as ‘False Rejection Rate’ (FRR).

Besides this, biometrics faces the same drawbacks as smart cards. For the use of biometrics the subscriber will have to install a biometric reader on his/her computer and also upload appropriate software so that the computer can interpret the data from the biometric reader. Apart from this, biometric technology is still in its infancy. The security and authentication features of biometric devices are still being tried and tested in applications throughout the world.67 Also, there are no formal standards yet with respect to biometric based indicators. A subscriber can choose to keep his/her DSCs/key pairs either on the hard disk of his/her computer or on devices such as smart cards or flash disks with or without the use of further security features such as biometrics. However, the more security features that are used, the greater the cost borne by the subscriber.

D. Conclusions and suggestions for improvement

Apparently the issuing of DSCs/key pairs by the CAs to their subscribers, though an online/electronic process, is a fairly secure process. However, to make it even more secure it should be made mandatory for CAs to issue DSCs/key pairs on a portable information storage device (without specifying any particular device as that hinders the development of other better technological devices). This will also solve, to some extent, the issue associated with the secure storage of the private key. As shown, the private key, if stored on a portable information storage device, would be more secure than when stored on the hard disk of a computer. It is suggested that the CAs should ensure that the portable information storage device should not be a smart card as it is in HK. Smart ID cards are being issued to every individual in HK and, once the issuance is complete by 2007, smart card readers will become a ubiquitous item in that country.68 This, however, is not the case for Australia, India, the UK and perhaps many other countries. CAs in these countries should also avoid floppy disks as a portable information storage device for issuing DSC/key pairs as most

67 Rohde Laura, UK passport agency begins trial on biometric IDs, 26 April 2004, Computerworld, www.computerworld.com/ governmenttopics/government/story/0,10801,92695,00.html at 26 October 2004. 68 Thus, CAs in HK can issue non-individual DSCs/key pairs on smart cards also.

laptops no longer have a floppy drive as an in-built feature. This would restrict subscribers having laptops from using DSs. The use of CDs such as Snorkey should also be avoided as a portable information storage device by CAs. As shown earlier they are insecure, require installation of huge drivers and are inconvenient to use. It is suggested that CAs issue DSCs/key pairs on portable information storage devices that can be plugged into USB ports such as the flash disk. As mentioned earlier the advantage of using flash disk is that most of the computers and laptops come fitted with USB ports and also most operating systems (exception Windows 98) can read data from flash disk without the installation of drivers. Flash disks are easy to carry, have fast processing capabilities and have a higher memory capacity as compared to other portable information storage devices. The continuous increase in the demand for flash disks has also resulted in substantial reduction in their price. CAs should ensure that the subscriber receives his/her DSC/key pair embedded on a flash disk rather than leaving it up to the subscriber to store it on an appropriate device. However, the usage of smart cards and flash disks has its own limitations. A subscriber can lose his/her smart card or flash drive and the finder may be able to crack open the subscriber’s private key and use it for malicious use. These drawbacks are similar to those associated with credit cards. However, with the success of credit cards it can be assumed that such limitations would not be a factor in the acceptance rate of DSCs/key pairs embedded on smart card or flash drive. Thus, whether it is HK, Australia, the UK, and India or as a matter of fact any other country, the usage of portable information storage devices such as smart card or flash disk will increase the security of the private key.
The security of the private key can be further enhanced and made almost impenetrable, though not completely secure, by providing another layer of security through the use of biometrics. However, among the four chosen countries it is only in HK that the biometric template in the form of a fingerprint of the subscriber is embedded on the Smart ID card of the subscriber. But the activation of the DSC/key pair of the subscriber is not through the fingerprint but by a PIN/password. It is suggested that legislation should refrain from laying down any rules or guidelines stating that the usage of biometrics as an additional security feature for storing the DSCs/key pairs is acceptable, not only because biometric technology is immature, expensive, lacks standards and has not yet been tested in day-to-day applications, but also because of the

privacy and sensitivity issues associated with the use of biometrics.69 In 1994, Blum and Litwack in their book, The E-mail Frontier, said that ‘Within three to ten years, messages that do not bear … [a] digital signature will become the exception in e-mail.’70 The timeline set by Blum and Litwack has passed. However, messages with DS are still an exception rather than the norm. Undoubtedly, the fear amongst persons that the Internet is insecure (as mentioned in the Drug and Crime Prevention Committee’s report) is the reason for the reluctance in the use of DSs. As

69 See Roberts Bill, Are you ready for Biometrics? 3 March 2003, Society for Human Resource Management; www.shrm.org/hrmagazine/articles/0303/0303hrtech.asp at 9 March 2004; Crompton Malcolm, ‘Biometrics and privacy’ (2002) 9 (3) Privacy Law and Policy Reporter 53; Tomko G, ‘Biometrics as a privacy-enhancing technology: friend or foe of privacy?’ (Privacy Laws & Business 9th Privacy Commissioners’/Data Protection Authorities Workshop, 15 September 1998) www.dss.state.ct.us/digital/tomko.htm at 25 May 2004. 70 Blum D J and Litwack D M, The E-mail Frontier: Emerging Markets and Evolving Technologies, (Addison-Wesley Publishing Company, New York, 1994) 13.

shown above, these fears are genuine and not baseless. However, if legislation mandates the compulsory usage of portable information storage devices for the storage of DSCs/key pairs without intimidating the privacy of subscribers through biometrics and if CAs also ensure the safe issuance of DSCs/key pairs on devices such as flash disks, certainly in the next three to 10 years, messages without a DS could become an exception.

Aashish Srivastava, Ph.D candidate, Department of Business Law and Taxation, Monash University, Australia.

Computer Law & Security Report (2005) 21, 405–407

ACCESS TO ENCRYPTED MESSAGES

Data – plausible deniability

Derrick Grover, Report Correspondent

Abstract

It is important to be aware that the right to inspect encrypted messages does not in itself guarantee the discovery of secret data. Complex plausible deniability methods have been investigated previously. It is possible, however, that simpler methods may suffice. © 2005 Derrick Grover. Published by Elsevier Ltd. All rights reserved.

A. Introduction

Previous issues of CLSR have discussed the role of Government agencies having the right to access encrypted data (Kennedy, 2000). There is perhaps a tendency to dwell on the use of public key and PGP systems. These systems are efficient and easy to implement now that appropriate software has been widely distributed. In so far as they provide for universal communication they have become indispensable to legitimate organisations for sending secure messages. A criminal organisation, however, may be willing to trade efficiency for immunity from discovery. In particular, if the organisation is being investigated then it needs to be able to deny, plausibly, that there are data on its system that are being withheld from the investigating agency. It is important to be aware of alternative systems that allow falsification of data held in encrypted form. Some methods that a criminal organisation might use to circumvent discovery were discussed

in Grover (2004). It is, however, likely that encryption keys derived from irrational numbers will provide a simpler method since computers can be used to calculate a key’s number sequence to any desired length. Keys that are longer than the messages to be sent prevent cryptanalysis (if the same key is used in more than one message then the chance of discovery is increased).

B. The one-time-pad

The one-time-pad is a system that simulates a key of indefinite length. It consists of a pad in which random numbers are written on successive pages. Each page is torn off as it is used so that there is no history available for the enemy to use in deciphering the message. It is not only well-known for its immunity to cryptanalysis, but also for the distribution problem necessitating an identical copy to be sent through enemy lines to the recipient.

0267-3649/$ - see front matter © 2005 Derrick Grover. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.06.013

In operation the number on the top of the pad is added to the number of the first character in the message. For example “M” is the 13th letter in the alphabet; if the pad number were 5 then “M” would be enciphered as “R” – the 18th letter. If the result is greater than 26 then 26 is subtracted. A variation on this technique, to overcome the distribution problem, is to use the sequence of letters in a book to define the pad numbers, but this is subject to the danger that the enemy has a copy, or finds a copy in the possession of the suspect. The storage capability and power of modern computers permit the full text of numerous books to be held ready for inspection.

The advent of computers, however, has changed the situation since complex algorithms can be based on a single character, or simple number, to generate a key of substantial length. Such a character or number is known as the seed for generating the sequence. The essence of the one-time-pad is that it provides a different encoding sequence for each message that is sent. This requirement could be met by changing the seed for generating the pad each day of the year using, for example, the day’s number in the year or characters at particular positions in that day’s newspaper.

C. Irrational numbers

A simple example could use the square root of the day of the year (d) to generate an irrational number of indefinite length (provided it is not a perfect square). Since this is being written on the 33rd day of the year, d = 33. To ensure that it is never a perfect square an increment (0.1) can be added to give the square root of 33.1 = 5.753259945... as the key for encryption. If a more general form such as a × d + b is used then only the numbers a and b have to be communicated to the recipient as discussed later under investigation techniques.

The other aspect of the one-time-pad is that an alternative pad can be devised that decodes the encrypted data to be a relatively innocuous message. It is a simple matter to derive an alternative key (that is declared to the enemy) by subtracting the innocuous message from the encrypted data. The alternative key then decodes the encrypted message to give the innocuous message as a substitute. Let “T Brown” be the secret data and “J Smith” the innocuous data, then:

T B R O W N + 5 7 5 3 2 5 = Y I W R Y S = encrypted message.

Y I W R Y S − J S M I T H = 15 16 10 9 5 11 = key declared to enemy.

Subtracting the declared key from the encrypted message gives the innocuous message “J Smith”. It is straightforward to use an Excel spreadsheet for this purpose as shown in the Appendix.

D. Methods of analysis

There are some well-known weaknesses in basic cryptographic systems. Letter frequency analysis can be used when a key is used repeatedly for different messages. Letter separation will identify likely words in a simple Caesar cipher. The one-time-pad should be immune to these. If, however, the different seeds used for generating the key are insufficiently separated then the first few digits of successive keys may be similar. For example the square roots of 365.1 and 366.1 are 19.10... and 19.13... Accordingly the first 3 digits of the key would be the same on successive days. If “b” in the equation “key = a × d + b” is very large then more digits might be duplicated on successive days. This would be a weakness if the opening phrases in the secret message were duplicated.

Modern computers can calculate millions of square roots in a second. If the investigator has an inkling of the method used then the line of attack can be refined. For example, if an algorithm based on square roots were suspected then an initial investigation need only check the first few characters in the code to record the set that produce legitimate words. The algorithms that produced this set could then be tested on further code to check their validity. It is likely that the choices would reduce rapidly as the length of investigated code is increased. These comments are of course only an introduction to the possibilities. More sophistication could be brought to bear with the considerable resources of the Government Communications Headquarters (GCHQ).
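The worked example of section C and the two-stage seed search outlined in section D can be reproduced as follows. This is an added Python example, not code from the article: the function names, the list of candidate names (one entry is invented) and the digit-range check on a declared key are assumptions made for illustration.

```python
from decimal import Decimal, localcontext

A_TO_Z = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # article numbering: A=1 ... Z=26


def sqrt_key(d, a="1", b="0.1", length=6):
    """First `length` decimal digits of sqrt(a*d + b), decimal point ignored.

    A perfect square would give too few digits, which is why the article adds 0.1.
    """
    with localcontext() as ctx:
        ctx.prec = length + 10                      # guard digits past the ones kept
        root = (Decimal(a) * Decimal(d) + Decimal(b)).sqrt()
    return [int(c) for c in str(root) if c.isdigit()][:length]


def shift(text, key, sign):
    """Add (sign=+1) or subtract (sign=-1) key numbers letter by letter, wrapping at 26."""
    return "".join(A_TO_Z[(A_TO_Z.index(c) + sign * k) % 26] for c, k in zip(text, key))


def declared_key(cipher, decoy):
    """Key that turns `cipher` into `decoy`: cipher minus decoy, letter by letter."""
    return [(A_TO_Z.index(c) - A_TO_Z.index(p)) % 26 for c, p in zip(cipher, decoy)]


def fits_digit_pad(key):
    """Added check: a pad read off decimal digits can only contain 0-9."""
    return all(0 <= k <= 9 for k in key)


def shared_prefix(d1, d2, a="1", b="0.1", length=10):
    """Number of leading key digits two seeds have in common (section D's weakness)."""
    n = 0
    for x, y in zip(sqrt_key(d1, a, b, length), sqrt_key(d2, a, b, length)):
        if x != y:
            break
        n += 1
    return n


def sweep_days(cipher, looks_like_text, probe=1, a="1", b="0.1", days=range(1, 367)):
    """Two-stage seed search: test `probe` letters first, then the whole ciphertext."""
    stage1 = [d for d in days
              if looks_like_text(shift(cipher[:probe], sqrt_key(d, a, b, probe), -1))]
    stage2 = [d for d in stage1
              if looks_like_text(shift(cipher, sqrt_key(d, a, b, len(cipher)), -1))]
    return stage1, stage2


# Constructed input: the article's two names plus one invented entry.
KNOWN_NAMES = ("TBROWN", "JSMITH", "ALEWIS")


def name_prefix(text):
    """Plausibility test used by the sweep: is `text` the start of a known name?"""
    return any(name.startswith(text) for name in KNOWN_NAMES)


if __name__ == "__main__":
    pad = sqrt_key(33)                               # day 33, key = sqrt(33.1)
    cipher = shift("TBROWN", pad, +1)
    decoy = declared_key(cipher, "JSMITH")
    print(pad, cipher, decoy, shift(cipher, decoy, -1))
    print("declared key fits a digit pad:", fits_digit_pad(decoy))
    print("days 365/366 share", shared_prefix(365, 366), "leading digits;",
          "with b = 1000000.1:", shared_prefix(365, 366, b="1000000.1"))
    print("seed sweep (stage 1, stage 2):", sweep_days(cipher, name_prefix))
```

The declared key contains values above 9, so it cannot itself have been read from the digits of a square root; that inconsistency is visible to anyone who suspects a digit-derived pad.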

E. Methods of discovery

The vast quantity of data that is transferred over the Internet makes it infeasible to monitor all traffic. Priority must evidently be given to suspicious circumstances. How safe from discovery is an organisation that tries to hide secret code? Various methods such as steganography are available. Steganographic methods for hiding data in pictures, music and digitised conversation have been reviewed in Grover (1998). Methods for checking unusual characteristics of images that have been modified to hide data have been described in Petitcolas et al. (1998). Whilst the data may not be retrieved, the methods may arouse suspicion and justify closer investigation. Alternatively images can be distorted in ways that destroy the format of hidden data. Whether the encrypted data of one-time-pads are a form of steganography is debatable. Strictly speaking the secret data lies in the key itself.

How might an investigating agency go about discovering the key? The first line of attack must be to check the plausibility of the innocuous message obtained by the declared key. Evidently such a message must be sensitive enough to justify encrypting it. Preparing an alternative innocuous message for every secret message that is sent is an administrative overhead that will doubtlessly fail from time to time. There is the added burden that both the secret and declared messages should be of the same length; this would mean that filler characters would have to be added retrospectively to the secret message to conform to the length of the declared data. This problem may be manageable when the data are held on the user’s own system. A list of, for example, information identifying collaborators may be changed infrequently and the effort required to generate an alternative list, to be declared, may be tolerable.

The problem becomes greater when the data are communicated to collaborators around the country. The investigating agency is likely to have the resources to raid, simultaneously, the systems of suspects. In order to be plausible they must be able to declare the same key in order to reveal the same message. The key distribution problem then arises, albeit it is the distribution of an unimportant key for an innocuous message that does not reveal the criminal data.


F. Conclusions

Technology provides extensive methods for communication. The potential for hiding messages is only limited by the ingenuity of the user, but the resources and ingenuity of the investigators may be sufficient for discovery or at least to identify a suspicious situation. From the criminal organisation’s point of view, the weakness lies in the administrative overhead required to provide a plausible history to an investigating authority.

Appendix

 | Text | Equivalent numerals
Secret message in clear: | TBROWN | 20 2 18 15 23 14
Add key number | | 5 7 5 3 2 5
Encrypted message: | YIWRYS | 25 9 23 18 25 19
Subtract substitute | JSMITH | 10 19 13 9 20 8
Declared key | | 15 16 10 9 5 11

References

Grover D. Steganography for identifying ownership of copyright. The Computer Law and Security Report 1998;14:121–2.
Grover D. Dual encryption and plausible deniability. The Computer Law and Security Report 2004;20:37–40.
Kennedy G. Encryption policies. The Computer Law and Security Report 2000;16:240–7.
Petitcolas FAP, Anderson RJ, Kuhn MG. Attacks on copyright marking systems. Springer lecture notes in computer science 1525 - second international workshop on information hiding, IH’98, Portland: Oregon; 1998. p. 218–38.

Computer Law & Security Report (2005) 21, 408–414

PROFILING OF CYBER CRIME

Criminal profiling and insider cyber crime

Nick Nykodym, Robert Taylor, Julia Vilela
Management Department, College of Business Administration, University of Toledo, Ohio, USA

Abstract

On a global scale, cyber crime has skyrocketed with the advancement of the electronic medium. While progress is being made in combating cyber crime (particularly with the Council of Europe’s Convention on Cyber Crime), a large gap continues to exist in legislative compatibility across international borders. Often overlooked in regards to profiling is cyber crime. The idea that an individual committing crime in cyberspace can fit a certain outline (a profile) may seem farfetched, but evidence suggests that certain distinguishing characteristics do regularly exist in cyber criminals. This can be particularly useful for companies (the most often hindered victims of cyber crime) attempting to do away with cyber criminals inside their own walls (the most common type of cyber criminals). Whether they are simply breaking company policy by browsing the Internet while on the clock or embezzling thousands of dollars through the company’s network, insiders are a very real problem that companies spend millions of dollars annually to prevent. An accurate profile of an inside cyber criminal may help in identifying both prospectively and retrospectively. © 2005 Nick Nykodym, Robert Taylor & Julia Vilela. Published by Elsevier Ltd. All rights reserved.

A. History of profiling

The profiling of criminals dates back to the 15th century. The investigative technique’s path through history has been, at times, poorly documented and marred with occasional inaccurate findings and prejudices. As many adversaries as the method seems to have, however, there exist strong instances throughout history in which the process has produced incredible results that demand attention and consideration. Today, profiling takes a very different form than it did in the 1400s. Since the 1970s the United States Federal Bureau of Investigation has recognized criminal profiling as an official field and has advocated its use in retrospective analysis. While opinions differ on the most effective profiling process, real world instances have proven that criminal profiling can be helpful and can lead to accurate arrests. Alone, however, profiling is completely useless and potentially dangerous. It must be combined with detailed case analysis, accurate information and demographics, precise crime scene investigation,

0267-3649/$ - see front matter © 2005 Nick Nykodym, Robert Taylor & Julia Vilela. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.07.001

and reliable records and statistics to provide its true worth.

The acknowledged account of profiling can be traced back to the 1400s[1] when the fear of witches and a strong demand for a system of identifying them led to the publication of Malleus Maleficarum, which came to serve as an outline for recognizing witches.[2] Through the ages the field of profiling and identifying criminals based upon distinguishable characteristics has taken many forms and has evolved greatly. From the 18th century studies of Franz Gall[3] and the eventual development of the field of cranioscopy (Phrenology): the belief and study that a person’s psychological aspects (including criminal inclinations) could be assessed by examining the bumps and depressions on the skull, and the fingerprint identification system influenced by Galton in the late 1800s,[4] to the release of the Criminal Man in 1876, great study has gone into what makes criminals different from the law abiding men and women.

Modern criminal identification systems can be traced to the notorious case of Jack the Ripper. Dr. Thomas Bond investigated the case and, applying psychology to profile the perpetrator and assess the scene, exceeded the limits of profiling during this era.[5] His intuitive skills were so precise that he had even pinpointed physical characteristics (neatly dressed, middle-aged, harmless looking, etc.) of the perpetrator, and accurately reconstructed his personal environment (reserved, eccentric, living in respectable surroundings, etc.).

In the late 1950s, psychiatrist James Brussel took a psychoanalytical approach to profile the “Mad Bomber”. After reviewing the evidence and other facts, Dr. Brussel provided authorities with a profile to work with: the bomber is an educated eastern European male between 40 and 50 years old. He is an unmarried, paranoid personality type probably living with a female relative. His physique is neat, clean-shaven, with a muscular build. Because he is a detail-oriented person, he resents criticism and feels he is superior to others. Brussel concluded,

[1] Woodworth, M., Porter, S. (1999); “Historical foundations and current applications of criminal profiling in violent crime investigations” Expert Advice, 7: 241–264.
[2] Kramer, H. and Sprenger, J. (1970) Malleus Maleficarum. New York, B. Blom.
[3] Wikipedia. “Franz Joseph Gall”. Jan. 05. Online Posting. Wikipedia.org. Accessed: January 21, 2005. http://en.wikipedia.org/wiki/Franz_Joseph_Gall.
[4] Gall, S., Beins, B. & Feldman, A. (1996). The Gale Encyclopedia of Psychology. Detroit, Gale.
[5] North Carolina Wesleyan College. “History of Profiling”. December 19, 2003. North Carolina Wesleyan College. Accessed: January 24, 2005. http://faculty.ncwc.edu/toconnor/428/428lect01.htm.

“When you catch him, he’ll be wearing a double-breasted suit – buttoned”.[6] Surprisingly, this was one of the first and last times that this psychoanalytical approach was employed.

By the end of the 1970s, the Federal Bureau of Investigation had officially recognized ‘criminal profiling’ as an official field and had introduced Applied Criminology as a permanent course at the FBI Academy.[7,8] Between 1979 and 1983, correction facilities were visited in order to interview incarcerated felons.[9] Questions were asked about the crimes committed, the victims, background information (both the criminal and the victim), the meditation behind the crimes, etc. They also studied court transcripts, police reports, criminal records, and psychiatric reports of the perpetrators’ behavior.

Today’s profiling process takes two approaches: prospective and retrospective. Prospective profiling attempts to create a “template” of a specific type of offender (for example, a terrorist, a child molester, or a serial murderer) based on the characteristics of previous offenders. These prospective profiles are then held over a specific population in order to attempt to narrow down and predict who will commit these specific types of offenses. This type of profiling often receives tough criticism because it is often overly inclusive and may lead to suspicions against innocent people.

The antithesis of prospective profiling, and the type of profiling used most often by the FBI, is retrospective profiling. This approach is after the fact and case specific. It attempts to use the clues left behind by a specific criminal to develop a specific description of that person. The idea is to link a specific person or persons to a specific crime (or series of crimes) that have already occurred based on personality and behavioral characteristics that have been identified through analysis of the crime scene and the facts of the case.[10]

In the 1990s, profiler Brent Turvey met with and interviewed an incarcerated serial killer after extensively reviewing crime reports, court transcripts, and court records. After the interview, Turvey compared his verbal interview with evidence from the records. Nothing matched! Turvey could not comprehend how the prisoner’s statements

[6] Pinizzotto, A. (1984); “Forensic psychology: criminal personality profiling” Journal of Police Science and Administration, 12: 32–40.
[7] Op cit note 1.
[8] Petherick, W. (1999) “Criminal Profiling” Crime Library, 15 May 2001.
[9] Op cit note 8.
[10] McCrary, Gregg. (2003) The Unknown Darkness: Profiling the Predators among Us. New York: Morrow.

could be so contradictory to the information in the crime reports until he realized that the perpetrator was purposely misconstruing the facts to redirect the responsibility of the crime. Turvey’s approach, called Behavioral Evidence Analysis (BEA), relies more on intuition than past approaches.

Behavioral Evidence Analysis consists of four steps within two phases (Turvey, 1997 as cited in Petherick, 1999).[11] Step one is called the Equivocal Forensic Analysis. This step involves evaluating the evidence. Although the significance of the evidence is most likely ambiguous, the examiner must interpret the most probable meaning of the data. This step employs an unlimited number of sources from which to collect data.

Step two, Victimology, is assessing the victim. Profiling the victim could be the primary source of information that could lead you straight to the perpetrator.[12] If the victim was killed during the attack, this step will be used to create an accurate make-up of the victim. By determining characteristics of the victim, a profiler can use this information to determine characteristics of the offender. For instance, if the abduction of the victim does not show a struggle, perhaps the victim knew or trusted the offender.

Step three is known as Crime Scene Characteristics, and is quoted as “the distinguishing features of a crime scene as evidenced by an offender’s behavioral decisions regarding the victim and the offense location, and their subsequent meaning to the offender”.[13] This step encompasses the perpetrator’s approach to the victim, the location of the crime scene, many other elements of the crime venue, and where the crime took place in comparison to other crimes. There may be a strong possibility that the majority of the crime took place at a site that had some sort of significance to the offender.

The final step is known as Offender Characteristics. This step consists of assumptions of the offender’s personality and behavioral characteristics based on the following collected information. Characteristics defined in this stage include: physical build, offender sex, work ethic, mode of transportation, criminal history, skill level, race, marital status, passiveness/aggressiveness, medical history, and offender residence in relation to the crime.[14] Collectively, this data could reduce or increase the number of suspects.

[11] Op cit note 8.
[12] Op cit note 8.
[13] Op cit note 8.
[14] Op cit note 8.

The assumptions from these four steps can be applied in the two phases of the BEA, known as The Investigative Phase and The Trial Phase. Turvey explains the objectives of the Investigative Phase, aka the ‘unknown offender for the known crime’ phase, as:

• Reducing the suspect pool in a criminal investigation;
• Assisting in the linkage of potentially related crimes by identifying unique crime scene indicators and behavioral patterns;
• Assisting in the assessment of the potential for escalation of nuisance criminal behavior to more serious or more violent crimes;
• Helping keep the overall investigation on track and undistracted.

The Trial Phase is also known as the ‘known offender for the known crime.’ The objectives of this phase are listed below:

• To assist in the process of evaluating the nature and value of forensic evidence to a particular case;
• To assist in the process of developing interview or interrogative strategy;
• To help develop and gain insight in offender fantasy and motivations;
• To help gain insight into offender state of mind before, during, and after the commission of a crime;
• To help suggest a crime scene linkage by virtue of modus operandi (those things the perpetrator had to do to commit the crime) and the signature behavior (those things the perpetrator did not have to do to commit the crime, which usually fulfill a physical or psychological need).[15]

The BEA is not reliant upon statistics.[16] This method is the circumspect analysis of the event, the victim, the perpetrator, the scene, and the psychological make-up of all persons involved. This method is extremely time-consuming and is based on intuition and acquired skills attained through thorough training.

Although criminal profiling seems to be a specific term, there are many methods of profiling. Many successful profilers have their own methods to solve crimes, but no two methods are exactly the same. Profiling has come a long way and has evolved to encompass all aspects of a crime. While the term ‘profiling’ has come under heavy scrutiny recently, particularly since the 2001 attacks against the United States, work in its field continues to evolve and is still employed today.

[15] Op cit note 8.
[16] Op cit note 8.

B. Cybercrimes against business

Cyber crime is a hot topic of the 20th century. The world stands at a crossroads for developing defense mechanisms against it. Cyber crime by its most general definition can be any crime committed over a computer network.[17] These crimes have been occurring since the creation of the Internet. If there is information to be shared, there is information to be sabotaged. The challenge is faced by every online individual, company or organization across the globe.

Internationally, progress against cyber crime is haltered by the fact that governments around the world are imposing different and often conflicting legislation to deal with what is a global issue.[18] Progress is being made; the Council of Europe’s Convention on Cyber Crime has taken significant steps toward creating a treaty intended to establish international standards for combating cyber crime. However, a great deal of work remains in creating global acceptance and ratification of the treaty.[19]

In particular, cyber crime against business is growing. The reported total loss from cyber crime increased annually in 2000, 2001, and 2002: $265 million, $378 million, and $450 million, respectively.[20] Additionally, the total loss from 1997 to 2002 reported to the authorities is almost $2 billion.[21] The very way that business is now conducted nourishes the growth of cyber crime. One European survey points out that 43% of over 3000 surveyed companies, organizations, and government agencies believe that cyber crime will be the biggest and most damaging class of criminal activity in the future.[22] The increasing role of Internet sales; the massive amount of data transferred through the computerized information systems inside and outside organizations, much of which is very sensitive and is related to the core of business; the immense use of the Internet in the workplace; and increased access to confidential information: all of these are factors that contribute to the growing threat of cyber crime.[23]

A major element of cyber crime, which accounted for $170 million of loss in 2002, is theft of proprietary information: customer databases; product databases; R&D data; etc. And while the total loss in 2002 was 28 times more than the total loss for 1997, the number of respondents reporting any loss has grown by only 24% for the same period of time.[24] One logical explanation is that the perpetrators are getting better equipped and have more knowledge. An additional factor is that organizations are putting more value on the information nowadays than a few years ago. The value of the information has increased and organizations have recognized it. The information being stolen is “worth more” today than in the past.

[17] Dictionary.com. www.dictionary.com. Accessed: Jan. 21, 2005.
[18] Nykodym & Taylor. (2004). “The World’s Current Efforts Against Cybercrime”. Computer Law and Security Report. Vol. 20, 390–395.
[19] Op cit note 18.
[20] Swartz, N. (2002); “Cyber Crime Soars”, The Information Management Journal, May–June 2002.
[21] Power, R. (2002); “2002 CSI/FBI Computer Crime and Security Survey”, Computer Security Institute, Vol. VIII, No. 1, Spring 2002.
[22] Krempl, Stegan. (2001). “Web of Deceit”. Financial Times. Ft.com. Connectis September 2001. http://specials.ft.com/connectis/FT3NKDS3TRC.html: April 1, 2005.

C. Insider cybercrime and abuses

Insider abuse of net access and unauthorized insider access are two concerns for employers. While insider abuse of Net access went up to US$50,099,000 from US$35,001,650 in 2001, the unauthorized insider access decreased to US$4,503,000 from US$6,064,000 (Power 2002).[25] Upwards of 70% of all computer crime directed toward companies is committed by insiders.[26] The insider abuse of Net access includes violations that seem small at first glance, such as reading newspapers online, following sporting events while at work, and gambling online. Though these crimes may seem innocent and petty, they hit the companies where it hurts most – productivity. On top of that, a company hoping to curb insider abuse of net access by conducting surveillance over the employees’ Internet use has to deal with issues such as privacy at the workplace and psychological and mistrust issues which often arise when implementing such a policy; this may ultimately result in resistance and conflicts between the management and the employees.[27] More so, while the organizations can simply deploy security technologies to limit the insider unauthorized access, they may have to use more of a profiling approach to monitor their employees in order to decrease the Net abuse from inside.

It may be helpful for organizations to understand the types of people that are likely to commit net abuse. Some common characteristics of a person who commits Net abuse on a regular basis are: willingness to show no fear from the managers around, inclination for breaking the rules, and perhaps a keen sports fan. The person who commits unauthorized access from inside, by contrast, is more likely to be secret, hard to communicate with, and quiet.[28]

The position of the attacker in the company has a significant influence in cyber crime. Cyber crimes committed by managers account for a greater amount of money on average, while the cases are fewer. This is because managers may have more access capabilities and it may be easier for them to hide their crimes. While the employees perform more of the cyber crimes, they lack the control over or access to the companies’ assets; consequently the companies’ loss will be less. An alliance between a manager and an employee in committing a crime may be very difficult to detect and stop because their working on different levels of hierarchy may allow them more options to hide or disguise the crime.

According to a sample of computer crime cases given by the Computer Crime and Intellectual Property Section of the US Department of Justice, 34% of the insiders committing cyber crime are between 20 and 29 years, 36% between 30 and 35 years, and 27% over 35 years. And although more perpetrators are between 30 and 35 years old, the most damage is done by persons over 35 years like Roger Duronio, 60, charged with more than $3 million, Timothy Allen Lloyd, 39, charged with over $10 million, and Kevin Mitnick, 37, charged with over $1 million of theft.[29]

[23] Nykodym, N. & Kehayov, R. (2005) “Cybercrime from the inside” – Unpublished manuscript.
[24] Op cit note 21.
[25] Op cit note 21.
[26] Demers, Marie Eve. (2001). “Prioritizing Internet Security”, Electronic News (North America), Vol. 47 (4), 46.
[27] Ariss, S, Nykodym, N. Cole, A (2002) “Trust and Technology in the Virtual Organization,” Advanced Management Journal, Vol. 67, 22–25.

D. Profiles and cyber criminals

There are many differences between cyber crime and conventional crime, both in committing the crime and in prosecuting it, all of which seem to favor the criminals. This makes it very difficult to track, catch, and prosecute cyber criminals within the current legal system. Many times, the cyber criminal may be far away from the place where the crime takes place. The attackers can choose the place they will be at the time that the crime is to be committed because cyber crime does not require a physical presence from the perpetrator. A simple program can be written at any time by the attacker and entered into the organizational network. The program can be set to execute at any time the perpetrator wants. There is a resemblance with a clock bomb, but the small program is far easier to hide and disguise within the network. It is not even necessary for the program to be within the network; it could be released from any place on the earth with a computer and Internet connection.

When stealing information, the attackers have several choices from where they can actually steal the data. First, they can steal from the main server; second, from the back up server, which holds a full copy of the main server; third, while the data is in transition between two points; and fourth, from a web page, which shows the data to the end user. It does not matter which method the perpetrator will choose as there is a great chance that the attack will go unnoticed if the information is not immediately released. Think of conventional crime versus a cyber crime. A conventional crime, stealing cash for example, will be noticed immediately, the next time the money is counted. Stealing data on the other hand is different. All the information is still on the server and it may seem untouched as there might be another copy of the data made by the perpetrator.

Cyber crime victims are typically organizations, whose systems are penetrated, and the customers of that organization. In case of data theft, the data could be strictly related to the organization or it could be a customer database with data like social security numbers, credit card information, mailing addresses and other details. Therefore organizations may suffer substantial losses in the form of lost customers and/or stolen or compromised confidential information. Customers can also suffer financial losses, when their identity is stolen.

The attackers may be experts in the field where they do their crime – hackers, computer security experts, programmers, Internet experts. On the other hand the organizations have to rely on employees like them to protect their networks.[30] Also the attackers may act as an organized group by sharing information without revealing their identities on the Internet and thus make the task of the law enforcement even harder. The Internet itself offers more opportunities for the attackers to communicate without revealing who they are, and gives them a great advantage against the authorities.[31]

These differences (mentioned above) make the tasks of profiling and catching the cyber criminal much more difficult. Comparing the application of the four stages of Behavioral Evidence Analysis to cyber crime and conventional crime will better reveal the advantages of the cyber criminal over the authorities and the difficulties in profiling a cyber criminal.

In the first step – the Equivocal Forensic Analysis, all the evidence is considered and evaluated, but in cyber crime most of the time there is no physical evidence, and cyber evidence is easier for the perpetrator to destroy. There is no DNA, no finger prints or any physical presence. Therefore, it is much harder to find any significant evidence that may lead to the attacker.

In step two – Victimology, a profile of the victim is done. But as mentioned before there may be two separate victims – the organization and the customers of the organization. It should be decided first which is the ultimate target, or whether they both are. Conventional crime makes identifying the victim much easier.

For step three – Crime Scene Characteristics, it is even more difficult to profile the cyber criminal because of the advantages of choosing the time and place by the cyber attacker. Limited amounts of evidence and the very complicated nature of the crime can make the first three steps very complicated and inconclusive.

The final step – the Offender Characteristics, is perhaps even more challenging. Given that criminal profiling is relatively new as an official method to investigate conventional crimes, and that cyber crimes are much more difficult to spot and to prosecute than conventional crime, law enforcement finds itself in a very complex situation when trying to create a profile of the cyber criminal.

[28] Op cit note 26.
[29] United States Department of Justice. Computer Crime and Intellectual Property Section (CCIPS). Computer Intrusion Cases. United States Justice Department; www.cybercrime.gov/cccases.html as of June 16, 2003.
[30] Piper, T. (2002); “An Uneven Playing field: The Advantages of the Cyber Criminals vs. Law Enforcement – and Some Practical Suggestions”; SANS Info Sec Reading Room; www.sans.org/rr/legal/ueven.php, 09/10/2002.

E. Applying profiles to insiders

In order to make the most precise profile of an inside cyber criminal, the first step will be to divide the type of cyber crime into one of many possible subcategories. Insider cyber crime can be generalized in four main categories: espionage, theft, sabotage, and personal abuse of the organizational network.

31 Op cit note 29.

A spy is “a person who keeps close and secret watch on the activities and words of another or others” or “a person who seeks to obtain confidential information about the activities, plans, methods, etc., of an organization or person, esp. one who is employed for this purpose by a competitor”.32 Therefore, the spy could be employed by a competitor, trained, and placed in the organization. The spies are after confidential or sensitive information, thus they must be placed high in the organizational hierarchy. They could be a part of the management team and would be an excellent source of very secret data. They could even be from the senior management staff. For that reason spies may not be very young at the time of the crime, maybe in their thirties as a junior manager or in their sixties for a more senior management position. Also depending on the race structure of the management team, they could be white, when there are more white managers in the organization, or black, if the organization has more people of color at higher positions, or both, if the organization is more diverse. The cyber criminal is careful of what they say, and how they look. They do not want to look different, and always try to blend in among others. They are calm and secretive persons. In order to catch a spy, you have to look for ordinary people who always try to hide their steps.

There are a lot of similarities between espionage and sabotage. But these two crimes are also very different. They both can be influenced by a competitor, but the saboteurs are not necessarily employed by the organization. They could act from a distance. The saboteur and the spy should possess a sound knowledge in the IT area so that they would be able to commit the cyber crime and hide their steps. Both saboteurs and spies are secretive persons, trying not to be seen. But the saboteur can act to harm the organization with personal motives like revenge for a lay off, or a missed promotion. A saboteur could be a person recently laid off, or an employee who feels neglected by the organization in some way. Saboteurs are probably between 25 years and 40 if employed by the company, so they have enough experience within the organization to learn the weaknesses and to feel offended if not offered a promotion or bonus. If employed by a competitor the age could vary significantly.

Unlike saboteurs and spies, the thief is guided only by mercantile motives for his own gain. The only goal in front of the cyber thief is to steal valuable information from an organization and use it or sell it afterwards for money. According to a sample from prosecuted intellectual crimes, provided by the US Department of Justice (Computer Crime and Intellectual Property Section) there is a strong pattern in the age of the cyber robbers. If the crime is for less than $100,000 most likely the attacker is young, 20–25 years old, male or female, still in the low hierarchy of the organization. If the crime is worth between $100,000 and $1,000,000 the committer is probably a 25–35 years old male, and if the crime accounts for more than $1,000,000 the attacker is over 35 and from the top management staff. The thief is confident in his actions. He is comfortable in his position. His crime is not driven by hate or revenge but by greed and hunger for money.

The most common insider cyber crime is Net abuse for personal use like reading magazines on the workstation, on-line gambling, surfing the Net. This type of crime does not account for much money loss. Taken together, however, all the cases of Net abuse can hurt the organization’s productivity, and there is a lot an organization can lose. The person who does this type of crime may openly: oppose supervisors; be non-conformant to rules; and regularly break rules.

32 New Universal Unabridged Dictionary, 1996; Barnes & Noble Books.

In conclusion, it is important to say again that profiling is not a totally new method. The concept has been deployed in fighting crimes for centuries. While it is not 100% accurate, the system has had its hits and has a legitimate track record. Continued work and research will inevitably result in more advanced and useful identification processes and strategies. It is impossible to build the right profile for each and every cybercrime, because each cybercrime is done under different circumstances and different motives may be at the center of the crime. The motives and the circumstances should always be considered when a profile is constructed.

Nick Nykodym, PhD; Robert Taylor, M.B.A.; and Julia Vilela, M.B.A., Management Department, College of Business Administration, University of Toledo, Ohio USA.

Computer Law & Security Report (2005) 21, 415–419

FREEDOM OF INFORMATION ACT – UK

Introduction to Freedom of Information Act

Marcus Turle 1, Vicky Hordern
Field Fisher Waterhouse, London, UK

Abstract

In the wake of 9/11, the UK Anti-terrorism, Crime and Security Act 2001 was rushed through Parliament, giving the government sweeping powers to imprison foreign nationals without charge. Even though the House of Lords has now ruled this practice to be both discriminatory and disproportionate, we still have a system of control orders which effectively allow internment by means of 24 h house arrest. Identity cards are on the way, and we will soon see biometric chips appearing in passports. In this context, the advent of the Freedom of Information Act 2000 (FOIA) is a welcome counterweight to a trend which seems increasingly to be tipping the scales in favour of the state.

© 2005 Field Fisher Waterhouse. Published by Elsevier Ltd. All rights reserved.

1. Introduction – the new rules

FOIA is intended to be the driver for a public sector revolution – blowing away the traditional Westminster culture of secrecy and leaving in its place clear legal duties of openness and transparency: in short, to replace “need-to-know” with “right-to-know”. If the new law works, then it should mean increased transparency about major policy decisions, the delivery of public services and accountability for public spending.

As a result of FOIA, members of the public have the legal right to access a huge array of information on the actions of public bodies – everyone from central government departments to parish councils. Anyone will be able to ask for information, and requests can range from how much your local council spent on paper clips last year, to the grounds for appointing a particular contractor to build a school or hospital. Even copies of contracts and invoices could be disclosable.

The first phase of the new regime – the operation of publication schemes – has actually been with us for some time. Publication schemes describe the categories of information which each authority routinely makes available to the public (i.e. online via a website). Since January, however, phase two has extended FOIA’s reach by imposing on every public authority a duty to make available any information at all, if it is holding it. There are 23 potential exemptions to this duty, but relying on an exemption will only be allowed if there’s a justifiable reason. Many of the exemptions are available only where the public interest permits.

Significantly, the new rules are not just about the public sector. FOIA also impacts business. For companies, FOIA is both an opportunity and a threat. An opportunity to sell FOIA-specific IT services to the public sector and to learn more about how public sector customers operate and what they want and expect from their suppliers, and the means to get hold of information which government may hold about competitors. Of course, this is also a threat. Competitors will themselves be able to ask for information about other companies supplying to government including, potentially, information which is confidential or commercially sensitive. Additionally, any information that IT companies hold on behalf of public authorities under outsourcing arrangements will fall under FOIA. Public authorities will increasingly insist on a contractual obligation that the IT company co-operates with the public authority in handling any FOI requests or ‘requests for information’ (RFIs) that the authority receives.

1 Marcus Turle is the editor of Freedom of Information, the only legal journal available which is dedicated to this area (register at www.foij.com for a free sample copy) and the author of Sweet & Maxwell’s forthcoming Freedom of Information Manual.

0267-3649/$ - see front matter © 2005 Field Fisher Waterhouse. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.08.007

2. How FOIA could be a threat to IT companies

FOIA impacts every company supplying IT services to the public sector. IT companies that provide outsourcing or other IT related services should realise that all documentation that they have provided to the public authority may be disclosable under FOIA. The effect of FOIA could be disastrous for businesses which have not taken careful steps to protect themselves. Every company with government customers (whether through PPP,2 PFI,3 G-Cat4 or S-Cat5) needs to know how FOIA will affect it and what it needs to be doing to counter the risks.

In essence, the duty of disclosure applying to public authorities under FOIA applies not just to each authority’s own information, but also to information which it holds relating to external organisations. This includes all contracts and all tender documents with or from private sector suppliers and all other correspondence and documents which you would expect to find in the average public body’s filing cabinets.

FOIA may require disclosure of even confidential or commercially sensitive information. There are 23 potential exemptions to FOIA’s disclosure obligations, and information may be exempt where disclosure could prejudice a company’s commercial interests, or where information is confidential. However, both of these exemptions are subject to public interest considerations and even if one of them is available, it will only prevent disclosure if the public body chooses to apply it. Further, where a request relates to a contract for the delivery of public services, there will be a strong presumption in favour of disclosure even if the information is confidential or commercially sensitive – because there will be a clear public interest in promoting accountability for expenditure of public funds and obtaining value for money. The public interest will be even stronger in relation to issues which, for example, are the subject of national or parliamentary debate (such as the implementation of an integrated IT system for handling police intelligence – as recommended by the Bichard Report6), where an issue affects a wide range of people (such as the national identity card programme), or where public safety may be at issue (such as the modernisation of the tube under the government’s PPP scheme).

In cases like these, private sector suppliers must think carefully about how to manage the risk of their information being made public, and how to work with their government customers to manage the information handling process in a way which allows the public authority to meet its legal obligations and the company to mitigate the risk of secret information finding its way into a tabloid newspaper.

And it doesn’t stop there. The legal regime which requires government to make documents available contains no balancing requirement for them to consult companies before disclosure, nor is there any mechanism within FOIA for companies to stop or prevent disclosure. So companies will have limited options when faced with the prospect of information about their business being made public. They can talk to the public authority and hope to persuade it not to disclose information. They can apply for an injunction preventing disclosure. Or they can sue for damages after the event (and perhaps get an injunction to prevent further disclosure in future). Of course, none of these options provide certainty of outcome, and the last two will be expensive. What is more, the first and second options will only be available if the public authority actually notifies the company before it responds that it has received a request.

What can IT companies supplying to the public sector do to protect their businesses from the effects of FOIA? Well, there are a number of steps. First, companies should find out from public sector customers who their Freedom of Information Champion is, how their records management policies work, and clarify who will bear the costs for producing information which the company might be holding on the customer’s behalf (if, for example, the company is an outsourcing service provider). Second, companies should make sure that the contract requires their public sector customers to consult them (or at the very least notify them) before they disclose information about them in response to an FOIA request. Third, companies should discuss with their customers now (or when negotiating future contracts) what information about the company will and will not be potentially disclosable under FOIA. Ideally, they should put together a list of what is commercially sensitive and a list of other information which they think might fall under one of the other exemptions in FOIA.

It is imperative that all IT companies start thinking now about how to deal with FOIA in their dealings with the public sector. They should also be looking at how the FOIA exemptions might apply to information about their businesses and how they will need to deal with the public sector on FOIA matters.

2 PPP – public private partnership is the mechanism used by government to finance and deliver public services at lower long term economic cost.
3 Private Finance Initiative. This is the most frequently used initiative within the public private partnership.
4 G-Cat is the Government catalogue for IT and Telecoms related goods and services. It comprises a number of Framework Agreements and is available to any UK contracting authority in the public and utilities sectors.
5 S-Cat is a catalogue based procurement scheme established by CCTA in 1997 to provide public sector organisations with a simplified means of procuring, and contracting for a wide range of IT related consultancy and specialist services from a variety of service providers.
6 Bichard Inquiry Report HC 653 (The Stationery Office, London, June 2004).

3. Information handling

Undoubtedly, there will need to be something of a culture change within some public authorities and particularly so in relation to information handling. Public authorities, especially those with information systems which are cumbersome and historic, would be well advised to undertake information audits, create file structures and retention schedules that anticipate any requests under FOIA. Systems will vary from organisation to organisation, but for most public bodies the key issues will be the same:

• they will need to know what types of information they have and where it is;
• someone will need to know in detail how the FOIA exemptions work, and there ought to be a pool of staff with a good working knowledge of the main provisions;
• they will need to consider what types of requests they are likely to get and what types of information people will want to see. It will be sensible to have an information request flow chart or lifecycle to map the key stages of the internal system and make sure it effectively records and tracks requests;
• ideally, it is worth doing some work now on what types of information may be exempt from FOIA disclosure – and for documents which contain some exempt and some non-exempt information, consider formatting them to capture the exempt information separately;
• think about the organisation’s structure and whether responsibility for information handling should be devolved. In all but the smallest public bodies, some measure of devolution will be inevitable. Everyone in the FOIA chain will need a working understanding of the rules, and sufficient expertise to identify when a request merits escalation to someone with in-depth knowledge and experience;
• for organisations involved in high profile projects, it may be beneficial to establish links with the Information Commissioner’s Office who will be able to offer support and advice.

An awareness of the key issues facing public authorities with regard to information handling will give IT companies an insight into how they can help meet the needs of their public sector customers.

4. How FOIA can be an opportunity to IT companies

IT companies can use the FOIA to find out about competitors. If an IT company does not want an authority to know that they are making a request, the company can use third party agents such as solicitors’ firms to make the requests. IT companies should bear in mind that the way a public authority handles such requests may vary. Since the authority is not required under FOIA to consult the competitor before disclosing competitor-related information, it may depend upon the terms under which the competitor-related information was initially provided to the authority, e.g. provided under an obligation of confidentiality or classified as commercially sensitive. Alternatively an IT provider can provide a list of the information that it considers to be exempt from FOI disclosure (with an explanation as to why the exemption applies).

Apart from using the FOIA to find out about competitors, IT businesses may also provide services that assist public authorities in the management of their responsibilities under FOIA. Public bodies will need to have systems in place which enable them to process requests for information (RFIs).7 Such a system requires a correct identification of requests when they come in, ensuring the request ends up on the right person’s desk, collecting and sifting all the information requested, and responding correctly within 20 days, taking account of the 23 potential exemptions. Such systems can be vital in big public sector organisations to ensure that time and resources are managed as efficiently as possible in responding to RFIs.

A number of IT companies offer request tracking systems (RTS) which public authorities can use to track the progress of an RFI from its arrival within the public authority to the sending of a response to the requester. However, some request tracking systems which were prepared to meet the January 2005 deadline are not yet sophisticated enough to deal with the particular demands of a public authority. Public authorities keen to implement an RTS may have to wait before more mature and considered systems evolve which adequately reflect the needs of authorities under FOIA. Such needs may vary. A public authority such as the British Potato Council (one of many obscure and eccentric sounding bodies listed in FOIA Schedule 1) is likely to receive fewer RFIs, and require different management functionality, in comparison with the Home Office or other central government body. IT companies would be well advised to reflect on the benefits of providing flexible software with management reporting facilities enabling a public authority to review and assess compliance.

Request tracking systems that interoperate with electronic records management systems should enable easy identification of documents and quick retrieval. Such electronic records management systems (as provided by iManage and similar software) should provide a public authority with a simple and reliable way of accessing information (for searches both under FOIA and the Data Protection Act 1998 (DPA)) in compliance with its statutory responsibilities. Electronic records management systems should also encourage good information handling practices and a consistent records management and archiving policy.

Records management is key to an effectively run response procedure for both requests under the FOIA and the DPA as well as bringing broader benefits to a public authority. The Department for Constitutional Affairs has commented that: “Any freedom of information legislation is only as good as the quality of the records to which it provides access. Such rights are of little use if reliable records are not created in the first place, if they cannot be found when needed or if the arrangements for their eventual archiving or destruction are inadequate”.8 IT systems that provide an easy to use records management system can help to relieve public authorities of certain potential obstacles.

7 Freedom of Information Act 2000 Ch.36, s. 8.

5. Pitfalls for public authorities using RTS

Public authorities should note some obvious pitfalls in using RTS software. Many public authorities have, over recent years, tied themselves into IT framework agreements which require them to use certain providers when requesting discrete pieces of software. Where their IT provider is not able itself to provide such FOI specific software, the IT provider may seek a third party to act as a sub-contractor. Depending on the terms of the main framework agreement, the public authority may find itself in a disadvantageous position since there is no contractual relationship between the third party and the public authority and there is a risk that the third party will not deliver the software that meets the public authority’s specifications. A public authority will need to consider carefully the terms of its main IT framework agreement to ascertain whether its main IT provider has the resources to provide RTS software.

Public authorities will have varying needs. A public authority will not want to be burdened by an RTS system that cannot be adapted or updated in any way but should seek a flexible software package so that change is possible should a different approach be necessary.

Freedom of information legislation aims to make public bodies more transparent and accountable internally as well as in their dealings with the private sector. Those IT companies that regularly provide services to the public sector would do well to gain an understanding of how FOIA may be a challenge to their current working practices and to change their procedures accordingly. But FOIA also offers new openings for IT companies to work with public authorities to improve and refine the way information is managed and retained. However an IT company responds, it is clear that FOIA is here to stay.

8 Lord Chancellor’s Code of Practice on the Management of Records Issued under section 46 of the Freedom of Information Act 2000, (Department of Constitutional Affairs, November 2002) Foreword.

Marcus Turle, Report Correspondent and Vicky Hordern are solicitors specialising in privacy and information law at City law firm Field Fisher Waterhouse.

Computer Law & Security Report (2005) 21, 420–422

OPEN SOURCE

IPR indemnities in the open source and proprietary software worlds

Richard Kemp, Caspar Gibbons
Kemp Little LLP, London

Abstract

Intellectual property right (IPR) indemnities in software licences – the commitment of the licensor to step up to the plate and bear the risk if the customer is challenged in its use of the software by a third party for infringing its IPR (see also An Indemnity Primer for IT Consumers: What You Need to Know, What You Want to Have, Jeffrey P Kushan, Sidley Austin Brown & Wood LLP, November 2004 – accessible on http://tinyurl.com/br4vb) – are assuming increasing importance in the competing marketing strategies of the open source software (OSS) and proprietary software vendors’ camps as they engage for the hearts and minds of the IT departments of the world’s largest customers.

© 2005 Kemp Little LLP. Published by Elsevier Ltd. All rights reserved.

Very briefly, OSS has increasingly in recent years moved away from its radical, anti-business establishment origins and towards the middle ground.1 Customers constantly raise the bar on their requirements for cheaper, better and more reliable software that preserves sunk investment. The perceived lower cost of OSS coupled with the ability of users to modify the core OSS operating system have accelerated its take up around the world in the public and corporate sectors. This combination of increasing pressure on software developers and the opportunity for profit that growing acceptance affords is driving the commercialisation of OSS. Established vendors like Hewlett Packard and Novell now include in their catalogues their own house ‘flavours’ of OSS products like Linux. IBM manages, Janus-like, to point both ways – not only is it a self-professed proponent of OSS but it is also one of the largest holders of software patents in the world.2

The heart of the OSS tradition – that software should be communitarian (i.e. outside traditional norms of property ownership) and freely open to adaptation and distribution – means that there is no single entity responsible for all the code. Consequently, there is no one with either capability or inclination to speak about its origin. In essence, the whole concept of licensor is anathema. This is reflected in licences under which OSS is supplied. For instance, both the GNU General Public Licence3 (GPL) and the Open Source Licence (OSL) of the Open Source Initiative (OSI)4 focus on licensee activities only.

These traditions have served the ideals of OSS, by maximising the evolution of the underlying code, but it is little surprise that, historically, OSS came with indemnity, warranty or liability measures expressly excluded.5 This can lead to odd results: Clause 7 of version 2.1 of the OSI’s OSL gives with the one hand – the Licensor gives a warranty of title of sorts – whilst taking away with the other – the Licensor is defined (circularly) as the unnamed ‘owner of the Original Work’.6

With a ‘pure’ OSS product, the customer gets no legal security to support his use, adaptation and distribution rights: the pressure, such as there is, is peer pressure through knowing who the OSS design/coding community is – but of course there is no diligence mechanism to check this out. To date, this inherent inability to stand behind supplier commitments – which in the real world go beyond the contractual word on the page and directly to reputation – has not been as significant an impediment to OSS take up as might have been expected. But this slightly rose-tinted view is changing.

Until relatively recently, IPR indemnities were one of those clauses that did not get a lot of attention in software deals. For an IPR claim to arise that would trigger the indemnity was perceived to be a remote possibility. There were more important things to discuss.

1 See ‘Open Source Software Monetised: Out of the Bazaar and into Big Business’, Ieuan G Mahony and Edward J Naughton, Holland and Knight LLP, published in The Computer and Internet Lawyer, Vol. 21, No. 10 (October 2004) at page 1.
2 “There are some high ironies that IBM, one of the largest obtainers of patents in the world, ends up being the defender of the GPL” (S Shankland, http://CNET News.com, 28 October 2003, quoted in ‘Open Source Software Monetised’), see footnote 1.

0267-3649/$ - see front matter © 2005 Kemp Little LLP. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.08.004
That perception is changing, however, with a spate of high profile IPR infringement actions against resellers and end users which bring the issue of supplier IPR indemnities directly into play. These cases include Luxembourg company Inpro’s patent infringement claim in Germany against T-Mobile as a customer of Research in Motion for the Blackberry device7; Lucent Technologies, Inc. v. Dell,8 concerning allegedly infringing Microsoft software pre-loaded on Dell computers; the Forgent Compression Labs JPEG infringement claims launched in April 20049; and of course the SCO v. IBM10 and related litigation in the OSS arena. With an increasing number of software and related patent applications, the trend towards a more assertive approach to software IPR by right holders looks set to continue.

These cases have really brought home to big IT buyers recognition of the indemnity/security issue. Over the last few years, big organisations in the public and private sectors alike have invested significantly in world class procurement processes to manage risk and get better value from suppliers. As IT systems constantly become more central to the organisation’s activities, these processes focus on technology suppliers’ contractual terms and conditions, particularly the risk allocation mechanisms of warranties, liability limitations and IPR indemnity clauses. Big IT buyers like financial institutions increasingly take management of contingent IPR liabilities and their potential for financial exposure and business disruption no less seriously than exposures from their trading books. As with most types of products, they will invariably want to see their software vendors step up to such third party IPR risks by providing IPR indemnities.

The OSS community finds it hard to respond effectively to this rigorous, contract based procurement process. Large software vendors are attempting to step into the breach. A feature of the monetisation of OSS has been the offering of OSS products with contractual cover by software vendors to improve acceptability in the corporate world. The best example of this is by corporate vendors selling their own version of Linux where the stimulus for providing cover has largely been the SCO litigation.
HP (from September 2003) and Novell (from January 2004) now offer indemnity cover of sorts for their versions of Linux.[11] It is to be noted that in these cases we are not really talking about pure OSS at all – these vendors offer their own specific flavours of Linux. Further, the indemnity cover provided is limited: HP requires users to run the HP version on HP hardware and to subscribe to an HP software support agreement; Novell requires users to have a minimum spend with them of $50,000, be subscribers to its support and upgrade services, and its indemnity is capped at the lower of $1.5m or 125% of the value of the customer’s purchases with Novell; and Red Hat (since January 2004) offers a warranty to replace infringing code but no indemnity as such.

Outside the OSS world, proprietary software vendors who give meaningful IPR indemnity protection perceive a relative advantage in the face of increasing legal risk and procurement rigour. This is because they write their software in-house, know who wrote what and are well placed to gauge and hedge the risk of third party infringement claims. For example Microsoft’s indemnity,[12] although expressed as an obligation to defend against claims and to pay the amount of any ‘final’ judgement, is broad in its coverage (including copyright, trademark, misappropriated trade secrets and – more boldly and unusually – patents). Being uncapped, it is also deep in financial terms. This is the language and these are steps in the negotiation dance that the procurement groups at large organisations understand. And in late 2004, in recognition in part of the SCO litigation issue, it extended IP protection for covered claims from volume licensees to all end users of Microsoft’s software.

The issue of indemnification will only be a factor when businesses calculate the total cost of ownership of a particular piece of software. Indemnities, a minor contractual art form in their own right, invariably come replete with restrictions: however dull, they must be read carefully and all the way through. But purchasing a third party software product (on which your business may rely completely for core processes) which comes with an uncovered contingent risk that could, at worst, take away your right to use it is something of an aberration in the world of the large organisation procurement machine. The buyer who does so in this case is gambling, calculatingly or otherwise, that the risk of a successful IPR claim against it is minuscule. Calculating this gamble is not simply a prediction of whether, for example, SCO will win. Simply being involved in litigation incurs cost, which may be significant when the subject matter is highly technical and the market so competitive. Researching and responding to a claim, whether frivolous or not, will tie up internal resources, almost certainly require specialist external advice and (for defendants with an exchange listing and concomitant disclosure obligations) potentially impact upon brand image and shareholder value. These points should not be underestimated in the context of IP claims.[13]

In these times of greater calibration of – if not aversion to – risk, proprietary software vendors think they’re on to something. What was once regarded as a boring, narrow, technical legal issue may well become a tipping point. Whatever industry sector one looks in, it is hard to find an example of another product, whether for the mass- or professional-market, which comes without any sort of good title commitment. In the end it will be the market that decides just how big a brake on OSS uptake the lack of effective legal security will be. Tellingly, the new version of the GPL anticipated for release in 2005 is likely to address patent and other IPR issues.[14]

Richard Kemp, Report Correspondent, Partner Kemp Little LLP. E-mail address: [email protected]
Caspar Gibbons, Solicitor, Kemp Little LLP. E-mail address: [email protected]

[3] http://tinyurl.com/agckq.
[4] http://tinyurl.com/ey34u.
[5] See e.g. v.2 GPL clauses 11 and 12.
[6] See clause 7 in the document at the link in footnote 4.
[7] See also In Pro II Licensing v. T-Mobile USA, Inc for similar litigation in the USA: http://tinyurl.com/cbmsb.
[8] See press comment, e.g. http://tinyurl.com/dqzfc.
[9] http://www.forgent.com/ip/672patent.shtml.
[10] In essence, SCO alleges that IBM’s version of Linux infringes its IP rights in Unix; see press comment e.g. http://tinyurl.com/ajvxo and the useful http://www.groklaw.net.
[11] Overview of HP: http://tinyurl.com/dhmhf; and Novell: http://tinyurl.com/7d8z6.
[12] http://tinyurl.com/axk6g.

[13] The SCO claim is in the region of $3 billion; for a recent actual judgement, see Lowry’s Reports, Inc. v. Legg Mason, Inc. WDQ-01-3898 (http://tinyurl.com/c323w), where misuse of an $800 licence resulted in a jury award of ~$20 million.
[14] See for example the Free Software Foundation (FSF) press release of 9 June 2005 about the article by Richard M Stallman and Eben Moglen discussing the forthcoming GPL Version 3 – http://www.fsf.org/news/gpl3.html.

Computer Law & Security Report (2005) 21, 423–426

ELECTRONIC CONTRACTING

Concluding leases by e-mail

Ter Kah Leng
NUS Business School, National University of Singapore

Abstract In a landmark decision, the Singapore High Court has held that it is possible to enter into a legally binding lease simply by e-mail correspondence. The implications of this case on the requirement for writing and signature and its impact on e-Commerce will be examined below. © 2005 Ter Kah Leng, NUS Business School, National University of Singapore. Published by Elsevier Ltd. All rights reserved.

A. SM Integrated Transware Pte Ltd v. Schenker Singapore (Pte) Ltd[1]

SM Integrated (SMI) and Schenker were both companies providing logistics services. SMI owned a warehouse which it was negotiating to rent to Schenker for the proposed storage of dangerous goods. The negotiations were conducted face to face, by telephone or e-mail correspondence. At no time was there any letter correspondence. Shortly before the lease was to commence, the third party, whose dangerous goods Schenker was proposing to store in SMI’s warehouse, no longer needed its services. Schenker thereupon withdrew from the lease, resulting in SMI’s loss of rentals during the two-year period of the lease. Three issues arose for consideration: (a) whether the negotiations between the parties culminated in a binding agreement and if so, (b) whether the requirements of section 6(d) of the Civil Law Act were satisfied and (c) whether the lease was subject to a condition precedent. The first issue was decided in the affirmative, while the third issue was answered in the negative. This article will focus on the second issue.

B. Sufficient memorandum

Schenker’s defence to the second issue was that even if a binding contract had been concluded, it was unenforceable by virtue of section 6(d) of the Civil Law Act[2] (CLA) and section 4(1)(d) of the Electronic Transactions Act[3] (ETA). The CLA provides that for a lease to be enforceable there must be a sufficient note or memorandum in writing and signed by the party to be charged. Prakash J concluded that the e-mail of a specified date with its attachment, the draft Logistics Service Agreement and the acceptance of its terms together constituted the necessary memorandum.[4] Furthermore, they contained the identities of the parties, the description of the subject matter and the consideration as were required by the CLA.

[1] [2005] SGHC 58. Judgment delivered on 30 March 2005.
[2] Cap 43, 1994 Rev Ed, the modern re-enactment of the relevant provision of the English Statute of Frauds 1677. Available at http://statutes.agc.gov.sg.
[3] Cap 88, 1999 Rev Ed which is based on the UNCITRAL Model Law on e-Commerce, Singapore being the first country to adopt the Model Law. Available at http://statutes.agc.gov.sg.

0267-3649/$ - see front matter © 2005 Ter Kah Leng, NUS Business School, National University of Singapore. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.06.004

C. Does e-mail correspondence satisfy “writing”?

It was argued on behalf of Schenker that since all written communication was conducted by e-mail, such correspondence could not constitute the written evidence of the lease nor satisfy the requirement of signature under the CLA. No hard copy of any e-mail was exchanged. It was further argued that SMI could not rely on electronic records as the functional equivalent of paper records[5] because leases came within the list of transactions excluded under section 4(1)(d) of the ETA.[6]

The original reason for the exclusions is relevant to the grounds of judgment. When the ETA was first enacted in 1998, e-Commerce was thought to be in its infancy and a conservative approach was taken so as not to establish a complete functional equivalent between a paper and an electronic record.[7] Since then, IT (including controls against fraud) has developed so significantly that a review of the ETA is timely. This is undertaken by the Infocomm Development Authority of Singapore (IDA) and the Attorney-General’s Chambers (AGC) which have released a Public Consultation Paper.[8] The Paper suggests a wide application of the ETA provisions rendering electronic records the functional equivalent of paper records, which will be consistent with the aims of the ETA.[9] It recognizes that the law lags behind technology and so “should not place obstacles in the way of adopting practical and commercially viable electronic means as they become available”. Furthermore, any lack of appropriate technology to effect “an electronic equivalent of a paper transaction should not by itself dictate that such a transaction must be excluded from section 4 of the ETA”. On the other hand, it also recognizes that continued exclusion might be justified on grounds of public policy, such as the need to protect the uninformed or the unwary.[10] It is interesting to note that leases have not been identified as being one of the transactions in need of continued exclusion from the functional equivalent of paper.

Returning to the argument made on behalf of Schenker that the exclusionary section 4 prevented reliance on the recognition of electronic records as the written equivalent, SMI counterargued that the ETA could not be so construed as disabling reliance on electronic records, having regard to the need to construe the ETA consistently with what is commercially reasonable in the circumstances and to facilitate e-Commerce. The learned judge, Prakash J, accepted SMI’s submission that the requirement of writing and signature in section 6(d) of the CLA could not be construed in such a manner as to exclude the use of electronic forms. While noting the “conservative approach” taken by the ETA in respect of leases falling within the section 4 exclusions, the judge held that this did not mean that, as a matter of law, electronic means of communication could not satisfy the requirements of section 6(d) of the CLA. She went on to state that the ETA did not change the common law position in relation to the CLA. Whether an e-mail could satisfy the requirements of writing and signature would be decided by construing section 6(d) itself and not by “blindly” relying on section 4(1)(d) of the ETA. Prakash J found support for this view in the IDA-AGC Consultation Paper mentioned above: “Even where legal form requirements apply, exclusions under section 4 may not necessarily prevent such transactions from being done electronically. Electronic records or signatures could still possibly satisfy the legal requirements without reliance on the provisions of the ETA. It would be a matter for legal interpretation whether an electronic form satisfies a particular legal requirement for writing or signature.”[11]

The learned judge derived further support from section 2 of the Interpretation Act[12] which defines writing to include “printing, lithography, typewriting, photography and other modes of representing or reproducing words or figures in visible form”. SMI had submitted that the natural meaning of the term should be extended to include technological developments as there is a presumption that: “Parliament intends the court to apply to an ongoing Act a construction that continuously updates its wording to allow for changes since the Act [CLA] was initially framed [an updating construction].”[13] In any case, SMI argued, e-mail messages are “words … in visible form” when displayed on the monitor screen, although the underlying digital information will not be “writing” for the purposes of the Interpretation Act. The e-mail messages and attachments could also be printed out as they were in the present case and included in the agreed bundle of documents. The learned judge found the above submissions, based on the UK Law Commission’s advisory paper “Electronic Commerce: Formal Requirements in Commercial Transactions” (December 2001), to be persuasive.

Turning to section 6(d) and its predecessor, the Statute of Frauds 1677, Prakash J stated that the aim of requiring written evidence in certain contracts was to protect against fraud and sharp practice. The recognition of electronic correspondence as writing would be entirely consistent with this aim as long as the existence of the writing could be proved. This was not a problem in the present case as the parties readily admitted sending and receiving the relevant e-mail messages and no one testified that the documents in the agreed bundle were not true copies of the e-mail correspondence.

The learned judge also accepted the views of foreign law commissions and foreign courts relied upon by SMI. In the advisory paper mentioned above, the UK Law Commission took the view that e-mail satisfied the definition of “writing” under the Interpretation Act 1978,[14] although there was a lack of consensus on this matter. The opposite view was that there must be some physical memorial but this, in the Commission’s view, could be satisfied by storing and printing out a copy of the electronic communication.[15] Similar reliance was placed on Wilkens v. Iowa Insurance Commissioner, where the Court of Appeals of Iowa held that the keeping of records in a computer satisfied the requirement of keeping a “written record”, there being nothing in the relevant legislation that precluded the keeping of these records in a computer. The court noted that the advent of the computer age changed substantially record-keeping procedures. In another American case, Clyburn v. Allstate Insurance Company,[16] the District Court of South Carolina held that a computer floppy diskette could constitute “written notice” under the terms of a statute. The information on the floppy diskette could be retrieved and printed as “hard copy” and in today’s paperless society, the court was not prepared, in the absence of a legislative provision, to find that such a diskette would not constitute the requisite “written” notice.

Agreeing with SMI’s submissions, the learned judge held that the e-mail correspondence which constituted the memorandum of the contract was “in writing” for the purpose of section 6(d) of the CLA. She was pleased to arrive at this conclusion which was “dictated by both justice and common sense” and considering that so much business is now transacted via the Internet and likely to increase further. An ordinary man in the street would be amazed to find that he had not made a binding contract when all the terms had been agreed upon. On the other hand, it is submitted, a person would be astonished to find that he had made a paperless contract through e-mail. This, the learned judge suggested, could be avoided by making the agreement “subject to contract”.[17]

[4] Halsbury’s Laws of Singapore Vol 7 Butterworths Asia, 2000 at para 80.133.
[5] Section 7 ETA provides that an electronic record satisfies a rule of law that requires information to be written if the information therein is accessible so as to be usable for subsequent reference. The Guide to Enactment of the UNCITRAL Model Law (Article 6) states that “accessible” is “intended to mean that computer data should be readable and able to be interpreted and that the software required to satisfy those requirements may need to be retained. The word ‘usable’ is intended to cover not only human use but also computer processing”.
[6] This excludes, inter alia, leases from the application of Parts II and IV of the ETA.
[7] Electronic Transactions Bill, Parliamentary Debates 1998, Column 254.
[8] Joint IDA-AGC Review of Electronic Transactions Act, Stage II – Exclusions Under section 4 of the ETA, 25 June 2004. Available at www.agc.gov.sg under Publications & Speeches. Moreover the Minister has power to modify any of the excluded transactions by virtue of section 4(2) of the ETA.
[9] Which are to facilitate E-commerce, eliminate barriers arising from uncertainties over writing and signature requirements, and to promote legal and business infrastructure for secure E-commerce: section 3(b) ETA.
[10] Note 8, para 2.3.

[11] Note 8, para 2.1.5.
[12] Cap 1, 2002 Rev Ed. Available at http://statutes.agc.gov.sg.
[13] Bennion, Statutory Interpretation, Butterworths, 4th Ed, 2002 at p 762.
[14] The definition of Schedule 1 is in pari materia with the Singapore definition.
[15] At para 3.17.
[16] 826 F Supp 955 (DSC 1993).
[17] Note 1, para 85.

D. Was the e-mail signed?

It was argued on behalf of Schenker that no party had ever signed a hard copy letter or document. Hence there was no memorandum that had been signed by the party to be charged [Schenker]. SMI’s response was that the common law takes a pragmatic approach as to a signature requirement. It looks at the function of a signature, namely authentication, rather than the form of the signature. The signature that is required under section 6(d) has been liberally construed so that it need not be at the foot of the memorandum or a signature in the popular sense of the word. A printed slip may suffice if it contains the name of the defendant.[18] SMI contended that the typed names in the e-mail were sufficient to satisfy the requirement under section 6(d) because the authenticating intention of the “signatories” had been clearly demonstrated. SMI also relied on various Australian and American authorities which concluded that electronic communication satisfied the “signature” requirements. The UK Law Commission, in the advisory paper mentioned above, also held the view that the typing of a name into an e-mail was capable of satisfying a statutory signature requirement.[19]

Of relevance are two recent American decisions. In Shattuck v. Klotz Bach,[20] the Superior Court of Massachusetts, in interpreting the equivalent of section 6(d) of the CLA, held that an e-mail correspondence which contained a typed signature at the end was “signed” with the intent to authenticate the information contained in the correspondence. In the second case, Cloud Corporation v. Hasbro, Inc[21] the US Court of Appeals for the Seventh Circuit held that although the e-mail contained no signature, the presence of the sender’s name on an e-mail would satisfy the signature requirement under the Statute of Frauds. This is directly applicable to the present case where there was no signature appended by Schenker’s authorized representative to the bottom of any of his e-mail messages. His name appeared in the line reading: From: … but he confirmed that he had sent out the relevant messages.
The learned judge inferred from this that he knew that his name appeared at the head of every message next to his e-mail address so clearly that there could be no doubt as to who the sender was. Prakash J therefore held that the requirement of signature had been satisfied. The learned judge further stated that the common law did not require handwritten signatures for the purpose of section 6(d) of the CLA. A typewritten signature or one typed onto an e-mail and sent or forwarded is sufficient. Alluding to the possibility of “spoofing”, Prakash J said that the true owner of the e-mail address could dispute the authenticity of the messages purportedly sent out by him. That, however, was not the case here. Having found that SMI had proved that there was a concluded contract between the parties, duly evidenced by a written memorandum and signed by Schenker, the learned judge awarded the damages that SMI sought.

[18] Andrew Phang, Cheshire, Fifoot and Furmston’s Law of Contract – Second Singapore and Malaysian Edition, Butterworth Asia, 1998 at p 368.
[19] Paras 3.28, 3.29 and 3.34.
[20] 14 Mass L Rep 360 (2001).
[21] 314 F 3d 289 (2002).

E. Comment

It is apparent that the evidence in the present case was clear-cut. There was no dispute as to the originator or signatory to the e-mail correspondence. But this may not always be the case. For this reason, additional safeguards may be desirable. The Guide to Enactment of the UNCITRAL Model Law article 7 states that: “In an electronic environment, the basic legal functions of a signature are performed by way of a method that identifies the originator of a data message and confirms that the originator approved the content of that message.” This, it is submitted, is best achieved by an electronic signature, probably the most secure functional equivalent of a handwritten signature. In addition, a name typed on the e-mail or appearing beside the e-mail address at the top of the message has been held to suffice, if properly proven.

Overall, the judgment has far-reaching implications for e-Commerce. It represents an enlightened and progressive approach which facilitates electronic transacting in a convenient, cost effective and efficient way. The traditional protection against fraud secured by writing and signature has served its purpose but the advent of paperless electronic transactions renders these requirements incompatible when technological tools are available to provide the necessary on-line security. The intention never to cast the ETA exclusions in stone is far-sighted. The present case represents a valiant attempt on the part of the law to keep up with new business practices as e-Commerce evolves. The decision is timely and consistent with imminent legislative changes.

Ter Kah Leng, NUS Business School, National University of Singapore. E-mail address: [email protected]

Computer Law & Security Report (2005) 21, 427–431

EU REGULATION OF THE ONLINE GAMING MARKET

From Gambelli to Placanica to a European framework for remote gaming

Ewout Keuleers
Bar of Brussels

Abstract This article reviews the difficulties facing national courts in respect of the regulation of online gambling activity in the wake of two recent decisions of the European Court of Justice that, in mixed messages, may be moving towards liberalization of the European gaming market. More than a year after the Gambelli and Lindman decisions of the European Court of Justice (ECJ) and the first report of the European Commission on the application of the electronic commerce Directive, the impact of these recent European (r)evolutions for the gaming industry has not always been very clear. In the Netherlands and Belgium, existing jurisprudence was confirmed in the so-called post-Gambelli decisions. In Germany, where most of the competences to regulate gaming activities have been attributed to the autonomous Länder, some courts have recognized that, in the absence of a consistent gaming policy, the imposed restrictions on the cross-border provision of gaming services could not be justified by the imperative reasons of public order. In Spain, the Loterías y Apuestas del Estado (LAE) is maintaining its position that it has the exclusive right to offer and promote games on the Internet. In Italy, a regional court has had to refer a gaming case to the European Court of Justice (ECJ). The conclusion of one year of post-Gambelli case-law is that the Gambelli and Lindman requirements are applied in a very diverging manner. In the Dutch Betfair appeal case, it was even insinuated that Gambelli was not relevant! Before commenting on these national decisions, the Gambelli and Lindman decisions will be reviewed again. © 2005 Ewout Keuleers. Published by Elsevier Ltd. All rights reserved.

0267-3649/$ - see front matter © 2005 Ewout Keuleers. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.06.003

A. The Gambelli and Lindman judgments of the European Court of Justice

Pursuant to article 4 of the Italian Act no 401/89, the organization of bets on sports events, supervised by the CONI[1] or UNIRI,[2] is reserved for companies having a public concession. The Italian public prosecutor initiated a criminal prosecution against Piergiorgio Gambelli and other intermediaries for the organization of and reception of bets for the British bookmaker Stanley International Betting. The operation was performed as follows:

• The bettor notifies the person in charge of the Italian intermediary of the events on which he wishes to bet and how much he intends to bet;
• The intermediary sends the application for acceptance to the established and authorised UK bookmaker via the Internet, indicating the national football games in question and the bet;
• The bookmaker confirms acceptance of the bet in real time by Internet;
• The confirmation is transmitted by the Italian intermediary to the bettor and the bettor pays the sum due to the agency, which sum is then transferred to the bookmaker into a foreign account specially designated for this purpose.

In the appeal procedure the Italian Court of Ascoli Piceno invoked two reasons to introduce a request for a preliminary ruling at the European Court of Justice (ECJ). In the first place, the Italian court raised some questions concerning the proportionality between the adopted measure, i.e., criminal repression, and the objective pursued. In the second place, the Court considered that there was a contradiction between the national conservation of the monopoly and the expansive policy conducted by Italian authorities, for instance, to raise public funds.[3] In his opinion of 13 March 2003, Advocate General Alber held that the Italian legislation in the field of sports betting constituted a discriminatory obstacle to the freedom to provide services throughout the European Union that failed the required justification on grounds of general interest.
The ECJ in its full judgment did not go that far. At first glance, the decision of the European Court of Justice of 6 November 2003 has little to qualify it as a landmark decision that would break the European gaming market open. Indeed, the ECJ did not explicitly say that the Italian regulation in the field of sports bets imposed a discriminatory and unjustified restriction on the freedom to provide services.[4] In fact, one could even argue that the ECJ only confirmed its standing jurisprudence, following which Member States have the right to impose restrictions on the cross-border provision of gaming services, provided that certain strict requirements and conditions are met.[5] A closer look, nevertheless, unambiguously reveals that the European Court did more than just send the issue back to the Court of Ascoli Piceno, i.e., the competent national court. The ECJ restricted the scope for interpretation of the national authority to the extent that it was obliged to come to the conclusion that Italian law operated an unjustified restriction upon the freedom to provide services.[6] Moreover, the European Court of Justice gave a clear indication that:

• In the absence of a “consistent gaming policy”, Member States must stop calling upon pressing reasons of public order to justify these restrictions, while the actual objective being pursued was the protection of the national markets from (foreign) competition;
• To the extent that the ECJ had to leave the final decision to the national court, it would define clear “guidelines” as to how the latter should de facto use its discretionary power to interpret the facts of the case;
• The level of protection offered by the country of establishment and the control this exercised over the legality of the gaming operation, should be taken into consideration when the authorities of the destination country assessed the proportionality and necessity of the restrictive measures (Country of Origin principle).

[1] Comitato olimpico nazionale.
[2] Unione italiano per l’incremento delle razze equine.
[3] Gambelli, Opinion of Advocate General Alber, paragraph 19.

[4] See also, Thibault Verbiest and Ewout Keuleers, Gambelli makes it harder for nations to Restrict Gaming, Gaming Law Review, Volume 8, Number 1, 2004.
[5] Case C-275/92, 24 March 1994, Her Majesty’s Customs and Excise v. G. Schindler & J. Schindler, ECR, 1994, I-1039, opinion GULMANN, C; Case C-124/97, 21 September 1999, Markku Juhani Läärä, Cotswold Microsystems Ltd, Oy Transatlantic Software Ltd. v. Kihlakunnansyyttäjä, Suomen Valtio, ECR, 1999, I-6067, opinion LA PERGOLA, A.; Case C-67/98, 21 October 1999, Questori di Verona v. D. Zenatti, ECR, 1999, I-7289, opinion FENNELLY, N. See also, Thibault Verbiest and Ewout Keuleers, Cross-border gaming: The European regulatory perspective, Gaming Law Review, August 2003.
[6] Judgment, paragraphs 63–64.

In this regard, the ECJ recognized that the UK established bookmaker was already subject to rigorous controls exercised in his country of establishment by a private audit company and by the Inland Revenue and Customs and Excise.[7] It might be too optimistic to consider that the European Court had implicitly recognized that the internal market clause of article 3 of Directive 2000/31/EC on electronic commerce was applicable.[8][9] Had it done so this would mean that the Court was derogating from the exception foreseen in article 1.5 of that Directive. Nevertheless, it underscores the relevance of the character of protection offered – and control exercised in – by the home state.

One week after this decision, the European Court of Justice recognized in its Lindman decision that European consumers had the right to receive services across borders and that the restrictive Finnish (tax) measure was infringing article 49 of the EC Treaty.[10] Even though this case does not relate to the provision – or reception – of remote gaming services, Advocate General Stix-Hackl held that the situation at hand was comparable with situations in which a person was taking part in a foreign-based lottery by telephone, fax or Internet.[11] In its judgment of 13 November 2003, the ECJ held that: “The reasons which may be invoked by a Member State by way of justification must be accompanied by an analysis of the appropriateness and proportionality of the restrictive measure adopted by that State. In the main proceedings, the file transmitted to the Court by the referring court discloses no statistical or other evidence which enables any conclusion as to the gravity of the risks connected to playing games of chance or, a fortiori, the existence of a particular causal relationship between such risks and participation by nationals of the Member State concerned in lotteries organised in other Member States”.[12]

By stating so the EC Court seems to indicate that a Member State imposing a restrictive and discriminatory measure must (i) demonstrate that the restrictive measure is compatible with the EC Treaty; (ii) demonstrate the risks and dangers in relation to the cross-border provision and consumption of gaming services; and (iii) submit to the competent authority statistical or other evidence that backs its arguments. In conclusion, it can be argued that Member States have a right to impose restrictions, but when imposing or enforcing them, they must provide sufficient proof with evidence that (i) their gaming policy is consistent, (ii) there is a clear and present danger to public order, e.g., that the operations of a UK online bookmaker will be used to launder the proceeds of crime, and (iii) that the objective pursued, e.g., protection of consumers, cannot be achieved by imposing less restrictive measures.

[7] Judgment, paragraphs 12 and 73.
[8] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market.
[9] In the important Article 3, it is stated that (i) each Member State shall ensure that the information society services, including online gaming services, provided by a service provider established on its territory comply with the national provisions applicable in that Member State and (ii) that Member States may not restrict the freedom to provide information society services from another Member State.
[10] In this case, Mrs Lindman, Finnish citizen on vacation in Sweden, bought a ticket from the Swedish Svenska Spel lottery. By mere coincidence she won 1,000,000 SEK10. Under the terms of the Finnish Lottery Act 1992 and the general law on revenue tax, profits coming from lotteries organized outside Finland are considered as a normal revenue, subject to the Finnish tax rate. In contrast, participants in a Finnish lottery do not have to pay taxes on winnings from lotteries organized in Finland.
[11] Opinion Advocate General Stix-Hackl, paragraph 54.

B. Overview of post-Gambelli case-law

Since November 2003, authorities in various Member States have had to apply the above-mentioned requirements. In some countries, notably Finland, the Netherlands, Sweden, Belgium, Italy and Germany, the Supreme and Constitutional courts were called upon to deliver their views. In contrast to the Swedish Administrative Supreme Court (Regeringsrättens), the German Bundesgerichtshof (BGH) held that the editor of an online newspaper could not be held liable for inserting a link to an Austrian licensed bookmaker. Furthermore, the BGH explicitly questioned whether current German gaming policy could be reconciled with the requirements of European law. Moreover, the BGH referred to the decision of the Landgericht München I of 27 October 2003. In this so-called second ‘Bet-at-home’ case, the Landgericht held that the organization of sports bets and lotteries was subject to a monopoly. However, this monopoly was not adopted and maintained for reasons of public order, but mostly for tax reasons. For this reason, the court stated that it would not be justified to impose upon

12 Lindman, paragraphs 25 and 26.

an Austrian licensed bookmaker an obligation to obtain an additional German license.13 There have been strong rumours that the German Constitutional Court will soon issue a groundbreaking ruling that may be an important step to opening the German gaming market. It is expected that, by July 2005, the highest German court will rule in a case relating to the freedom to exercise a profession and bring some fundamental clarifications to the law in this area. Even though this debate is focused on Article 12 of the German Constitution, i.e., the freedom to exercise a profession, e.g., act as an intermediary for a foreign gaming provider, the fundamental question is very similar to the one relating to the provision and promotion of gaming services across borders. One should only be allowed to restrict this freedom if German gaming policy was consistent and the so-called reasons of public order justifying the restrictions are not being used merely to protect the German gaming market from foreign competition. On this view, the aggressive commercial behaviour of State lotteries and Oddset, one of the six official suppliers of the 2006 World Cup, can be criticized. In line with the February 2004 decision of the High Administrative Court of Hessen and the December 2004 decision of the Landgericht of Baden-Baden, some other courts have already held that German gaming policy does not meet the required justifications imposed by the EC Treaty and the jurisprudence of the European Court of Justice. For the time being, with its landmark decision still pending, the Constitutional Court has asked local authorities to act prudently and refrain from acting too restrictively against local intermediaries. In the Netherlands, the situation is more confusing.
On 18 February 2005 the Dutch Supreme Court ruled in the Ladbrokes summary proceedings and rejected the appeal lodged against a September 2003 decision that recognized the exclusive right of the Dutch betting operator De Lotto. With this decision the debate in the summary proceedings seems to have come to an end. However, the situation in the main proceedings is different, if not quite opposite. In its interlocutory judgment of 2 June 2004, the lower court of Arnhem requested proof of a consistent gaming policy. The court criticised the inconsistency of the Dutch gaming policy for a number of reasons. In the first place, the annual reports of De Lotto demonstrated that the objective pursued was to increase its turnover, notably by exploring new markets and attracting new customers. No reference was made to compulsive gambling and the protection of consumers. Secondly, the marketing campaigns of the Dutch licensees, in particular the direct and indirect promotion of their gaming activities on radio and TV shows, were omnipresent. The Arnhem court concluded that the marketing campaigns, in particular the ‘‘not-won-money-back’’ guarantee for new subscribers, were designed to stimulate the demand for games, even when such a demand was non-existent. A final decision in the main proceedings is expected in September 2005.

In Italy, the Supreme Court’s April 2004 ruling in the ‘‘Bruno Corsi’’ case went directly against the European Court’s Gambelli decision. Given the manifest contradiction between the ECJ case-law and the Supreme Court’s April 2004 decision, the Tribunale di Larino referred the case to the European Court of Justice. In a case identical to the Gambelli case, the Larino District Court questioned whether the Italian gaming restrictions could be reconciled with European Internal Market principles. In its referral, the national court underlined the difference between the interpretation emerging from the decisions of the European Court of Justice, notably the Gambelli judgment, and the jurisprudence of the Italian Supreme Court.

13 Cf. supra on the Country of Origin principle.

C. The need for a community initiative

One must recognize that European institutions have, so far, not adopted gambling specific regulations. The Dutch Supreme Court recently confirmed that, in the absence of any Community rule in the field of gaming, one should only apply national (Dutch) law. As Dutch residents can obtain online access and participate in games organized by Ladbrokes without many difficulties, Dutch law applies. For this reason a local Dutch license is required. By ruling in this way, the Dutch Supreme Court fails to consider the de facto cross-border character of the Internet and its European dimension. The fact that the gaming platform is licensed, hosted and operated in another Member State would seem to be irrelevant. It is clear that this conflicts with statements made by the European Commission and the landmark decision of the Finnish Court of Appeals in Turku. In accordance with the Directive on electronic commerce and the decision of the Landgericht München I of 27 October 2003, the Turku Court held in its decision of 31 March 2003 that the organization of gaming services is exclusively subject to the laws of the place of establishment (Country of Origin). For this reason, authorities in Finland or the Netherlands cannot impose additional requirements or conditions on, for example, a Maltese-based and licensed remote gaming operator. Furthermore, reference can be made to the opinion of Advocate General Gulmann in the Schindler case. Gulmann held that, by virtue of the principle of equivalence, the Member State of destination may not impose additional restrictions on the cross-border provision of services if those services are already subject to adequate rules from the home state. Recognising the necessity to limit the overall supply of gaming services and in the absence of any Community rules in this field, restrictive measures necessarily had to be taken separately by each Member State. A contrario, this implied that when European rules in the field of gaming and associated services were adopted, e.g., via the proposal for a Service Directive, the arguments invoked by Member States to justify the restrictive measures, notably the protection of society at large, would lose their relevance.

With the new Placanica case pending before the European Court, 2005 seems to have become a very important year for the European remote gaming industry. Not only is there the European Commission’s study on gambling and the second review of the electronic commerce Directive, but also the famous Service Directive will be debated in the European Parliament. Both the Directive on electronic commerce and the proposal for a Service Directive contain the Internal Market principle. According to this principle, a gaming operator need only comply with the law of its Country of Origin and cannot be ordered to submit to additional requirements for the cross-border provision and promotion of its services.
The inclusion of this principle in the proposed Service and Electronic Commerce Directives will be an important step towards a single European remote gaming market. Indeed, an established bookmaker in Malta, for instance, will only be subject to Maltese legislation whereas Dutch authorities must recognize the adequacy of the protection offered in Malta. For the same reasons, a Dutch gaming license is not required. Nevertheless, at this moment, both the proposal for a Service Directive and the Directive on electronic commerce exclude the application of the Internal Market principle. On the occasion of the first report on the application of the Directive on electronic commerce, the European Commission announced, in November 2003, that it would reconsider the latter Directive. It stated that: ‘‘Online gambling is a new area in which action may be required because of significant Internal Market problems and that it would examine the need for a possible new EU initiative’’. Indeed Article 1.5 of the e-commerce Directive excludes gambling activities, which involve wagering a stake with monetary value in games of chance, including lotteries and betting transactions, from its scope of application. Therefore, the internal market clause provided for in Article 3 concerning the cross-border provision of information society services cannot be invoked. One must not forget that, eventually, it is very likely that regulatory models adopted by the United Kingdom, Malta and Slovakia will lead to serious Internal Market distortions, and thus complaints, underlining the need for a European initiative in the field of remote gaming and associated services. In the end, maybe it is too optimistic to anticipate that the European Commission will fully liberalize the European gaming market. However, it is clear that Member States must stop invoking imperative reasons of public order to justify gaming restrictions, while the actual objective being pursued is the protection of national markets from foreign competition.
Ewout Keuleers (LL.M) is an attorney at the Bar of Brussels (www.gaminglaw.be) and a senior researcher at the Centre of Computer and Law (University of Namur, Belgium).

Computer Law & Security Report (2005) 21, 432

BOOK REVIEWS

Computer contracts

Drafting and negotiating computer contracts
Rachel Burnett, Paul Klinger. 2nd ed. Tottel Publishing, 2005, 736 pp. hard-cover, £175, ISBN 0 406 90809 5

The focus of this book remains, as with the original text published in 1993: ‘‘to offer a perspective to drafting and negotiating computer and other IT contracts which is practical rather than narrowly academic, drawing on our own experience in the industry’’. In their Preface the authors note that since the first edition was published, the computer and telecoms industries have continued to evolve and expand, whereas in parallel the Internet has become a dominant feature of the information society. New contracts needed to be covered and, therefore, chapters have been added to consider application service provision, web site development and e-commerce agreements. There is also a new chapter examining leasing arrangements since, particularly in relation to hardware supply contracts, this is the preferred means of financing. For the rest of the book the authors note that substantial revisions have taken place to account for commercial and legal developments over the past 10 years. In addition to the contract analysis the authors have responded to requests and now provide a precedent format within a CD supplied with this edition. This contains examples of the contracts reviewed. Available from Tottel Publishing Ltd., Maxwelton House, 41/43 Boltro Road, Haywards Heath, West Sussex, RH16 1BJ. Tel.: +44 (0) 1444 416119, Internet: www.tottelpublishing.com.

Telecommunications law

Telecommunications law and regulation
Ian Walden, John Angel (Eds.). 2nd ed. Oxford University Press, 2005, 731 pp. soft-cover, £75.00, ISBN 0 19 9274479

This text originally arose from the authors’ (ongoing) involvement in the University of London’s LL.M course in telecommunications law. The first edition was published in 2001 by Blackstone and the second edition now published by Oxford University Press is, in the editors’ words, ‘‘built on the success of the first and is designed to meet the needs of both students and the wider practitioner community’’. The new edition extends the scope of the first edition with new chapters added on content regulation; telecommunications, intellectual property and standards; and designing regulatory frameworks for developing countries. The work has been restructured into five sections dealing with the fundamentals; the UK and EU regulatory regimes; key issues and transactions; communications content; and international regulatory regimes. The book is recommended for legal practitioners involved in the communications industry as well as to management consultants, bankers and accountants for whom an awareness of the legal implications of this area of law may be appropriate. Available from Oxford University Press, Great Clarendon Street, Oxford OX2 6DP. Tel.: +44 (0) 1865 556767; Internet: www.oup.com.

doi: 10.1016/j.clsr.2005.06.017

doi: 10.1016/j.clsr.2005.06.018

Computer Law & Security Report (2005) 21, 433

Calendar of Events

For a more detailed listing of IS security and audit events, please refer to the events diary on http://www.compseconline.com

18–22 September 2005
COSAC 2005
Location: Naas, County Kildare, Ireland
Website: www.COSAC2005.org

29–30 September 2005
Legal and Strategic Guide for e-Discovery East: Best Practices for Corporate Counsel
Location: New York, USA
Website: www.marcusevans.com/events

27–28 October 2005
Computer Law Association European Conference
Location: Stockholm, Sweden
Website: www.cla-stockholm.com/

27–28 October 2005
ISC 2005
Location: Dusseldorf, Germany
Website: www.uni-duesseldorf.de/isc2005

7–9 November 2005
International Computer Crime Conference
Location: Willingen, Germany
Website: http://public.afosi.amc.af.mil/ICCC_2005/iccc.html

11–12 November 2005
SCL Annual Conference
Location: Oxford, UK
Website: www.scl.org

13–15 November 2005
Computer Security Institute 32nd Annual Conference and Exhibition
Location: Washington DC, USA
Website: www.gocsi.com/annual/

6–8 December 2005
Infosecurity New York
Location: New York, USA
Website: www.infosecurityevent.com

8–9 February 2006
Legal IT 2006
Location: London, UK
Website: www.legalitshow.com

doi:10.1016/S0267-3649(05)00165-2