Month: January 2016

Carbon Games or the scapegoat of a bad initiative

Blocking sites with no supervision whatsoever... what can possibly go wrong?


So… The implementation of a protocol to fight online piracy has led to the imposition of technical restrictions on access to the website of Carbon Games in Portugal.

Indeed, a few weeks ago, any person, player or consumer who tried to access the website was prevented from doing so by restrictions imposed by the Portuguese ISPs, namely Cabovisão, Meo, Nos and Vodafone. Any attempt to reach the site resulted in the following message: “the site that you’re trying to reach was blocked due to an order from the Regulator Agency”.

Those who are neither Portuguese nor familiar with the case might fail to grasp the myriad underlying issues with this statement.

Therefore let me explain.

Last year, a protocol was signed – more specifically a ‘memorandum of understanding’ – between the content industry representatives and telecom operators, according to which the latter will be required to restrict access to – i.e. block – websites with copyright-infringing content.

The parties involved include IGAC (Inspeção Geral das Atividades Culturais – General Inspection of Cultural Activities), DGC (Direcção Geral do Consumidor – Directorate General of Consumer), APRITEL (Associação dos Operadores de Telecomunicações – Telecom Operators Association) and MAPINET (Movimento Cívico Anti-Pirataria na Internet – Civic Movement for Anti-Piracy on the Internet).

Following the long judicial process which ended with the Portuguese Intellectual Property Court ordering the ISPs Vodafone, MEO and NOS to block access to The Pirate Bay website, these entities felt that a faster and less expensive site-blocking mechanism was required, one that would not require an individual judicial assessment of copyright infringements.

The abovementioned memorandum intends to frame the cooperation of the signatory parties regarding the protection of authors’ copyright, while intending to circumvent the limitation arising from the absence of any duty on ISPs to monitor the information they transmit or store, by assigning that monitoring obligation to IGAC.

Thus, under these newly assigned responsibilities, IGAC ought to collect and analyse claims of infringement and to order ISPs to prevent access to legally protected content unlawfully made available online.

According to the memorandum, the infringement claims ought to demonstrate the lack of authorization of the copyright owner for the works thus made available. In that regard, claims must also be accompanied by a document certifying that, following the request to remove infringing content, no answer was obtained from the website administrator.

The specifics are as follows: websites which deal predominantly with making available works protected by copyright without the authorization of the rights’ holders will be denounced by the entities representing the rights owners and, once the claim is confirmed by the IGAC, telecom operators are notified to block the websites at stake. The denouncing claims are expected to be filed periodically (twice a month) through MAPINET and referring to a block of up to 50 allegedly infringing websites. However, it is possible to file individual claims in situations particularly detrimental to copyright owners.

In this context, websites containing more than 500 non-authorized works or distributing repositories containing at least two thirds of illegal copies are deemed to be predominantly making available works protected by copyright without the authorization of the rights’ holders.

The protocol has been diligently implemented in practice since its signature: as far as I am aware, up to 180 websites have been blocked under this procedure.

As the case regarding Carbon Games demonstrates, there are several flaws in this system.

To start with, it is important to clarify that Carbon Games is a US videogames developer and its website deals with games of which they are the original creators.

Secondly, this process is undertaken by several private entities and one public body, the IGAC. While it is expected that the interests of private entities will not necessarily coincide with the general interest of the public, one would at least risk hoping that IGAC, within its recently established obligations of analysing claims of infringement, would not rush such analysis.

While one would expect that the infringing nature of the activity of a website should be adequately assessed, it is evident that the system does not work properly, considering that Carbon Games legally produces videogames and, all things considered, should have its interests protected by the implementation of the initiative.

Additionally, the fact that ISPs ought to be compensated for all the trouble that the implementation of this protocol may entail for them actually risks discouraging the establishment of any internal assessment system regarding the legitimacy of the infringement claims raised.

Moreover, the requirement of 500 illegal works or two thirds of illegal copies seems absolutely discretionary. What is the expected outcome of this decision? That websites containing 499 illegal works will remain fully operational? And if this is really the criterion, then it makes the Carbon Games case all the more ludicrous.

One would expect that a website allegedly managing illegal content would have the chance to counter-argue and present its defence. Apparently, this is not the case. In fact, judging by the communication of Carbon Games on its own website, it was not aware of any suspicion of infringing content, of any administrative proceedings or of any blocking order before the blocking actually took effect. In fact, it seems that no mechanism has been put in place to review the wrongful blocking of websites.

In the meantime, it has been admitted that the blocking order was unduly given and, accordingly, all the providers of online services have been notified that the blocking should be annulled, thus enabling the proper functioning of the website.

I cannot help but wonder how such an error is even possible. Isn’t the list provided to IGAC supposed to be validated?

While the efficacy of such an agreement is questionable, considering that it is quite easy to circumvent the technical restrictions implemented by the ISPs by simply altering DNS servers or by changing the website’s domain, users who are not aware of this are actually prevented from accessing the content of blocked websites.

More gravely, it seems that having a website, regardless of the legal nature of its content, is sufficient to be exposed to such mistakes. And the economic consequences can be quite worrisome for the website, considering that an unjustified blocking deprives platforms of access to their customers for an undefined period of time. In fact, in the Carbon Games case, it took up to two months (!!) to correct the error.

From the reading of the protocol, I honestly fail to see how the owner of a website, facing an unfounded blocking order, is expected to react and speedily regain control of its full functioning. Of course there are proper judicial means such as filing for an injunction. Nevertheless, considering that all this implemented ‘administrative’ procedure disregards any judicial assessment, it seems counterproductive to only foresee such judicial intervention when it is needed to react to unfounded orders.

It is evident that creativity should be rewarded and incentivized through a great protection and enforcement of IP rights. However, it has been made evident that, without proper legal and judicial oversight, access to legitimate content can be unjustifiably restricted. And while the e-Commerce Directive already includes procedures for removing illegal content, considering this whole experience, this specific solution does not seem to be the right path.

The dangers of certain apps or how to put your whole life out there

Finding love, one data breach at a time.


One of my past flatmates was actively looking for love online. Besides having registered on several websites to that end, I remember he also had several mobile applications (apps) installed on his smartphone. I think he actually subscribed to pretty much anything that even remotely could help him find love, but singled out Tinder as his main dating tool.

Another of my closest friends is a jogging addict – shout out P. He has installed on his smartphone various apps which let him know how many steps he has taken on a particular day, the route taken, and his heart rate via an external device, which enables him to monitor his progress.

What do both of my friends have in common? Well, they actually use mobile apps to cover very specific necessities. And in this regard they are like almost anybody else.

Indeed, it is difficult to escape apps nowadays. Now that everyone (except for my aunt) seems to have a smartphone, apps are increasingly popular for the most diversified purposes. For my prior flatmate it was all about dating. For my friend, it is to keep track of his running progress. But their potential does not end there. From receiving and sending messages, using maps and navigation services, receiving news updates, playing games, dating or just checking the weather… You name a necessity or convenience, and there is an app for it.

On the downside, using apps usually requires providing more or less personal information for the specific intended purpose. This has become so usual that most consider it a natural step, without giving it further consideration.

In fact, a detail that most seem to be unaware of is that apps allow for a massive collection and processing of personal – and sometimes sensitive – data. The nature and the amount of personal data accessed and collected raise serious privacy and data protection concerns.

For instance, in the case of my abovementioned flatmate, who was registered on several similar apps, and considering that he did not create fake accounts nor provide false information, each of them collected at least his name, age, gender, profession, location (making it possible to presume where he worked, lived and spent time), sexual orientation, what he looks like (if he added a picture to his profiles), the frequency of his accesses to the app, and eventually the success of his online dating life.

In fact, in Tinder’s own words:

Information we collect about you

In General. We may collect information that can identify you such as your name and email address (“personal information”) and other information that does not identify you. We may collect this information through a website or a mobile application. By using the Service, you are authorizing us to gather, parse and retain data related to the provision of the Service. When you provide personal information through our Service, the information may be sent to servers located in the United States and countries around the world.
Information you provide. In order to register as a user with Tinder, you will be asked to sign in using your Facebook login. If you do so, you authorize us to access certain Facebook account information, such as your public Facebook profile (consistent with your privacy settings in Facebook), your email address, interests, likes, gender, birthday, education history, relationship interests, current city, photos, personal description, friend list, and information about and photos of your Facebook friends who might be common Facebook friends with other Tinder users. You will also be asked to allow Tinder to collect your location information from your device when you download or use the Service. In addition, we may collect and store any personal information you provide while using our Service or in some other manner. This may include identifying information, such as your name, address, email address and telephone number, and, if you transact business with us, financial information. You may also provide us photos, a personal description and information about your gender and preferences for recommendations, such as search distance, age range and gender. If you chat with other Tinder users, you provide us the content of your chats, and if you contact us with a customer service or other inquiry, you provide us with the content of that communication.

Considering that Tinder makes available a catalogue of profiles of geographically nearby members, among which one can swipe right or left according to one’s personal preferences, with adequate analysis it is even possible to define what type of persons (according to age, body type, hair colour) users find most attractive.

And because Tinder actually depends on having a Facebook profile, I guess that Facebook also becomes aware of the average climate of your romantic life. Especially if you start adding and interacting with your new friends on that platform and, why not, changing your status accordingly.

In the specific case of Tinder, as it requires a certain amount of Facebook information in order to function properly, these correlations are much easier for this app.

That said, a sweep conducted by 26 privacy and data protection authorities from around the world on more than 1,000 diversified apps, including Apple and Android apps, free and paid apps, public sector and private sector apps, and ranging from games and health/fitness apps to news and banking apps, has made it possible to outline the main concerns at stake.

One of the issues specifically pointed out referred to the information provided to the users/data subjects, as it was concluded that many apps did not have a privacy policy. Therefore, in those cases, users were not properly informed – and therefore aware – about the collection, use, or further disclosure of the personal information provided.

It is a fact that most of us do not read the terms and conditions made available. And most will subscribe to pretty much any service they are willing to use, regardless of what those terms and conditions actually state.

Nevertheless, a relevant issue in this regard is the excessive amount of data collected considering the purposes for which the information is provided, or how it is sneakily collected. For instance, even gambling apps, such as solitaire, which seem far more innocuous, hide unknown risks, as many contain code enabling access to the user’s information or to his contacts list, and even allow the user’s browsing activities to be tracked.

This is particularly worrisome when sensitive data, such as health information, is at stake. This kind of data is easily collected through fitness orientated apps, which are quite in vogue nowadays. Besides any additional personally identifiable information which you will eventually provide upon creating an account, among the elements which most certainly are collected one can find: name or user name, date of birth, current weight, target weight, height, gender, workout frequency, workout settings, workout duration and heart rate. Also, if you train outdoors, geo-location will most certainly make it possible to determine the whereabouts of your exercising, from the departure to the arrival points, which will most probably coincide with your home address or its vicinity.

And, if you are particularly proud of your running or cycling results, and are willing to show off to all your friends what good shape you are actually in, there is a chance that you can connect the app to your Facebook and display that information in your profile, subsequently enabling Facebook to access the same logged information.

And things actually get worse when considering that, as demonstrated by recent data breaches, it seems that the information provided by their users is not even adequately protected.

For instance, and if I remember correctly, due to a security vulnerability in Tinder – that apparently has been already fixed – it seemed that there was a time when the location data, such as longitude and latitude coordinates, of users were actually easily accessible. Which is actually quite creepy and dangerous, as it would facilitate stalking and harassment in real life, which is as bad as when it happens online.

Anyway, it is actually very easy to forget the amount of data we provide apps with. However, the correlations that can be made, the conclusions which can be inferred and the patterns that can be assessed amount to sharing more information than we first realise, and enable a far more detailed profile of ourselves than most of us would feel comfortable with others knowing.

The limits of government surveillance according to the ECtHR

Limits? What do you mean by 'limits'?


In two very recent judgements, the European Court of Human Rights (hereafter ECtHR) has made several essential points regarding surveillance conducted by public authorities and its relation with Article 8 of the European Convention on Human Rights (hereafter ECHR).

Article 8 provides that governmental interference with the right to privacy must meet two criteria: the interference must be conducted “in accordance with the law” and must be “necessary in a democratic society”. Such interference must aim to achieve the protection of the “interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.

In previous cases regarding surveillance conducted by public authorities, the ECtHR had already concluded that any interference with the right to respect for private life and correspondence, as enshrined in Article 8 of the ECHR, must be strictly necessary for safeguarding the democratic institutions. However, it has now further clarified its interpretation.

In these recent decisions, the ECtHR concluded that the secret surveillance, as carried out in the manner described in the facts of the cases, violated Article 8 of the Convention.

The Roman Zakharov v. Russia decision, issued on the 4th December 2015, concerned the allegations of the editor in chief of a publishing company that laws enabling the installation by three mobile network operators of equipment which permitted the Federal Security Service (“the FSB”) to intercept all his telephone communications, without prior judicial authorisation, interfered with his right to the privacy of his telephone communications.

The Court considered that “a reasonable suspicion against the person concerned, in particular, whether there are factual indications for suspecting that person of planning, committing or having committed criminal acts or other acts that may give rise to secret surveillance measures, such as, for example, acts endangering national security” must be verified and the interception shall meet the requirements of necessity and proportionality.

The Szabó and Vissy v. Hungary decision, issued on the 12th January 2016, concerned the allegations of members of a non-governmental organisation voicing criticism of the Government, who claimed that the legislation enabling police to search houses, postal mail, and electronic communications and devices, without judicial authorization, for national security purposes, violated the right to respect for private life and correspondence.

The Court considered that: “the requirement ‘necessary in a democratic society’ must be interpreted in this context as requiring ‘strict necessity’ in two aspects. A measure of secret surveillance can be found as being in compliance with the Convention only if it is strictly necessary, as a general consideration, for the safeguarding the democratic institutions and, moreover, if it is strictly necessary, as a particular consideration, for the obtaining of vital intelligence in an individual operation. In the Court’s view, any measure of secret surveillance which does not correspond to these criteria will be prone to abuse by the authorities with formidable technologies at their disposal.” Consequently, it must be assessed if “sufficient reasons for intercepting a specific individual’s communications exist in each case”.

In both cases, by requiring surveillance activities to be individually targeted, the ECtHR has established that any indiscriminate interception is unacceptable. This is a most welcome position considering the well-known legislative instruments and initiatives intended to strengthen the legitimacy of massive monitoring programs in many EU Member States.

Practical difficulties of the GDPR – the ‘right to be forgotten’ applied to online social platforms

Of all the legal challenges that the GDPR will present for businesses in general, I would like to address in this post the issues raised by its implementation with regard to social network platforms, which are quite popular nowadays.

Article 17 of the GDPR establishes the ‘right to erasure’ or the right to be forgotten, as it has come to be referred to, which provides data subjects with the right to require from data controllers the erasure of their personal data held by the latter, and the consequent obligation of the controller to comply with that request, without undue delay, when certain conditions are fulfilled.

Considering that infringing the ‘right to erasure’ may lead to the application of significant economic sanctions, there is the risk that social platforms will be tempted to adopt a preventive approach by complying with all the deletion requests, regardless of their validity, thus erasing content on unfounded grounds. This is particularly worrisome because it may directly lead to the suppression of free speech online. Consequently, online businesses are not and should not be deemed competent to make any assessment of the legitimacy of such claims, a point that I have already tried to make here.

While it seems that a notice and take down mechanism is envisaged without much detail being provided regarding its practical enforceability, a particular issue in this context is the one related to the entities on which such obligation falls. Indeed, the obligation to implement the ‘right to be forgotten’ can only be required from those who qualify as data controllers.

As data controllers are defined as the entities who determine the purposes and means of the processing of personal data, it is not clear if online social platform providers can be defined as such.

Considering the well-known Google Spain case, it is at least certain that search engines are deemed to be controllers in this regard. As you may certainly remember, the CJEU ruled that individuals, provided that certain prerequisites are met, have the right to require search engines, such as Google, to remove certain results about them presented following a search based on a person’s name.

That said, it is questionable if hosting platforms and online social networks focused on user generated content, as is the case of Facebook, qualify as such, considering that the data processed depends on the actions of the users who upload the relevant information. Therefore, the users themselves qualify as controllers. The language of Recital 15 of the GDPR about social networking is inconclusive in this regard.

The abovementioned Recital provides as follows:

This Regulation should not apply to processing of personal data by a natural person in the course of a purely personal or household activity and thus without a connection with a professional or commercial activity. Personal and household activities could include correspondence and the holding of addresses, or social networking and on-line activity undertaken within the context of such personal and household activities. However, this Regulation should apply to controllers or processors which provide the means for processing personal data for such personal or household activities.

This is not an irrelevant issue, though. In practice, it will amount to enabling someone to require and effectively compel Twitter or Facebook to delete the information about her/him despite it being provided by others.

And considering that any legal instrument is proportionally as efficient in practice as it is capable of being enforced, the definition of who is covered and ought to comply with it is unquestionably a paramount element.

As I remember reading elsewhere – I fail to remember where, unfortunately – one wondered if the intermediary liability as foreseen in the e-Commerce Directive would be an appropriate mechanism for the enforcement of the right to erasure/right to be forgotten.

Articles 12-14 of the e-Commerce Directive indeed exempt information society services from liability under specific circumstances, namely when they act as a ‘mere conduit’ of information, or engage in ‘caching’ (the automatic, intermediate and temporary storage of information), or when ‘hosting’ (i.e., storing information at the request of a recipient of the service).

Article 15 establishes that online intermediaries are under no general duty to monitor or actively seek facts indicating illegal activity on their websites.

Taking into account the general liability of online intermediaries foreseen in the E-commerce Directive (Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market), a particular distinction will perhaps apply according to the level of ‘activity’ or ‘passivity’ of the platforms in the management of the content provided by their users.

However, this liability does not fully clarify the extent of the erasure obligation. Will it be proportionate to the degree of ‘activity’ or ‘passivity’ of the service provider regarding the content?

Moreover, it is not clear how both regimes can be applied simultaneously. While the GDPR does not refer to any notice and take down mechanism and expressly states that its application is without prejudice to the e-Commerce Directive liability rules, the fact is that the GDPR only establishes the ‘duty of erasure’ for controllers. As the intermediary liability rules require accountability for the activities of third parties, this is a requirement not easy to overcome.

All things considered, the long-awaited GDPR hasn’t entered into force yet, but I already cannot wait for the next chapters.

The EU copyright law reform – the end of the Internet as we know it?

All means ALL! Even the ones we will think about in the future.


One would optimistically think that certain ideas are so unrealistic that no one would ever think about them, let alone dare express them. However, and contrary to one’s best hopes, as is becoming more and more usual in the field of protection of IP rights, it seems that there are no limits to the manifestation of the most unbelievable ideas.

Which brings us to copyright, i.e., precisely, the protection conferred upon the expression of ideas and in relation to which the most ludicrous ideas have been expressed.

A recent communication of the EU Commission on copyright reform, entitled ‘Towards a modern, more European copyright framework’ does not bring good tidings.

Apparently it is a welcome document, as it aims to address the current lack of harmonization of the copyright laws in the EU. Indeed, it is unquestionable that the current EU copyright legislation requires an update. For instance, the InfoSoc Directive (Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society) was intended to address a reality prior to the existence of Twitter, YouTube and Facebook. Consequently, adapting the EU copyright rules to the new online realities is of paramount importance.

However, alongside some seemingly positive approaches of the intended reform, and while the document does not expressly state the necessity of conferring copyright protection on the use of snippets in acts of linking, the reference to ‘rights of communication to the public’ and of ‘making available’ leaves the door open to such an interpretation.

So that you can understand why this expression is relevant, Article 3 of Directive 2001/29 provides as follows:

Member States shall provide authors with the exclusive right to authorise or prohibit any communication to the public of their works, by wire or wireless means, including the making available to the public of their works in such a way that members of the public may access them from a place and at a time individually chosen by them.

Copyright holders therefore have the exclusive right over their works and are thus entitled to authorise or prohibit, with certain exceptions and limitations, the making and distribution of copies as well as communication to the public.

The scope of the concepts of “communication to the public” and of “making available” therefore determines what constitutes an act on the internet over which creators and related industries can claim copyright and, consequently, negotiate licences and be remunerated.

In the EU Commission’s own words:

The Commission is reflecting and consulting on the different factors around the sharing of the value created by new forms of online distribution of copyright-protected works among the various market players. The Commission will consider measures in this area by spring 2016. The objective will be to ensure that the players that contribute to generating such value have the ability to fully ascertain their rights, thus contributing to a fair allocation of this value and to the adequate remuneration of copyright-protected content for online uses.

In this context, the Commission will examine whether action is needed on the definition of the rights of ‘communication to the public’ and of ‘making available’. It will also consider whether any action specific to news aggregators is needed, including intervening on rights.

It further states that:

Rights that cannot be effectively enforced have little economic value, particularly when infringements occur on a commercial scale that free-rides on the work and investment of creators, the creative industries and legal distribution services.

This explicit reference to new regulation for news aggregators can be interpreted – and most probably is – as an intention to proceed to an ancillary copyright law.

Indeed, the copyright laws directed to news aggregators – which unquestionably led to restrictions on linking – as adopted in certain Member States (Spain and Germany, I presume) are cited as failures which carry the risk of more fragmentation in the digital single market.

That said, in a fact sheet, the EU Commission has clarified that it does not intend to tax links:

We have no intention to ask people to pay for copyright when they simply share a hyperlink to content protected by copyright. Europeans share and post hyperlinks every day and they should remain free to do so.

The Commission will look at the activities of different types of intermediaries in relation to copyright-protected content. This is a different issue.

News aggregators, for example, are not only using hyperlinks but also extracts of articles and may gain revenue doing so.

Different solutions related to news aggregators, both legislative and market-led, are being tested at national level. We are closely looking into them and are analysing whether they deliver on their objectives.

So the use of snippets by news aggregators appears to be the cornerstone of the issue. Unfortunately, it does not come as a surprise. In fact, it sounds quite familiar. Lurid ideas such as this one have been expressed – and protected too – through legislative means in some Member States, as I already addressed here.

More worryingly, they are motivated by the pressure of publishers who seem unable to get over the fact that their content is promoted for free elsewhere than on their websites and want to be compensated for the decrease in sales. Allegedly because others make money out of it. If doubts remain, the EU Commission confirms that it will adopt a ‘follow the money’ approach, which seems to confirm that the aim is to force search engines and news portals to pay publishing companies for linking to their content.

This seems to contradict the spirit of the Svensson ruling. The case involved a website providing its clients, according to their needs, with lists of clickable Internet links to articles published by other websites, in which the copyright holders alleged that their exclusive right to make their respective works available to the public had been infringed by the services provided.

In that context, the CJEU clarified some issues regarding the relation between linking and copyright in the information society, ruling as follows:

1. Article 3(1) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, must be interpreted as meaning that the provision on a website of clickable links to works freely available on another website does not constitute an ‘act of communication to the public’, as referred to in that provision.

Particularly relevant in this regard was the fact that it was interpreted that the communication at stake (making available the works concerned by means of a clickable link), despite concerning the same works as those covered by the initial communication and by the same technical means (the Internet) was not directed to a new public, meaning “a public that was not taken into account by the copyright holders when they authorized the initial communication to the public”. Consequently, such acts were deemed as not requiring the authorization of the copyright holders.

This conclusion is not altered by the circumstance that “when Internet users click on the link at issue, the work appears in such a way as to give the impression that it is appearing on the site on which that link is found, whereas in fact that work comes from another site”.

However, the Court outlined that

where a clickable link makes it possible for users of the site on which that link appears to circumvent restrictions put in place by the site on which the protected work appears in order to restrict public access to that work to the latter site’s subscribers only, and the link accordingly constitutes an intervention without which those users would not be able to access the works transmitted, all those users must be deemed to be a new public, which was not taken into account by the copyright holders when they authorised the initial communication, and accordingly the holders’ authorisation is required for such a communication to the public. This is the case, in particular, where the work is no longer available to the public on the site on which it was initially communicated or where it is henceforth available on that site only to a restricted public, while being accessible on another Internet site without the copyright holders’ authorisation.

The ruling left many questions unanswered. Therefore the intention would not be a bad thing if it addressed the relevant unattended points and if the wrong interests did not dictate the initiative. In this context it seems that the lobby pressures are stronger than the European Parliament’s express opposition on the matter.

On the bright side, it seems that the copyright protection for links in general, which would affect end users and, ultimately the very basic premise of the Internet as we know it, characterized by the open and free communication, by the unlimited sharing of information and opinions, has been put aside.

However, the utility of a link without a short extract from the linked webpage is questionable. Such extracts are common usage on the Internet. From a practical viewpoint, if the intention actually proceeds, the immediate consequence would be that, as explicit permission from the copyright holder would be required for that purpose, any Internet user linking to freely available content for commercial purposes could be held liable for primary copyright infringement if using those snippets. As the commercial reuse or retransmission of copyright-protected content appears to be the main motivator, and considering the rise of new forms of business online, such as blogs depending on publicity, it is reasonable to fear that pretty much everyone can be affected.

Furthermore, if the system of exceptions allowing for copyright-protected works to be used, in defined circumstances, without prior authorisation from the rights holders, does not ensure the proper protection in this context, the outcome will be disastrous beyond imagination.

That said, the whole raison d’être of copyright laws – to produce an incentive to creativity – is completely going amiss, considering that their protection is conceded solely to protect businesses that refuse or are just unable to adapt their strategies to the fast-changing online reality.

Monitoring of employees in the workplace: the not so private parts of a job in the EU private sector

Monitoring you? Us? (Copyright by MrChrome under the CC-BY-3.0)

In a case referring to the employees’ rights to the privacy of their correspondence and communications, the European Court of Human Rights (hereafter ECtHR) has ruled that employers are entitled to monitor their employees’ private online communications conducted through means of a messaging account provided for professional purposes.

The details of the case are as follows: the employment contract of a Romanian engineer was terminated by his employer, back in 2007, after the company he worked for found out that he was using messaging services, such as Yahoo Messenger, to conduct personal contacts, namely with his brother and fiancée. The account was created, at the employer’s request, strictly for professional purposes and personal use was specifically forbidden by the company policy, of which the employee was made aware. The internal regulation established, inter alia, that “it is strictly forbidden to disturb order and discipline within the company’s premises and especially … to use computers, photocopiers, telephones, telex and fax machines for personal purposes.”

While the company considered that the employee had breached the company rules by using the service for personal purposes, and thus that the termination of the employment contract was justified, the employee argued that the termination decision was illegal because it was founded on a violation of his rights to respect for his private life and correspondence.

Among the pertinent legal instruments deemed applicable and referred to by the ECtHR are, obviously, the European Convention on Human Rights (hereafter ECHR), Directive 95/46/EC and the Art.29WP “Working document on the surveillance and the monitoring of electronic communications in the workplace”, which I have also addressed here, regarding the issue of the monitoring of employees.

The core issue at stake was whether, considering the factual context described, the employee could have had a reasonable expectation of privacy when communicating from the Yahoo Messenger account that he had registered at his employer’s request and considering that the employer’s internal regulations, of which he was aware, strictly prohibited employees from using the company’s computers and resources for personal purposes.

Taking into consideration that the use of messaging was allowed solely for professional purposes, the Court deemed that it was not “unreasonable that an employer would want to verify that employees were completing their professional tasks during working hours.” (par. 59)

In this regard, it considered that “the employer acted within its disciplinary powers since, as the domestic courts found, it had accessed the Yahoo Messenger account on the assumption that the information in question had been related to professional activities and that such access had therefore been legitimate. The court sees no reason to question these findings.” Particularly relevant to the formation of that assumption was the fact that the employee had initially claimed that he had used the messaging account to advise the company’s clients. (par. 57)

Therefore, despite concluding that an interference with the applicant’s right to respect for private life and correspondence within the meaning of Article 8 of the ECHR indeed occurred, the ECtHR concluded that there has been no violation of such rights, because “the employer’s monitoring was limited in scope and proportionate”.

The claim that the employee’s right to privacy and the confidentiality of his correspondence had been violated was therefore dismissed.

This ruling is in line with that respecting the Benediktsdóttir v. Iceland case, in which the ECtHR concluded that the right to privacy and to correspondence has to be balanced with the other rights, namely those of the employer.

However, the dissenting opinion of Judge Pinto de Albuquerque deserves particular mention. Particularly based on the very personal and sensitive nature of the employee’s communications, the non-existence of an Internet surveillance policy, duly implemented and enforced by the employer, and the general character of the prior notice given to employees regarding the monitoring conducted on the communications, it leads one to wonder if the assessment regarding the respect of the necessity and proportionality principles could have been as straightforward as it first seemed. Namely considering that the employer also accessed the employee’s own personal account.

That said, the specific details of the case should not be overlooked and rushed or generalized conclusions should be avoided.

As pointed out by Pinto de Albuquerque, in the absence of a prior notice from the employer that communications are being monitored, the employee has a reasonable expectation of privacy. Moreover, the complete prohibition of the use of the Internet by employees for personal purposes is inadmissible. Furthermore, the practice of complete, automatic and continuous monitoring of Internet usage by employees is also forbidden.

The fact that the employee was adequately informed of the internal regulations imposing restrictions upon the use of the messaging service for personal purposes and that the employer had accessed the communications in the belief of their professional nature are paramount elements in this context. In no way must this ruling be interpreted as a general faculty of employers to monitor or snoop on their employees’ private communications.

Indeed, as clearly put by the Art.29WP in the above mentioned document, the simple fact that monitoring or surveillance conveniently serves an employer’s interest could not justify an intrusion into workers’ privacy.

In fact, as outlined by the judge Pinto de Albuquerque in his dissenting opinion: “if the employer’s internet monitoring breaches the internal data protection policy or the relevant law or collective agreement, it may entitle the employee to terminate his or her employment and claim constructive dismissal, in addition to pecuniary and non-pecuniary damages.”

Therefore, employers should take special care in providing appropriate information regarding the use that employees are allowed to make of the company’s communication means, namely for personal purposes. Moreover, employers intending to monitor their employees’ activities should implement a proper and clear monitoring policy, restricted to what is necessary and proportionate to their interests and goals. It is of paramount importance that employees are able to understand the nature, scope and effects of the monitoring, namely how their communications are controlled, what content is accessed, how it is analysed and what information is recorded and kept and for what purposes. In this context, data protection rules fully apply, namely conferring on employees the rights to access all the information held about them and to obtain a copy of such records.

And to completely prevent unpleasant surprises, a word of advice to employees: do not rely on your employer’s good judgement. Avoid altogether using means provided to you for professional purposes to conduct private activities or communications.


Foolish patents or the inventive step of idiocy

It is very frustrating that the rationale of a legal mechanism such as patents, intended to enable inventors to recover the investment of time and of financial resources that they have put into the development of new and non-obvious inventions, and therefore to promote innovation, has been subverted for the monetary compensations it entails when infringement occurs.

Patents confer an exclusive right upon their owner, enabling him to exclude others from making, using, importing, and selling the patented innovation for a limited period of time and making the practice of those acts by third parties dependent on an authorization of the patent owner, i.e., a license.

In this context, patents are intrinsically linked to competition. A particular concern is to not attribute such an exclusive right to creations that do not amount to an invention, i.e., based upon a basic or common function which does not contain any inventive step considering the prior art. Indeed, patenting something that is elementarily required to produce a given functionality would amount to conferring to the right owner a monopoly that would prevent any further competition and, consequently, future innovation.

In the computer software context, considering that most patents are conferred for very restricted elements of a given product, a particular danger is the development of patent thickets, which can be described as a web of interdependent and overlapping IP rights which require new inventions to depend upon licensing from different patent owners. This is so because it is possible to own a patent on an element crucial for the proper functioning of other parts of a software product.

Understandably, patent trolls can find here the greatest of motivations.

It is important to distinguish, in this context, design patents and utility patents, with which most of us are more familiar.

Utility patents are meant for new, non-obvious and, as their name might have you guessing, useful inventions, taking into consideration the specific functionality of the product.

By contrast, design patents address new, non-obvious, non-functional, aesthetic or ornamental aspects of products, provided that the design is not exclusively mandated by the function of the product. In practice, this amounts to demonstrating that alternative designs enabling the same function exist. Therefore, these patents are often associated with the ‘look and feel’ of the product.

As with any other patent, the exclusive right conferred by design patents aims to prevent competitors from copying another company’s product designs. Hence, these patents assume particular importance when a product presents key features which enable consumers to immediately associate a design with a particular brand.

Design patents have been particularly popular in the field of computer software, namely in regards of the user experience and user-interfaces. From what I have had the chance to learn last trimester in the respective module of the post-grad program I am currently undertaking, I would risk saying that computer software patents do not really need any more complexities added to them. In fact, I am still recovering from the European Patent Office’s case law regarding what constitutes the proper technical character of an invention.

That said, a design patent was at stake, among other claims, in the Apple v. Samsung case regarding the ‘slide-to-unlock’ patent, describing a way to unlock a touch screen device. I still fail to comprehend how taking the general existing logic of opening gates, doors or fences and applying it to a computerized device passes the assessment of the inventive step test.

Similarly, just recently, among other allegations, Microsoft claimed that its patent over the design of a slider, which it named “User Interface for a Portion of a Display Screen” and which allows users to zoom in or out of documents, has been infringed by Corel.

Just so you get a complete idea of the claim, you can find below the design at stake:

Microsoft slider.

In its defence, it must be noted that the patent claim does not refer to a generic slide, but to the specific design of the slider and its placement in the bottom right corner of the User Interface.

Setting aside the question of whether the design at stake qualifies as a new and non-obvious version of existing designs (i.e., prior art), such a claim – if successful – might have serious economic repercussions for Corel, as it will entitle Microsoft to all of the profits attributed to that design even if it concerns only a part of the product and not the entire product.

Nevertheless, the Electronic Frontier Foundation (EFF) has qualified this claim as the most stupid patent of December 2015. And despite any good will one might want to manifest in favour of Microsoft, it is indeed difficult to escape the obviousness of all this nonsense.

When the information asked from job applicants is simply too much…

We also need your credit card info, body size and a blood sample just for the application. (Copyright by Kathryn Decker under the Creative Commons – Attribution 2.0 Generic)

I am currently looking for new professional opportunities and, in my quest, I have faced some very peculiar data collection policies in the context of some recruitment processes.

From being required to provide my full name, my ID number, my social security number, my complete address as mandatory information to be provided to apply for a certain job or to file a spontaneous application… I have pretty much been asked everything. At this point, I wouldn’t be surprised anymore to be asked for my bank account, my blood type or my electoral number, which are just as useless for such a purpose.

And when this comes from big companies which actually ought to know better and have data protection policies implemented, it is all the more astonishing!

Perhaps this may come as a surprise for some, as I am prone to conclude considering my recent experiences, but when personal data is collected as part of a recruitment process, the Data Protection rules do apply.

With regard to the balance which ought to be struck between a potential employer’s need for information in order to select among applications and the applicants’ right to respect for their private life, I think that it is pretty straightforward that requiring the abovementioned elements is pointless and disproportionate in a recruitment process.

In fact, it amounts to collecting from job applicants information that is only necessary if you are going to eventually appoint a specific applicant as an employee. Which only happens at a later stage.

Besides being annoying to be required to mandatorily provide pointless personal information to a recruiter from whom one might never hear again, it is actually a breach of data protection rules to collect irrelevant or excessive information.

Taking this into consideration, if you collect such unnecessary information in the context of recruitment processes and if you have received my application, you should seriously consider calling me for an interview. :o)

 


© 2017 The Public Privacy
