
Cyber Law

Module Guide Jordan Woodley

University of Hertfordshire

School of Law

CYBERLAW MODULE GUIDE 2010/11 (USE THIS ONE)

1 Module Code: 6LAW0049

2 Title of Module: Full: Cyberlaw; Short: Cyberlaw

3 Version: 1

4 Credit Points: 30

5 Level: 3

6 Law School

Module leader: Maureen Johnson; Room A31; Tel (01707) 286268, e-mail m.c.1.johnson@herts.ac.uk
Other contributing staff: Kevin Rogers; Room A61; Tel (01707) 286212, e-mail k.rogers@herts.ac.uk
Law School Office: Room 10; Tel (01707) 286200.

7 Module Aims

The aims of this module are to enable students to:
- gain a knowledge and understanding of a) the legal implications of the use of computer technology for criminal purposes, and b) the types, scale and nature of computer crimes.
- gain a knowledge and understanding of the generic problems associated with the prevention, detection and prosecution of computer crime.
- be stimulated into adopting an enquiring and critical appreciation of the law.
- develop a range of skills, including transferable intellectual skills and key skills.

8 Learning Outcomes: Knowledge and Understanding

Successful students will typically:
- demonstrate an up-to-date and in-depth knowledge of issues relating to Cyberlaw (ASL2, ASL3).
- demonstrate ability to apply knowledge to problem/essay style questions (ASL4).

9 Learning Outcomes: Skills and Attributes

Successful students will typically:
- demonstrate ability to evaluate and make a critical judgement of the merits of a particular viewpoint, as well as to make and present a reasoned choice between alternative solutions (GTS4).
- demonstrate ability to inter-relate topics studied (GTS5).
- demonstrate ability to present knowledge or a complex argument in written form in a way which is comprehensible to others (KS7).

10 List of Key Words for Skills Development: Problem solving, critical evaluation, synthesis.

Undergraduate Programme 2010/11


11 Module Content

The course will examine the international jurisdictional and choice of law aspects related to contracts, torts and crimes created or perpetrated in cyberspace. Substantively the course examines e-contracts; the conclusion of such contracts, the incorporation of terms and regulatory provisions affecting those contracts. Closely related is an overview of cryptography and electronic signatures. The course also looks at e-privacy issues including data security, commercial communications (including spam) and defamation. Issues of cyber governance are noted. There is an examination of intellectual property issues related to cyber-structure and content. The course also includes an examination of fraud, hacking and related offences under the Computer Misuse Act 1990 including cyber-pornography.

12 Assessment Details: Coursework: 40%; Exam: 60%

Students are required to complete one 3000 word piece of coursework (10 pages of the standard template) for 40% of the final mark of the module. This will require an element of independent study and require students to synthesise and inter-relate and evaluate Cyberlaw concepts. The coursework will be released on StudyNet on. A written, closed book examination counts for the remaining 60% of the final mark for the module. The examination is 3 hours in duration. Students are required to answer 4 questions out of 8.

13 Assignment Details:

14 Location/Campus: School of Law St. Albans Campus.

15 Semester/s Module will run: Semester A/B

16 Pre and CoRequisites and prohibited Modules: None

17 Reading and other Resources

The following book is recommended for purchase:

Andrew Murray: Information Technology Law: The Law and Society, Oxford University Press

The following books are ones that students may use for additional reading, whether directed to it or of their own accord:
Lloyd, I: Information Technology Law (2008) 5th Edition, Oxford University Press.
Hedley: The Law of Electronic Commerce and the Internet in the UK and Ireland, Cavendish Publishing.
Wild, Weinstein and MacEwan: Internet Law, Old Bailey Press.
Furnell: Cybercrime (1st Edition) Addison Wesley.
Reed and Angel: Computer Law (5th Edition) Blackstone Press.
Akdeniz, Walker and Wall: The Internet, Law and Society (1st Edition) Longman.


Lloyd: Legal Aspects of the Information Society (1st Edition) Butterworths.
Rowland and Macdonald: Information Technology Law (2nd Edition) Cavendish.
Criminal Law Review Special Edition: Crime, Criminal Justice and the Internet (Sweet & Maxwell) 1998.

The following is a list of Law Reports, Journals and Government Reports etc. to which students will be referred at times during the course:

Law Reports
Masons Computer Law Reports
All England Reports
Weekly Law Reports
Appeal Cases Reports
World Internet Law Reports

Journals
The Computer Bulletin (British Computer Society)
Computing
InternetNews
Computers and the Law
International Journal of Law and IT
Information and Communications Technology Law
Journal of Information, Law and Technology
Internet Lawyer

Government etc. Reports
Law Commission: Computer Misuse (1988) Working Paper 110.
Scottish Law Commission: Report on Computer Crime (1987) No. 106.
Law Commission Report No. 186, Computer Misuse (Cm 819), HMSO, 1989.
National Audit Office Study: IT Security in Government Departments, HMSO 1995.
UK Audit Commission Survey of 1991.
UK Audit Commission 1998: Ghost in the Machine: An analysis of IT Fraud and Abuse.
Computer-Related Criminality (report by the European Committee on Crime Problems, Strasbourg, 1990).
European Convention on Cybercrime (2001).


18 Weekly Programme/Timetable

CYBERLAW LECTURE AND SEMINAR PROGRAMME 2009/10

SEMESTER A
Week 1 (04/10/10): Lecture 1: Introduction to Cyberlaw; NO seminar
Week 2 (11/10/10): Lecture 2: Internet Governance: Who cares?; Seminar 1: Introduction to Cyberlaw
Week 3 (18/10/10): Lecture 3: Online Pornography; Seminar 2: Internet Governance: Who cares?
Week 4 (25/10/10): Lecture 4: Indecent images of children; Seminar 3: Online Pornography
Week 5 (01/11/10): Lecture 5: Online harassment and grooming; Seminar 4: Indecent images of children
Week 6 (08/11/10): Lecture 6: Privacy and Data Protection 1; Seminar 5: Online harassment and grooming
Week 7 (15/11/10): Lecture 7: Privacy and Data Protection 2; Seminar 6: Privacy and Data Protection 1
Week 8 (22/11/10): Lecture 8: Web 2.0; Seminar 7: Privacy and Data Protection 2
Week 9 (29/11/10): Lecture 9: Defamation; Seminar 8: Web 2.0
Week 10 (06/12/10): Lecture 10: Online marketing; Seminar 9: Defamation
Week 11 (13/12/10): Lecture 11: Cookies; Seminar 10: Online marketing

AUTUMN TERM ENDS FRIDAY 17th DECEMBER 2010
SPRING TERM BEGINS MONDAY 24th JANUARY 2011

Week 12 (24/01/11): Lecture 12: Summary Lecture; Seminar 11: Cookies

COURSEWORK AVAILABLE ON STUDYNET

Week beg 31/01/11: Inter-Semester Gap/Semester A Examination Week. No lectures or seminars
Week beg 07/02/11: Blended learning/Managed Learning Week. Details to follow


SEMESTER B
Week 13 (14/02/11): Lecture 13: Online Contracting; Seminar 12: Summary
Week 14 (21/02/11): Lecture 14: Incorporation of Contractual Terms; Seminar 13: Online Contracting
Week 15 (28/02/11): Lecture 15: Distance Selling; Seminar 14: Incorporation of Contractual Terms
Week 16 (07/03/11): Lecture 16: E-money, payments and systems; Seminar 15: Distance Selling
Week 17 (14/03/11): Lecture 17: Fraud: Initial Problems; Seminar 16: E-money, payments and systems
Week 18 (21/03/11): Lecture 18: The Fraud Act 2006 & Governmental Policy; Seminar 17: Fraud: Initial problems

COURSEWORK HAND IN DATE 12.30 PM 21/03/11

Week 19 (28/03/11): Lecture 19: Hacking; Seminar 18: The Fraud Act 2006 & Governmental Policy
Week 20 (04/04/11): Lecture 20: Unauthorised Acts; Seminar 19: Hacking
Week 21 (11/04/11): Lecture 21: Revision Session 1; Seminar 20: Unauthorised Acts

EASTER HOLIDAY FRIDAY 8th APRIL 2011 TO MONDAY 26th APRIL 2011 INCLUSIVE

Week 22 (18/04/11): Lecture 22: Revision Session 2; Seminar 21: Revision Session 1
Week 23 (25/04/11): Seminar 22: Revision Session 2

EXAMINATION PERIOD 03/05/2011 to 27/05/2011 (Referred/deferred examinations: 20/06/2011 to 01/07/2011)

The module is delivered through lectures and seminars, one hour each per week. This booklet provides the lecture and seminar programme with some lecture notes to aid students. You are expected to attend seminars having prepared the questions for that seminar.


LECTURE ONE
INTRODUCTION TO CYBERLAW

Required Reading:
Andrew Murray, chapter three.
Bainbridge, D: Introduction to Information Technology Law (6th Edition) Pearson Longman, 2007, pages 1-5. (You may also find it useful to review the glossary at the beginning of this book, which provides definitions for some key terms).
George, C & Scerri, J: Web 2.0 and User-Generated content: legal challenges in the new frontier (2007) Journal of Information, Law and Technology, volume 2. Available at: http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2007_2/george_scerri

Dot.com boom and bust

The Internet as we know it today started in the mid-1990s and is now central to the carrying out of e-commerce in the 21st century business world. However, it has not been a smooth journey. During the late 1990s and early 2000s, the Internet as a marketing medium really took off. Companies advertised on the Internet, spending vast quantities of money, yet within a comparatively short period of time many companies became bankrupt, while others were valued at vastly inflated values. Wegenek points to the example of Priceline.com (an Internet company for holiday companies and airlines, which is still trading), which floated on the stock market in 1999 and within weeks was worth $25bn; this is despite the fact that in 1998 the company had lost $114m. Various reasons have been mooted for the boom of dot.com. The subsequent bust of the dot.com market had severe repercussions for website designers, advertisers, creative agencies and other stakeholders; thus, arguably, consumers became reticent to conduct business online as, perhaps for the first time, the shortcomings in the Internet system had been highlighted.

Consumer reticence in the online marketplace

The fallibility of the Internet is not the only reason for consumer reticence in transacting online. Although online transactions continue to increase, concerns such as security, a perceived lack of enforceable laws and a lack of trust on the part of consumers (mainly due to the lack of physical proximity) are arguably among the reasons why there is a reluctance to transact online. A key issue to understand about the Internet is that it is borderless in nature. No one country or jurisdiction is responsible for legislating on behalf of the Internet. It is an international medium, which operates through virtually every country in the world.
A recurring idea throughout this module, which is introduced in various different guises, is the conflict between commercial needs and consumer protection. This friction is not exclusively found in law pertaining to the Internet, although there are various examples. For instance:

BUSINESS NEEDS (To advertise, promote and sell goods) V CONSUMER NEEDS (To be protected from bad online practice)

Online Opportunities

But the characteristics of the Internet, such as the international nature of the medium and the dematerialisation of goods and services, create new challenges. On the one hand, usage of the Internet often involves a multiplicity of States, laws, individuals, companies and cultures


are confronted every day. This creates problems; for instance, what is socially accepted in one part of the world may not be in another. For example, the eulogy of Nazism is a crime in France, but is tolerated in the US under the First Amendment. In a real world, composed of physical borders, it is difficult to face the phenomenon of internationalisation that is the essence of the Internet. On the other hand, the international dimension of the Internet offers unlimited opportunities to reach a global customer base. This can be done at a reduced cost, as there is no need to open branches abroad to establish a presence. Although a website is not enough to be successful, it is possible to reach customers who could be inaccessible in a more traditional form of commerce. The Internet opens a new era for our consumer society. Through its different applications, mainly the World Wide Web, it allows consumers to buy and receive services delivered directly online. Yet it is noted that not all people have access to the Internet, and those without it cannot reach the benefits the Internet provides. This could be due to cost, education or connectivity and is termed the digital divide. Another potential obstacle, today removed, was the necessity of paper in the proof of certain transactions or for their very existence. The need for signatures and for many documents to be in writing caused problems for the Internet. The enactment of the Electronic Communications Act 2000 (now annulled) removed the majority of these obstacles.

Where is cyberspace?

Lloyd suggests: "the apparent or virtual location within which electronic activities are undertaken."

What is cyberlaw?

Hedley argues (p1) that there is no such thing, because all this word means is how other areas of law relate to the internet, e.g. contract law. Therefore that element of cyberlaw is properly called a branch of contract law and is for contract lawyers to worry about. It is highly unusual for an entire area of law to centre around a single piece of technology. However: "Today, microprocessors outnumber humans on the planet, and it is estimated that by the year 2010, 95% of telecommunications traffic will be between machines." (Lloyd, p3)

This course will look at the interaction of information technology systems with various established areas of law:
- Contract
- Tort
- Patent Law
- Intellectual property
- Trademarks
- Data protection
- Criminal Law

as well as newer areas where there may not be ready answers as yet, such as the concept of virtual worlds or how human rights are protected in the online environment. The issue of privacy and freedom of expression in particular may be a cause for concern, as cyberspace is a global environment and the actors within it have global equivalence. It is therefore unhelpful to restrict our knowledge to the law of the nation state. As we will see, the most successful ideas for managing aspects of cyberspace are the ones based on international treaty or (in the UK) through the European Union.


The problem of Cyberspace

Legal systems are set up to deal with the tangible and the present in general. A particular sort of contract may need a signature with witnesses; a thing cannot be stolen unless it is property as defined by the Theft Act 1968 s1(1). The problem of cyberspace is that it is not present and is not tangible. How is the problem solved?

- Flexible legislation
- Judicial interpretation
- Computer specific legislation
- New legislation

It can be seen that judges are able, in some cases, to interpret the UK's legislation to cover situations which were not conceived of when the statute was enacted. See:
R v Fellows

This also applies to common law decisions dating back many years, which are equally applicable to the modern internet environment. See:
Duke of Brunswick v Harmer (1849)
Loutchansky v Times Newspapers Ltd (2002)

There is only one piece of computer-specific primary legislation in the UK (as opposed to secondary legislation enacting EU regulations and directives): the Computer Misuse Act (1990), as amended by the Police and Justice Act 2006. However, many modern statutes are specifically drafted with a wide remit to encompass computer crimes in particular, for example the Fraud Act (2006).

The problem of convergence

With current multi-media technology, it can be difficult to decide which laws are applicable to which technology. Is a short film clip about the Rockies in the Encarta encyclopaedia a video for the purposes of the Video Recordings Act 1984? Is a web-enabled phone a television? In the UK there is no definition of a computer in legislation.

Two other enormous problems that the law in cyberspace must confront are:
- Perceived lack of governance: who is in control?
- Multi-jurisdictional issues: whose law applies?

What about Human Rights?

The use of such a global medium inevitably raises issues of human rights, such as privacy and freedom of expression. Governments, supermarkets and telecommunications networks are all keen to target customers and so need information on their likes and dislikes. Many of these issues could have arisen before the rise of the Internet phenomenon, but the sheer scale and complexity of the systems now makes some people feel uneasy.

Data protection


Cookies
Freedom of expression debate

HAVE YOU READ THESE?

Terms and Conditions

Welcome to StudyNet

StudyNet is the University's managed learning environment and intranet. StudyNet is designed to help you with your studies at the University and will over time include resources for the courses you are studying as well as for your personal information management and communication facilities in connection with your studies at the University. StudyNet is provided for academic purposes only. Using StudyNet is generally a matter of common sense and courtesy. The regulations for its use reflect this. Please note that rudeness or other unreasonable behaviour will not be tolerated.

This system does hold personal information about you (initially your name, course information and LIS account details) and have facilities for you to create and store other information. You must keep your personal StudyNet username and password confidential and change your password regularly and at any time when you suspect that someone else might know it.

Use of StudyNet is subject to English law. This means you have a responsibility to ensure that any information or material which you post to StudyNet will not be intentionally false, offensive, defamatory, threatening, obscene or unlawful and will not infringe the rights of any third party and you indemnify and will keep the University indemnified against any loss or damage the University may suffer as a result of your breach of such warranty. Remember that all published materials are subject to copyright legislation which prohibits any scanning and storage of electronic copies without the written permission of the copyright owner.

You should be aware that StudyNet is logged and monitored by authorized staff as permitted by English law. This includes monitoring and evaluation of StudyNet usage so that staff can evaluate the effectiveness of their teaching and student support and for institutional purposes to measure achievement against targets.

Further analysis of stored files and/or interception of communication is allowed for a range of purposes, including, but not confined to, recording evidence of transactions, detecting unauthorised use, ensuring compliance with the University regulations and in connection with any criminal investigation. The University does not need to gain consent from staff and students before monitoring or intercepting takes place for any of these purposes, although in undertaking these operations the privacy of individuals will be respected.

Please read the University regulations for Internet/Intranet Based Information Systems, which is section GEN/D/2 in the University Policies and Regulations Series, for more information.

IF NOT, WHY NOT?


LECTURE TWO
Internet Governance: Who cares?

Required Reading:
Andrew Murray, chapter 4: Murray, A: Information Technology Law: The Law and Society, Oxford University Press, 2010, pages 55-82.
Murray, A: The Regulation of Cyberspace, Routledge Cavendish (2007), Chapter 1 (pages 3-21) and chapter 4 (especially pages 94-125).
Rogers, K. M.: The Early Ground Offensives in Internet Governance (March 2007) International Review of Law, Computers and Technology, Volume 21, Number 1, pages 5-14. (Available through Voyager).
Rogers, K. M.: Who gives a Triple-X about Triple-X? (2007) Communications Law (Tottel Publishing), Volume 12, Number 1, pages 2-7. (Available on Westlaw).
Kleinwachter, W: WSIS and Internet governance: the struggle over the core resources of the Internet (2006) Communications Law, Volume 11, number 1, pages 3-12.

With Internet usage hitting around the 1bn people mark, the Internet opened up a whole new sovereignty-focused can of worms. With increased trade, communications and commerce, caused in no small measure by the rise of the Internet, individual countries are concerned to ensure that the Internet (and the power to exert a form of control over it) does not slip away from their oversight. This has been of particular interest and controversy over the last couple of years, with the various World Summit on Information Society meetings, although academically it has been of interest for a great deal longer. In chapter one of his book, Murray discusses the early academic protagonists surrounding Internet governance. He highlights two main lines of thought. The first is the cyber-libertarian approach (put forward by people such as David Johnson and David Post), whose proponents believed that the rules and laws relating to the Internet are formed from the collective will of the individuals involved (perhaps similarly to the development of commercial laws, Lex Mercatoria). The other early approach was the cyber-paternalistic approach (suggested by people like Joel Reidenberg), whose proponents argued that the Internet was eroding national/sovereign borders (it is said that the Internet is a supra-national medium) and that rules are being established not only by national governments but also by the Internet's own architecture and network rules.

What does Internet Governance mean?

As the internet has an international reach, there is a lot of controversy over who is responsible for its management. As mentioned, the Internet has a supranational existence, meaning that it exists over and above national borders. The nature of the Internet is that it allows ideas and information to be passed around speedily and freely with only some limited regulation (by ISPs, or national governments).

As the Internet developed from an American defence tool, the American Department of Commerce has, mainly by default, overseen the development of the Internet through the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN is the body responsible for handing out top-level domain names and is the closest thing the Internet has to a government. Handing out domain names may only seem to be a small job; however, without a domain name a person or company does not have a presence on the web. This has caused considerable disquiet among the international community, as the perception has been that the United States runs the Internet. Accordingly, due to international recognition about the nature of the information society and the effect it was having on the future of the world, in 2001 a two-year process was put into action to enable world leaders to consider a global vision to ensure an all-inclusive and equitable system. A two-stage meeting process was established. In 2003, a meeting would be held in Geneva, Switzerland and the second stage at the end of 2005 in Tunis, Tunisia. The conclusion from the first stage (held in 2003 in Geneva) was to create a committee to


examine the area of Internet governance, involving definitions, public policy issues and strategic approaches. The Working Group on Internet Governance (WGIG) reported in June 2005 in their document entitled Report of the Working Group on Internet Governance (Available at: http://www.wgig.org). On page 4 of this Report, Internet Governance is defined as: "the development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet." The Report recommended four systems of governance, ranging from the creation of a new multi-stakeholder forum to leaving the status quo in place. It was also noted that if the Internet structure is to successfully defeat problems such as spam, cyber-crime, privacy and security concerns, then a degree of international co-operation is required. Alongside the official reasoning for the working group, the political edge to the issue was apparent. The dilemma was, and is, predominantly political in nature and one founded upon freedom of expression. Countries such as China, Brazil and Iran are seeking a greater say on the governing of the Internet and are seeking a move towards a multi-national, multi-stakeholder body and a move away from the ICANN method of regulation, overseen by the American Department of Commerce. Prior to the second stage of the summit in Tunisia, press briefings became very tense. A line was drawn in the sand between the Americans, who sought to retain management through ICANN, and other countries who sought a more fluid governance model, allowing them a greater input.

For instance, John Doolittle, a Republican from the House of Representatives, stated: "Turning the Internet over to countries with problematic human-rights records, muted free-speech laws, and questionable taxation practices will prevent the Internet from remaining the thriving medium it has become today." Furthermore, Senator Norm Coleman stated there is no: "rational justification for moving Internet Governance to the United Nations... we cannot stand idly by as some governments seek to make the Internet an instrument of censorship and political suppression. We must stand fast against all attempts to alter the Internet's nature as a free and open global system."

The Tunis decision

Two main issues were discussed in November: first, Internet governance and, secondly, the digital divide (ensuring access to the information society for the developing areas of the world). The agreement reached in Tunisia in relation to Internet governance allowed ICANN to remain in overall oversight of the Internet, in relation to domain names. However, alongside ICANN, a non-binding Internet Governance Forum (IGF) was to be established, including governmental stakeholders from around the globe. The aggressive metaphors that greeted this outcome were indicative of the international tension prior to the meeting. The IGF is intended to be a multi-lateral, multi-stakeholder non-binding body. Thus, the remit is broad, but the power is minimal. The UN have taken the lead in formulating this body, and in February 2006 organised a consultation in Geneva to discuss its structure. It is expected to meet formally in Greece later this year.

The Triple-X decision

Seen as a test case of ICANN's (Internet Corporation for Assigned Names and Numbers) independence, the .xxx domain name controversy, although decided in May, has yet to be, it is contended, fully concluded.

ICM Registry, the body seeking to introduce .xxx as a top-level domain name, have issued proceedings against three American government departments after the decision by ICANN in May 2006 to refuse permission to create an


online red light district. Their view is that American involvement by the Bush Administration (through the Department of Commerce) led to the 9-5 decision against adoption of the domain name. In July 2006, there was a degree of confusion over whether America announced that they were relaxing the hold that they have on the Internet via ICANN; however, this was just a couple of months after the Department of Commerce vetoed the adoption of a .xxx domain name for more sexually-explicit sites. Instead they will just maintain hold of the root, which is a purely technical arrangement. On the announcement that .xxx would not be adopted, ICM, naturally upset at having spent around $3 million over six years, began a legal campaign. They have filed three lawsuits under various headings (under the Freedom of Information Act) to obtain proof that the American government interfered in the final decision. The first seeks to obtain documents from the Department of Commerce (documents already obtained show that there was fierce lobbying by some right-wing Christian groups; however, significant portions of this information had been blanked out). The second is for documents sent between US communications secretary John Kneuer and ICANN president Paul Twomey. ICM are particularly interested in documentation from around the time that ICANN voted against the .xxx domain name and the Department of Commerce stated that ICANN could remain in charge of the Internet's foundations. The third request asks for copies of communication between the Department of Commerce and internet naming authority IANA shortly after the Department of Commerce sent a letter to ICANN outlining its concerns for the .xxx domain. They have also provided a 176-page Amended Request for Reconsideration of Board Action to ICANN.

Issues surrounding the Internet Governance Forum, the adoption (or not) of a .xxx domain name and America reducing their grip on the Internet are very current. Accordingly, it is strongly recommended that you keep yourself aware of the latest news in these areas. Indeed, in January 2007 it was reported that ICANN were considering a change of approach to the .xxx dispute, and in 2009 the .xxx domain was allowed as a top-level domain. Furthermore, earlier in 2008, ICANN announced that rules relating to top-level domain names were being relaxed and that using languages other than English was being investigated. Finally, in September 2009 the Affirmation was signed between the American Department of Commerce and ICANN. It appears that this is the first key step for securing autonomy for ICANN, meaning they will no longer be under the oversight of the American government. This agreement came into effect on 1st October 2009.


LECTURE THREE
ONLINE PORNOGRAPHY

Required Reading:
Andrew Murray, Chapter 14, sections 14.1 and 14.2: Murray, A: Information Technology Law: The Law and Society, Oxford, pp 379-383.
McGlynn and Rackley: Criminalising extreme pornography: a lost opportunity (2009) Crim. L. R. 245.

Introduction

The problem of pornography on the internet is well documented. There is a lot of material on the Internet which may be classed as obscene or pornographic, and the criminal law has a role to play in the fight against its creation and distribution. An additional problem posed by the nature of the Internet is a state's jurisdiction over material accessible within its borders. An example is provided by the report of the UK's Internet Watch Foundation. Therein, of the 453 reports made concerning the presence of pornographic material, in only 67 cases was the material held on a UK-based server.

The legal response to Computer Pornography

We will be dealing specifically with indecent images of children in the next lecture. Until very recently, adult pornography was legal in the UK unless it fell under the Obscene Publications Act 1959.

Obscene Publications Act 1959

Section 2 makes it an offence for any person who, whether for gain or not, publishes an obscene article or who has an obscene article for publication for gain (whether gain to himself or another). Section 1 states that an article shall be deemed to be obscene if its effect is such as to tend to deprave or corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it. Bainbridge states that there may be some difficulty with the requirements for an "article", but this is defined as any description of article containing or embodying matter to be read or looked at or both, any sound record, and any film or other record of a picture or pictures. He goes on to conclude that there is no reason to doubt that it will include a magnetic disk or other form of electronic storage media (Bainbridge: Introduction to Computer Law (Longman) 4th Edition, 2000, at page 335). The case of Perrin concludes that an image is published when it is uploaded onto the internet AND when it is downloaded. See the facts of this case.


The Criminal Justice and Immigration Act 2008

The OPA 1959 only places liability on the publishers of obscene material. A perceived proliferation of pornographic images of increasing violence and victim degradation has led to the enactment of the CJIA 2008 ss 63-67, which criminalises the possession of extreme pornography. See Coutts, [2005] EWCA Crim 52.

Possession of extreme pornographic images

S63
(1) It is an offence for a person to be in possession of an extreme pornographic image.
(2) An "extreme pornographic image" is an image which is both
(a) pornographic, and
(b) an extreme image.
(3) An image is "pornographic" if it is of such a nature that it must reasonably be assumed to have been produced solely or principally for the purpose of sexual arousal.
(Subsections (4) and (5) not included here.)
(6) An "extreme image" is an image which
(a) falls within subsection (7), and
(b) is grossly offensive, disgusting or otherwise of an obscene character.
(7) An image falls within this subsection if it portrays, in an explicit and realistic way, any of the following
(a) an act which threatens a person's life,
(b) an act which results, or is likely to result, in serious injury to a person's anus, breasts or genitals,
(c) an act which involves sexual interference with a human corpse, or
(d) a person performing an act of intercourse or oral sex with an animal (whether dead or alive),
and a reasonable person looking at the image would think that any such person or animal was real.

These prohibitions relate to a moving or still image produced by any means (s63(8)).

What is possession?

The offence is not complete if the D is not in possession of the images. What if he views extreme pornography and then deletes the images? The reasoning would appear to follow that in the PCA. See the cases of:
Smith and Jayson [2002] Crim LR 659
Porter [2006] EWCA Crim 560 and [2006] All ER (D) 236 (Mar)

Defences to a s63 offence

S65 CJIA 2008
(1) Where a person is charged with an offence under section 63, it is a defence for the person to prove any of the matters mentioned in subsection (2).


(2) The matters are
(a) that the person had a legitimate reason for being in possession of the image concerned;
(b) that the person had not seen the image concerned and did not know, nor had any cause to suspect, it to be an extreme pornographic image;
(c) that the person
(i) was sent the image concerned without any prior request having been made by or on behalf of the person, and
(ii) did not keep it for an unreasonable time.

These are the same defences that are found in the Protection of Children Act 1978.

A person also has a defence under s66 based on his or her own participation in consensual acts. This may apply as long as there has been no non-consensual harm. The s66 defence is NOT mirrored in the PCA, as there can be no consent to the acts by a minor.

As this is a relatively new Act, it will be up to magistrates and juries to interpret these defences and decide their meanings. Problems may arise in the definitions of:
Legitimate reason
Unreasonable time


LECTURE FOUR - INDECENT IMAGES OF CHILDREN

Essential reading
Andrew Murray - Chapter 14, sections 14.3 onwards
M Johnson - Camera Obscura - the CJIA 2008 and Virtual Pornography, JP Vol 172 No 29, July 19, 2008
M Johnson - Picture Perfect - the Coroners and Justice Bill and illegal images of children, SJ Vol 153 No 34, 15-09-2009
Akdeniz, Y - Possession and dispossession: a critical assessment of defences in possession of indecent photographs of children cases (April 2007) Criminal Law Review, pages 274-288

Protection of Children Act 1978

Section 1 makes it an offence to take or permit to be taken any indecent photograph of a child, or to distribute or show such a photograph, or to have it in possession with an intention to distribute or show it. There is a maximum sentence of ten years' imprisonment.

S160 of the Criminal Justice Act 1988 criminalises the mere possession of such material, so the prosecution does not need to prove intent to distribute or show. This carries a maximum sentence of five years' imprisonment.

Since the advent of the internet as a major source of indecent images of children, there has been a widening of the definition of "making". See R v Fellows (1997) 1 Cr App R 244.

The Criminal Justice and Public Order Act 1994 (section 84) extended the ambit of the Protection of Children Act 1978 to include so-called "pseudo photographs".

Pseudo Photographs

Section 7(7) of the Protection of Children Act 1978 (as amended by the Criminal Justice and Public Order Act 1994) provides that an offence will occur in the following circumstances:

"If the impression created by a pseudo-photograph is that the person shown is a child, the pseudo-photograph shall be treated for all the purposes of this Act as showing a child and so shall a pseudo-photograph where the predominant image conveyed is that the person shown is a child notwithstanding that some of the physical characteristics shown are those of an adult."

Thus, a pseudo-photograph is an image, whether made by computer graphics or otherwise, which appears to be a photograph. The definition of a "photograph" within the Act includes data stored on a computer disc or by other electronic means which is capable of conversion into a photograph - section 7(4)(b).

The Sexual Offences Act 2003 (in force from May 2004) increases the age of protected persons from 16 to 18 for the purposes of the Protection of Children Act 1978 - section 45. This is subject to a clause to be inserted after section 1 PCA 1978 dealing with the situation where the subject of the photograph (or pseudo-photograph) are married or lived together as partners in an enduring family relationship.


What about virtual children?

The Criminal Justice and Immigration Act 2008 s69 was meant to provide a safeguard against manipulated images of child abuse which appear to be a cartoon or a Computer Generated Image - see M Johnson's article Camera Obscura - the CJIA 2008 and Virtual Pornography, JP Vol 172 No 29, July 19, 2008.

References to a photograph also include
(a) a tracing or other image, whether made by electronic or other means (of whatever nature)
(i) which is not itself a photograph or pseudo-photograph, but
(ii) which is derived from the whole or part of a photograph or pseudo-photograph (or a combination of either or both); and
(b) data stored on a computer disc or by other electronic means which is capable of conversion into an image within paragraph (a);
and subsection (8) applies in relation to such an image as it applies in relation to a pseudo-photograph.

An image of a virtual child then has two hurdles to overcome to be illegal under the PCA 1978. It has to be classified as indecent, and then it has to be classified as a photograph or a pseudo-photograph. With the advent of computer painting and photo packages, there is a real concern that some images may not fall into the photograph definition.

The problem of s69 appears to have been overcome by the new Coroners and Justice Act 2009. S62 defines a new offence of being in possession of prohibited images of a child. This section refers to non-photographic images only. Photographic images will still be dealt with under s1 PCA.

s52(2) defines "image" as
(a) a moving or still image (produced by any means), or
(b) data (stored by any means) which is capable of conversion into an image within paragraph (a).

This leaves the definition of a prohibited image enormously wide. Even images of the cartoon characters in The Simpsons have been held to be images of children. See McEwen v Simmons (2008).

Defences

ISPs could attempt to use the defence in section 1(4)(b) of the Protection of Children Act 1978 on the basis that they did not know, or have any cause to suspect, them to be indecent.

Section 46 of the SOA 2003 inserts a new section (1B) into the PCA 1978 allowing a defence to what would otherwise be an offence under s1(1)(a) PCA if the D can prove it was necessary for him to make the photograph, or pseudo-photograph, for the purpose of prevention, detection or investigation of crime. Note the reverse burden of proof.

Sentencing guidelines for conviction under s1 PCA 1978 were laid down in R v Oliver (2003). Restraining orders can also be made under s5A of the Sex Offenders Act 1977 - see R v Jonathan Collard (2004) EWCA Crim 1664.

The legal position of Internet Service Providers (ISPs)


Given that it is impossible for ISPs to continually monitor the material which is being passed through their networks, these companies/organisations (and their managers) are at risk of attracting criminal liability.

In August 1996, the then Science and Technology Minister, Ian Taylor, publicly warned that the police would prosecute ISPs who provided their users with illegal content (see Uhlig: Minister's warning over Internet Porn, Daily Telegraph, 18 August, 1996). This was in the light of a warning which had been issued to the ISPs by the Metropolitan Police after its attempt to ban around 130 Usenet discussion groups which were allegedly carrying child pornography.

Self-regulation of the Internet industry was deemed to be the best way forward. This led to the establishment of the Internet Watch Foundation (IWF) in September 1996 (see http://www.internetwatch.org.uk). The IWF informs all British ISPs once they locate illegal content, thereby depriving those ISPs of the legal excuse that they were unaware of the relevant material. The UK police will then be entitled to take action against any ISP which does not remove any material the IWF has requested them to remove.

However, crucially, it must be noted that the regulators of the ISP industry (the Internet Watch Foundation (IWF) and the Internet Service Providers Association (ISPA)) do not represent the whole of the industry within the UK. It has been suggested that there are upwards of 300 UK-based ISPs (Internet Magazine, December 1998), only 85 of which were, at the time, members of the ISPA.

The Electronic Commerce Regulations 2002 give effect in the UK to the EC Electronic Commerce Directive. These regulations give civil and criminal immunity to ISPs under section 17, providing they operate within certain parameters. Section 15 of the regulations makes it clear that an ISP is under no general obligation to monitor the content of its sites.

In practice, however, ISPs remove illegal material promptly once warned of its presence by bodies like the IWF - see the IWF website.

Should ISPs be able to get off so lightly, and with so little responsibility for the material they convey? It must be remembered, however, that the ISPs are only one link (admittedly a crucial one) in the chain: there must always be a person willing to post such material, and someone willing to access it.


LECTURE FIVE - ONLINE HARASSMENT AND GROOMING

Required Reading
Andrew Murray - Chapter 15, section 15.2
Bainbridge, D - Introduction to Information Technology Law (6th Edition) Pearson Longman, 2007, pages 476-485.
Basu, S & Jones, R - Regulating Cyberspace, Journal of Information, Law and Technology (2007), Volume 2. (Available online).
N. Geach and N. Haralambous - Regulating Harassment: Is the law fit for the Social Networking age?

Introduction

On-line harassment can take several forms:

Sending to another person unwanted e-mails which are abusive, threatening or obscene.

Electronic sabotage:
a) Sending the victim hundreds or thousands of junk e-mail messages, known as "spamming".
b) Sending computer viruses.

Indirect harassment:
a) Impersonating the victim on-line (e.g. sending abusive e-mails or fraudulent spam in the victim's name).
b) Subscribing the victim, without their permission, to a number of mailing lists with the result that they receive hundreds of unwanted e-mails every day.
c) Posting fake messages from the person on blogs and message boards.

Victims of on-line harassment suffer a range of emotions (which can lead to psychological injury) from mere annoyance through anxiety to considerable distress and beyond. The real fear, however, is that offensive and threatening behaviour that originates on-line will escalate into real-life stalking. Ellison & Akdeniz: Cyberstalking: The Regulation of Harassment on the Internet, Crim LR Special Edition: Crime, Criminal Justice and the Internet (Sweet & Maxwell) 1998, @ page 31.

Note also the new offence of Grooming within s15 of the SOA 2003.

The Legal Response

The United States of America

The USA introduced an anti cyber stalking provision into federal law in January 2006 via an amendment to section 223 of Title 47. It provides:

(a) Prohibited general purposes
Whoever--
(1) in interstate or foreign communications--
(C) makes a telephone call or utilizes a telecommunications device, whether or not conversation or communication ensues, without disclosing his identity and with intent to annoy, abuse, threaten, or harass any person at the called number or who receives the communications;

(h) Definitions
For purposes of this section--
(1) The use of the term "telecommunications device" in this section--


(C) in the case of subparagraph (C) of subsection (a)(1), includes any device or software that can be used to originate telecommunications or other types of communications that are transmitted, in whole or in part, by the Internet

The offence may bring a fine or two years' imprisonment.

However, due to the First Amendment to the US Constitution, in the USA "to justify suppression of free speech there must be reasonable ground to fear that serious evil will result if free speech is practiced. There must be reasonable ground to believe that the danger apprehended is imminent." - per Brandeis J in White v California 274 US 357 (1927). See also the Jake Baker case reported in Ellison & Akdeniz: Cyberstalking: The Regulation of Harassment on the Internet, Crim LR Special Edition: Crime, Criminal Justice and the Internet (Sweet & Maxwell) 1998, @ page 33.

United Kingdom

Although the United Kingdom does not have specific cyberstalking legislation, it has been said that existing United Kingdom laws are sufficiently flexible to encompass on-line stalking and e-mail harassment - Ellison & Akdeniz: Cyberstalking: The Regulation of Harassment on the Internet, Crim LR Special Edition: Crime, Criminal Justice and the Internet (Sweet & Maxwell) 1998, @ page 34.

Communications Act 2003

S.127:
(1) A person is guilty of an offence if he
(a) sends by means of a public electronic communications network, a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or
(b) causes any such message or matter to be sent.
(2) A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another, he
(a) sends by means of a public electronic communications network, a message that he knows to be false,
(b) causes such a message to be sent; or
(c) persistently makes use of a public electronic communications network.
(3) A person guilty of an offence under this section shall be liable, on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale, or to both.

s.151:
"public electronic communications network" means an electronic communications network provided wholly or mainly for the purpose of making electronic communications services available to members of the public;
"public electronic communications service" means any electronic communications service that is provided so as to be available for use by members of the public

[This means an internal employment network is not applicable]

Malicious Communications Act 1988

S.1:
(1) Any person who sends to another person
(a) a letter, electronic communication or article of any description which conveys
(i) a message which is indecent or grossly offensive;
(ii) a threat; or
(iii) information which is false and known to be false or believed to be false by the sender; or


(b) any article or electronic communication which is, in whole or part, of an indecent or grossly offensive nature,
is guilty of an offence if his purpose, or one of his purposes, in sending it is that it should, so far as falling within paragraph (a) or (b) above, cause distress or anxiety to the recipient or to any other person to whom he intends that it or its contents or nature should be communicated.
(2A) In this section "electronic communication" includes--
(a) any oral or other communication by means of an electronic communications network; and
(b) any communication (however sent) that is in electronic form.
(4) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale, or to both.

This section however is only applicable to England and Wales - s.3.

Protection from Harassment Act 1997

The Act provides a combination of civil and criminal measures. There are two criminal offences contained within the Act, one a summary offence and the other an indictable offence.

The summary offence - Criminal Harassment - Section 2

S.2(1) A person who pursues a course of conduct in breach of section 1(1) or (1A) is guilty of an offence.

S.2(2) makes this an offence punishable by a maximum of six months' imprisonment and/or a fine (level 5).

S.1
(1) A person must not pursue a course of conduct--
(a) which amounts to harassment of another, and
(b) which he knows or ought to know amounts to harassment of the other.
(1A) A person must not pursue a course of conduct--
(a) which involves harassment of two or more persons, and
(b) which he knows or ought to know involves harassment of those persons, and
(c) by which he intends to persuade any person (whether or not one of those mentioned above)--
(i) not to do something that he is entitled or required to do, or
(ii) to do something that he is not under any obligation to do.

A person ought to know that it amounts to harassment of another if a reasonable person in possession of the same information would think that it would (i.e. an objective test) - s.1(2).

A "course of conduct" must involve conduct on at least two occasions in relation to s.1(1), but only involves conduct on one occasion towards each person for the purposes of s.1(1A) - s.7(3).

Kelly v DPP [2003] Crim LR 45 - A course of conduct can occur within a five minute period; it is not dependent on the number of times a person is made fearful for the purposes of s.2.

Conduct includes speech - s.7(4).

Harassing a person includes alarming them or causing them distress - s.7(2).

The indictable offence - Putting People in Fear of Violence - Section 4


S.4(1) A person whose course of conduct causes another to fear, on at least two occasions, that violence will be used against him is guilty of an offence if he knows or ought to know that his course of conduct will cause the other so to fear on each of those two occasions.

A person ought to know that the conduct causes another to fear violence (on each occasion) if a reasonable person would think that it would (i.e. again, an objective test) - s.4(2).

"Indictable", in this statutory context, means triable either way. It carries with it a maximum sentence of 5 years' imprisonment and/or a fine.

A person not guilty of this offence may still be guilty of an offence under section 2 - s.4(5).

Caurti v DPP [2002] Crim LR 131 - The Divisional Court confirmed that the essence of the section 4 offence is that the accused's conduct causes someone, on at least two occasions, to fear that violence will be used against them.

The Act also gives the courts the power to impose restraining orders on convicted offenders (who are found guilty of either this or the section 2 offence) - s.5. Breach of a restraining order carries a potential sentence of up to five years' imprisonment - s.5(5).

Specific Defences - Sections 1(3) and 4(3)

These subsections afford a defence to a person who is charged with either a section 2 or a section 4 offence in the following circumstances:
that the course of conduct was pursued for the purpose of preventing and detecting crime, or
that it was pursued under any enactment or rule of law or to comply with any condition or requirement imposed by any person under any enactment.

A further defence which is peculiar to the section 2 offence is:
That in the particular circumstances the pursuit of the course of conduct was reasonable.

A further defence which is peculiar to the section 4 offence is:
That the pursuit of the course of conduct was reasonable for the protection of himself (i.e. the individual charged) or another or for the protection of his or another's property.

In relation to any of these potential defences, the burden of proof lies with the accused, but the standard of proof is set as being on the balance of probabilities - the usual civil standard.

Lastly, it should also be noted that the PHA 1997 may not represent a panacea for cyberstalking and other forms of on-line harassment. One reason for this is that sections 1-7 only apply to England and Wales, as does section 1 of the Malicious Communications Act 1988. As such cyber stalking could be a prime example of how our attempts to protect the wider community from cyber crimes are hindered by a failure on the part of policy makers to appreciate that the Internet offers access to domains beyond the reach of traditional legislative frameworks. - Dr Emma Ogilvie, from her paper The Internet and Cyberstalking, presented at the Australian Institute of Criminology Conference Stalking: Criminal Justice Responses 2000.

GROOMING


Some of the statutes above were used to try to combat the growing problem of adults (usually men) contacting minors of either sex, befriending them online and then arranging to meet their new "friends". Rarely were the befrienders honest about their age or even their sex.

Older legislation was thought to be insufficient to combat the issue of grooming a child for sexual purposes, and new legislation was brought in under the Sexual Offences Act 2003 s15. S15 prohibits meeting or travelling to meet a child following the grooming, which includes meeting or communicating with the child on at least two occasions. The groomer must have the intent, when travelling or meeting the child, of committing a relevant sexual offence.


LECTURE SIX - Privacy and Data Protection (1)

Required Reading
Murray, A - Information Technology Law: The Law and Society, Oxford University Press, 2010, pages 463-495
Klang, M & Murray, A - Human Rights in the Digital Age (2006) Routledge Cavendish, chapters 12 & 14.
Watts, M - Information, data and personal data - Reflections on Durant v Financial Services Authority (2006) Computer Law and Security Report, Volume 22, Issue 4, pages 320-325.
Rogers, K M - Restricted subject access under the DPA (2006) Data Protection Law and Policy, Volume 3, Issue 3, pages 14-16.
Aries, N - Durant and the FSA: still struggling after all these years (November 2005) E-Commerce Law and Policy, pages 12-13

To date there is no acceptable definition of privacy. Academic debate has raged for decades, from Warren and Brandeis' paper in the Harvard Law Review in 1890, through multitudes of additions, to the current day Article 8 (respect for the private life) in the European Convention on Human Rights. It is not strictly the purpose of this module to debate the rise of privacy, although we shall be focusing on the concept of privacy in the digital world.

The Data Protection Act 1998 sets out how personal data should be managed or processed. It replaced the Act of 1984. The Act applies if either the person who processes the data, or equipment used for the processing, is situated in the United Kingdom. It is a key Act in relation to maintaining the privacy of an individual, and is particularly important when the use of the Internet is considered and the ease of passing information about a person through Cyberspace.

The basics/definitions

The Data Protection Act sets out how personal data (data, including opinion, relating to a living individual who can be identified) should be managed or processed. The definition of processing is very wide (Jay and Hamilton, 2003) and encompasses actions such as obtaining, recording, altering, disclosing or holding the information. The Act applies if either the person who processes the data, or equipment used for the processing, is situated in the United Kingdom.

An example is found in the case of Michael Douglas v Hello! Ltd (No. 2) [2003] EWCA Civ 139 (one of the infamous series of cases involving publication of the wedding pictures of Michael Douglas and Catherine Zeta-Jones), where the Court held on appeal that the use by Hello of an ISDN line to send pictures through was analogous to fax transmission. Therefore, despite the fact that the photographer and his equipment were from America, the Act did have jurisdiction in this case, as the data had been processed in the UK.

The Data Protection Act is relevant when data relating to a living individual is processed. Key definitions are provided by Section 1 of the Act.

Data means information which:
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should be processed by means of such equipment;
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; or
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record, as defined by section 68.
(Section 1(1))


However, to come within the remit of the Act, the data in question must be "Personal Data", defined in Section 1(1) as:

data which relate to a living individual who can be identified
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Two obvious points need to be made in relation to this definition. First, it only applies to individuals who can be identified and, second, those individuals must be alive. The Act ceases to be applicable once a person has died.

This is a very wide definition; notice particularly the use of "likely to come into the possession of". This means that even data likely to come into their possession would come within the remit of the Act. Personal data is an important commodity in today's borderless jurisdiction, most notably exemplified in the Internet. The obtaining of personal data by a company is enormously valuable, as they may be able to use the details for marketing purposes.

The issue of whether a person can be identified is confusing. The Information Commissioner, responsible for enforcing the Act, states in their Legal Guidance on the Act that:

"The Commissioner's view is that it is sufficient if the data are capable of being processed by the data controller to enable the data controller to distinguish the data subject from any other individual. This would be the case if a data subject could be treated differently from other individuals." (Page 11).

The exact definition of personal data is essential, because if data is of a personal kind, then the data subject (the person who is the subject of the information) has a right of access to it, under s7 of the Act.

The Durant decision

The definition of personal data has been clarified in the recent important decision of Durant v Financial Services Authority [2003] EWCA Civ 1746. Mr Durant was in dispute with Barclays Bank in the early 1990s. After an unsuccessful legal battle, he approached the Financial Services Authority to complain, but also in the hope they would get the documents referring to him, which could assist a later action against Barclays. (The FSA had obtained these documents as they were, and still are, responsible for supervising the bank.) He was unsuccessful.

The Court of Appeal decided that personal data should be defined narrowly. In this case, the information that the FSA held was about the situation involving Mr Durant; it focused on the complaints that Durant made, as opposed to Mr Durant himself. Personal data needs to go beyond merely retelling the involvement of an individual in an event, and the right of subject access under s7 is not applicable if a person is just mentioned in a document. The Court provided a two-stage approach to assist in the defining of personal data. Specifically:

1. The data is biographical in a significant sense, that is, going beyond the mere recording of the putative data subject's involvement in a matter or event which had no personal connotations, a life event in respect of which his privacy could not be said to have been compromised.

2. Secondly, whether the information has the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest such as, in this case, an investigation into some other person's or body's conduct that he may have instigated. (Paragraph 28 of the judgment).


In the Durant judgment, the Court of Appeal decided that the information that the FSA held was not biography of Mr Durant in a significant sense and he was not the focus of the information; the complaints were the focus. Furthermore, the information must affect a person's privacy, whether in his family or personal life or even in his professional or business capacity. The decision therefore was focused on the need for the data to relate to an individual.

[Please note: On 29 November 2005, the House of Lords refused Mr Durant leave to appeal against the decision of the Court of Appeal because he had not successfully proved that he could win, although there is still a suggestion that he could take his case to Europe. Therefore the decision of the Court of Appeal on personal data is currently the law as it stands.]

The Durant decision was also considered by the House of Lords in the case of Scottish Information Commissioner v Common Services Agency (July 2008). Although this case considered the overlapping nature of the Data Protection Act and the Freedom of Information Act, it did not review the Durant judgment.

Relevant filing systems

The decision in Durant was not limited to the definition of personal data, but also discussed the meaning of a "relevant filing system". This is also defined in s1(1) of the Act as:

"any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible."

The Act only applies to personal data that is held in a relevant filing system. This applies to computer files and manual files, although in the current context the court was examining manual files.

The Court of Appeal in Durant stated:

"Parliament intended to apply the Act to manual records only if they are of sufficient sophistication to provide the same or similar ready accessibility as a computerized filing system. That requires a filing system so referenced or indexed that it enables the data controller's employee responsible to identify at the outset of his search with reasonable certainty and speed the file or files in which the specific data relating to the person requesting the information is located without having to make a manual search of them."

Accordingly, the recipient of a request for personal data must know that there is a system in place which allows the retrieval of the file directly relating to an individual. Furthermore, the content of the file needs to be sub-divided so that the searcher can go directly to the correct category, without having to leaf through the papers. Chronological order is not adequate for a relevant filing system.

The Court of Appeal held that the FSA's files on Mr Durant's complaints were neither structured nor referenced with Durant's personal data in mind, nor was the information about him that he requested readily accessible. Therefore, his claim failed.

Please read Information Commissioner - The Durant case and its impact on the interpretation of the Data Protection Act 1998 for more details in this area.

Post-Durant

The European Commission are investigating the Act because there is a possibility that it does not conform to the European Union's Data Protection Directive 95/46/EC. A private letter was
sent to the government, fairly shortly after the Durant decision. Again, this investigation is still to be concluded. There is however a small, although slowly developing, body of case law which has arisen since the Durant decision:

Johnson v Medical Defence Union (MDU) [2005] 1 WLR 750
Smith v Lloyd TSB Bank Plc [2005] WL 636009
Ezsias v Welsh Ministers [2007] All ER (D) 65.

In both the Johnson and Smith decisions (above) the court, indeed the same judge, followed the line of thought from Durant, thus restricting the scope of the Act.

It is also important to be aware of the decision of R v Rooney [2006] EWCA Crim 1841 (a commentary can be found in E-Commerce Law Reports (2006), Volume 6, Issue 4, page 19). This case concerned a police employee in the Personnel department, who used her access to the police computer system to find out where her sister's former partner (also a police officer) had relocated to. It is important to remember that this case did not expressly make reference to Durant; however, the information disclosed (in this case the name of a town) is not (following Durant) information that is biographical in a significant sense, yet even so the court found Rooney guilty and fined her £700, plus costs.

In late 2008, rumours were abounding that the definition of personal data provided in Durant would be challenged in the House of Lords in the Scottish case of Common Services Agency v Scottish Information Commissioner [2008] 1 WLR 1550. This case concerned the refusal of an NHS agency to reveal statistics about childhood leukaemia figures, which were requested under the Freedom of Information Act 2002 by a member of the Scottish Parliament, who was researching into the health effects of children being located near to nuclear facilities.

The Agency refused to release the data, arguing that, as there was such a small number of individuals involved, there was the potential to indirectly identify those involved, even though the data had been anonymised by a process called barnardisation. The view of the Common Services Agency was that, as the individuals could be indirectly identified, the data held was personal data and therefore was exempt from release under section 38 of the Freedom of Information Act.

In a two-day hearing in April 2008, the House of Lords considered that if the barnardisation of this data did make the information anonymous it could no longer be classified as personal data. At the same time, if the information could not be adequately anonymised, then the data could be classified as personal data and the Agency would not be required to release it. The House of Lords noted that anonymised data would undoubtedly relate to an individual (or individuals), but for it to be personal data it also had to identify individuals. Accordingly, the judgment was for the question of identifiability to be referred back to the Scottish Information Commissioner to determine, as a question of fact, whether or not the information was sufficiently anonymised for it not to be personal data or whether it could be adequately disguised for release of the information under the Freedom of Information Act to be permitted. The Law Lords were also of the view that, as this information was connected to medical records, it would be classified as sensitive personal data and therefore they considered that there was no need for them to review the Court of Appeal's decision in Durant.

LECTURE SEVEN: PRIVACY AND DATA PROTECTION (2)

Required Reading

Bainbridge, D, Introduction to Information Technology Law (6th Edition), Pearson Longman, 2007, pages 527-595.
Lloyd, I, Information Technology Law (5th Edition), Oxford University Press, 2008, pages 60-178.
Grant, J, "International data protection regulation Data transfer safe harbour" (2005) Computer Law and Security Report, Volume 21, Issue 2, pages 257-261.
Cooper, D, "EU-US Safe Harbor regime: five years on" (November 2005) Data Protection Law and Policy, Volume 2, Issue 11, pages 12-14.
Information Commissioner's Office, Annual Report 2006/07, July 2007, page 7. Available at: http://www.ico.gov.uk/upload/documents/annual_report_2007_html/index.html.
House of Commons Justice Committee, Protection of Private Data, First Report of Session 2007-08, 4th December 2007, Question 4. Available at: http://www.publications.parliament.uk/pa/cm200708/cmselect/cmjust/154/154.pdf

The Data Protection Act places a series of requirements on Data Controllers, those who determine the purpose for which the data is processed. A controller must comply with the Eight Data Protection Principles, which are in effect a list indicating good practice for handling data and state specifically that:

The data shall be processed fairly and lawfully;
It is only obtained for one or more specified and lawful purposes;
It shall be adequate, relevant and not excessive;
It is accurate and up to date;
It is not kept for longer than necessary;
It is processed in accordance with the data subject's rights;
It is kept secure using technical and organisational methods; and
It is not transferred out of the European Economic Area (EEA) unless there is an adequate level of protection for data subjects.

The eighth principle in particular has caused recent difficulty. Whilst companies are free to transfer data within the EEA, this freedom does not extend to countries outside of this area which do not have equivalent data protection legislation. The European Union has the ability to determine whether countries have an adequate level of protection, and has done so with countries such as Canada, Argentina and Switzerland. The USA particularly has been embroiled in this controversy, as the EU were of the view that the US did not offer an equivalent level of protection. There is a philosophical difference between the American approach to privacy and the European approach. In general, the EU see protecting an individual's privacy as a priority. However, due to the First Amendment right of Free Speech, America places a greater emphasis on freedom of expression and relegates protection of privacy. This caused problems. As more and more companies are working on an international footing, companies ran the risk of falling foul of the Information Commissioner if they transferred data to America. Accordingly, after the Data Protection Act, there was a great deal of negotiation between the EU and the USA, as the USA did not offer an equivalent level of data protection (indeed, the system in America is based upon self-regulation).

Safe Harbour

On 26 July 2000, and after two years of negotiation, the compromise position of Safe Harbour was decided upon (520/2000/EC). This is a voluntary system, whereby American
companies can sign up to the scheme to say that they are meeting basic data protection principles, similar to those in the EU. To join Safe Harbour a company must:

Comply with the principles of Safe Harbour;
Make a public statement affirming compliance with the principles;
Self-certify compliance to the US Department of Commerce.

There was a very slow uptake to Safe Harbour, with only a few dozen companies in the first six months, arguably mainly due to the annoyance of American businesses at having to comply with EU direction. However, to date, over 830 companies have signed up. There are seven main principles of Safe Harbour, which are notice, choice, transfers, access, security, data integrity and enforcement.

In October 2004, a European Commission working group examined the success of the Safe Harbour scheme. In a document entitled "The implementation of Commission Decision 520/2000/EC on the adequate protection of personal data provided by the Safe Harbour privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce" they made a number of conclusions. These were:

1. Safe Harbour is beginning to be embraced by the American business community, although a greater uptake is needed;
2. There are, however, a number of organisations who have signed up to Safe Harbour, who do not have a privacy policy, which is in contravention of the agreement;
3. The Department of Commerce, responsible for enforcing Safe Harbour, are carrying out their function well, although they need to make inter alia certain changes to their website;
4. There are some problems with alternative dispute resolution schemes.

The Commission also questioned whether the Federal Trade Commission is competent to deal with international data flow, where the data relates to human resources. This is an issue, considering that 30% of the companies who have signed up to Safe Harbour have done so for human resources purposes. James Grant sums up the Report by stating: "Whilst the Commission says that, in general, as the body competent for ensuring self-certification, the DoC [Department of Commerce] is carrying out its role in accordance with the Safe Harbor requirements, it could do better. There is a strong sense that the regime is toothless and some of the blame lies with the regulators themselves." The critical issue to examine is whether or not the Safe Harbour agreement is adequate in maintaining the data protection rights of an individual.

Other Requirements

The Data Protection Act requires that those who process personal data should notify the Office of the Information Commissioner (Section 17). All data processing must adhere to the eight principles listed above. Furthermore, personal data may not be processed at all unless a condition listed in Schedule 2 of the Act is met:

The data subject has consented;
The processing is necessary for contracting;
It is necessary for legal compliance;
It is in the vital interests of the data subject;
The processing is for Judicial/Governmental purposes;
The processing is necessary for legitimate purposes.

However, under the terms of the Act there is the concept of Sensitive Personal Data. This is defined by Section 2 of the Act as information relating to an individual regarding their:

Racial or ethnic origin;
Religious or political belief;
Trade Union membership;
Physical or mental health;
Sex life; or
Criminal record.

If the data being processed is Sensitive Personal Data, then a condition in Schedule 3 of the Act must be met. Specifically:

The data subject has given his explicit consent;
It is necessary for the purposes of employment obligations on the controller;
It is in the vital interests of the data subject (if the controller cannot get consent from the data subject);
It is carried out by a non-profit making organisation;
It concerns legal compliance;
It is necessary for the administration of justice;
It is necessary for medical purposes;
It is necessary to maintain equal opportunity records; and
It is to be processed following an order from the Secretary of State.

The issue of consent is somewhat controversial. There is currently no definition of consent as per Schedule 2. To confuse the issue further, if the personal data is of a sensitive kind, then a criterion in Schedule 3 needs to be met. This time the data subject must have given his explicit consent. Once again, there is no express definition of this term, though it appears to require a stronger affirmation than the consent required to fulfil Schedule 2.

Rights of the Data Subject

The Data Protection Act does not merely impose obligations upon those who process data, but also provides rights for the data subject. A data subject can write to the Data Protection Officer at the organisation which they believe holds personal data about them and request to see the data held (a fee of £10 may be levied for this). A data subject has various rights:

Right of access (within 40 days);
Right to prevent processing that will cause damage or distress;
Right to prevent processing for direct marketing purposes;
Right to an explanation about how automated decisions are made;
Right to compensation if damage has been caused due to a data controller not fulfilling their obligations under the Act;
Right to correction, erasure or destruction of inaccurate data; and
Right to request an assessment by the ICO on the legality of the processing.

Data subjects are unable to contract out of these rights.

Exemptions

The Data Protection principles and/or the Schedule 2/3 conditions may not apply if the purpose of processing data comes under one of the exemptions to the Act found in Part IV. Specifically:

Section No.   Exemption
28            National Security
29            Crime and Taxation
30            Health, education and social work
31            Regulatory Activity
32            Journalism, literature and art
33            Research, history and statistics
34            Information available to the public under enactment
35            Disclosures required by law
36            Domestic purposes
37            A Schedule 7 exemption
38            The Secretary of State has discretion to add exemptions

Remedies

If a data subject believes that their personal data is being processed in contravention of the Data Protection Act, they can under Section 42 request that the Information Commissioner makes an assessment as to whether this is the case. The Commissioner has the right to give an information notice under Section 43 to the data controller asking for all the relevant information. A data subject can obtain damages under Section 13 if the Act is deemed to have been contravened, although it is a defence for the data controller to show that they took such care in all the circumstances.

The Data Protection Act celebrates its tenth birthday in 2008, yet it seems that data protection failings within governmental departments and other organisations are the only attendees at this particular party. The failings, leading to high-profile data protection breaches, have seen the Act attacked on many sides, including from amongst others the House of Lords Science and Technology Committee Report on Personal Internet Security. The Report refers to inherent weaknesses within the Data Protection Act, including the legal constraints surrounding the Act and its failure to offer any practical incentive for those holding customer data to take steps to protect it. Whilst some portion of the blame for many of these problems should lie with the governmental departments, organisations and with the Information Commissioner (who is responsible for enforcing the Act), it is contended that concern should also be raised about judicial handling of the Act. Alongside providing analysis of the public sector's handling of the problems in recent months, this paper will examine whether these case law decisions are in accordance with the Act and explore whether the Information Commissioner's guidance is aligned with the approach of the courts. At the same time, consideration will be given to whether the judicial view is in line, not only with the demands of the Act, but also the original Data Protection Directive 95/46/EC.

Systematic failings?

The loss of data relating to approaching 25m people by HMRC in November 2007 should not have been a surprise. The loss of the two discs containing personal and banking details of all child benefit claimants, which are still unfound, is the latest data protection breach to hit HMRC. Other examples of recent high profile data breaches include the loss by the Driving Standards Agency of data relating to 3m people about to take their driving theory test, nine NHS trusts losing data relating to thousands of patients and sporadic disappearances of laptops in both the public and private sector. Indeed, as far back as 2003, the BBC reported that 1 in 17 public sector workers had either lost their laptop or had it stolen. Prior to these breaches, the Information Commissioner had been sending out warning signals about data security breaches. In the Information Commissioner's Office Annual Report, published in July 2007, Richard Thomas highlighted the proliferation of data security breaches and commented: "Recent security breaches permitting the wrong people to access confidential information provide a powerful illustration of the need to ensure that safeguards are achieved in practice. The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying."

Furthermore, on 25 October 2007, just a handful of days before the HMRC disaster was announced, the Prime Minister stated during his Speech on Liberty, with no small degree of prophecy, that: "At the same time, a great prize of the information age is that by sharing information across the public sector - responsibly, transparently but also swiftly - we can now deliver personalised services for millions of people, something not dreamt of in 1945 and not possible even ten years ago. So for a pensioner, for example, this might mean dealing with issues about their pension, meals on wheels and a handrail at home together in one phone call or visit, even though the data about those services is held by different bits of the public and voluntary sectors. But if Governments do not insist on accountability where people's data is concerned - and are not held independently to account - then we risk losing people's trust which is fundamental to all these issues and more."

The aims behind the speech were to highlight plans to reform the data protection and secrecy laws within the United Kingdom. The need to undertake this reform was intensified by the events within and around HMRC, an incident which Alan Beith MP, Chairman of the Justice Committee, referred to (when taking evidence from Richard Thomas, the Information Commissioner) as the situation of being required to deal with the stable door, not just after the horse has bolted, but also the entire racing stable has bolted, with really potentially very, very serious consequences. It is clear that the fact of the data protection breaches was not a surprise, with both the Prime Minister and the Information Commissioner making warning statements. However, the sheer scale of the breaches certainly was surprising. Although there have been many suggestions as to fault, it is the contention of this paper that the defects lay in a number of areas, including judicial interpretation of the law, enforcement weaknesses and system failures.

Understandably, since the dire headlines at the end of 2007, many proposals for reform in this area have been forthcoming. A number of the reform suggestions have been connected to the role of the Information Commissioner, specifically increasing the powers available. The House of Lords Science and Technology Committee makes the following observation about the current status quo: "The only enforcement agency with a general responsibility for personal Internet security, insofar as it relates to the security of personal data, is the ICO. However, of all the regulatory authorities, the ICO's enforcement powers appear currently to be the weakest."

The current scope of the available powers extends to information notices (under section 43 of the 1998 Act), which require the supply of information relating to a matter under investigation, and enforcement notices (under section 40), each of which is a document requesting that an organisation changes its practices. It is only upon breach of the information or enforcement notice that a criminal offence is committed under section 47. If a criminal offence is deemed to have been perpetrated, the ICO may then prosecute those involved. Examining the ICO's Annual Report for 2006/07, fourteen successful prosecutions were brought during this period, with the main penalty being a fine of around £200-300 per offence.

This sanction can be compared with other regulators, for instance the Financial Services Authority (FSA). In December 2007, the FSA fined Norwich Union £1.26m for failing to take reasonable care in its organisation of risk management systems. The system Norwich Union employed allowed fraudsters to use publicly available data (including names and dates of birth) to impersonate customers and obtain other sensitive data from its call centres. Furthermore, in the last couple of years, the FSA have also fined BNPP Private Bank £350,000 for having weak anti-fraud systems, Nationwide Building Society £980,000 for information security lapses (the most high profile being the theft of a laptop containing sensitive customer details) and Capita Financial Administrators £300,000 for poor anti-fraud controls over customer accounts. Other regulators in different sectors also have considerable power when it comes to penalties, yet the Information Commissioner only has information and enforcement notices at his disposal, followed by the possibility of taking fairly low-level legal action against the perpetrator.

LECTURE EIGHT: Web 2.0

Required Reading:

The Home Office Task Force on Child Protection on the Internet published a comprehensive document entitled "Good practice guidance for the providers of social networking and other user interactive services" (available at: http://police.homeoffice.gov.uk/publications/operational-policing/social-networkingguidance/).
Gillespie, A. A., "Indecent images, grooming and the law" (May 2006) Criminal Law Review, pages 412-421.
Mann, B. L., "Social networking websites a concatenation of impersonation, denigration, sexual aggressive solicitation, cyber-bullying or happy slapping videos" (2009) International Journal of Law and Information Technology, volume 17, issue 3, pages 252-267.
Gillespie, A. A., "Regulation of internet surveillance" (2009) European Human Rights Law Review, issue 4, pages 552-565.

The Internet has seen a rapid development in terms of user interaction in recent years. Websites offering the user the ability to upload videos, record opinions through blogs, wikis or Twitter and dynamically communicate with individuals have radically altered Internet usage. Traditional Internet usage (termed Web 1.0) involved static websites, which allowed individuals to search different websites for information (often with the assistance of a search engine) and download the required content. This model has been replaced by a much more interactive, dynamic and user-driven approach, which allows people to chat, gamble, discuss, create, search, message, upload, download, blog and communicate. Social networking sites are at the forefront of this development, as users are no longer simply engaging with the Internet in a passive manner, but through a huge range of mediums and through a tranche of different interfaces, including personal computers, mobile phones and game consoles.

Social Networking Sites

Social networking sites have seen exponential growth in recent years. Audience growth in sites such as Facebook, MySpace, Bebo, LinkedIn and Flixster has been viral, due predominately to their appeal to a range of different interest groups, including schools, films, business and music. Although the functionality of each of the different social networking sites does differ, in general users can engage in an extensive range of activities. They allow users to create their own content, including a personal profile (containing some personal information), and then share it with the vast audience who have also joined the site. They provide ample opportunity to communicate with friends and contacts around the world through blogs and message boards. Many people take advantage of blogs as a way of diarising or journaling the events of their life. These events can be recorded and third parties can be tagged in any photographs, videos or films that are uploaded. News can be shared, arrangements can be made and online games and quizzes can be played. Individuals can also join an interest group and share information on their interest.

Social networking sites are sociologically complex and they do not conform to the traditional boundaries of time. The work and private life distinction is becoming increasingly blurred, as added friends could include family, friends, work colleagues, or even someone that you have never met before, and a sense of worth arises from either the number of friends a social networking site user has or the number of famous people who have accepted a friendship request. Communicating any information on one of these sites means that the information is potentially available to any user around the world, and the range of potential users is as wide as the demographics of the planet itself, as there seems to be no demarcation in membership: old and young, rich and poor have to a large degree an equality of online opportunity. Social networking sites are becoming a new
organising system as dates, meetings, arrangements and updates can all be orchestrated through one of these sites.

Unsurprisingly, the advantages of social networking sites do need to be balanced with the perceived disadvantages, of which there are several. On a general level there are the threats of identity theft, as criminals may be able to build up a profile of a user and be able to impersonate them or potentially even obtain goods, services or credit in that user's name. It would not require too much detective work for a criminal to ascertain the answers to key security questions, such as a date of birth or mother's maiden name. Equally, it is possible to pass yourself off as another individual, as there are very few, if any, adequate verification applications in place beyond the initial registration, meaning that there are no checks to see if the person is who they say they are.

There is a broad range of data protection issues with these sites and at first glance it is not clear how far and in what ways the Data Protection Act 1998 and other similar legislation apply to this context. For instance, who is responsible for the management of the processing? It may be the user or the social networking site. The ease of disseminating information may appear to be advantageous; however, it is coupled with a range of privacy and security concerns. Privacy concerns intensify when users seek to delete their profiles, as policies towards total deletion of the web pages are the source of some considerable controversy.

The problem areas of social networking sites are noted in two key arenas. First of all, the use of these sites by those under the age of eighteen years old is contentious and full of legal implications. Secondly, there is the use of social networking sites by employees of a company, either during the working day, or in their own time but clearly indicating who their employer is.

Use by minors

The use of social networking sites by minors is surrounded with legal implications. Many of the sites are targeted at teenagers and so it is of little surprise that individuals in the age range of 14-18 years old form the main user group. Social networking sites need to secure a very delicate balance between ensuring that their site is user-friendly, engaging and welcoming to the teenage groups, while ensuring that they safeguard their reputation by providing adequate security and privacy standards. The young person in the twenty-first century needs to be Internet-savvy, and use of sites such as Facebook is a necessary social utility, encouraged by a strong inducement to register from within their peer group.

European Commission Guidance

With these dangers in mind, the European Commission published in February 2009 a document entitled "Safer Social Networking Principles for the EU". This document was authored by the European Commission with the assistance of a large number of social network providers, as well as non-governmental organisations and researchers. The document provides seven good practice recommendations with the aim of enhancing the safety of children online. The principles are not legally binding, but provide a benchmark against which providers can measure themselves. The seven principles are:

1. To raise awareness of safety education messages and acceptable use policies and present them in a clear and age-appropriate manner.
2. To work towards ensuring that services are age-appropriate for the intended audience.
3. To empower users through tools and technology.
4. To provide a user-friendly mechanism to report inappropriate content or conduct.
5. To expeditiously respond to reports of inappropriate content or conduct.
6. To encourage users to employ a safe approach to personal information and privacy.
7. To assess the means to review illegal or prohibited conduct or content.

The document provides more detail on how these principles are to be achieved, including the provision of a report abuse button, ensuring that the privacy settings are always prominent and accessible, having the privacy default for those under the age of eighteen set at private and preventing those under the age of thirteen from using the service. In Annex II of
the document, a self-declaration form is included where social network providers can declare the extent to which they are complying with the principles. These principles are clearly a useful addition to other bodies that are in existence to protect children online, such as the Internet Watch Foundation (IWF) and the Child Exploitation and Online Protection Centre.

Use by employees

The use of social networking sites by employees is a potential legal minefield. There is the simplistic problem of employees wasting time online, instead of focusing on their work. Further problems exist as social networking sites are fertile ground for intellectual property or confidentiality leaks, data security breaches, harassment or bullying among staff and even damage to a company's reputation. The latter issue has seen a number of high profile examples of employees having their contract of employment terminated for airing grievances online. Towards the end of 2008, Virgin Atlantic dismissed thirteen cabin crew employees who had made disparaging comments about the safety and condition of the aeroplanes and insulted customers on the social networking site Facebook.

There is a range of legislation that is applicable in this context. The Data Protection Act 1998 is of obvious relevance as the Act concerns the protecting of personal data, while the Human Rights Act 2000 is also of significance in this area in relation to the freedom of expression/right to a private life debate. In some circumstances, employers have the right to monitor Internet and email usage of employees, subject to the provisions in the Regulation of Investigatory Powers Act 2000 and also the Law Business Practice Regulations 2000.

Employee usage and monitoring

Employers may have a range of reasons for wanting to monitor the online activities of their employees. They may wish to ensure that the company or organisation's brand and reputation is protected by ensuring that no defamatory, inaccurate, price-sensitive or secret commercial information is released, either inadvertently or intentionally. Employers may also consider monitoring to be necessary to safeguard the security and privacy of the computer network and also to try to avoid vicarious liability claims.

The starting point for examining whether employee monitoring is permitted is the Regulation of Investigatory Powers Act 2000. Section 1 of the 2000 Act sets out the offence of intentionally and without lawful authority intercepting a communication transmitted by means of a public telecommunications system. Application extends to interference with a telecommunications system to make the contents available to someone other than the sender or recipient during transmission and also applies to the recording of a transmission to be read or viewed at a later time. The offence carries an available sentence of two years. Section 2 of the Act explains that a person is intercepting a communication if they are modifying or interfering with the system or its operation or monitors the transmission made by means of the system.

Various exceptions to the default position are found further on in part one of the Act. Section three deals with lawful interception without an interception warrant, while section four addresses the power to provide for lawful interception. Accordingly, the ability for an employer to monitor the Internet use of an employee is legitimate if they hold a reasonable belief that both the sender and recipient have consented.

A second option for a business to be able to legitimately monitor Internet usage is found within the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. These regulations state that businesses may monitor and record communications to establish the existence of facts to ascertain compliance with regulatory or self-regulatory practices or procedures or to ascertain or demonstrate standards which are or ought to be achieved; in the interests of national security; to prevent or detect crime; to investigate or detect unauthorised use of telecommunications systems or to secure, or as an inherent part of, effective system operation. The interception must be solely for the monitoring or recording of communications relevant to the business and it is essential that employers make all reasonable efforts to inform their staff that the monitoring is about to be

carried out. It should be sufficient to include an email/Internet statement with such a clause or include a section in the contract of employment highlighting that monitoring may take place.

There have been a couple of cases within the United Kingdom which have reached the European Court of Human Rights in relation to employee monitoring. In Halford v United Kingdom (1997) 24 E.H.R.R. 523 Halford became Assistant Chief Constable for Merseyside Police in 1983. She subsequently made numerous attempts for promotion, which were always refused, eventually leading to her commencing a sex discrimination action against her employers as Halford was of the view that her rebuttals at promotion were due to her gender. After winning her case, Halford brought a subsequent action against the government and her employers under Article 8 of the European Convention on Human Rights, which states that "everyone has the right to respect for his private and family life, his home and his correspondence". Halford alleged that during the earlier case she had been the victim of telephone tapping by her employer, who had tried to obtain information about her which could harm her case. The European Court of Human Rights upheld Halford's complaint and held that even though the majority of the telephone monitoring was through her work telephone, several of these calls were of a personal or private nature, meaning that her Article 8 right had been violated. This case does not however prevent employers from monitoring the activities of their employees and was decided on a narrow set of facts. Although Halford was not advised of the monitoring, she was told that she could use the work telephone to further her earlier sex discrimination case.

The issue relating to work place monitoring was developed in the case of Copland v United Kingdom (62617/00) (2007) 45 E.H.R.R. 37. In this case, the complainant was employed in a college of further education and she complained that she was being subjected to monitoring of her telephone, email and Internet usage at work. The monitoring of the telephone calls was carried out by the employer to ensure that too many personal calls were not being made, while email addresses were being monitored, along with the time they were sent, and websites were also being monitored to see the actual website visited, the time and the date. No monitoring policy existed within the college and Copland alleged that there had been a breach of her Article 8 right under the European Convention on Human Rights. The European Court of Human Rights upheld the decision in Halford and held that telephone calls, even if made from a work telephone, were still to be afforded protection under Article 8. The same principle was applied for emails and Internet usage. As there was no policy in force and Copland did not know that she was being monitored it was held that there was a breach of Article 8 in this circumstance.

Implications for employee monitoring also arise out of the Data Protection Act 1998. It is clear that from the wide definition of processing contained within the Act, the act of monitoring would be included. It is likely that a large proportion of the data processed would be classified as personal data. Accordingly, as an organisation processes personal data they would need to register with the Information Commissioner. By virtue of registering with the Information Commissioner and aligning itself with the provisions of the Data Protection Act, the organisation would need to follow the eight data protection principles, which are located in Schedule One of the Act.

A secondary issue with employees utilising social networking services is the ownership of the contacts obtained. A standard contract of employment states that discoveries, business secrets and methods, intellectual property rights and confidential information remain the property of the employer. Whether this extends to contacts obtained through a social networking site was part of the issue considered in the pre-action disclosure application in Hays Specialist Recruitment Limited v Mark Ions.

Virtual worlds

Previously, virtual communities have been said to be "social aggregations that emerge from the Net when enough people carry on those public discussions long enough, with sufficient human feeling, to form webs of personal relations in cyberspace." Rheingold, H The Virtual Community, Minerva, London, 1994.

However, with the rapid growth of Massively Multiplayer Online Role Playing Games (MMORPGs), when we talk about virtual communities or worlds we are referring to fantasy locations within the likes of Second Life and World of Warcraft. In these worlds people leave their day to day lives behind and take on new personas; they shape the world in which they live.

Why are virtual worlds attracting the interests of the legal profession? As of February 2007 Second Life alone had 4 million registered users while World of Warcraft had that many registered in China alone. The MMORPG market as a whole is worth US$1 billion. The sheer number of players involved, all interacting through the virtual sales of goods and service in order to proceed through the game, has led them to be described as "not games [but] transaction spaces". By 2001 Norrath within Sony's Everquest had a higher per capita GNP than Bulgaria. (Reported in Virtual worlds: Regulating virtual worlds: current and future issues. Birch, D ecommerce law & policy Volume 9 Issue 1 Jan 2007.)

So much commerce is done now within these virtual worlds that currency exchanges have opened to convert virtual currencies into real life currency. Further, more and more real world companies are joining the likes of Second Life to establish a commercial presence. Additionally, real world illegal behaviour is becoming more prevalent as players seek to progress quicker through the games and/or make large sums of real world currencies. Therefore, various legal questions arise as to the applicability of real world laws to what are effectively lawless virtual societies. Such as:

1. Whether real world criminal behaviour can be, and should be, punishable if committed in a virtual world?
2. Can you actually own the property that you inhabit and possess within virtual worlds, is it in fact property?
3. Is the money to be made from virtual worlds taxable as real world income?
4. Are contracts made within virtual worlds enforceable in real life, if not should they be?
5. Do consumers within these worlds require the same protection as in the real world?
6. Is there a case for using virtual worlds as a laboratory for testing legislation before it is introduced in the real world?

Ultimately the biggest issue is, do virtual worlds need regulating and if so how should they be regulated.

LECTURE NINE DEFAMATION

Required Reading

Murray, A Information Technology Law: The Law and Society Oxford University Press, 2010, pages 135-167.
Mullis, A & Scott, A. Something rotten in the state of English libel law? A rejoinder to the clamour for reform of defamation (2009) Communications Law, volume 14, issue 6, pages 173-183.
Klang, M & Murray, A Human Rights in the Digital Age (2005) Routledge-Cavendish Publishing, chapter 5 (by Diane Rowland Free Expression and Defamation) and Chapter 7 (by Gavin Sutter Internet Service Providers and Liability).
James, S Social Networking sites: regulating the online wild west of Web 2.0 Entertainment Law Review, volume 19, issue 2, pages 47-50.
Rogers, K M Bloggers Beware! New Law Journal, 7th December 2007, pages 1718-1719.

Defamation is a tort and therefore a civil wrong. It is one of the oldest civil law concepts around today. An obvious cause for concern in this area is the international reach of the Internet and, coupled with jurisdictional problems, this is a difficult area for lawyers. The very nature of the internet, which allows anyone to be a publisher, potentially extends this area of law very widely. There are in fact a large range of potential defendants in an internet defamation action including authors, editors, Internet Service Providers, the owner of the website, an individual who collates and distributes information and perhaps even a search engine. This chapter will consider some of the pertinent issues relating to the Internet and defamation in turn.

What is online defamation: Libel or slander?

Defamation is a published statement that tends to lower a person's reputation in the minds of right thinking members of society. If it is spoken, it is slander; if it is written down, it is libel. Libel is actionable in English law per se, that is, without proof of damage. The traditional demarcation of defamation into libel and slander is muddied somewhat by the ability of an individual to record their voice (for instance on a podcast or video) and then publish it online or to place a real time comment on a blog conversation. Would these be classified as libel or slander? It is likely that this would still come within the heading of libel as they would be in permanent form, but this is not entirely certain.

This issue was partially considered in the case of Smith v ADVFN Plc [2008] EWHC 1797 where the court maintained the stay on proceedings for 37 libel claims where the comments were likely to be found to be fair comment, or vulgar abuse, which was not defamatory. The actions were paused as it was felt that continuation of them would lead to an abuse of process. The comments were placed on bulletin boards and Mr Justice Eady considered that these types of posting were similar to a casual, heat of the moment, conversation at a bar, where people read a posting that they are interested in and then comment on it. They do not generally read the entire posting and just select the elements they are interested in. Based on this, his view was this type of posting should be the subject of an action in slander, rather than libel.

Single or Multiple publication?

There are two schools of thought concerning the bringing of an action in defamation, the single or the multiple publication rules. The single publication rule applies in the US. This means that only the first publication is actionable, no matter how many times that publication is repeated. This has been held applicable to websites in the US case of Firth v State of New York (2002). The other school of thought is the multiple publication rule, that is, each time the defamatory statement is published a separate cause of action arises. This is the rule followed in the UK

and one which is significant when we come to consider material that might be posted on a website and potentially published every time it is accessed. The multiple publication rule is very well established in English law going back to the case of Duke of Brunswick v Harmer (1849) 14 QB 185. This is important because most torts have a time limitation on actions. In the UK it is 1 year for defamation as under the Limitation Act (1980) s 4A. An example of this is the case of Loutchansky v Times Newspapers Ltd (2002) QB 783, which was upheld by the European Court of Justice in 2009. (See: Times Newspaper Ltd v United Kingdom (Applications 3002/03 & 23676/03) [2009] E.M.L.R. 14).

Identity

The rights for bloggers to retain anonymity, while writing offensive or defamatory comments, and the action potentially defamed people may take to rectify the situation have been considered in the High Court decision in Sheffield Wednesday Football Club Limited et al v Neil Hargreaves [2007] EWHC 2375 (QB). Neil Hargreaves (the defendant) operated and owned a website called www.owlstalk.co.uk. This website invited fans of Sheffield Wednesday Football Club to post messages on matters relating to the club. The website was free to use, although prospective users needed to register with a username and password and give themselves a name by which they are known on the site (invariably a pseudonym). The terms and conditions of the website stated that users may not post defamatory or false comments and the website owner is entitled to remove such messages if he deemed it necessary. Sheffield Wednesday and seven directors of the club felt that eleven comments posted on the website were false, defamatory and made serious allegations about them and accordingly they sought to commence an action for defamation.

However, the key problem that was faced by Sheffield Wednesday was that the authors of the postings were hidden behind their anonymity and so the club needed to locate a responsible party. Accordingly, the club sought a Norwich Pharmacal order against the website owner, Mr Hargreaves. This principle was first established in the case of Norwich Pharmacal v Customs & Excise Commissioners [1974] AC 133, and was explained by Lord Reid as: "if through no fault of his own a person gets mixed up in the tortious acts of others so as to facilitate their wrongdoing, he may incur no personal liability but he comes under a duty to assist the person who has been wronged by giving him information and disclosing the identity of the wrongdoers ... justice requires that he should co-operate in righting the wrong if he unwittingly facilitated its perpetration." (at page 175).

This principle was developed in the decision of Mitsui Limited v Nexen Petroleum UK Limited [2005] EWHC 625 (Ch) in which Mr Justice Lightman introduced three conditions that must be satisfied prior to the court granting a Norwich Pharmacal order; specifically:

a) A wrong must have been carried out or arguably carried out by an ultimate wrongdoer;
b) There must be a need for an order to enable action to be brought against the ultimate wrongdoer; and
c) The person against whom the order is sought must (a) be mixed up in the wrongdoing so as to have facilitated it; and (b) be able or likely to be able to provide the information necessary to enable the ultimate wrongdoer to be sued.

The Judge in this case, Richard Parkes QC, was of the view that the three requirements for a Norwich Pharmacal order had been fulfilled in some of the entries posted on to the website. Out of the eleven postings he considered that seven were far from serious. The Judge considered that:

"It seems to me that some of the postings which concern the Claimants border on the trivial, and I do not think that it would be right to make an order for the disclosure of the identities of users who have posted messages which are barely defamatory or little more than abusive or likely to be understood as jokes. That, it seems to me, would be disproportionate and unjustifiably intrusive" (at paragraph 17).

The judge drew a distinction between the eleven blog postings and held that seven of them consisted of material that could either not be classified as defamatory, was simply a joke, or was clearly saloon-bar moanings with just a small amount of personal abuse. However, the four remaining postings were, in the view of Parkes QC, much more serious in the nature of the material contained in the entry. Accordingly, the judgment went partly for the Claimants, and Mr Hargreaves was asked to reveal the identities of four of the authors who had posted potentially defamatory statements on the bulletin board, as the right for the directors to maintain their reputation outweighed the right of the authors to protect their anonymity.

The issue of identity was also considered by the High Court in Author of a blog v Times Newspapers Limited [2009] EWHC 1358. This case concerned a serving policeman who was the author of an anonymous blog. Under the pseudonym Night Jack, the police officer commented on his experience at work, including details on criminals and the struggles he faced with police bureaucracy. He also criticised government ministers and policy. The Times Newspaper came into the possession of the name of the anonymous blogger and Night Jack sought an injunction to prevent its disclosure.

The blogger argued that his identity should be protected for two reasons. First of all, he contended that The Times had a duty of confidence in respect to the information the newspaper held about his identity, and secondly he argued that he had a right to privacy unless there was a public interest ground for identifying him. Mr Justice Eady rejected both of these arguments. In relation to the duty of confidence, Mr Justice Eady explained that this is only owed in situations where information is provided which is clearly meant to be confidential. The Times discovered the identity of the anonymous blogger through their detective work and were not given the information in confidence. The second contention put forward was also rejected by the court and the judge was of the view that there was no right to privacy in the publishing of a blog which is available to the public; even if there was, the public interest in disclosing the identity of the author would outweigh the right to privacy, particularly as he was writing about the shortcomings of a public body; authenticity and accuracy would demand that the author be identified. The judge was of the opinion that it would be perverse for the author of a public blog, who concealed his identity, to expect a right to privacy if his identity were deduced, as blogging is essentially a public activity. Even though the blogger would invariably suffer harm once his identity were released (it is understood that he was disciplined by his police force) this should not be a bar to the disclosing of his identity.

Social Networking Sites, Blogs and message boards

The most high profile incident with a defamation action arising from user-generated content (and specifically social networking sites) was in the case of Applause Store Productions Limited v Raphael [2008] EWHC 1781 (QB). The facts were that in June 2007 Grant Raphael set up a false social networking site on Facebook for his former friend, Matthew Firsht. A Facebook group was also set up called "Has Matthew Firsht lied to you?" and a number of other false allegations, relating to his sexual preferences and his failure to pay his debts, were made. Firsht discovered the identity of this site in July 2007 and sought to commence a defamation action. After securing a Norwich Pharmacal order to establish the identity of the author, a successful defamation claim was brought and Firsht was awarded 22,000 in damages. This level of damages was awarded even though the judge could not be certain how many people had viewed the relevant Facebook pages, but based his view on the number of people who were connected to that particular network. Conversely, simply because an article is available on an open access website does not mean that the article has been substantially published.

Publication and abuse of process

There has been a range of case law where the courts have had to consider whether a defamatory article has indeed been published. These cases include:

Jameel v Dow Jones and Co. Inc. [2005] EWCA 75.
Mardas v New York Times Company [2008] EWCA 3135
Haji-Ioannou v Dixon [2009] EWHC 178 QB.
Christopher Carrie v Royd Tolkien [2009] EWHC 29

Jurisdiction

The decision is easy if the action comes within the Brussels Regulation (Council Regulations (EC) 2001/44 on jurisdiction and the recognition and enforcement of judgements in civil and commercial matters). Article 2 says that if a defendant is in Europe the claim must be brought in the state where the defendant is domiciled, irrespective of the defendant's nationality, OR under s5(3) in the state where the harm occurred, ie where the publication took place and the claimant had a reputation in that place that was capable of being damaged.

Art 27 of the Regulation states that where there is more than one jurisdiction involved, and the same issue has been brought before courts in more than one member state, other courts must stay proceedings until the first court's jurisdiction is established. If that jurisdiction is established, the other courts must decline jurisdiction in favour of the first court. This is to stop forum shopping within the EU or the EEA (via the Lugano Convention). Art 27 applies if an action is begun within the EU, even if another action is then begun outside the EU; this is confirmed by the somewhat complicated case of Owusu v Jackson (t/a Villa Holidays Bal-Inn Villas) & Ors (2005) ECR I-1383. The court also said that the doctrine of FORUM NON CONVENIENS no longer applied to parties under the Regulation. Forum non conveniens means that a court in a certain jurisdiction will voluntarily give up jurisdiction on the basis that another court in another jurisdiction would be better hearing the case. So section 2 of the regulation in particular is very important for multiple jurisdiction defamation actions within the area to which the regulation applies.

English tort law (England and Wales only, Scotland has its own system) has always been seen, internationally, as a good place to bring a defamation action, as having a sympathetic legal system in this respect and a jury system (almost uniquely for a tort) that is often prepared to award astonishingly large monetary awards. It is particularly liked by Americans as their system can be a bit snitty, requiring proof of actual malice to succeed and placing a high value on the protection of freedom of speech as demanded by the first amendment to the US constitution. So when Cameron Diaz wants to bring a case against the National Enquirer as she did just recently, she doesn't bring it before US courts, which is where hard copy of the magazine was published; she is able to bring it in England on the basis that people, albeit not many, saw it on the NE website in this country.

The role of the Internet Service Provider

There are a number of defences available for defamation. These are:

Justification (that the comments were true);
Fair comment on a matter of public interest;
Absolute privilege (available for judicial and parliamentary proceedings only. For instance, an MP calling the Prime Minister a liar during Prime Minister's Question Time: although a defamatory statement, an action could not be brought as the MP has a defence through absolute privilege);
Qualified Privilege;
Innocent Dissemination;

Offer of Amends (to write a corrective statement, offer an apology and compensation, see ss2-4 of Defamation Act);
Consent.

The Internet Service Provider (or ISP) is also exempted from liability. Liability of intermediaries can occur in relation to torts such as defamation and the provision of illegal materials. There are general provisions relating to liability of intermediaries under the Ecommerce directive, which run alongside the terms on contracting.

Liability related to illegal electronic information

General liability of intermediaries

Mere Conduit

Article 12 [see regulation 17] provides that: A service provider shall not be liable, otherwise than under a prohibitory injunction, for the information transmitted, on condition that the provider: (a) does not initiate the transmission; (b) does not select the receiver of the transmission; and (c) does not select or modify the information contained in the transmission.

Article 12 of the Directive of Electronic Commerce 2000/31/EC (implemented into the United Kingdom by Regulation 17 of the Electronic Commerce (EC Directive) Regulations 2002/2013) states that ISPs shall not be liable for the information that is transmitted on pages on their network, provided that they do not initiate the transmission, or select the receiver of the transmission or select or modify the information contained in the transmission.

Article 15 [see regulation 22] provides further that Member States shall not impose a general obligation on providers, when providing the services covered by Articles 12 to 14, to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity.

Caching

Article 13 of the Directive states that the service provider is not liable where the service consists of the transmission in a communications network of information provided by a recipient of the service where the information is the subject of automatic, intermediate and temporary storage for the sole purpose of making more efficient the onward transmission of the information to other recipients of the service upon their request.

Hosting

Under Article 14 of the Electronic Commerce Directive, a service provider is not liable in respect of storage if the service provider does not have actual knowledge of illegal activity or information and, where a claim for damages is made, is not aware of the facts or circumstances from which the illegal activity or information would have been apparent or, upon obtaining such knowledge or awareness, the service provider acts expeditiously to remove or disable access to the information.

However, this defence for ISPs cannot be relied upon if it becomes apparent that they have edited the comments, or have been told of its existence. Furthermore, they may be liable if they do not take reasonable care as to publication. (However, it needs to be asked whether it is appropriate that ISPs (in effect) censor information).

A publisher's defence is also found within section 1 of the Defamation Act 1996. It applies if a person can show that they are not the editor, author or publisher of the statement, he took reasonable care in its publication and he did not know or have reason to believe that what he did contributed to the publication of a defamatory statement. To determine whether a publisher took reasonable care, examination is required of section 1(5), which considers the

extent of the publisher's responsibility, the nature of the surrounding circumstances and the previous conduct of the publisher.

The case of Godfrey v Demon Internet Limited (2001) QB 201 demonstrates however that this defence is fairly limited once an ISP has been warned that a statement has been published which contains potentially defamatory material. In Godfrey, Demon was held to have defamed Godfrey, who was a lecturer in physics, by failing to remove a defamatory statement (purporting to come from Mr Godfrey, although it did not) after Mr Godfrey had advised them of the defamatory nature of the remarks. Even though the Internet Service Provider was not the author of the statements, they were responsible for the site and were thus liable and were required to pay 15,000 in damages.

However the more recent decision in Bunt v Tilley and others [2007] 1 WLR 1243 suggests a move away from the limited defence offered by Godfrey. In this case, Justice Eady stated: "When considering the Internet, it is so often necessary to resort to analogies which, in the nature of things, are unlikely to be complete. That is because the Internet is a new phenomenon. Nevertheless, an analogy has been drawn in this case with the postal services. That is to say, ISPs do not participate in the process of publication as such, but merely act as facilitators in a similar way to postal services. They provide a means of transmitting communications without in any way participating in that process ... I am also prepared to hold that as a matter of law that an ISP which performs no more than a passive role in facilitating postings on the Internet cannot be deemed to be a publisher at common law." (at paragraphs 9 and 36 respectively).

Defences

General defamation defences apply here as to real world defamation. As far as the UK is concerned we are going to examine the defences which may be available to ISPs under the Defamation Act 1996 and the Directive on Electronic Commerce (more EU!).

Are ISPs publishers?

Under the Defamation Act 1996 s1(1) a person has a defence if he shows that:

(a) He was not the author, editor or publisher of the statement complained of;
(b) He took reasonable care in relation to its publication; and
(c) He did not know, and had no reason to believe, that what he did caused or contributed to the publication of a defamatory statement.

And s1(3) of the same act says a person shall not be considered the author, editor or publisher of a statement if he is only involved:

(c) in processing, making copies of, distributing or selling any electronic medium in or on which the statement is recorded, or in operating or providing any equipment, system or service by means of which the statement is retrieved, copied, distributed or made available in electronic form.
(e) as the operator of or provider of access to a communications system by means of which the statement is transmitted, or made available, by a person over whom he has no effective control.

So section 1(3) seems to establish that service providers will not be publishers, which is good news for them, but they still need to meet the requirements of the section 1(1) conditions. If they are not a publisher they meet (a), but what about the other two? In the case of Godfrey v Demon Internet Ltd (1999) Demon was held to be a publisher; it chose to be a host to a newsgroup.

However, in the recent case of Bunt v Tilley (2006) EWHC 407 (QB) the court held that whether publication had taken place was a question of fact for the individual circumstances of the case, and that an ISP that performed no more than a passive role in facilitating postings on the internet could not be deemed a publisher at common law and could rely on the defences under s1 of the DA 1996, because it had not been put on notice of the statements by the claimant. Held that ISPs do not have to act as gatekeepers.

The main protection for ISPs in the UK comes from Europe, from Directive 2000/31, the Directive on Electronic Commerce. The UK implemented it on 21st August 2002 in the Electronic Commerce Regulations 2002. The Directive adds a number of defences for ISPs and others providing information society services, relevant to ANY illegal material (i.e. pornographic) but specifically, for our purposes in this instance, potentially defamatory statements. The ISP has a defence in relation to three circumstances, where it is acting as:

- A mere conduit (Art 12): information just passing through the ISP network, not stored; perhaps a telephone network.
- Caching (Art 13): temporary storage performed for the sole purpose of making more efficient the information's onward transmission to other recipients of that service, upon request.
- Hosting (Art 14): websites, e-mail, bulletin boards; storage of information provided by the recipient of the service. Member States (MS) shall ensure that the service provider is not liable for the information stored at the request of a recipient of a service, on condition that the provider does not have actual knowledge of illegal activity and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.

S15: no general obligation on ISPs to monitor information posted on the sites.

S17-19: the ISP is under an initial evidential burden to raise the issue of the defence; the claimant must then establish reasonable doubt that the defence can be used. If the claimant cannot, then the defence can be used. The service provider is under a general duty to remove or disable access to unlawful material.

Possible penalties?

Normally damages, an apology and a retraction. In Michael Keith-Smith v Tracey Williams [2006] EWHC 860 (QB) the court awarded damages for defamation for defamatory and offensive postings made by Ms Williams against Mr Keith-Smith on an Internet discussion group called "In the Hole". She was offered, and rejected, the opportunity to apologise and accordingly the court awarded damages of £10,000, which included both compensatory damages and aggravated damages. Interestingly, Judge MacDuff added:

"If those damages appear to be modest in amount that is not any fault of the defendant, if fault be the right word. It is through the good fortune, or her good fortune, that these remarks did not get a wider publication elsewhere and were, happily, only seen by a relatively small number of people, most of whom, in all probability, did not believe what they were reading." (at paragraph 24).

LECTURE TEN: ONLINE MARKETING

Required Reading

- Murray, A. Information Technology Law: The Law and Society, Oxford University Press, 2010, pages 129-133.
- Hedley, S. The Law of Electronic Commerce and the Internet in the UK and Ireland, Cavendish Publishing, 2006, pages 39-45.
- Hedley, S. "A brief history of Spam" (2006) Information and Communications Technology Law, volume 15, number 3, pages 223-238.
- Rogers, K. M. "Viagra, viruses and virgins: a pan-Atlantic comparative analysis on the vanquishing of spam" (2006) Computer Law and Security Report, Volume 22, Issue 3, pages 228-240.
- Rogers, K. M. "The Privacy Directive and Resultant Regulations: The Effect on Spam and Cookies, Part I" (October 2004) BLR 271-274.
- Please obtain a copy of the Privacy and Electronic Communications Regulations 2003, available at: http://www.opsi.gov.uk/si/si2003/20032426.htm.
- Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Fighting spam, spyware and malicious software, COM (2006) 688 final. Available at: http://eur-lex.europa.eu/LexUriServ/site/en/com/2006/com2006_0688en01.pdf.

The Internet has opened many possibilities for individuals or businesses to advertise and solicit products online or through wireless devices. There are a number of ways for a business to advertise online (occasionally called "webvertising"); these include websites, banner advertisements, pop-ups (or pop-unders) and email. The power of Google and other search engines has transformed the manner in which businesses can advertise goods and services. The wealth of advertising opportunities leads to greater purchasing choice for the consumer, with search engines able to rank results not only in order of popularity, but also with reference to the preferences of the user. However, with the growing methodologies of marketing comes the competing desire to protect the individual from unscrupulous marketers who may misuse or abuse a customer's data by sending advertisements that the consumer has no, or only negligible, interest in.

Online traders want to make use of the advantages of the internet. The Internet supplier is able to reach a global customer base and offer goods and services at a more competitive price, often due to having lower financial overheads. How these traders advertise, negotiate with customers and invite offers for their products is key to their survival. A place on the internet through a website is ubiquitous in the 21st century. The vast majority of companies will have a website and through this will be able to invite offers, communicate with customers, display their goods and take online payment for items purchased. The flexibility of a website is essential for the success of the business and so usability and accessibility are the basic elements required for consumers to return to sites. Additionally, secure payment systems and robust procedures for safeguarding the details of customers are also required to ensure that the goodwill of customers is retained. If a company can get the virtual face established, the financial rewards will follow.
Figures published in early 2010 by the Centre for Retail Research suggest that consumers in the United Kingdom spent £38bn online in 2009, which equates to around 10% of total retail sales during the year. The Centre's prediction for 2010 suggests that online retail sales within the United Kingdom will continue to increase and be worth around £42.7bn.

One of the main methods of advertising is through email; however, most of this is spam. Spam (also known as junk email or unsolicited commercial email) is, in general, advertisements, often offensive, misleading or fraudulent in nature, sent in bulk to email inboxes. This email is often, although not exclusively, pornographic, sexual or financial in nature. It is often the repeated mass mailing of unsolicited commercial messages. Often the sender's identity will be concealed and the subject line will be forged. It is important that a distinction is made between spam emails and legitimately sent commercial email. It is suggested that spam is a critical issue in the growth of e-commerce. Approximate estimations put worldwide spam volume at around 60-70% and there are some extreme reports that suggest spam will lead to the end of the Internet era (see diagram below).

The problems of spam

- Cost to Internet Service Providers.
- Children have access to potentially damaging material.
- Productivity of businesses is reduced.
- It is often annoying and offensive in nature.
- Invasion of individual privacy.
- Threatens the overall speed of the Internet.
- Threat to legitimate internet advertisers.
- Cost is placed upon the recipient and not the sender.

The Directive on Privacy and Electronic Communications (2002/58/EC)

The European Union's Directive on the processing of personal data and the protection of privacy in the electronic communications sector received a fanfare introduction and is key to the fight against spam. The scope of the Directive is outlined in Article One. It states the Directive:

"harmonises the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment in the Community."

From this Article, it can be seen that the Directive is intended to be a harmonising measure. Its primary aim is to provide a balance between upholding individual privacy and allowing for free movement of information. Recitals 40 to 45 provide the first reference to spam. Recital 40 states:

"Safeguards should be provided for subscribers against intrusion of their privacy by unsolicited communications for direct marketing purposes in particular by means of automated calling machines, telefaxes, and emails, including SMS messages."

Furthermore, Recital 42 introduces the idea of consumers receiving direct marketing only after they have given their prior consent. A final Recital worthy of note is 43, which explains why it is necessary to prohibit false identities and return addresses: "to facilitate effective enforcement of Community rules on unsolicited messages."

The Directive was implemented in the UK as The Privacy and Electronic Communications (EC Directive) Regulations 2003, which came into force on 11th December 2003. The Regulations virtually adopt verbatim the terms laid out in the Directive. Regulation Two provides the definitions for terms which run throughout the Regulations. While "electronic mail" and "communication" are defined, there is no mention of "spam", "junk email" or "unsolicited commercial email".

The specific rules

Regulations 22 and 23 deal with spam. Regulation 23 (implementing Article 13(4)) provides that:

A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail
(a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed;
(b) where a valid address to which the recipient of the communication may send a request that such communication cease has not been provided.

However, a term to this effect is not a new move. The Electronic Commerce (EC Directive) Regulations 2002 provided that where an unsolicited commercial communication is sent, it must be clearly and unambiguously identifiable as such as soon as it is received (Regulation 8).

The importance of consent

Regulation 22 (implementing Article 13(1-3) of the Directive) is arguably the lynchpin of the Regulations with regard to spam. This regulation sets out the legitimate methods by which unsolicited commercial email may be sent. Regulation 22(2) states that the sender must obtain consent from the recipient before a commercial email is sent. This means that the recipient must opt-in to receiving commercial email. This is problematic in itself, due to the undefined nature of "unsolicited". However, the phrase of particular interest in this regulation is that the recipient has previously notified the sender that he consents to the sending. It is therefore contended that the definition of consent in the Data Protection Regulations and Directive 95/46/EC is not clearly defined. This does not help the E-Privacy Regulations, as consent, required by Regulation 22, is defined by reference to Recital 17, which draws the reader's attention to Data Protection Directive 95/46/EC and the definition of consent included therein.

While the exact definition of consent in the Regulations is arguably not very helpful, they continue by providing methods by which a recipient is deemed to have consented. Regulation 22(3) reads:

A person may send or instigate the sending of electronic mail for the purposes of direct marketing where
(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b) the direct marketing is in respect of that person's similar products or services only; and
(c) the recipient has been given a simple method of refusing (free of charge except the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

Before examining the three requirements for sending such email, note that the High Court in Microsoft Corp v McDonald [2006] All ER (D) 153 considered, inter alia, the definition of "instigate" and what is meant by instigating the sending of an unsolicited commercial email. The judge suggested that:

"to urge or to incite somebody to do something requires something more than the mere facilitation of the action concerned; it requires in my judgment, some form of positive encouragement."

This case (although only a High Court decision) is also helpful because it confirms that an ISP can bring an action under the Regulations, and it provides a slightly wider scope for remedies (see below, Regulation 30), extending to allowing for injunctions.
The three methods for a recipient to consent to receiving direct marketing via email will now be examined individually.

(a) The recipient is an existing customer

This term allows senders of commercial email to retain details of past or current customers to enable them to use their email address to forward future adverts. However, unsurprisingly from the point of view of defeating spam, this has its critics. While the DTI consulted widely on the final wording of this term, it is suggested that the final product is weakened by the addition of the phrase "or negotiations for the sale", a phrase not found in the Directive. The Information Commissioner (IC), responsible for enforcing these Regulations, has maintained that the sale does not need to be completed for this exception to apply. If this is the case, how far does a sale need to have progressed for this exception to be valid?

(b) Direct marketing in respect of similar products or services

This exception permits direct marketers to send commercial email to a customer, with whom they have an existing consumer-business relationship, for items which are similar to an aforementioned product or service. Whilst this forms a level of protection for the consumer, the critical issue is what a person (who does not object to receiving future advertising emails from any Internet company) would reasonably expect the future advert to contain; specifically, what would be classified as "similar products". In his guidance on the Regulations, the IC states that his office will be taking a purposive approach and will place the emphasis on action upon the consumer. If the consumer feels that adverts are being sent which are beyond what he would reasonably expect, he would be able to opt-out from receiving them. Respectable marketers would want to avoid this, as it would limit their potential audience for advertising.

(c) The recipient has a simple means of refusing such emails

The Regulations are not clear, and little has been written on the meaning of this term and how it applies to senders and recipients alike. The IC suggests, however, that this term allows a recipient to opt-out of receiving direct commercial email, even after providing initial consent. Furthermore, enforcement proceedings will be taken against those businesses that refuse to positively act upon a recipient's request.

In July 2010, the Advertising Standards Agency listened to a case relating to a promotional email for Virgin Media, which had the subject heading "An important message from Virgin Media". This was considered under the CAP code, as opposed to the E-Privacy Regulations, although the principle is the same. The email was headlined "What great stuff could you be missing out on?". The text below stated:

"We've noticed you're not currently registered to receive information from us and we just wanted to let you know that now that Virgin Mobile is part of the big Virgin Media family, you can get your hands on even more exclusive deals. All you need to do is tell us you want to hear about them! As a Virgin Media customer, you've got the chance to bag some brilliant perks, as well as extra useful stuff to help you keep on top of your services. So that you get the best value from us, we'll keep you up to date with exclusive offers as well as making sure you're up to speed with the latest product news. Plus, we'll tell you about our reward schemes and give you first dibs on V Festival tickets! And there's lots of other cool stuff too ... To hear about offers, news and the latest from Virgin Media simply register to hear from us. And don't worry, we won't give your details to anyone else. As a thank you, you'll be entered into our prize draw to win a free HTC HD2* phone ... If you're happy as you are and don't want to hear from us, you don't need to do anything, we won't change anything unless you tell us to"

The issue with this email is that a recipient had previously opted out of receiving communication from Virgin by email. The ASA noted Virgin's argument that the e-mail was not a marketing communication but was an update to customers who might otherwise not have been aware of the change that had taken place. Because, however, it did not include only information about the change but included prize incentives and text such as "What great stuff could you be missing out on?", " ... you can get your hands on even more exclusive deals" and "As a thank you, you'll be entered into our prize draw to win a free HTC HD2* phone ... ", we considered the e-mail was a marketing communication and therefore in breach of the code. (For more see: Out-law.com, "Virgin's email to opted-out customer broke rules, says ASA", 30th July 2010. Available at: http://www.out-law.com/page-11269).

The problems with the opt-in Regulations

The basic rule provided by Regulation 23 is that unsolicited commercial email may not be sent to an individual unless they have consented to receiving it. This gives individuals the responsibility of deciding whether they wish to receive it; they may opt-in. However, Regulation 22(3) provides methods by which a person may give consent, which allows spam email to be sent to a passive recipient. If an individual has contacted a business for any reason, that individual is therefore likely to receive spam. Thus, the Regulations have provided what many commentators call a "soft opt-in".

There are several deficiencies in these Regulations; however, the critical issue with this entire piece of legislation is that the EU and the UK have (while trying to balance privacy and business needs) attempted to regulate spam, rather than outlaw it. This has the effect of providing a degree of legality for spam, instead of making it illegal. Therefore, while spam still makes money and it is financially beneficial for a spammer to send spam, loopholes can be found and exploited. Furthermore, the Regulations only extend as far as individual subscribers and not users (Regulation 22(1) and the definitions provided in Regulation 2(1)(h)) and they do not apply to businesses.

On top of this, the Regulations can only really apply to legitimate businesses, which are not the major problem. A legitimate business is not going to ignore a request from an individual asking for their details to be removed from the company's mailing list database, as they would not want to lose the goodwill of the customer or run the risk of potential enforcement proceedings for failing to comply with the Regulations. However, when the sender is an individual in an upstairs room, on his own, or even someone from outside the EU, who flouts the law willingly in the hope of earning a profit, the situation is completely different. They will disregard any request for a person's details to be removed and possibly bombard that individual with more spam, as they are certain that they have reached an active email address.

Remedies and Sanctions

The final consideration that needs to be made is the potential remedies for recipients and sanctions for those marketers who flout the rules. Regulation 30 states:

(1) A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage.
(2) In proceedings brought against a person by virtue of this regulation it shall be a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the relevant requirement.

Refusal to comply with the Regulations is therefore a criminal offence, with a penalty of a £5,000 fine (in a Magistrates' Court) or unlimited if the trial takes place in a higher court. The IC will enforce the Regulations, yet from the wording, he will have a very difficult job to prove beyond all reasonable doubt that there had been a breach, as the defence is that "he had taken such care as in all the circumstances" (Regulation 30(2)). This is a very broad defence and it is suggested that it would limit potential convictions, as a spammer would only need to show that he had taken reasonable care.

To date, the Information Commissioner has not succeeded in any prosecutions under these Regulations. However, please be aware of the private prosecution brought by Nigel Roberts against Media Logistics, a company based in Scotland. Mr Roberts was awarded £300 in damages in December 2005. For more on this case, see Mr Roberts' website at: http://spamlegalaction.pbwiki.com/. Furthermore, there has been a recent case in Scotland concerning a person called Gordon Dick. He was awarded £750 (plus costs) against an internet company, who had harvested his email address and sent him (and over 70,000 other people) an unsolicited email. Like Nigel Roberts, Mr Dick has set up his own website, available at: http://www.scotchspam.com/transcom.html. (See also The Times, 6th March 2007, "Courts orders firm to spam spam victim £750").

Reform

In October 2009, the European Commission adopted proposed changes to the Directive. The amending Directive also makes changes to Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services and Regulation 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, and is available at: http://register.consilium.europa.eu/pdf/en/09/st03/st03674.en09.pdf. One of the main changes is the introduction of a data security breach notification law for telecommunications companies, although there are changes for both the rules relating to cookies and commercial communications. Member States are required to implement these changes by May 2011.

There are some minor changes to the sending of commercial communications proposed in the reform to this Directive. First of all, recital 67 is introduced to make it clear that regulations 22 and 23 apply not only to the use of email, but also SMS, MMS and other forms of technology. Furthermore, Article 13 is extended and Article 13(6) seeks to make it easier for those adversely affected by a breach under this Article to commence legal proceedings. The right of an Internet Service Provider to bring an action against a spammer is enshrined in legislation (the case of Microsoft v McDonald, discussed above, did conclude that an Internet Service Provider would also be able to commence legal proceedings). It is not clear, however, how widely Member States will interpret the phrase "any person adversely affected", as this could include businesses that receive large volumes of spam email. Despite a wider net of people who could commence legal proceedings against a spammer, the effectiveness of these provisions is likely to be rooted in the enforcement regime, and the Information Commissioner will need to push for greater funding and personnel to be successful.

LECTURE ELEVEN: COOKIES

Required Reading

- You will need a copy of the Privacy and Electronic Communications Regulations 2003, available at: http://www.opsi.gov.uk/si/si2003/20032426.htm, which we used during our discussion on spam.
- Rogers, K. M. "The Privacy Directive and Resultant Regulations: the Effect on Spam and Cookies, Part II" (November 2004) Business Law Review, Volume 25, Issue 11, pages 293-296.
- Garrie, D. B. "Parasiteware: Unlocking Personal Privacy" (2006) Script-Ed, Volume 3, Issue 3.
- Kierkgaard, S. M. "How the cookies (almost) crumbled: Privacy and lobbyism" (2005) Computer Law and Security Report, Volume 21, Issue 4, pages 310-322.
- Debussere, F. "The EU E-Privacy Directive: A monstrous attempt to starve the cookie monster?" (2005) International Journal of Law and Information Technology, Volume 13, Number 1, pages 70-97.
- Out-Law.com editorial: Robertson, S. "Consent will be required for cookies in Europe" (9th November 2009). Available at: http://www.out-law.com/page-10510-theme=print

The advent of the Internet, some ten years ago, introduced a completely new method and system of advertising. Companies which previously only had a High Street presence could now publicise themselves to a worldwide audience. Websites, banner advertisements, pop-ups and bulk commercial email are all methods employed by e-retailers to advertise their goods. These are much cheaper and easier to use than some more traditional methods, such as newspapers and television. The utilisation of cookies is particularly pertinent in this area. Also known as spyware or adware, an examination of cookies needs to be taken in the context of whether they are damaging to individual privacy and whether the European legislation is helpful in curtailing their use.

The Uses of Cookies

A cookie has a number of uses. They are files which attach themselves to the hard drive of a computer and then monitor and track the usage of the Internet by the user. Over a period of time a picture is put together of the main Internet sites the user visits, which enables advertising to be targeted to that particular person. They are necessary to the running of the Internet and have been commonplace for some time. They form, in effect, part of the memory of the Internet. Therefore, you will often find that if you access a website on a regular basis from your home computer, for instance your free email account, a cookie, if placed on your hard drive, will remember your username and so you will only need to enter your password to access your emails.

Barclaycard (a credit card service provider) use cookies on their website (www.barclaycard.co.uk). In their frequently asked questions they state that a cookie is necessary for use because:

"The Barclaycard website cannot be accessed unless cookies are enabled. We use session cookies to prevent unauthorised access to your account online. The cookies are stored in your browser and expire once you've logged out of the Barclaycard website. Along with the application's programming, these cookies effectively ensure that once you've finished your online session, it cannot be re-launched until the full log in process has been completed again. We also use permanent cookies to record the pages you visit as you look around our site. We don't analyse this information at an individual level but instead use information from across our user base to create an overall picture of how our customers visit our site. This helps us to improve our service."

There are two types of cookies:

- Session Cookies: these are temporary and are erased after use (or when the user exits the site). They do not have tracking ability.
- Persistent Cookies: these are permanent until they are erased or they expire. They have tracking ability.
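How a browser tells the two types apart, as an added example that is not part of the module guide: a cookie set with no Expires or Max-Age attribute is a session cookie, and one set with either attribute is persistent. The function names and sample headers below are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def classify_cookie(set_cookie_value, now):
    """Classify one Set-Cookie header value as session, persistent or deleted."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].partition("=")[0].strip()

    # Attribute names are case-insensitive; flags such as Secure carry no value.
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    lifetime = None  # seconds the browser keeps the cookie; None = until it exits

    # Max-Age takes precedence over Expires when both are present (RFC 6265).
    if "max-age" in attrs:
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            lifetime = None  # a malformed Max-Age is ignored
    if lifetime is None and "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = int((expires - now).total_seconds())
        except (TypeError, ValueError):
            lifetime = None  # unparseable date: treated as a session cookie

    if lifetime is None:
        kind = "session"
    elif lifetime <= 0:
        kind = "deleted"  # the server is asking the browser to discard it
    else:
        kind = "persistent"
    return {"name": name, "kind": kind, "lifetime_seconds": lifetime}


def audit(headers, now):
    """Classify every Set-Cookie value in a response."""
    return [classify_cookie(h, now) for h in headers]


# Constructed sample headers (not taken from any real site).
SAMPLE_NOW = datetime(2010, 10, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "visitor=77f1; Expires=Sat, 01 Oct 2011 00:00:00 GMT; Path=/",
    "prefs=en; Max-Age=3600; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "old=; Max-Age=0",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_HEADERS, SAMPLE_NOW):
        print(row)
```

The lifetime column is the figure a privacy review would look at first: the constructed "visitor" cookie stays on the machine for a year, while the login cookie disappears when the browser closes.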

Cookies form a large part of the memory of the Internet and at the same time operate as the identification card for internet users, thus assisting them in avoiding lengthy log-in procedures when they access a usual website. Furthermore, they are used when a customer uses a website such as Amazon. Goods can be placed into a virtual shopping basket, allowing individuals to browse through the rest of the site. At the end a customer can proceed to the checkout with the previously clicked-on goods in a basket. The website remembers these goods by the use of a cookie. This increases the speed at which an individual can use the Internet. Munir states:

"The common uses of cookies include the ability of web servers to determine how many and how often individuals visit their site, store user preferences (customisation), and implement shopping carts and quick check out option for customers." (Page 341)

As mentioned, they assist websites in their advertising to consumers, and they enable advertisers to monitor advertising sent to individuals to ensure they are not sent the same advert many times. By watching your viewing habits, they can load relevant pop-ups or alter banner advertisements to be more suitable to the viewer; in effect the advertiser builds up a profile of the web user.

The Problems of Cookies

Despite the fact that cookies have an important role in the running of the Internet and are essential to e-business, they present some key problems, most notably to the privacy rights of an individual. It is possible that through a cookie, surveillance or monitoring equipment could be entered on to a computer to monitor the user. At the same time, excessive use of cookies could lead to the user's computer working towards full memory capacity, thus slowing the speed of the computer. It is also possible that cookies could be used for monitoring email usage.
Therefore, if a company sends an advertisement (solicited or otherwise), a recipient may open it and then delete it, but the mere opening of the email could notify the sender that the address is a live address and thus lead it to send more advertisements.

The problem with companies making use of cookies is that individuals could potentially lose control of their personal details. The Data Protection Act 1998 states that individuals have the right to request the personal data held about them and data controllers are under an obligation to keep data up to date. This is not guaranteed with the use of cookies, as there is little protection for the data held. A survey from 2004 showed that privacy is a key concern regarding Internet usage, with 23% of Europeans stating that they do not trust the Internet because they fear their rights will not be protected. These concerns were echoed in a Sunday Times article on Sunday 8th August 2010, which highlighted concerns about companies being able to target advertising based on the websites that an individual had viewed.

European Legislation

The key piece of legislation for cookies, alongside the Data Protection Act, is Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector. (This is otherwise known as The Directive on Privacy and Electronic Communications).


This Directive is vital in the European Union's fight against spam, or unsolicited commercial bulk email, yet alongside this it deals with the use of cookies. During the consultation period for the Directive it appeared that cookies would be completely banned. However, by the time the Directive was published, the situation had swung full circle. Recital 24 states:

"So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned."

The Recital presents more questions than it answers. On the one hand it states that cookies and equivalent pieces of equipment can be an intrusion into the privacy of an individual, while at the same time it states that they can be used for legitimate purposes. The question raised is what a legitimate purpose is:

"such devices, for instance so-called cookies can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising and in verifying the identity of users engaged in online transactions. Where such devices ... are intended for a legitimate purpose, such as to facilitate the provisions of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC" (Recital 25)

The definition of a legitimate purpose is somewhat vague. This is not helpful as it is likely to cause confusion over what is and what is not a legitimate purpose. However, the Recital continues by stating what rights an Internet user should have in relation to cookies:

"Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment.
This is particularly important where users other than the original user have access to the terminal equipment ... Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections."

It appears that users can refuse a cookie, but the Recital states that they may only have one opportunity. This once-and-for-all agreement is weaker than in earlier drafts, as previously consent for using a cookie had to be obtained each time one was used. Recitals 24 and 25 are developed further by Article 5(3) of the Directive, which states:

"Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is allowed on condition that the subscriber or user concerned is provided with clear and comprehensible information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."

Munir notes that the combined effects of the above provisions in relation to cookies are sixfold:

1. They can only be used for legitimate purposes;
2. In accordance with 95/46/EC the user/subscriber must be provided with clear and comprehensible information about the purpose of processing;
3. The subscriber/user must have an opportunity to refuse a cookie (to opt-out);
4. The opt-out opportunity may be offered on a one-off basis;
5. The method of opt-out must be as user friendly as possible; and
6. A service can be conditional on the acceptance of a cookie, as long as it is used for legitimate purposes.

Implementation into the United Kingdom

The E-Privacy Directive was implemented into the United Kingdom on 11 December 2003 as the Privacy and Electronic Communication (EC Directive) Regulations 2003. Regulations 6 and 7 are of particular interest to cookie usage. Building upon the terms of the Directive, Regulation 6 (which implemented Article 5(3)) states that:

"a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph 2 are met ... that the subscriber or user of that terminal equipment (a) is provided with clear and comprehensive information about the purposes of the storage of, or access, that information; and (b) is given opportunity to refuse the storage of or access to that information."

The requirements found within the Directive, that if a cookie is to be used clear and comprehensible information must be provided alongside an option to opt out of the cookie, are mirrored within the Regulations.

European Reform

In October 2009, the European Commission adopted changes to the Directive. Member States are required to implement these changes by May 2011. The rules relating to websites that use cookies are the more substantive change under the reforms. Currently, cookies can be used for legitimate purposes as long as the users of the website are provided with clear and comprehensive information about the use of the cookie and are given an adequate means of opting out. The difficulty with this is that websites would insert the cookie on the hard drive of the user's computer and would either provide the opportunity to opt out afterwards, or contain details of how to opt out (or reject the cookie) within the website's terms and conditions. In practice, the section was not really applied.

Article 5(3) (discussed above) is to be amended so that before a cookie is stored in the terminal equipment, the user is provided with clear and comprehensive information and has given the website operator his consent to the cookie being used. This is a substantial shift in approach and is controversial. First of all, the very nature of the process of storing a cookie on terminal equipment necessitates that personal data will be processed before the consent of the user is obtained, although the phrasing of the new section does not state explicitly that the consent needs to be given prior to the use of the cookie. Secondly, it is not clear whether this provision applies to all cookies, or to all cookies and spyware, or just those cookies that process personal data. Finally, the nature of consent is unclear. It is not certain how pro-active the consent needs to be. For example, if a user does not refuse use, can the website automatically assume that the user has consented, or does the consent need to be clear and unequivocal? It is not clear how the website owner is to obtain the necessary consent from the user. This will not be confirmed until Member States implement the amended Directive. The initial difficulty with this amendment is that every website that uses cookies will need the consent of the user. This could even extend to websites that count or monitor the number of users.

See Out-Law.com editorial: Robertson, S. Consent will be required for cookies in Europe (9th November 2009). Available at: http://www.out-law.com/page-10510-theme=print.


LECTURE TWELVE - SUMMARY LECTURE

This lecture will provide a review of the substantive elements in the first half of the year.


LECTURE THIRTEEN - Online Contracting

Required Reading:

Andrew Murray Chapter 16, sections 16.1 and 16.2
Bainbridge, D Introduction to Information Technology Law (6th Edition) Pearson Longman, 2007, pages 357-372.
Lloyd, I Information Technology Law (5th Edition) Oxford University Press, 2008, pages 473-486.
Hedley, S The Law of Electronic Commerce and the Internet in the UK and Ireland, Cavendish publishing 2006, pages 243-250.
Rogers, K. M. Contract Conclusion on the web untangling the weakest link (2002) The Law Teacher, Volume 36, Number 2, pages 220-240 (especially 220-228).
Niemann, J-M Cyber Contracts- A comparative view on the actual time of formation Communications Law 2000, Volume 5, Number 2, pages 48-53.
Downing, S & Harrington, J The postal rule in Electronic Commerce: A reconsideration Communications Law 2000, Volume 5, Issue 2, pages 43-47.

Contracts play an essential part in everyday life, from the purchase of a small item in a supermarket to a multi-million international transaction. The formalities of a contract have been commonplace in English law for some time. Under English law, for a contract to be valid several conditions must be satisfied:

- Offer
- Acceptance
- Consideration
- Intention to create legal relations

Offer

An offer is the clear indication of the party to be bound by the terms of the offer, and becomes an agreement once the offeree has accepted. An offer can be communicated in a number of ways, including verbally, in written form or by electronic communications. For there to be a successful agreement, a clear, definitive offer must be made to another party, or to the public at large (a unilateral offer as in Carlill v Carbolic Smoke Ball Co [1893] 1 QB 256). Generally, an offer can be withdrawn before a valid acceptance is made (Payne v Cave (1789) 3 Term Rep 148). However, a revocation must be received by the offeree before the offer is accepted. An offer is terminated by a counteroffer, as in Hyde v Wrench (1840) 3 Beav 334, but note that a request for further information does not negate the original offer. Consider also the problem with the battle of the forms (see Butler Machine Tool v Ex-Cell-O Co [1979] 1 All ER 965).

The distinction between an offer and an invitation to treat

The general difference is that an offer is a statement by which a person is willing to contract, whereas if a person is merely seeking to start negotiations, then that is deemed to be an invitation to treat. Examples of an invitation to treat include tenders, advertisements, calling for bids at an auction and goods on display in a shop window. An invitation to treat is not intended to be legally binding but unfortunately might be construed by the customer as such. The difference is most clearly seen in the shop-window cases, including Fisher v Bell [1961] 1 QB 394 and Pharmaceutical Society of Great Britain v Boots [1952] 2 QB 795. In the latter case, Lord Goddard CJ stated:


"I think it is a well-established principle that the mere exposure of goods for sale by a shopkeeper indicates to the public that he is willing to treat but that does not amount to an offer to sell."

Acceptance

Generally acceptance has to be communicated in order to be effective. Unless specifically stipulated, acceptance can be made by any communication method that is reasonable. The acceptance must be a clear and unequivocal acceptance of the original offer (a mirror image) and there must be an external form of assent on the part of the acceptor (silence cannot be construed as acceptance). There are exceptions to the rule that acceptance must be communicated in order to be effective. The most obvious is the postal rule acceptance.

Postal rule acceptance

This was established at the time when post was the main method of communication and stipulates that a contract is made when a posted acceptance is placed into a post-box (provided it is properly addressed and stamped) and put beyond the reach of the acceptor. This has its roots as far back as Adams v Lindsell (1818) 1 B & Ald 681, and also in Byrne v Van Tienhoven (1880) 5 CPD 344, in which Lindley J stated:

"It may be taken as now settled that, where an offer is made and accepted by letters sent through the post, the contract is completed the moment the letter accepting the offer is posted, even though it never reaches its destination." (at page 348).

The postal rule adds a degree of certainty to the contracting process and exists because the moment the acceptor has put his acceptance in the post box, he has done an act which he cannot revoke, and thus public policy appears to necessitate certainty in this situation. However, what is the situation when there is no intermediary?

Instantaneous communication acceptance

Naturally, it is possible to accept an offer where no intermediary is involved (for instance by telephone, fax or telex). The postal rule is not applicable to these situations; instead there is the instantaneous communication acceptance rule, as found in the cases of Entores v Miles Far East Corporation [1955] 2 All ER 493, Brinkibon v Stahag Stahl [1983] 2 AC 34 and The Brimnes [1974] 3 All ER 88. Parker LJ in Entores stated:

"So far as telex messages are concerned, though the despatch and receipt of the message is not completely instantaneous, the parties are to all intents and purposes in each other's presence just as if they were in telephonic communications, and I see no reason for departing from the general rule that there is no binding contract until notice of the acceptance is received by the offeror." (at page 498).

The rule is that acceptance is deemed to have been communicated instantaneously when the acceptee has received it. This is because, as the communication is instantaneous, it is deemed to have the same effect as being physically in each other's company.

Communicating acceptance online

Acceptance in online transactions has the potential to be extremely controversial. Usually the acceptance is communicated to a machine (the computer) or is made by a machine. This raises the question as to whether English law recognises a computer as a proper contracting party. In general, the law will attribute acts and omissions of a machine to the person who executes it. See Thornton v Shoe Lane Parking [1971] 1 All ER 686. See Murray pages 415-416.


The point at which the acceptance is communicated is also important for determining when and where the contract is formed. In a face-to-face transaction these points do not usually give rise to difficulty, but where parties are dealing at a distance, as in e-contracts, the exact point at which the contract is concluded can be controversial. The exact point at which the contract is concluded is important:

a) because it establishes when a negotiating party's right to unilaterally withdraw is lost;
b) because it establishes which acceptance is first in time if there are competing acceptances for a limited number of contractual opportunities; and
c) because it establishes where the contract is concluded which, in cross-border transactions, can help to determine which jurisdiction's law applies to the contract (see Brinkibon v Stahag [1983] 2 AC 34).

Online contracts can take a variety of forms: electronic data exchange; contracts concluded through email; or contracts concluded through an interactive website. Contract law has developed well-established rules for contract formation governing offer and acceptance, consideration and intention to create legal relations; however, the controversial issue is how the two acceptance rules (postal rule and instantaneous communication rule) should apply to e-contracts.

Application of acceptance rules to the Internet

The question is therefore: how do the traditional acceptance rules fit into contemporary communication methods? Two main arguments have been put forward. Firstly, that all Internet communication is instantaneous and thus subject to the acceptance rule advocated in Entores and Brinkibon. (For instance, John Dickie) Secondly, that email communication is not instantaneous, because there are no direct links between the two people communicating by email, as all communication goes through a server (perhaps similar to a post box?). Furthermore, once you have pressed the send button on your email, there is nothing that you can do to retrieve the email (perhaps similar to putting a letter into a post box?). (For instance, Clive Gringras, Andrew Murray).

A third way? Cases such as:

- Butler Machine Tool v Ex-Cell-O Corp [1979] 1 All ER 965
- Gibson v Manchester City Council [1979] 1 All ER 972
- Holwell Securities Ltd v Hughes [1974] 1 All ER 161

suggest a move away from traditional contractual formation rules and a move towards a more subjective intention of the parties involved. Is this practical? What problems/advantages would this have? (See Rogers in The Law Teacher).

The European Union's E-Commerce Directive

The EU E-Commerce Directive (2000/31), implemented in the UK by the Electronic Commerce (EC Directive) Regulations 2002 SI 2002 No. 2013, makes provision for principles to be applied by Member States to ensure that consumers who place on-line orders (namely make on-line acceptances) are protected. Under the Directive, an offer and/or an invitation to treat could additionally be treated as commercial communications where the transaction is one which involves the provision of information society services. All depends on whether the offer and/or invitation to treat can be properly construed as:

"any form of communication designed to promote, directly or indirectly, the goods, services or image of a company, organisation or person pursuing a commercial, industrial or craft activity or exercising a regulated profession." (Article 2(f)).


The key terms in relation to consumer contracts are found in Section 3, and specifically Articles 9-11. They stipulate (abridged):

Section 3: Contracts concluded by electronic means

Article 9 - Treatment of contracts

1. Member States shall ensure that their legal system allows contracts to be concluded by electronic means. Member States shall in particular ensure that the legal requirements applicable to the contractual process neither create obstacles for the use of electronic contracts nor result in such contracts being deprived of legal effectiveness and validity on account of their having been made by electronic means.

Article 10 - Information to be provided

1. In addition to other information requirements established by Community law, Member States shall ensure, except when otherwise agreed by parties who are not consumers, that at least the following information is given by the service provider clearly, comprehensibly and unambiguously and prior to the order being placed by the recipient of the service:
(a) the different technical steps to follow to conclude the contract;
(b) whether or not the concluded contract will be filed by the service provider and whether it will be accessible;
(c) the technical means for identifying and correcting input errors prior to the placing of the order;
(d) the languages offered for the conclusion of the contract.

2. Member States shall ensure that, except when otherwise agreed by parties who are not consumers, the service provider indicates any relevant codes of conduct to which he subscribes and information on how those codes can be consulted electronically.

Article 11 - Placing of the order

1. Member States shall ensure, except when otherwise agreed by parties who are not consumers, that in cases where the recipient of the service places his order through technological means, the following principles apply:
- the service provider has to acknowledge the receipt of the recipient's order without undue delay and by electronic means,
- the order and the acknowledgement of receipt are deemed to be received when the parties to whom they are addressed are able to access them.

2. Member States shall ensure that, except when otherwise agreed by parties who are not consumers, the service provider makes available to the recipient of the service appropriate, effective and accessible technical means allowing him to identify and correct input errors, prior to the placing of the order.

3. Paragraph 1, first indent, and paragraph 2 shall not apply to contracts concluded exclusively by exchange of electronic mail or by equivalent individual communications.

The provisions of Article 9 added nothing new to the online formation of contracts within the United Kingdom. That contracts should be able to be concluded online was laid out by the (now annulled) Electronic Communications Act 2000, and indeed the UNCITRAL Model Law, 1996 also had an equivalent provision. Recitals 37 and 38 also lay out that Member States should remove barriers to online contracting. However, this requirement does not extend to areas of taxation, data protection, cartel law, public authority, defence, gambling, real estate, family law and succession (Article 1(5)).


Article 10 of the Directive regards consumer contracts concluded over the Internet. The service provider needs to specify clearly, comprehensibly and unambiguously, and prior to the order being placed by the recipient of the service, a series of items of information such as the different technical steps to follow to conclude the contract, whether or not the concluded contract will be filed by the service provider and whether it will be accessible. It is also incumbent on the trader to ensure that the terms displayed on-line can be downloaded and saved for reproduction by the customer (Article 10(3)).

It should be noted that these provisions do not apply where the contract is made exclusively by the exchange of emails or equivalent individual communications. They only apply to contracts made over the Internet (usually by a click-wrap method). Furthermore, this has the potential of being unfair on the consumer, as this Directive provides for minimum harmonisation and therefore there is the possibility of there being different laws in different Member States. This Directive also fails to assist in providing an exact point of acceptance in a contract. Emails are to be treated differently because they are not real-time communications, in that they are not instantaneous. It would appear that the postal rule will apply to email acceptances but not click-wrap acceptances.


LECTURE FOURTEEN - INCORPORATION OF TERMS (The MEHTA case study)

Required Reading:

Andrew Murray Chapter 16, from section 16.3
You must come to class with a copy of (and having read) the following case: J Pereira Fernandes SA v Mehta (2006) 1 WLR 1543.
Freedman, C & Hardy, J J Pereira Fernandes SA v Mehta: a 21st century email meets a 17th Century statute (2007) Computer Law and Security Report, volume 23, Issue 1, pages 77-81.
Christensen, S, Mason, S & O'Shea, K The international judicial recognition of electronic signatures has your agreement been signed? (2006) Communications Law, Volume 11, Issue 5, pages 150-160.
Rogers, K Signing your e-life away (2006) New Law Journal (19th May), volume 156, number 7225, page 833.
Bainbridge and Lloyd as per session five.

The terms of a contract are vital in determining the rights and liabilities of the parties should a dispute arise. Therefore, one of the most important issues for an e-trader is to ensure that its standard terms and conditions are properly incorporated into contracts with its customers. If the terms and conditions are not incorporated the e-trader will not be able to rely on them.

Traditional methods of Incorporation

There are three methods of incorporation recognised by the law: by signature, by notice, and by course of dealing.

Incorporation by signature

Generally an individual is bound by the contents of a document they sign even if they did not read it or understand it (L'Estrange v Graucob [1934] 2 KB 394):

"When a document containing contractual terms is signed ... the party signing is bound and it is wholly immaterial whether he has read the document or not." (Scrutton LJ)

There are some limited exceptions to this: if the signature is obtained by misrepresentation (Curtis v Chemical Cleaning [1951] 1 KB 805) or by fraud, or if the plea of non est factum (it is not his deed) is available. Also, the person signing the document has to reasonably expect that the document contains contractual terms (Grogan v Robin Meredith Plant Hire (1996)). In the context of a web-based click-wrap contract, can clicking on a button, confirming that the e-trader's standard terms have been read and agreed to, be regarded as the equivalent of a signature for the purpose of this rule?

Earlier in 2006, the Chancery Division of the High Court heard the case of J Pereira Fernandes SA v Mehta (2006) 1 WLR 1543. This is one of the first cases to reach the courts on contract formation on the Internet. The facts were that Mr Mehta was a director of Bedcare (UK) Ltd, which was supplied bedding products by J Pereira Fernandes. However, after Bedcare failed to pay debts of £24,709.53, Fernandes sought to have Bedcare wound up. When the winding up order was received by Bedcare, Mr Mehta asked one of his secretaries to send an email to the solicitors of Fernandes saying:

"I would be grateful if you could kindly consider the following. If the hearing of the petition can be adjourned for a period of seven days subject to the following:

a) A personal guarantee to be given in the amount of £25,000 in favour of your client together with a list of my personal assets provided by you to my solicitor.
b) A repayment schedule to be redrawn over a period of six months with a payment of £5000.00 drawn from my personal funds to be made before the adjourned hearing.

I am also prepared to give a company undertaking not to sell, market or dispose of any company assets without prior consent from your client pending the signing of the personal guarantee."

This email was not signed by Mr Mehta or his secretary who sent the email, although the header of the email said that the email was sent from nelmetha@aol.com. The solicitors of Fernandes telephoned to accept this offer and forwarded the paperwork to formalise the agreement. However, this was never returned. Subsequently, Bedcare were wound up and Fernandes tried to enforce the personal guarantee. However, the court held that although an email was adequate for a document to be in writing, the fact that Mr Mehta had not signed or initialled the bottom of the email meant that the document had not been signed and therefore the personal guarantee could not be enforced.

Incorporation by notice

Terms can be incorporated by reasonable notice. Essentially three factors have to be satisfied:

i) timing - Olley v Marlborough Court [1949] 1 KB 532
ii) the notice has to be in a contractual document, contrast Chapelton v Barry UDC [1940] 1 KB 532 with Parker v South Eastern Railway (1877) 2 CPD 416.
iii) reasonable steps have to be taken to bring the contractual terms to the notice of the other party - Thompson v LMS Railway [1930] 1 KB 41.

What amounts to reasonable notice can be affected by the nature of the clause or term in question. The more unusual or onerous it is, the more notice will be required: Thornton v Shoe Lane Parking [1971] 2 QB 163, Spurling v Bradshaw [1956] 1 WLR 461 HL, Interfoto Picture Library v Stiletto [1989] QB 433, CA.

Incorporation by course of dealing

A term can be incorporated, even if not expressly referred to in a particular transaction, if there has previously been a long, regular and consistent course of dealing between the parties on the basis of that term: McCutcheon v David MacBrayne Ltd [1964] 1 WLR 125, HL. In Hollier v Rambler Motors [1972] 2 QB 71 three or four contracts over a period of about five years was held not to be a course of dealing for this purpose.

Application of rules of incorporation to electronic contracts

Click-wrap contracts

E-traders presently use a number of methods. There is a balance between legal certainty and commercial attractiveness of the web-site. Reference to a source off-line may not be sufficient. Display of the standard terms at the bottom of the page or in a dialogue box, which the user has to scroll through, are much more legally certain methods. (Although Chissick and Kelman suggest that simply clicking on an "I agree" button is not sufficient for incorporation). A compromise favoured by many e-traders is a reference statement with a hyperlink. The position of the US courts is still uncertain: see Ticketmaster v. Tickets.com (2000) and Specht v. Netscape (2002).

E-mail contracts


Standard terms will probably have to be included. References or attachments are likely to be insufficient unless there is a previous course of dealing.

Use of Mandatory terms in e-contracts

E-traders need to be aware of mandatory terms which cannot be excluded or where exemption is restricted:

- Implied terms in Sale of Goods Act and Supply of Goods and Services Act. On the distinction between goods and services in the context of software see St Albans City and District Council v ICL [1996] 4 All ER 481, CA.
- Unfair Contract Terms Act and Unfair Terms in Consumer Contracts Regulations.

Most of these problems can be circumvented by clear terms and conditions which make it evident when a contract will come into existence and the terms included. The courts have even supported exclusion clauses that have been placed prominently on websites as disclaimers of responsibility (providing they do not breach statutory protection). See the case of Patchett (2009).


LECTURE FIFTEEN - Distance Selling Regulations

Required Reading:

Murray, A Information Technology Law: The Law and Society Oxford University Press, 2010, page 424.
Bainbridge, D Introduction to Information Technology Law (6th Edition) Pearson Longman, 2007, pages 374-382.
Lloyd, I Information Technology Law (5th Edition) Oxford University Press, 2008, pages 475-477.
Hedley, S The Law of Electronic Commerce and the Internet in the UK and Ireland, Cavendish publishing 2006, pages 261-268.
Hall, L Cancellation rights in distance-selling contract for services: exemptions and consumer protection (September 2007) Journal of Business Law, pages 683-700.
The Consumer Protection (Distance Selling) Regulations 2000 SI No. 2334, http://www.hmso.gov.uk/si/si20002334.htm (It is essential that you obtain a copy of these Regulations.)
Youngerwood A and Mann S, Extra Armoury for Consumers: The New Distance Selling Regulations, (2000) Journal of Information, Law and Technology (JILT). Available at: http://elj.warwick.ac.uk/jilt/00-3/youngerwood.html
Walker, C ECJ: Online car rentals exempt from cancellation rights (April 2005) Ecommerce Law and Policy, pages 3-4.
Twigg-Flesner, C & Metcalfe, D The proposed Consumer Rights Directive less haste, more thought? (2009) European Review of Contract Law, volume 6, issue 3. Available at SSRN: http://ssrn.com/abstract=1345783.

The European Union's Directive on the protection of consumers in respect of distance contracts imposes requirements on consumer contracts concluded without the parties meeting. It purports to reinforce consumer protection and seeks to harmonise laws within the European Union (see Article 1). The Directive was implemented in the United Kingdom via the Consumer Protection (Distance Selling) Regulations 2000 that came into force on 31st October 2000.

Scope of the Regulations

Distance contracts are defined in Regulation 3 as:

"any contract concerning goods or services concluded between a supplier and a consumer under an organised distance sales or service provision scheme run by the supplier who, for the purpose of the contract, makes exclusive use of one or more means of distance communication up to and including the moment at which the contract is concluded."

The Regulations do not apply to all contracts. Some contracts are excluded. Regulation 5 lists the excepted contracts, which are:

- Contracts for the sale of land;
- Construction of a building;
- Financial services (see Schedule 2 for a non-exhaustive list of financial services);
- Automated vending machine;
- Telecommunications operator through a public payphone; and
- Auctions.

Also, some Regulations only partly apply. For example, Regulations 7 to 20 shall not apply to a contract, which is for the supply of food, accommodation, transport, catering or leisure services (Regulation 6). It was in this area that the European Court of Justice made its first ruling on the legislation:

Case C-336/03 EasyCar (UK) Ltd v Office of Fair Trading (2005) All ER (EC) 834.

This case concerned the partial exception under Regulation 6(2)(b), which relates to contracts for the provision of transport services. EasyCar operate an Internet-only car hire service on a 'book early, pay less' model. The OFT argued that EasyCar should give customers the opportunity to cancel the contract (Regulation 10), as the car hire is a vehicle to travel in and not a transport service. However, the European Court of Justice held that consumers should be able to rely on the cancellation right.

Regulation 7: Information required prior to the conclusion of the contract (Article 4)

Prior to the conclusion of the contract, the seller has to provide certain information to the buyer; specifically:
- The identity of the supplier and his address (if payment is required in advance)
- A description of the goods/services
- The price (including taxes)
- Delivery costs, if applicable
- The arrangements for payment, delivery and performance
- The existence of a right to cancel
- The cost of using the distance communication
- The period for which the price remains valid
- The minimum duration of the contract (if applicable)

This information must be provided in a clear and comprehensible manner and with due regard to the principles of good faith (Regulation 7(2)). Furthermore, it must be provided in writing, or in another durable medium (Regulation 8/Article 4).

Regulation 8

Further to the information in Regulation 7, before the delivery of the goods or during the performance of the service, the supplier has to provide the following information:
- Information about exercising the right to cancel;
- The geographical address of the place of business;
- Information about after-sales services;
- The conditions for exercising the right to cancel.

Failure to include this information will lengthen the period within which cancellation can be effected (to a maximum of 3 months and 7 days). See below and Regulations 11 and 12.

Regulation 10 (also Regulations 11-18): The right to cancel (Article 6)

This provision is arguably the lynchpin of the Regulations, as it allows consumers to cancel a distance contract for no reason whatsoever within 7 days from the conclusion of the contract. The only conditions are that the cancellation:
- is in writing or other durable medium;
- expresses a clear intention to cancel;
- is made within the cancellation period.

Once cancelled, the contract shall be treated as if it had not been made. Notice should be served on the supplier or such other person as the supplier has nominated. Alternatively, notice is deemed to have been served if it is left/faxed/posted/emailed to the last known

address of the supplier (Reg. 10(4)). Once cancelled, the parties must be put back into the same situation they were in before the contract. See Regulations 14 and 15. The goods obtained through the cancelled contract must be returned. Prior to the return of the goods taking place, the consumer is expected to take reasonable care of the goods. The professional has the obligation to refund the money paid by the consumer. The cancellation periods are slightly different between goods and services: see Regulations 11 and 12.

The issue of compensation for loss of value was considered in a preliminary reference made to the European Court of Justice by a German court in the case of Pia Messner v Firma Stefan Krüger (2009) Case C-489/07, unreported 3rd September. In this case, the applicant (a consumer) purchased a second-hand laptop computer from the defendant, who ran an online mail order company. This purchase was made in early December 2005. The terms and conditions of the sale gave a fourteen-day cancellation window for the consumer, and in the event of cancellation the consumer was required to return the goods to the supplier. There was an additional clause in the terms, which stated that the consumer was obliged to pay compensation for any depreciation in the value of the goods from the point of sale to their return. In August 2006, the computer became defective and the consumer notified the supplier of this and requested it to be repaired, which the supplier agreed to do, but at a cost to the consumer. Dissatisfied with this response, in November 2006, the consumer advised the supplier that he would be cancelling the contract and wanted a full refund of the purchase price.

Under the Distance Selling Directive, consumers have seven days within which they can cancel the contract. If the prior information is not provided, the cancellation window can be extended under Article 6 by a further three months.
However, under German law the cancellation right does not expire until notice of the right to cancel is given by the supplier to the consumer. In the current case, as this notice had not been given, the option to cancel was still available to the consumer almost a year later. The question referred to the European Court of Justice was whether a seller may claim compensation from the consumer for the consumer's use of a good if they later legitimately cancelled the agreement. The court considered the cancellation provisions in Article 6, which forbid a penalty or charge to be levied against a consumer unless it is a cost directly associated with the return of the goods. The Directive does not include definitions of either a penalty or a charge, but the European Court of Justice adopted a narrow definition, saying that charges may not be levied against a consumer apart from the direct cost of returning the good to the supplier. Accordingly, in this case compensation was not available to the supplier even though the consumer obtained considerable usage from the laptop.

Exceptions to the Cancellation rule (Regulation 13)

Unless the parties have agreed otherwise, cancellation is not available where:
- the supplier of a service has complied with reg. 8 and the service has commenced, with the consumer's agreement
- the goods or services are subject to fluctuations of the financial market
- goods are to the personal specifications of the buyer
- audio, video or software materials
- newspapers, magazines
- lottery or betting services

Unsolicited Goods (inertia selling)

Regulation 24 prohibits the supply of unsolicited goods and services to consumers. Under Reg. 24(2) a recipient may treat the goods as an unconditional gift.

Contracting out

Regulation 25 outlines that in a business to consumer contract, contractual terms which are inconsistent with these Regulations are void.

Changes to the Consumer Protection (Distance Selling) Regulations 2000

In January 2004, the Department of Trade and Industry published a consultation document on proposed changes to the Consumer Protection (Distance Selling) Regulations 2000, entitled Consumer and Competition Policy Consultation on proposed changes to the Consumer Protection (Distance Selling) Regulations 2000. The consultation aimed at finding ways to make the regulations clearer, more workable and less costly for suppliers and consumers. The consultation closed on 23 April 2004. The changes were announced by the DTI on 22 October 2004 after consideration of 43 different written responses received from businesses, trade associations, consumer organisations, regulatory and enforcement agencies, law firms and professional bodies.

The DTI consulted on three distinct areas of the Regulations. First, to require explicitly that the information provided to the consumer prior to the contract covers either the existence or absence of a right to cancel and, in the case of services whose performance is to start within seven days, information that the right to cancel will expire once performance begins (Regulation 7). Secondly, to require consumers to be given, during the performance of a service, information (in writing or another durable form) about the loss of cancellation rights once performance begins. At present this information must be provided prior to contract (Regulations 8 and 12). Finally, whether to allow consumers to cancel contracts by use of telephone (Regulation 10). Some of the above were adopted and included in the Consumer Protection (Distance Selling) (Amendment) Regulations 2005 (Statutory Instrument 2005/689). Based on the report by the DTI, the government decided only to implement the second change.
European Reforms

In 2007, the European Commission published The Proposed Directive on Consumer Rights, which seeks to update, simplify and complete the legislation surrounding business to consumer transactions. The initial proposal took a different legislative approach to the previous legislation in that it was horizontal in nature and was one of full harmonisation, as opposed to minimum harmonisation. This meant that all European Member States would be obliged to adopt the provisions of the Directive and ensure that their own laws were not in conflict by offering either less or greater protection. This was one of the more controversial aspects of the plan, as it could be seen as an intrusive mode of operating which fails to respect well-established legal traditions within individual member states. This complexity meant that in March 2010, Viviane Reding (the European Union's Commissioner with responsibility for consumer law) announced that the maximum harmonisation element of the legislation was being withdrawn and the proposals would be one of selective harmonisation.

The proposed Directive also aims to enhance consumer confidence, increase cross-border trade, introduce tighter regulation in the sector, provide consumers with more information about the rights that are available to them and explanations on how these rights are to be exercised, and to increase legal certainty. Article 1 outlines the scope of the proposed Directive and states that it seeks to ensure the proper functioning of the internal market and provide a high level of consumer protection. Article 2 provides the key definitions. A consumer is defined as a natural person who is acting outside his trade, business, craft or profession. A trader is defined as someone acting for purposes relating to his trade, business, craft or profession, or anyone acting in the name of or on behalf of a trader.
A distance contract is defined in Article 2(6) and covers contracts for goods or services where the trader makes exclusive use of one or more means of distance communication.
A distance communication is where a contract is concluded without the simultaneous physical presence of the trader and the consumer. The immediate point to note with this definition is the removal of the need for it to be an 'organised distance sale' as required under the Distance Selling Directive. This is to be welcomed as providing broader protection for the consumer, as there is no longer the requirement that a distance sale is an organised distance sale and so one-off sales are now covered. The definition of an auction is also of note and refers to a competitive bidding procedure, where the highest bidder is bound to purchase the goods or services. The definition also refers to a fixed price offer, which is not an auction, even if the consumer has the option of concluding the purchase of the item through the same procedure. The draft Directive therefore proposes a difference between traditional online auctions and online auction sites that operate a 'buy it now' procedure where consumers can opt to purchase a good at a stated price.

Article 5 maintains the requirement for the trader to provide information to the consumer prior to the conclusion of the contract. This information includes the main characteristics of the product, the address and identity of the trader, the price (including taxes), the arrangements for payment and delivery, the existence of a right to withdraw (where applicable), the existence of any after-sales services and guarantees, the duration of the contract, the obligations of the consumer and whether any deposit is required. The list repeats the requirements under the Distance Selling Directive with a couple of additions. The business is required to provide this information to the consumer if it is not already apparent from the context.
This phrase is concerning and seems a little vague, and is potentially the cause of litigation if a consumer claims not to have been advised of this information, while the trader believes that the consumer should have obtained all the information from their negotiations. The pre-contract information must also be provided in a way appropriate to the means of distance communication used. If the contract is being concluded by a means which allows for limited space or time to display the information (for example SMS), then the trader needs to provide the main characteristics of the product and the total price. The remainder of the information should follow in an appropriate manner. It is not clear, however, how the information is to be arranged, either on the receiving machine with limited space or when it follows at a later date.

The right to withdraw is outlined in Articles 12-20. The exceptions to the right to withdraw are found in Articles 19 and 20. Article 19 states that the right to withdraw does not extend to contracts for services where performance has begun (with the consumer's express consent) before the end of the fourteen-day period, contracts where the price fluctuates, goods that are made to the consumer's specifications, the supply of wine (where the price was agreed at the conclusion of the contract), the supply of sealed audio or visual recordings or computer software, the supply of newspapers, periodicals and magazines, gaming and lottery services, and contracts concluded at an auction. Article 20 lists the partial exceptions, in that Articles 8-19 do not apply to contracts for the sale of immovable property, contracts concluded by an automated vending machine, contracts through a telecommunications operator by public payphone, and contracts for foodstuffs or beverages brought by a trader on frequent and regular rounds in the neighbourhood.
There is also a partial exception to the withdrawal right for distance contracts for accommodation, transport, car rental services, catering and leisure services, with a specific time and date.

The proposed Directive as it stands is a little disappointing, as it (in many ways) is simply a copy and paste of the old distance selling regime and retains a large body of exceptions to the standard protection in areas (such as travel, accommodation, food and drink) where consumers are very active online. Also, the draft Directive does not assist with the moment a contract is formed. This is not adequately addressed in other legislation either, and it seems a little odd to have a range of criteria for forming a distance contract and rights that exist afterwards, without outlining the moment a contract is formed. Indeed, the full harmonisation approach could in some areas reduce the available protection to consumers. It does not matter how effective the consumer protection regime is because cross-border trade will not increase until issues relating to language, culture, physical distance and technical

specifications are addressed. The draft Directive needs to consider some of these fundamental issues before this aim can be fully realised. Current estimations suggest that this draft Directive will not be implemented until 2013 at the earliest. While discussion at national and European level continues, changes will inevitably be made to the proposal as it stands; however, it is clear that in the not so distant future the consumer protection landscape for online sales will alter. Exactly by how much remains to be seen.

LECTURE 16 E-MONEY - PAYMENTS AND SYSTEMS

Required Reading

Murray, A Information Technology Law: The Law and Society (2010) Oxford University Press, pages 436-452.
Kierkegaard, S. Payments in the internal market and the new legal framework EU law: harmonising the regulatory regime for cross-border payment services (2007) Computer Law and Security Report, volume 23, issue 2, pages 177-187.
Mansour, Y The E-Money Directive and MNOs: Why it All Went Wrong (2007) Paper presented at the 2007 BILETA Conference, University of Hertfordshire. Available at: http://www.bileta.ac.uk/Document%20Library/1/The%20EMoney%20Directive%20and%20MNOs%20%20Why%20it%20All%20Went%20Wrong.pdf
Rees, P. & Hodgkinson, D. E-Money regulation: all change? (2007) Computer and Telecommunications Law Review, volume 13, issue 1, pages 1-3.

The nature of payment is evolving. Banks no longer have the monopoly on payment transactions as cheques and cash continue to reduce in usage. The Internet has overseen a shift in culture from traditional payment methods to the evolution of a cashless society, where credit and debit cards, e-money and other payment systems (including pre-paid cards and specialist payment transfer providers) are being used to a greater degree. In April 2010, the Payments Council published a wide-ranging report entitled The Way We Pay: The UK's Payment Revolution. It reported that during the first decade of the twenty-first century the methods people used to make payment changed dramatically. Internet banking increased along with the use of payment cards, particularly debit cards.

E-commerce by its very nature demands effective and robust mechanisms for ensuring that payment is successfully made. Online payments need to be safe, secure and immediate to ensure that there are no delays in the transfer or delivery of the goods. There are also issues relating to a need for trust in the system and accessibility to ensure that a critical mass of consumers use any one given system. A payment system which has incidences of security breaches is not going to be accepted by a financially conservative and risk-averse general public. The vast majority of online contracts demand that a form of financial payment is made, although no single system for making online payments currently exists. Instead there are a range of systems, both modern and more traditional, employed by businesses and consumers to allow payment to be made.

Traditional payment methods

Payment by cash is seen as absolute and has many advantages. Cash is accepted anywhere and, although different currencies exist, many companies are happy to accept other major currencies, and so the Euro, the Australian and American Dollar and the British Pound are readily available and transferable.
A credit card or debit card is the most widely used and popular method of payment for online transactions. Credit cards can be issued by credit card companies as well as by banks. This differs somewhat from debit cards, which are issued by the cardholder's bank and when used take the money directly from the account of the buyer into the account of the seller. The use of credit cards in the United Kingdom is widespread. They are very widely accepted and trusted, and consumers are protected under the terms of section 75 of the Consumer Credit Act 1974. The principle of section 75 is that if a consumer purchases goods or services by credit card and there is a subsequent breach of contract, or it becomes apparent that the sale was induced by a misrepresentation, then the consumer will have a claim against not only the supplier, but also against the credit card company. Since February 2006, all credit cards within the United Kingdom are required to be chip and PIN enabled. This means that when purchasing a good in a shop, instead of signing to pay for

the goods and your signature being checked against the signature on the back of the card, a customer will have to enter their four-digit PIN. This has seen a noticeable drop in credit card fraud in a shop context, although a rise in 'cardholder not present' credit card fraud has been noticed. Once payment is made by a credit card, it is deemed to be absolute. In other words, a seller cannot pursue the buyer for payment. This was one issue discussed in the case of Re Charge Card Services Ltd (1987) Ch 150.

Credit card use online

There are a number of disadvantages to credit card use online. Their very nature means that they cannot be owned and used by anyone under the age of 18. Children and teenagers, who are an important consumer base for many businesses, are unable to use credit cards, thus preventing them from engaging in online commerce with this medium. Furthermore, while credit cards are generally free for the consumer to use, a charge is levied against the business receiving the payment (this is usually a small percentage of the total payment). Some companies may pass this on to the consumer, but regardless of whether the charge is passed on or not, the very nature of the charge means that credit cards are an uneconomic means of making small or micropayments. Although businesses can circumvent the micropayment difficulty by requesting consumers pay a subscription fee, which can be topped up when it has diminished, this is not an ideal solution as it requires consumers to provide money to a company for services which they may (or may not) take advantage of in the future.

Other payment methods

Other payment systems have been piloted over the past couple of decades. These include digital or e-money, Internet Cash, Cyber Cash and Net Cheque. A specific example of digital or e-money is that of Digicash, which was established in the early 1990s.
This had the potential of being a pure online payment system, as users would obtain software that placed an electronic wallet on the hard drive of their computer. This would be kept secure by use of encryption. Users could then electronically purchase Digicash, which would then be sent (in encrypted form) to the electronic wallet. After purchasing a good or service, the user could then transfer electronically its value to the supplier. There were many advantages to this system. The money was divisible and anonymous, meaning that it had very similar qualities to traditional cash, and there was also no fee for transferring the money. Further, in the event of forgery the encrypted files containing values of money could be deactivated to prevent theft.

Yet the use of these and other systems has dwindled. One of the main difficulties faced by Digicash was that it was not very portable: the electronic wallet was linked to the hard drive of a computer, meaning that users could only access it from one machine. Like Mondex (considered above), it never really took off, leading to Digicash filing for bankruptcy in 1998. In general though, there are two main reasons for the failure of these newer online payment methods. First of all, they did not achieve universal recognition and secondly, because this universal recognition had not been achieved, these systems could not realise full acceptability. Businesses are reluctant to invest in software and machinery to operate a payment system that only has limited uptake by consumers. Equally, consumers were unwilling to engage with new payment systems due to security risks and lack of universal recognition. Yet some newer payment systems have been able to jump these hurdles into both acceptability and universality. One such example is that of Paypal, which, even though a private company, has established itself as a leader in its field.
Paypal is an online payment system that allows people to make payment over the Internet. Starting in 1999, the system was initially used for consumer to consumer payments, although business to consumer payments followed shortly behind. The turning point in Paypal's history came in October 2002, when the online auction site eBay purchased Paypal for $1.5bn. Paypal had

become the payment system of choice for over 50% of eBay users and this payment system found itself in competition with eBay's then payment system of Billpoint. The purchase of Paypal by eBay altered online payment and today Paypal is eBay's payment system of choice; at the time of writing there are over 185 million accounts and payment can be accepted in nineteen currencies in over 100 countries. The reach of Paypal is continuing to grow and in 2009 they became the only payment system for the purchase of Blackberry Applications.

Setting up a Paypal account is very straightforward. A user needs to set up an account by entering a few personal details and then verifying their identity. Payment into the Paypal account is made directly from the user's bank account or credit card and then, to make payment, the user needs to fill in a standard online form and send the payment. The advantages of this system are plentiful. A user is able to send money through an email and no specific software is required. The payments clear instantly, it is very easy to use and a consumer can pay a business using Paypal even if that business does not have an account. Further advantages that Paypal holds over credit cards are that it is able to cope with small or micropayments and there is also no age restriction placed upon users. Paypal has not been without its share of controversy, as it has in the past frozen customers' accounts for long periods of time without sufficient warning or reasoning and has also had to alter its dispute resolution schemes following complaints and occasional litigation.

The E-Money Directives 2000/46/EC and 2009/110/EC

As attempted online payment systems increased, the European Commission was keen to establish a context within which e-money providers could operate. On 18th September 2000, Directive 2000/46/EC on the taking up, pursuit of and prudential supervision of the business of electronic money institutions was passed.
The aim behind this Directive was to harmonise the regulatory supervision of, and to increase public confidence in, e-money issuers by providing strict standards that e-money institutions needed to follow. An electronic money institution was defined in Article 1(3)(a) as an undertaking or other legal person, other than a credit institution, which issues means of payment in the form of electronic money. This definition was closely linked to the requirements for an e-money institution contained within Article 1(5), which restricted the activities of their business to a number of very discrete areas. First, to administer and issue e-money. Second, to the provision of closely related financial and non-financial services such as the administering of electronic money by the performance of operational and other ancillary functions related to its issuance, and the issuing and administering of other means of payment but excluding the granting of any form of credit. Finally, to store data on electronic devices on behalf of other undertakings or public institutions.

The effect of these restrictions was emphasised in the final sentence of Article 1(5), which stated that e-money institutions were not allowed to have a holding in any other undertaking except where they formed an organisational or ancillary function to the e-money that had been issued. The effect of this was to bar companies (with the exception of credit institutions, such as banks) from operating as an e-money institution as well as operating in different areas of the economy. This meant that in order to be an e-money institution you either had to be a bank (or other credit issuing company) or a bespoke e-money institution. The rationale behind this was to protect large banks, while also allowing small e-money institutions to develop and innovate in this area. However, the reality was somewhat different.
Although restricting the ability of companies to become e-money institutions had good intentions, the requirements placed on e-money institutions were extremely onerous, meaning that very few new e-money institutions were encouraged into the market. Article 4 outlined these requirements, which included the need for e-money institutions to have a minimum capital requirement of €1m and to retain a higher level of operating funds, equivalent to 2% of the higher of the current amount or the average of the preceding six months' total amount of their financial liabilities related to outstanding electronic money.

Criticisms of the legislative regime included that the e-money market had developed more slowly than anticipated and no one, clear, e-money system had been realised. There also

seemed to be confusion about the business advantages of engaging in the e-money market, as the stringent requirements placed upon e-money institutions did not act as an incentive. It was also noted that different implementation methods of the Directive within member states did not assist in achieving harmonisation in this area. However, one of the more interesting conclusions from the report was that the Directive was no longer in line with the technological direction that electronic payment systems had taken.

The European Commission published its report in July 2006 into the earlier review on the E-Money Directive. Further consultation and review occurred until October 2009, when the new E-Money Directive was issued. Recital 2 of Directive 2009/110/EC was forthright in suggesting that the old E-Money Directive 2000/46/EC was responsible for hindering the emergence of a true single market for e-money services, while recital 4 stated that the rules for e-money institutions needed to be reviewed to ensure a level playing field for all payment services providers. The result was a directive that provided much more flexibility and openness for companies to engage in providing e-money.

A key difference within the new Directive is that the definition of an e-money institution has been widened and is defined as a legal person who has been authorised to issue e-money. This definition needs to be read in conjunction with Article 6(1), which provides a lengthy list of other activities that e-money institutions may get involved in, including the provision of payment services, granting credit, offering organizational or ancillary services relating to the provision of e-money, and finally (and most crucially), any other legitimate business activity. Immediately, the restrictiveness of the new Directive's predecessor, which required e-money institutions to stay exclusively to this pursuit, has been removed.
This in turn has the advantage of making the entire industry much more competitive and opens the market to many more companies who may wish to get involved, who are now able to offer mixed services. This is not the only rule which has been watered down, as the requirements relating to the liquidity of the e-money institution are significantly less stringent, although Article 5 does provide a fairly complex list of requirements concerning the financing of the e-money institution. The issue relating to its applicability to m-commerce has been addressed by the Directive and recital 6 states that the Directive does not apply to the purchase of digital goods or services, where, by virtue of the nature of the good or service, the operator adds intrinsic value to it, e.g. in the form of access, search or distribution facilities, provided that the good or service in question can be used only through a digital device, such as a mobile phone or a computer, and provided that the telecommunication, digital or information technology operator does not act only as an intermediary between the payment service user and the supplier of the goods and services. This is a situation where a mobile phone or other digital network subscriber pays the network operator directly and there is neither a direct payment relationship nor a direct debtor-creditor relationship between the network subscriber and any third-party supplier of goods or services delivered as part of the transaction. This recital means that purchases, such as an application for a mobile phone or a digital download are outside of the remit of the legislation.


LECTURE SEVENTEEN - COMPUTER FRAUD: THE EARLY PROBLEMS

Required Reading:
Bainbridge, D Introduction to Information Technology Law (6th Edition) Pearson Longman, 2007, pages 422-424.
Wilson, S Collaring the Crime and the Criminal?: Jury Psychology and Some Criminological Perspectives on Fraud and the Criminal Law (2006) Journal of Criminal Law, Volume 70, Issue 1, pages 1-26.
House of Lords Select Committee on Science and Technology's report into Personal Internet Security. Available at: http://www.parliament.uk/parliamentary_committees/lords_s_t_select/internet.cfm
Wright, T & Hodgkinson, D House of Lords Science and Technology Committee Report on personal Internet security Computer and Telecommunications Law Review (2008), volume 14, issue 1, pages 13-16.
Moitra, S. D. Developing Policies for Cybercrime (2005) European Journal of Crime, Criminal Law and Criminal Justice, Volume 13, Issue 3, pages 435-464.
Flanagan, A The Law and computer crime: Reading the Script of Reform (2005) International Journal of Law and Information Technology, volume 13 (March edition), pages 98-117.
Saxby, S (Editor) Microsoft and the open source community agree more must be done to make reporting cyber-crime easier (2007) Computer Law and Security Report, Volume 23, Issue 3, pages 211-226, paragraph 1.12.

Introduction

It has been stated that computer fraud is a real problem in the information society. Moreover, Bainbridge suggests that the number of fraud cases which are detected and then prosecuted are just the tip of the iceberg. For example, the vast sums which are transferred within, without and between all of the major financial institutions around the world are a prime target for e-criminals.

Defining Computer Fraud

It has been suggested that distinctions can be drawn depending upon the nature of the role played by the computer (Parker: Crime by Computer (1976), Scribner). The computer could be seen as playing any one (or more) of the following three roles in computer fraud:
- Providing the means by which the crime is committed.
- Providing the environment within which the crime is committed.
- As a means to conceal the fraudulent activities.

The Audit Commission's definition of the term "computer fraud" has also been adopted by the Law Commission. This broad definition includes: "any fraudulent behaviour connected with computerisation by which someone intends to gain financial advantage."

The Council of Europe have defined the term (at page 28 of its Report on Computer-related Crime) in the following way: "the input, alteration, erasure or suppression of computer data or computer programmes, or other interference with the course of data processing, that influences the result of data processing thereby causing economic or possessory loss of property of another person with the intent of procuring an unlawful economic gain for himself or another person."

A good, workable definition is provided by Bainbridge: "stealing money or property by means of a computer: that is, using a computer to obtain dishonestly, property (including money and cheques) or credit or services or to evade dishonestly some debt or liability." (Bainbridge: Introduction to Computer Law (5th Edition), page 366).


Forms of computer fraud

The Audit Commission has identified three forms of computer fraud:
- Input fraud - the unauthorised alteration or falsification of data prior to, or at the moment of, its entry into a computer.
- Output fraud - the fraudulent manipulation of data at the point it is outputted from a computer.
- Program fraud - the creation or alteration of a program for fraudulent ends (this type of fraud involves a greater level of sophistication and danger).

It is much harder to detect program fraud and, consequently, there are few reported examples. Program fraud may take any of a number of forms. Perhaps the most well-known form of it is Salami Fraud, so-called because it involves the perpetrator taking thin slices of money from a number of accounts and transferring them into a host account which s/he has set up. Moreover, the following form of fraud must be added to this list:

Fraud over the Internet

Credit card fraud over the Internet involves the use of another's credit card details during Internet transactions. These details, of course, have to be stolen first. There are several ways that e-criminals may seek to achieve this:
- Interception of a transmission over the telecommunications network (although, contrary to popular belief, this is a very rare occurrence).
- Obtaining victims' credit card details by hacking into a retailer's computer system.
- Impersonating a representative of a person's bank or credit card company on the telephone (or via email) to gain confirmation of the victim's credit card details.
- Creation of an e-commerce spoof website to attract customers who provide their credit card details in the genuine belief that they will receive goods or services in return for payment.

It must also be noted that, rather than stealing someone's credit card details, e-criminals can create genuine credit card numbers if they have the programs to do so (these programs mimic the algorithms which are used by credit card companies - see Lloyd: Information Technology Law (4th Edition), page 273). In a report entitled Project Trawler which was published in 1999, the National Criminal Investigation Service (NCIS) suggested that, in the majority of cases, traditional methods of fraud "have been given a new lease of life on the Internet" (http://www.ncis.co.uk/contact.html).

What is the size of the problem?

Some surveys, significant firstly because of the number of respondents involved (over 10,000 consumers), have unearthed some worrying statistics. In 1999, it was estimated that the total losses in the UK to Internet fraud might range from £400 million to £5 billion (Fraud Advisory Panel, established by the Institute of Chartered Accountants for England and Wales). In the US, the Internet Fraud Watch reported in February 2000 that: Consumers lost over $3.2 million to Internet fraud last year in incident reports to the National Consumer League's Internet Fraud Watch. A 38 percent increase in Internet fraud complaints in 1999 coupled with an average consumer loss of as much as $580 (http://www.fraud.org/internet/intstat.htm). Again in the US, in 2002, the Internet Fraud Complaint Center (IFCC) Report (prepared by the National White Collar Crime Center and the FBI) revealed more than 48,000 cases of Internet Fraud in which victims lost a total of $54 million - see http://www.fraud.org/internet/instat.htm. In the latest survey by the Audit Commission in the UK (yourbusiness@risk: An Update on IT Abuse, 2001), fraud was the fourth most common activity reported to the Commission. These figures should be read in the light of the so-called "dark figure" of e-crime; the criminal activity that is either not detected or, though discovered, not reported (a company may be loath to reveal itself as a victim of e-crime for fear of damage to its reputation and any concomitant losses (e.g. of customers or trading partners)). Again, contrary to popular belief, it can be seen that Identity Theft does not feature heavily in the overall figures.

The National Hi-Tech Crime Unit's 2004 survey reveals that whilst computer fraud may not be the most prevalent form of e-criminal activity, in terms of its financial impact it can top the tables (see National Hi-Tech Crime Unit Survey: High-Tech Crime 2004 - the impact on UK business; see http://www.nhtcu.org/NOPSurvey.pdf). Therein, financial services companies reported themselves to be regular victims of fraud, as did telecommunications companies. This comes as little surprise, given that information technology is crucial to the financial sector. As Professor Ian Lloyd points out, 85% of all money transactions in the UK are handled by some form of Electronic Fund Transfer (EFT) (see Lloyd, I., Information Technology Law (4th Ed., OUP), page 275). In the US, the 2004 E-Crime Watch Survey (see http://www.cert.org/about/ecrime.html) and the Computer Security Institute (CSI) and the U.S. Federal Bureau of Investigation (FBI) 2004 Survey (see http://www.gocsi.com) have reported some similar trends in computer fraud. Much emphasis is placed upon the need to have measures and policies which are targeted at the prevention of such e-criminal activities.

How the law seeks to combat computer fraud

There are a range of difficulties in successfully detecting and prosecuting computer fraud. There are obvious evidential problems.
Gathering electronic evidence is problematic as it can be deleted, destroyed or modified with relative ease - computers can hold vast amounts of information and accordingly can take ages to search. Criminal courts are generally unfamiliar with the subject of computer evidence and there is often an underestimation of the technical complexity of cases that involve computer evidence. Furthermore, procedurally the mishandling of computer evidence quite frequently leads to prosecutions having to be abandoned.

There are obvious problems concerning jurisdiction as the alleged perpetrator and victim may be in different jurisdictions. The Criminal (International Co-operation) Act does facilitate international co-operation. However, different countries have different views on what is a crime. For instance, glorifying Nazism is a crime in France, but not in the USA. Even if a similar viewpoint is held by two connected countries, the trail of the crime may go through various different technologies, e.g. ISPs, telephone lines, wireless and satellite networks, local and national telephone companies etc., and all of these trails could go between different countries.

The technology involved can add to the difficulties. Criminals can hide behind technology and police technology may not be up to the same standard. The more sophisticated a criminal is, the harder they are to trace (for instance, a person's location can be traced from their mobile phone, but a technology-savvy individual could send misleading signals).

There are also legislative difficulties - specifically ensuring that traditional offences can be stretched to ensure that they cover new acts.
A problem in this area is noted by the use of the word "deception" in much of the older fraud legislation (found within sections 15-20 of the Theft Act 1968 and sections 1-2 of the Theft Act 1978), for instance:

S1(1) Theft Act 1978: "A person who by any deception dishonestly obtains services from another shall be guilty of an offence."


Theft Act 1968 - S15(1): "A person who by any deception dishonestly obtains property belonging to another, with the intention of permanently depriving the other of it shall on conviction on indictment be liable to imprisonment for a term not exceeding ten years."

See also: s2 - evading liability by deception (e.g. giving false information). Sec. 2(1): "A person who by any deception (a) dishonestly secures the remission of the whole or part of any existing liability to make a payment, whether his own liability or another's; or (b) with intent to make permanent default in whole or part on any existing liability to make payment, or with intent to let another do so, dishonestly induces the creditor or any person claiming payment on behalf of the creditor to wait for payment (whether or not the due date for payment is deferred) or to forgo payment; or (c) dishonestly obtains any exemption from or abatement of liability to make payment he shall be guilty of an offence."

Theft (Amendment) Act 1996 - S15A: "A person is guilty of an offence if by any deception he dishonestly obtains a money transfer for himself or another."

The problem with deception in the context of computer crime is that deception must be on a human mind, and not a computer. A machine cannot be deceived. This is a clear principle of law and was noted in the following cases:
- DPP v Ray [1974]: "For deception to take place there must be some person or persons who will have been deceived." (Lord Morris)
- Re London and Globe Finance Corp Ltd [1903]: "To deceive is to induce a man to believe that a thing is true which is false, and which the person practising the deceit knows or believes to be false."

The DPP v Ray principle will present a potential obstacle to successful prosecution here.
Neither of these offences (secs. 1 or 2 Theft Act 1978) will be made out where the deception is played upon a computer, rather than a person; the wording of these sections strongly suggests that the deception must operate on the human mind; a machine cannot be deceived.

The problem of Preddy [1996]

Another problem with prosecuting in this area was seen in the case of Preddy (1996). In this case, Preddy made several mortgage applications to building societies. He knowingly deceived the building societies by providing false information and was convicted under the following section: S15(1) Theft Act 1968: "A person who by any deception dishonestly obtains property belonging to another, with the intention of permanently depriving the other of it, shall on conviction on indictment be liable to imprisonment for a term not exceeding 10 years." However, the House of Lords decided that there had been no breach of the section, as they had not obtained property belonging to another. They stated: An amount in a bank account is a chose in action, thus a person has a right to sue the bank for the amount of money in their account. The transfer from the lender's bank to Preddy's bank did not lead to a situation where property belonging to another was obtained - the chose in action had just altered. In other words, Preddy had a chose in action to the amount of money that he had deceptively transferred across, but he did not own the property rights in it. Therefore, he had not obtained property belonging to another.


THE PROBLEM WITH THIS DECISION: If anyone engineered a fraudulent electronic money transfer they could escape conviction, first for theft and secondly for not obtaining property belonging to another. Where there is an electronic transfer from one account to another, the first amount is extinguished and then a NEW amount is sent to the new account. There is therefore new property and property BELONGING TO ANOTHER.

To close this loophole, the following amendment was made: the Theft (Amendment) Act 1996 added s15A: "A person is guilty of an offence if by any deception he dishonestly obtains a money transfer for himself or another" - although note the fact that the deception problem still remains. Indeed, see Holmes v Governor of Brixton Prison: Parliament have amended the Theft Act, but deception of a human is still needed.

The Common Law offence of conspiracy to defraud

Here, it seems, there is no requirement that a person be deceived. This is evidenced by the comments of Viscount Dilhorne in Scott v Metropolitan Police Commissioner [1975] AC 819: "to defraud ordinarily means ... to deprive a person dishonestly of something which is his or of something to which he is or would or might but for the perpetration of the fraud be entitled." This offence stands alone, but it may often be the case that one of the fraud offences under the Theft Act may also have been committed. It must also be remembered that statutory conspiracy to commit other offences (under section 1 Criminal Law Act 1977) may be an available charge. Section 12 of the Criminal Justice Act 1987 (in essence) states that the common law and statutory offences of conspiracy are no longer deemed to be mutually exclusive. Necessarily, the offence cannot be committed by one person alone, as the key element of the offence is the agreement (between two or more persons). It was a useful charge before the advent of the Computer Misuse Act 1990, and remains so because of its inherent flexibility.
R v Bakker [2001] EWCA Crim 2354 - conspiracy to sell counterfeit computer software.

This charge can also now be used to target those who plan acts or events outside of the UK. This has been achieved by the insertion of a section into the Criminal Law Act 1977 (see section 1A) by section 5 of the Criminal Justice (Terrorism and Conspiracy) Act 1998. The provisions can be summarized as follows. A charge of statutory conspiracy can be brought where:
- The agreed course of conduct would, at some stage, involve an act by one or more of the parties, or the happening of an event, intended to take place in a country or territory outside the UK - sec. 1A(2).
- That act or event would be an offence under the law in that other country or territory - sec. 1A(3).
- A party to the agreement (or his agent) did any one of the following (sec. 1A(3)):
  1. did anything in England and Wales in relation to the agreement before its formation.
  2. became a party to the agreement in England and Wales.
  3. did or omitted anything in England and Wales in pursuance of the agreement.

Attempts under section 1 of the Criminal Attempts Act 1981

Sec. 1(1): "If, with intent to commit an offence to which this section applies, a person does an act which is more than merely preparatory to the commission of the offence, he is guilty of attempting to commit that offence."

Note, firstly, that you cannot attempt to conspire - section 1(4)(a). Also, you cannot attempt to aid, abet, counsel or procure the commission of an offence - section 1(4)(b). A person may be convicted of attempting to commit an offence even though the facts are such that the commission of the offence is impossible - section 1(2). Note also that you cannot be found guilty of attempting a summary offence. Putting it another way, you can only be found guilty of attempting an offence which is triable on indictment or triable either way - section 1(4).

An incomplete computer fraud can be seen as an attempt to steal money. The key question is whether the accused's actions are "more than merely preparatory". How have the courts interpreted this key statutory phrase?
- Osborn (1919) 84 JP 63
- Robinson [1915] 2 KB 342
- Gullefer [1987] Crim LR 195
- Jones [1990] 1 WLR 1057
- Campbell [1991] Crim LR 268
- Geddes [1996] Crim LR 894
- Tosti [1997] Crim LR 746

The potential difficulty in applying the offence of Attempt to computer fraud scenarios was one of the reasons that the legislature brought in section 2 of the Computer Misuse Act 1990; under that section, a person can attract liability for committing the basic hacking offence with an intention to commit a further, more serious offence. We will consider this offence, inter alia, in the next lecture.

Computer fraud as Theft under section 1(1) Theft Act 1968

Sec. 1(1): "A person is guilty of theft if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it."

Maximum term of imprisonment is seven years - section 7. What happens where, in the absence of cogent evidence to support a charge of conspiracy or attempt, a person "deceives" a computer for fraudulent purposes? It seems, as stated above, that a charge of obtaining property by deception would not meet with success. However, the facts will usually support a charge of theft, an offence which will not be hindered by the computerised nature of the criminal activity.


The key elements of the offence are not usually difficult to apply (and possibly establish) in such cases:
- Appropriation - see R v Gomez [1992] 3 WLR 1067
- Property
- Belonging to another
- Dishonestly - see R v Ghosh [1982] QB 1053
- Intention to permanently deprive

Remember that sections 1, 2 or 3 of the Computer Misuse Act may also provide an opportunity for prosecution of the alleged offender in cases of computer fraud.


LECTURE EIGHTEEN - The Fraud Act 2006 & Governmental Policy

Required Reading:
Andrew Murray Chapter 15, section 15.1
The Fraud Act 2006 and explanatory notes.
Bainbridge, D I Introduction to Information Technology Law Pearson Longman 6th Edition (2008), pages 419-437.
Johnson, M & Rogers, K M The Fraud Act 2006: The E-Crime Prosecutor's champion or the creator of a new inchoate offence? International Review of Law, Computers and Technology (2007), volume 21, issue 3, pages 295-304.
Ormerod, D The Fraud Act 2006 - Criminalising Lying (March 2007) Criminal Law Review, pages 193-219.
Bainbridge, D Criminal law tackles computer fraud and misuse (2007) Computer Law and Security Report, Volume 23, Issue 3, pages 276-281.
The Law Commission Fraud (Report No. 276), July 2002. The Report is available at: http://www.lawcom.gov.uk/lc_reports.htm#2002 [Accessed 23rd May 2007].

After a considerable gestation period, the Fraud Act 2006 came into force on 15 January 2007. It introduced a general fraud offence (section 1), which can be committed in one of three ways:
- Section 2 - by false representation
- Section 3 - by failure to disclose information
- Section 4 - by an abuse of position

The introduction of general offences is intended to provide substantial scope to ensure that technologically focused crime can be targeted by this provision. This covers newer offences such as phishing and spoofing and provides sentences of up to ten years (section 1(3)(b)). There are further new offences included in the Act, such as possessing articles for use in frauds (section 6), making and supplying articles for use in frauds (section 7) and obtaining services dishonestly (section 11).

The background to the Act

Arguably, the key reason for the introduction of the Fraud Act was the history of complexity and uncertainty concerning offences involving deception. Ormerod is clear in his criticism as he states: "The deception offences were notoriously technical. Although overlapping, they were overparticularised, creating a hazardous terrain for prosecutors who, in charging, could be tripped up by something as subtle as the fraudster's method of payment. The interpretive difficulties were substantial." (page 194)

The problems centred on the case law that has determined that the implication within the statutory words which describe the offence is that the deception must be played upon a human mind. Coupled with the interpretive difficulties seen in the application of the deception offences, the judiciary were also critical of the state of the law. Edmund-Davies LJ in the case of Brian Royal (1971) 56 Cr.App.R 131 stated: Despite the aim of the still-youthful Theft Act to simplify the law, we feel that the time has already come to declare that so obscure is section 16 that it has already created a judicial nightmare.
It has even puzzled some academic lawyers (page 136).

The Law Commission in 2002 published a report entitled Fraud (Report No. 276), July 2002 (available at: http://www.lawcom.gov.uk/lc_reports.htm#2002) and commented that due to the number of potential statutory provisions which could be used in fraud trials, a number of wider problems could arise. The judicial minefield it caused - most notably with technical arguments - led to occasional swift responses to plug loopholes. The decision in R v Preddy is a good example of this (with the focus of the decision being based upon whether the mortgage loans were strictly property belonging to another as required under section 15 of the Theft Act). The decision in this case led to the addition of section 15A of the Theft Act. However, the problem with plugging loopholes when they appear is that the law is continually playing catch-up with criminality. The Law Commission refer to the words of Lord Hardwicke in 1759, who stated: "Fraud is infinite, and were a court once to ... define strictly the species of evidences of it, the jurisdiction would be cramped, and perpetually eluded by new schemes which the fertility of man's invention would contrive" (paragraph 3.14).

Academic and judicial criticism aside, there are wider reasons for the introduction of new legislation. It is without doubt that in recent years, technology-based crimes have been on the increase. The government-backed Get Safe Online Report published in October 2006 (available at: http://www.getsafeonline.org/media/GSO_Cyber_Report_2006.pdf) suggested that around one in ten people (about 3.5 million) in the UK had been the victim of an online fraud in 2006, which cost on average £875 per person. Losses related to phishing were estimated to have cost £23.2 million in 2005, while identity theft continues to increase. It is fair to say, however, that figures relating to fraudulent activity are invariably changeable. In March 2007, the BBC reported that UK fraud cost more than £20bn per year, while at the same time credit card fraud is on the decrease. Meanwhile, a survey by Infosecurity Europe advises that around one-third of companies do not even report their information security crimes and breaches.
Thus, any attempt to provide specific statistics on the relative increase (or decrease) in technology-based fraud is fraught with difficulty and almost impossible to achieve. What can be stated with some certainty is that the opportunity to engage in crime over the Internet or by alternative electronic methods is growing, while the ingenuity of perpetrators continues to stretch boundaries. The Fraud Act is an attempt to provide flexibility within the legislation by providing a broad net where a number of fraud offences can be caught.

Repeals and principles

The deception offences in sections 15, 15A, 16 and 20(2) of the Theft Act 1968 (respectively: obtaining property by deception, obtaining a money transfer by deception, obtaining a pecuniary advantage by deception and procuring the execution of a valuable security by deception) and sections 1 and 2 of the Theft Act 1978 (respectively: obtaining services by deception and evasion of liability by deception) are repealed. (The full list of repeals and amendments is found within schedule 1.) The advantage of this is that there is a shift in focus away from deception problems (notably that deception of a machine or computer is not legally possible, as in DPP v Ray [1974] AC 370) and towards the concept of dishonesty, as defined in R v Ghosh [1982] QB 1053. The two-stage test was outlined by Lord Lane, who stated: "In determining whether the prosecution has proved that the defendant was acting dishonestly, a jury must first of all decide whether according to the ordinary standards of reasonable and honest people what was done was dishonest. If it was not dishonest by those standards, that is the end of the matter and the prosecution fails. If it was dishonest by those standards, then the jury must consider whether the defendant himself must have realised that what he was doing was by those standards dishonest." The reliance on dishonesty is a major alteration to the law in this area.
The second is that fraud is now a conduct as opposed to a result crime. Under the sections of the Theft Acts (which are now repealed) there had to be the obtaining of a money transfer, or property, or a service, as a result of a dishonest deception - the defendant had to gain, or the victim had to lose, control or ownership of property. Without the gain or loss, a possible charge of an attempted crime could result, as long as the defendant had gone beyond a merely preparatory act towards the commission of the full offence (Criminal Attempts Act 1981 section 1(1)), and subject to the mens rea of intention to commit the particular actus reus. The Fraud Act 2006 removes the need for gain or loss, or even that a property right be endangered, by focussing solely on the conduct of the defendant. Gain and loss are widely defined in section 5. Gain includes a gain by keeping what one has, as well as a gain by getting what one does not have (section 5(3)), while loss includes a loss by not getting what one might get, as well as a loss by parting with what one has (section 5(4)). For section 2 - likely to be the most widely used section, particularly in respect of on-line criminal behaviour - this means that a defendant has to dishonestly make a representation which he knows or suspects may be untrue or misleading with the intention to cause a loss to another or a gain to himself (or another). It can be seen that this modus operandi does away with the need for a victim altogether; indeed nobody need even believe the false representation made.

It is important to consider wider factors in the fight against fraud. Consider issues, such as the likelihood of increased convictions for online fraud and whether victims are more likely to report such crime.

Governmental Policy

In June 2009, the United Kingdom Government published two important documents on the future of the Internet. The first, and more substantial, was the Digital Britain Report.[3] This 230-page report arose from a joint project between the Department for Business, Innovation and Skills and the Department for Culture, Media and Sport and was chaired by Lord Stephen Carter. The second report was the Cyber Security Strategy of the United Kingdom.[4]
This was a significantly smaller report, at just over twenty pages, but set out the strategy the United Kingdom government would be taking to ensure that the internet can be used safely. Again, this report set out the importance of cyberspace, while emphasising that while our reliance on the Internet grows it is essential that the security of cyberspace is maintained. The report set out plans for a coherent approach to ensuring the safety of Internet users and systems and called for a joined-up approach with government, public bodies, cross-sectoral organisations, international partners and the general public working together to safeguard the Internet for its users. The report stated that this vision would be realised through a number of strategic objectives. First of all, it is necessary to reduce the security risks apparent through the use of the Internet. This includes reducing the level of security threat and also the impact if there was an attack, but also the United Kingdom's vulnerability to such an attack. Secondly, by exploiting the opportunities that are provided by cyber space, and thirdly by improving knowledge, capabilities and decision-making abilities. The report then set out how these objectives were to be achieved. The key proposal was for the establishment of an Office of Cyber Security (OCS). This was established in September 2009 and came into effect in March 2010. This body aims to provide leadership, within the Cabinet Office, to ensure the objectives of the cyber security strategy are achieved. To assist in this aim, a Cyber Security Operations Centre (CSOC) was established and this organisation assists the OCS by monitoring the health of cyber security within the United Kingdom and providing businesses with advice on the risks and opportunities afforded by the Internet. The objectives were also to be achieved by establishing cross-government agreement for the priorities and liaising with all relevant stakeholders.
The report does not go into fine detail about how the Government will achieve its objectives, citing security reasons. However, the report did highlight that the OCS would work to ensure that there are safe, secure and resilient systems in place; consideration of policy, doctrine, legal and regulatory issues would be a key responsibility along with trying to achieve a culture change in terms of cyber security awareness through skills and education. The OCS would also work on researching and developing technical capabilities and would consider how the United Kingdom could fully exploit the benefits of cyber space. Finally, the OCS would be required to work on a national and international level ensuring that the government are aware of their roles and responsibilities, while working and liaising with international partners and other stakeholders.

[3] Department for Business, Innovation and Skills, Digital Britain: Final Report (June 2009). Available at: http://www.culture.gov.uk/what_we_do/broadcasting/6216.aspx
[4] The Cabinet Office, Cyber Security Strategy of the United Kingdom: Safety, Security and Resilience in Cyber Space (June 2009). Available at: http://www.cabinetoffice.gov.uk/reports/cyber_security.aspx


LECTURE NINETEEN - HACKING

Required Reading

Andrew Murray, Chapter 13, section 13.1
Bainbridge, D, Introduction to Information Technology Law (6th Edition) Pearson Longman, 2007, pages 438-453.
Lloyd, I, Information Technology Law (5th Edition) Oxford University Press, 2008, pages 221-239.
Worthy, J & Fanning, M, Computer Misuse Act: new tools to tackle DoS attacks (2007) E-Commerce Law and Policy, volume 9, issue 1 (pages 5-7).
Stein, K, Unauthorised Access and the UK Computer Misuse Act 1990: The House of Lords Leaves No Room for Ambiguity, Computer and Telecommunications Law Review (2000), volume 6, issue 3, pages 63-66.
Fafinski, S, Cyber crime (2007) New Law Journal, 157(7258), 159.
Fafinski, S, Access denied: computer misuse in an era of technological change (2006) Journal of Criminal Law, volume 70, issue 5, pages 424-442.
MacEwan, N, The Computer Misuse Act 1990: Lessons from its past and predictions for its future (2008) Crim L.R. 955

Introduction

In response to the legal concerns which were highlighted by the case of R v Gold, and the problems unearthed by the English and Scottish Law Commissions in the 1980s, the Computer Misuse Act 1990 was created. The Computer Misuse Act 1990 created three new offences:

Section 1 - The act of obtaining unauthorised access to programs or data held on computer.
Section 2 - Securing unauthorised access with a view to facilitating the commission of a further serious offence.
Section 3 - Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer etc.

Section 1 - The basic Hacking offence

Previously, an act concerned with seeking to obtain unauthorised access to data held on a computer did not, in the absence of further conduct, attract criminal liability. Section 1 of the Act now ensured that it would:

1(1) A person is guilty of an offence if
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
(b) the access he intends to secure or enable to be secured is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.

This Act has been amended by S35 PJA 2006; the above is the amended wording of the section. Thus, the offence can be broken down into its constituent parts:

Causing a computer to perform a function

Section 17 contains definitions and other aids to interpreting the legislation. It should be noted, however, that there is no definition of 'computer', 'program' or 'data'. Causing a computer to perform a function with intent to secure (unauthorised) access is given a wide definition. It includes causing a computer to operate in any manner by:
- altering or erasing the program or data;
- copying or moving it to any storage medium other than that in which it is held or to a different location in the storage medium in which it is held;
- using it; or
- having it output from the computer in which it was held.

Note that it is not a requirement that the unauthorised user directs their attention to any particular computer system or any specific programs or data held in the system - Section 1(2).

Does one computer have to be used to seek access to another? This question was put to the Court of Appeal in A-G's Ref (no.1 of 1991) [1992] 3 WLR 432. Back came the resounding answer that there are no grounds whatsoever for implying or importing the word 'other' between 'any' and 'computer', or excepting the computer which is actually used by the offender from the phrase 'any computer'. The CoA referred to the Law Commission's following comments on the matter: "... hackers are quintessentially thought of as outsiders it is in our view important to ensure when settling the terms of an offence that it is directed at unauthorised users of a system or part of a system, whether outsiders or insiders, that one does not concentrate exclusively on outside hackers".

The Audit Commission surveys had shown that most instances of computer misuse are perpetrated by insiders. Indeed, in 1994, an Audit Commission Report (Opportunity Makes a Thief: An Analysis of Computer Abuse, HMSO, 1994) stated that no less than 85% of the reported incidents of computer misuse were carried out by employees.

With intent to secure unauthorised access

When is access unauthorised? Under Section 17(5), access is held to be unauthorised when the user:
(a) is not himself entitled to control access of the kind in question to the program or data; and
(b) does not have the consent to access of the kind in question to the program or data from any person who is so entitled.

The issue of who is entitled to control access may be more complex where a computer system serves as a host, providing storage space and access facilities for programs or data controlled by other parties.
Knowledge that access is unauthorised

The offence is made out if the hacker simply intends to secure access, regardless of whether he succeeds, but he must know, at the time, that the access he is seeking to gain is unauthorised. Thus, Intent and Knowledge together constitute the mens rea of the offence. The offence requires both of the following:
- that the access intended by D is, in fact, unauthorised; and
- that D knows that his access is unauthorised.

What about where someone has limited access rights? The Law Commission provided some assistance in this regard when it distinguished between conduct which constitutes a deliberate act of disobedience, and indeed defiance of the law, and conduct which amounts to mere(ly) carelessness, stupidity or inattention (Law Com no.186, para 3.36). The Commission recommended that only the former type of conduct should attract liability under the Act.


What about unauthorised use by authorised users?

DPP v Bignell [1998] 1 Cr App Rep 1: "... the primary purpose of the Computer Misuse Act was to protect the integrity of computer systems rather than the integrity of information stored on the computers ... a person who causes a computer to perform a function to secure access to information held at a level to which the person was entitled to gain access does not commit an offence under section 1, even if he intends to secure access for an unauthorised purpose, because it is only where the level of unauthorised access has been knowingly and intentionally exceeded that an offence is committed, provided the person knows of that unauthorised level of access."

R v Bow Street Magistrate and Allison ex parte Govt. of USA [1999] 4 All ER 1: "Section 1 refers to the intent to secure unauthorised access to any program or data. These plain words leave no room for any suggestion that the relevant person may say: 'Yes, I know that I was not authorised to access that data but I was authorised to access other data of the same kind.'" per Lord Hobhouse.

Thus, it was held that the Computer Misuse Act looked at a person's entitlement/authority to access specific programs and data, not simply their entitlement/authority to access kinds of data. Lloyd states that this decision undoubtedly closes a significant loophole in the Computer Misuse Act 1990. It is clear that the statute is much more than an anti-hacking measure and that misuse of facilities by authorized users will expose them to the risk of criminal prosecution (Lloyd: Information Technology Law (4th Edition), page 299).

The decision in Allison seems to support the convictions (in earlier, unreported cases) of individuals who had accessed the material themselves. For example, in Bonnett (Unreported, Newcastle under Lyme Magistrates Court, 3rd November 1995) a police officer had accessed information from the Police National Computer to discover who owned a particular car. He did this because he wanted to make an offer to buy the registration number of the car (which was BON1T). However, the conviction of Farquharson (Unreported, Croydon Magistrates Court, 9th December 1993) and the like, who asked another to access the data in question, must be questioned in the light of their Lordships' reasoning in Allison.

The PJA 2006 has made S1 a triable-either-way offence with up to a two year term of imprisonment for conviction on indictment, or a fine, or both.

Section 2 - The Ulterior Intent Offence

The Act describes this offence as unauthorised access with intent to commit or facilitate the commission of further offences - see marginal note by section 2. It can be looked at either as a preliminary offence or an aggravated form of the basic hacking offence. It is an offence which is triable either way and it carries a maximum sentence of 5 years' imprisonment and/or a fine - sec.3(7).

2(1) A person is guilty of an offence under this section if he commits an offence under section 1 above (the unauthorised access offence) with intent
a) to commit an offence to which this section applies; or
b) to facilitate the commission of such an offence (whether by himself or by any other person).

The law of Attempts was seen to present potential problems in the field of computers. One of the constituent elements of a criminal attempt is that the accused has done an act which is more than merely preparatory to the commission of the offence - Sec. 1(1) Criminal Attempts Act 1981.


The Law Commission gave several examples of where an individual's actions may not have crossed this Rubicon, but where it was of the opinion that liability could be justifiably imposed despite this fact - see Law Com no.186, paras 3.52-3.53. Section 2 of the Computer Misuse Act was brought in to cover such scenarios and provides an alternative and, perhaps, better route to conviction where other offences are intended by the hacker (Bainbridge: Introduction to Computer Law (5th Edition), page 388). The further offence which the accused intends to commit (or be committed by someone else) must, under Sec.2(2), be one:
- for which the sentence is fixed by law (e.g. Murder); or
- for which the maximum sentence is not less than five years' imprisonment.

If the further offence is actually committed (i.e. completed) then, of course, the accused will most likely be charged with that offence. What this section 2 offence provides is a means of prosecuting those individuals who fall short of completing such a further offence, and liability may be justified on the grounds that it is their state of mind (an intention to commit the further offence) which is the focus of their culpability.

It is worth noting that sec.2(3) states that it is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion. Moreover, sec. 2(4) states that a person may be guilty of an offence under this section even though the facts are such that the commission of the further offence is impossible. Lastly, it must also be noted that a person who is tried on indictment (in the Crown Court) for a section 2 (or section 3 - see later) offence can, if found not guilty, be convicted in the alternative by the jury of the section 1 offence (if, of course, the facts support such a finding) - section 12.

How precise does the charge have to be regarding the offence which the accused is alleged to have ulterior intent to commit? Beldam LJ in Re Levin [1997] QB 65 at 78: "In our view, it is not necessary to do more than specify the type of offence which the accused had in mind so as to bring it within the requirements of sec. 2(2)."

Jurisdiction

The simple requirement is that a significant link be established in order to claim domestic jurisdiction - section 4. Under sec. 5(2)(a) and (b), either of the following will constitute a significant link when a section 1 offence is charged:
- that the accused was in the home country (England and Wales, Scotland or Northern Ireland, as appropriate), or
- that any computer containing a program or data to which the accused secured or intended to secure unauthorised access by doing that act was in the home country concerned at the time.

Under sec. 5(3)(a) and (b), either of the following will constitute a significant link when a section 3 offence is charged:
- that the accused was in the home country concerned at the time when he did the act which caused the unauthorised modification, or
- that the unauthorised modification took place in the home country concerned.

Under secs. 4(4) and 8(1), there is a further requirement when a section 2 offence is charged. If the accused operates from within any of the home countries, intending to commit or facilitate a further offence in a different country, those intended actions must involve the commission of an offence under that other country's law - this is known as the principle of double criminality.

Charging people with conspiracy to commit an offence under the Computer Misuse Act 1990 has recently been made easier where previously jurisdictional issues would have presented an obstacle to successful prosecution. This has been achieved by the insertion of a section into the Criminal Law Act 1977 (see section 1A) by section 5 of the Criminal Justice (Terrorism and Conspiracy) Act 1998. The provisions can be summarised as follows. A charge of statutory conspiracy can be brought where:
- The agreed course of conduct would, at some stage, involve an act by one or more of the parties, or the happening of an event, intended to take place in a country or territory outside the UK - sec. 1A(2).
- That act or event would be an offence under the law in that other country or territory - sec. 1A(3).
- A party to the agreement (or his agent) did any one of the following (sec. 1A(3)):
1. did anything in England and Wales in relation to the agreement before its formation.
2. became a party to the agreement in England and Wales.
3. did or omitted anything in England and Wales in pursuance of the agreement.

Other offences which can be used to target hacking

These may be considered where, for example, the alleged hacker was unaware that the access which he sought/gained was unauthorised - a key element within the offences in the Computer Misuse Act 1990.

Theft Act 1968

Whilst confidential information will not come within the definition of property for the purposes of theft (see Oxford v Moss (1978) 68 Cr App R 183), the Theft Act 1968 does contain, inter alia, the offence of dishonestly abstracting electricity under section 13, as follows: "A person who dishonestly uses without due authority, or dishonestly causes to be wasted or diverted, any electricity shall on conviction on indictment be liable to imprisonment for a term not exceeding five years." A small, but definite amount of electricity will be abstracted by hacking (through the process of the host computer retrieving the information sought by the hacker from its store and then transmitting it to the hacker's computer terminal). The Ghosh test will be used to determine the presence or absence of dishonesty.

Regulation of Investigatory Powers Act 2000

Under section 1, it is an offence to intentionally (and without lawful excuse) intercept any communication in the course of its transmission via a public communications system. The offence takes the form of modifying or interfering with the telecommunications system or its operation, or monitoring transmissions on it.


It can be seen as an offence which targets the interception of transmissions (for example, the interception of computer data on the BT network). However, since hackers usually initiate transmissions, they will not normally fall within the boundaries of this offence. As Bainbridge puts it: "this offence, therefore, applies only to the situation where the hacker is eavesdropping: that is, listening in for interesting communications to intercept" (Bainbridge: Introduction to Computer Law (5th Edition), page 392).

Data Protection Act 1998

The act of copying personal data from a computer system may render a hacker liable for the offence of processing personal data without having notified the Commissioner, under section 21(1) of the Act. Other relevant offences under the Act include obtaining or disclosing personal data or procuring its disclosure to another person, under secs. 55(1) and (3), respectively.

Section 127 of the Communications Act 2003

This section criminalises the improper use of a public electronic communications network. It covers five forms of activity. For example, a hacker who threatens to release a computer virus into a system unless he is paid off would fall within section 127(1)(a) of this Act; his blackmailing e-mail would be viewed as a menacing message.


LECTURE TWENTY - UNAUTHORISED ACTS OF COMPUTER PROGRAMS OR DATA

Required Reading

Andrew Murray, Chapter 13, sections 13.2 and 13.3
Bainbridge, D, Introduction to Information Technology Law (6th Edition) Pearson Longman, 2007, pages 454-467.
DPP v David Lennon (2006) EWHC 1201 - case note, Computer Law and Security Report 22 (2006) 416-417.
Please see articles as per Lecture 11.

Introduction

Information cannot be destroyed in a physical sense. However, the storage of it is key to its availability and use. Consequently, the erasure, alteration or modification of information in its (computerised) stored form could have two main consequences:
- The owner of the storage facility (computer system), who may also be the author of the information, will have to expend time and money in securing a copy of the original (unmodified) information.
- If the information had been stored only in this form, and no copy was readily available, a unique item would have been lost.

Lloyd states (supra @ page 241) that anyone possessing a degree of familiarity with computers and their method of operation will be only too well aware how fragile is the hold on its electronic life of any piece of data ... To the risks of accidental damage must be added those of deliberate sabotage.

The alteration or deletion of data held on a computer system can take a number of forms and may be done for any one of a number of motives. The motivational drive behind such activities might include:
- Fraudulent intent
- Intent to cause disruption to the computer owner's activities
- Intent to uncover and highlight weaknesses in the security of the system

Logic Bombs

Lloyd defines a logic bomb as a program which is designed to come into operation at some later date or upon the occurrence of specified conditions (supra @ page 242). R v Thompson [1984] 3 All ER 565.

Computer Viruses

Bainbridge defines a computer virus as a self-replicating program which spreads throughout a computer system, attaching copies of itself to ordinary programs (Bainbridge: Introduction to Computer Law (Longman) 4th Edition, 2000, @ page 324).

Logic bombs and computer viruses are different conceptually, although they may often have similar or even the same effects. They can be distinguished in the following way:
- A logic bomb is usually created on and applied to a specific computer system.
- A computer virus will typically be transferred from one system to another (e.g. via disks or e-mail attachments).

What is the scale of the problem?

The Audit Commission survey in 1990 (Survey of Computer Fraud and Abuse, HMSO, 1991) found that a total number of 54 incidents were reported to it; this accounted for 30% of all reported computer fraud and abuse.


The Audit Commission survey in 1993 (Opportunity Makes a Thief: An Analysis of Computer Abuse, HMSO, 1994) reported a massive increase to 261 incidents.

The Audit Commission survey in 1997 (Ghost in the Machine: An Analysis of IT Fraud and Abuse, Audit Commission Publications, 1998) found that 50% of the organisations surveyed reported problems with viruses.

The NHTCU's survey of 2004 has now provided us with new data to help assess the current scale of e-criminal activity (see National Hi-Tech Crime Unit Survey: High-Tech Crime 2004 - the impact on UK business - see http://www.nhtcu.org/NOPSurvey.pdf). Therein, it was stated that 83% of the 201 respondent companies had experienced at least one of the computer-based crimes that they were asked about. It was stated that, predictably, the one type of computer-based crime mentioned by 77% of those interviewed was an attack by a computer virus. All types and sizes of organisation reported this problem. The figures listed below show the percentage rates of computer-related crimes that were experienced by those organisations in 2003:

Virus attacks: 77%
Denial of service attacks: 17%
Financial fraud: 14%
Criminal use of Internet: 14%
Theft of data: 12%
Corporate website spoofing attacks: 12%
Unauthorised access to, or penetration of, systems: 9%
Sabotage of, or damage to, data or networks: 7%
Spam attacks: 3%

Types of Computer Viruses

- The Cookie Monster
- The Ping Pong

These two viruses do not affect any data or programs and can be described as being relatively innocuous (though, perhaps, annoying). Other viruses can be truly harmful in, for example, their ability to completely corrupt a computer's hard disk.

- The AIDS virus
- The worm that turned - United States v Morris (1991) 928 F 2d 504.

The legal response before the 1990 Act

Damage to or erasure of computer programs or data had been targeted via the use of the Criminal Damage Act 1971. Section 1 states that: "A person who without lawful excuse destroys or damages any property belonging to another intending to destroy or damage any such property ... shall be guilty of an offence."


One potential obstacle in the way of successful prosecutions under this statute was the definition of property therein (section 10). The property concerned is required to be of a tangible nature, whether real or personal. Cox v Riley (1986) 83 Cr App R 54.

The Law Commission (Law Com no 186, para 2.31) considered the issue of the use of the CDA 1971 to combat such behaviour: "That the practical meaning of damage has caused practical as well as theoretical problems following the decision in Cox v Riley is evidenced by the experience of the police and prosecuting authorities who have informed us that, although convictions have been obtained in serious cases of unauthorised access to data or programs, there is recurrent (and understandable) difficulty in explaining to judges, magistrates and juries how the facts fit in with the present law of criminal damage."

There was conflicting evidence from two other sources on this issue; one seemed to fully support the Law Commission in its view, the other seemed to conflict with it. They were as follows:

The House of Commons Official Report (6th series) col 1134, 9 February 1990:

"... of 270 cases that have been verified by the Department of Trade and Industry as involving computer misuse over the past five years, only six were brought to court for prosecution and only three of these were successfully prosecuted for fraud. There must be some inadequacy in the law as it stands."

The Audit Commission's survey 1984-87, page 22:

From within the DTI figures, they found 118 instances of computer fraud and misuse. Of these, 40 cases were prosecuted, 35 of which successfully.

The Law Commission recommended that the CDA 1971 should be amended to make it clear that damage to programs or data would not constitute criminal damage under the Act. It also recommended that a new computer-specific offence should be established. This recommendation was accepted and the result is the offence in section 3(1) of the Computer Misuse Act 1990. Note that section 3(6) of the CMA 1990 seeks to avoid any overlap between itself and the CDA 1971 by stating that: "For the purposes of the Criminal Damage Act 1971, a modification of the contents of a computer shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition."

The Mad Hacker

This case was heard after the CMA 1990 had come into force, but had to be decided on the previously existing law (i.e. the CDA 1971). The decision fuelled the debate as to whether the CDA 1971 could/would continue to be used in cases of alleged erasure or deletion of computer programs or data. R v Whiteley (1991) 93 Cr App R 25. LCJ Lane: "What the Act requires to be proved is that tangible property has been damaged, not necessarily that the damage itself is tangible. There can be no doubt that the magnetic particles upon the metal discs were a part of the discs and if the appellant was proved to have intentionally and without lawful excuse altered the particles in such a way as to cause an impairment of the value or usefulness of the disc to the owner, there would be damage within the meaning of the section."

It must be said that it seems unlikely that a charge would now be brought under the CDA 1971, now that the CMA 1990 (section 3) offence exists, particularly since LCJ Lane stated later on in the Whiteley case that no doubt it (the CMA 1990) will be used as the basis of criminal prosecution in the case of computer misuse. However, it is possible, in the light of the Whiteley decision, that the CDA 1971 may still be a useful tool in certain scenarios for certain reasons. They are as follows:
- The penalties which can be imposed under the CDA 1971 are more substantial than those under the CMA 1990.
- Whilst the accused must have acted intentionally under the CMA offence, recklessness is the minimum mens rea requirement under the CDA 1971.
- The CMA prohibits unauthorised modification of the contents of a computer.

Unauthorised modification in the Computer Misuse Act 1990 AS AMENDED BY THE POLICE AND JUSTICE ACT 2006

The Police and Justice Act 2006 (which came into force in March last year), s36 replaces s3 CMA with the offence of Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer. This is designed to give effect to the UK's responsibilities under the European Framework Decision on Attacks against Information Systems adopted by the Council of Ministers on the 24th February 2005 (art 3). This section also increases the maximum penalty for such an offence from 5 years to 10 years and/or an unlimited fine.

Section 3(1): A person is guilty of an offence if
a) he does any unauthorised act in relation to a computer;
b) at the time when he does the act he knows that it is unauthorised; and
c) either subsection (2) or subsection (3) below applies.

Subsection (2): This subsection applies if the person intends by doing the act
a) to impair the operation of any computer;
b) to prevent or hinder access to any program or data held in any computer;
c) to impair the operation of any such program or the reliability of any such data; or
d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done.

Subsection (3): This subsection applies if the person is reckless as to whether the act will do any of the things mentioned in paragraphs (a) to (d) of subsection (2) above.

This is an offence triable either way, carrying with it a maximum sentence on indictment of 10 years' imprisonment (as amended by s36(6)c of the PJA 2006) and/or a fine - section 3(7). The same jurisdictional provisions apply to this offence as they do to the section 1 offence. The PJA 2006 also inserts S3A into the CMA 1990, setting out the offence of Making, supplying or obtaining articles for use in offences under section 1 or 3 - this is intended to target so-called hacker tools, but is there an overlap with ethical hacking?


S3(5): in this section
(a) a reference to doing an act includes a reference to causing an act to be done;
(b) act includes a series of acts

See the case of Re Yarimaka (2002) EWHC 589 concerning inaccurate information. The scope of the intention is wide enough to encompass such problems as Spamming.

The requisite knowledge - under section 3(4), this is defined as the knowledge that the intended modification is unauthorised. It should be noted that it is immaterial whether the modification or its effects are intended to be permanent or merely temporary - section 3(5).

Some successful prosecutions under section 3

R v Whitaker (1993): A freelance typesetter tampered with a computer owned by a client, installing a security package which could only be disarmed via the use of a password. He withheld the password from the client, which denied the client access to the computer for several days with resultant losses to the client which were estimated at some £36,000. He claimed that the reason why he had done this was because the client owed him £2,000 in fees. Whitaker was convicted under section 3, his sentence being comprised of a two-year conditional discharge and a fine of £1,650.

See Battcock, Prosecutions Under the Computer Misuse Act (1996) 6 Computers and Law 22: An IT manager added a program to his employer's system which had the effect of encrypting incoming data. The data would automatically be decrypted when it was subsequently accessed. The manager left his employment following a disagreement and some time later the decryption function ceased to operate. This rendered the computer unusable. Despite his claims that the encryption function was intended as a security device and that the failure of the decryption facility was an unforeseen error, the accused was convicted under section 3.

See Battcock, Prosecutions Under the Computer Misuse Act (1996) 6 Computers and Law 22: A customer was late in making payment for some software which he had been supplied with. The supplier, having anticipated possible problems with payment, had inserted a time lock function.
Unless removed by the supplier, this function would stop the software working from a specified date. The supplier was convicted under section 3.

Viruses and the unauthorised modification offence

Lloyd states that taking the concept of an unauthorised modification as a whole, it would seem clear that the offence might be committed by a person who creates a computer virus and sends it out into the world with the intention that it will infect other computers (supra @ page 251). This is because the Act itself provides, in section 3(3), that: The intent need not be directed at
(a) any particular computer;
(b) any particular program or data or a program of any particular kind; or
(c) any particular modification or a modification of any particular kind.

R v Pile (1995) - see Computing, 1 June 1995, page 1. Using the pseudonym Black Baron, the accused created a number of viruses, concealed them in seemingly innocuous programs, and then published the programs on the Internet. The viruses infected any computer onto which they were downloaded. When he was arrested he said that he had wanted to create a British virus which would match the worst of those from overseas. He was the first virus writer to be convicted under the Act and was sentenced to 18 months' imprisonment. Also see, for example, the case of Simon Vallor (2003), sentenced to two years in jail for releasing 3 worm viruses in what he admitted was a mistake.

Denial of service (DoS) or Distributed denial of service (DDoS) attacks

Can section 3 now be used to successfully prosecute people who launch denial of service attacks (DoS), or distributed denial of service attacks (DDoS)? The difficulty used to be in trying to establish that such modifications were unauthorised, given the open invitations to visit such websites. See Article 5 of the European Convention on Cybercrime (see http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm): "Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data." The new section 3 would seem to easily encompass both forms of attack. See R v Lennon (pre PJA).


LECTURES TWENTY-ONE AND TWENTY-TWO - REVISION LECTURES

These lectures will be an overview of the entire module and are intended to be supportive of your revision for examinations. It is strongly recommended that you attend. Questions for the seminars will be posted on StudyNet prior to the session. This will be the last chance to get it wrong without consequences, so make sure you fully prepare.

GOOD LUCK WITH THE EXAMS!!


SEMINAR ONE - INTRODUCTION TO CYBERLAW

Questions for consideration

You must bring an article from a magazine or newspaper (or their on-line equivalent) which deals with an aspect of law in cyberspace. Be prepared to give a brief presentation on this in class.

Read: George, C & Scerri, J, Web 2.0 and User-Generated content: legal challenges in the new frontier (2007) Journal of Information, Law and Technology, volume 2. Available at: http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2007_2/george_scerri. What are the advantages and disadvantages of the Internet (and particularly user-generated content) according to the authors?

One of the crucial issues which has arisen during the debate as to how the Criminal Law should respond to e-Criminal activity is whether technology-specific legislation is required to combat it or whether the application of more general criminal law provisions will be sufficient for this purpose. Which do you think is likely to be the more successful policy and why?

A potential problem with the application of law in cyberspace is legal equivalence with the real world. How do you think this might apply to torts such as trespass or defamation? Or crimes such as harassment or pornography?

Learning Outcomes

By the end of this seminar you should be able to:
- Understand some of the terms/phrases used in e-activity.
- Appreciate the significance of the debate about how legal issues should be targeted in cyberspace.
- Be aware of the potential scope and scale of legal/technical issues in the UK and globally.


SEMINAR TWO - INTERNET GOVERNANCE

Questions for consideration

1. Using Chapter One from Murray's book The Regulation of Cyberspace, outline some of the key academic approaches and ideas to the regulation of the Internet.

2. Part of the seminar will be taken up by producing a timeline of the key Internet governance incidents over the past decade. Ensure that you come to class able to discuss these incidents and add to the class discussion.

3. "Discussions concerning Internet governance are parochial. No-one really cares who runs the Internet as long as it works." To what extent do you agree with this statement?

4. "The governance of the Internet has been developed over the last 35 years bottom up and step by step by the technical community and the providers and users of Internet services themselves. There has been no, or only little, governmental involvement." Kleinwachter, W, WSIS and Internet governance: the struggle over the core resources of the Internet (2006) Communications Law, Volume 11, number 1, pages 3-12. Critically evaluate the truth of this statement. Your answer must be supported by relevant academic opinion and a demonstration of an awareness of recent Internet governance issues.

5. Can the Internet governance debate be boiled down to a simple discussion on sovereignty?

Learning Outcomes

- Be aware of the issues surrounding governance in cyberspace.
- Be able to demonstrate an understanding of the main institutions of Internet governance.
- Be able to utilize that understanding to critically evaluate the legal argument.


SEMINAR THREE - ONLINE PORNOGRAPHY

Questions for consideration

1. What are the problems with the definition of obscenity in the context of the internet? Does the definition mean censorship in effect?

2. David enjoys looking at adult sites on the internet. One day he stumbles across a site showing naked young men being beaten by older women. David enjoys the videos and downloads several to his computer. He also sees some pictures of a woman apparently being raped by several men. David is horrified by this and deletes the site. Several weeks later he takes the computer for repair and shortly after the police call at his house and arrest him on two counts of being in possession of extreme pornography. One count concerns the videos and the other the picture that David thought he had deleted. What are David's chances of conviction?

3. Read McGlynn and Rackley, Criminalising extreme pornography: a lost opportunity (2009) Crim. L. R. 245. What arguments do the writers make against the new legislation? Do you agree with them?

Learning Outcomes

By the end of this seminar you should be able to:
- Be aware of the several offences which can possibly be charged in the sphere of computer pornography, and understand their constituent elements.
- Demonstrate an ability to apply the case and statute law in this area to hypothetical scenarios.


SEMINAR FOUR - INDECENT IMAGES OF CHILDREN

Questions for consideration

1. What are the main offences which can potentially be used in the fight against indecent images of children?

4. Gary, Jonathan and Paul are friends who met via the Internet. They all live in the south of England and are in daily e-contact with each other. The police have been investigating concerns that a paedophile ring has recently been set up via the Internet and Gary, Jonathan and Paul's e-mail addresses have been traced during searches for this alleged e-activity. Consequently, the police raid each of their houses and seize the following:

- From Gary's house: some pornographic drawings of children. Gary says these are artistic and a product of his imagination. He says the removal of them is an interference with his freedom of expression.
- From Jonathan's house: evidence of a small database of what appear to be indecent images of children that are each made up of a collage of images, modified by the use of computer painting packages (none of the elements of which is indecent in itself).
- From Paul's house: evidence of a large database of pornographic photographs of children which had all been taken with a digital camera. Paul says he is conducting research for a Doctoral thesis.

All three of them have been charged under section 1 of the Protection of Children Act 1978. What are the chances of each of them being successfully prosecuted for this offence?

5. What amendments may be made by the Coroners and Justice Act 2009? To what extent will these reforms reduce the problem of indecent images of children? What might be the problems with the Act?

Learning Outcomes

By the end of this seminar you should be able to:
- Be aware of the several offences which can possibly be charged in the sphere of computer pornography, and understand their constituent elements.
- Demonstrate an ability to apply the case and statute law in this area to hypothetical scenarios.


SEMINAR FIVE - ONLINE HARASSMENT AND GROOMING

Questions for consideration

1. Cyberstalking and online harassment can take any one of several forms. What are they and which of them do you consider to be the more serious forms?

2. Legislation aimed at preventing on-line harassment is simply unjustifiable censorship of free speech? Critically discuss in view of the different approaches taken to this issue by the UK and the USA.

3. Bob has been chatting to Lola on Facebook for some months. She has told him she is fifteen, but in reality she is thirteen. Bob pretends to be eighteen, but really he is twenty one. He has never had a girlfriend. Over the weeks, their chat becomes flirty, then they begin to talk of meeting and going out together. Lola suggests a wine bar at lunchtime and arranges to meet him outside. Bob turns up but instead of Lola, he finds her angry father who has discovered the plan. He calls the police who arrest Bob. When he is being searched back at the station, an officer finds a condom in Bob's pocket. He admits that they discussed sex, but he says he just wanted to meet Lola. Could Bob be charged with an offence? Is it likely he will be found guilty?

4. Two months ago, Doris split up with her boyfriend, Bertland. They had been going out with each other for two years, but Doris had decided that she could not see herself building a future with Bertland, a man with heavy drinking habits and a history of schizophrenia. Bertland took the break up badly and embarked on a campaign to win Doris back. Soon he was phoning her at least five times a day, and sending numerous text messages in quick succession, each varying in content. In some of them he made unwelcome sexual advances to Doris in sometimes very graphic and profane language. In others he threatened to either harm or kill himself if she did not go out with him again. Bertland has also recently started listening to a new radio talk show whose host Murray holds controversial views. Bertland feels the show is misleading the public and e-mails Murray to complain. Bertland's anger with Murray continued to rise and although he has never met Murray he has decided that he thoroughly dislikes him and e-mails Murray every day to tell him this. Murray feels the e-mails are growing increasingly menacing. Both Doris and Murray have contacted the police about Bertland and he has now been arrested. Advise Bertland on his chances of being successfully prosecuted for an offence under the Protection from Harassment Act 1997 or any other legislation that may be relevant.

Learning Outcomes

By the end of this seminar you should be able to:
- Be aware of the different forms of cyberstalking and online harassment.
- Distinguish between the legal approach to such problems in the USA and UK.
- Demonstrate an understanding of the two main offences under the PHA 1997 and be able to apply the law to hypothetical scenarios.


SEMINAR SIX - PRIVACY AND DATA PROTECTION (1)

Questions for consideration

1. Provide definitions for the following terms: Data; Personal data; Data Subject; Data Controller; Data Processor; Processing; Relevant filing system.

2. Explain the facts and decision in Durant v Financial Services Authority (2003).

3. To what extent do the decisions in Johnson v Medical Defence Union (MDU) [2005] 1 WLR 750 and Smith v Lloyd TSB Bank Plc [2005] WL 636009 support the decision in Durant?

4. "The Data Protection Act 1998 is the essential piece of legislation in maintaining the privacy of an individual in respect to their personal data. This remains to be the case despite concern that recent judicial pronouncement about the meaning of personal data has watered down its effectiveness." With relevant case law and academic opinion critically assess the above statement.

Learning Outcomes

By the end of this seminar you should:
- Understand the principles and problems of privacy and data protection.
- Demonstrate an ability to apply knowledge to a hypothetical situation.
- Evaluate the merits of a particular viewpoint and make and present a reasoned choice between alternative solutions.


SEMINAR SEVEN - PRIVACY AND DATA PROTECTION (2)

Questions for consideration:

1. What is Safe Harbour?

2. Explain these key terms from the Data Protection Act 1998:
- Eight data protection principles;
- Schedule 2 requirement;
- Sensitive personal data;
- Schedule 3 requirement.

3. What are the exemptions to the Data Protection Act?

Read the following scenario and answer all the questions that follow:

Reggie Short is a bus driver working for London Buses Limited. Reggie is not happy in his job, as he thinks he does not receive enough pay and so would like to move. He applied for a job with the Greater London Bus Company. He filled in and posted the relevant application form and he obtained an interview, which Reggie thought had gone very well. He was very pleased to hear that he had been offered the job subject to references. A reference was requested from London Buses Limited, but Reggie was stunned to hear that the job offer had been withdrawn following receipt of the reference. Fortunately, Reggie's wife, Lesley, has a close friend who works in the Personnel Department at the Greater London Bus Company and she revealed that there had been considerable correspondence between the two companies. As a result of this considerable correspondence, London Buses Limited decided to withdraw the job offer. Reggie was understandably very angry and contacted the head of personnel at the Greater London Bus Company and demanded to see a copy of the reference and all other information relating to his application.

Greater London Bus Company is going through a process of updating its personnel department's processes, which will eventually include keeping all applications and interview notes online. However, at present, all application forms and interview notes are clipped together and placed in a box file for the particular month in which the job vacancy was advertised.

- Advise Reggie on the process he should go through to obtain the information he requires.
- Advise Greater London Bus Company whether they are obliged to provide Reggie with the information he requires.
- Greater London Bus Company is keen to ensure that their data protection practices are kept up to date and would value your advice on rules that they should be following.


Learning Outcomes

By the end of this seminar you should:
- Demonstrate an in-depth knowledge of online privacy and data protection.
- Demonstrate an ability to produce a comprehensive synthesis of relevant policy issues in relation to this topic.
- Demonstrate an ability to act independently to retrieve up to date information.


SEMINAR EIGHT - Web 2.0

Questions for consideration

1. How has the law responded to the dangers of minors using social networking sites?

2. Can an employer monitor the internet and email usage of an employee?

3. Helen is the managing director of a small company advertising lesser-known musical artists on the Internet through a (fictional) website called www.lesserknownartist.com. The business model is simple. Her company obtains income from each musician listed on her website that is visited by a person through a hyperlink on www.lesserknownartist.com. The company also obtains a small percentage of any merchandise that is sold during these visits. By ensuring that her website features prominently on search engine results pages, she can increase her company's income through hits on to the advertised websites. Helen has built the company up to be very successful and each month it makes a very healthy financial profit. She has a very strong work-ethic, which was drummed into her from her youth, and Helen believes that all of her staff should have the same approach to work. To this end, Helen believes that the office computers, which are all connected to the Internet, should only be used for work purposes and that her three employees should not use the work computers for personal use. Helen is concerned that her employees are using the computers for personal use and therefore decides to monitor the usage of the work computers. Helen introduces a system that monitors websites that are visited by her employees during working hours. Helen reads the monitoring reports and places them in her employee folders, which contain personal information and bank details. She regularly leaves these folders on her desk, where anyone could access them. Advise Helen on the legality of the monitoring activity.


SEMINAR NINE - DEFAMATION

Questions for consideration

1. Explain the principles decided in the case in Sheffield Wednesday Football Club Limited et al v Neil Hargreaves [2007] EWHC 2375 (QB).

2. Gaynor operates a website, which allows for people who are fans of cookery television programmes to leave messages on a message board about the recipes used and also allows members to offer one another assistance with cookery dilemmas. All members are required to sign up to the site, providing basic details about themselves, and have to agree to the terms and conditions of the website, which amongst other things requires users not to post defamatory comments on the site. A number of users however have begun posting comments on the website about the presenters of these television programmes. Three comments in particular, which are all aimed at the chefs, stated: "Chef A couldn't find an egg in a battery farm", "Chef B is a lazy, incompetent who clearly slept his way through cookery school, and probably with most of the teachers there" and "Chef C doesn't know the difference between a hand-whisk and the card game whist". All of these postings were posted by people using a pseudonym and accordingly it is not clear who wrote them. The chefs who are referred to in the postings are very upset and are seeking to commence a defamation order against Gaynor and the authors. Consider the available courses of action and any potential remedies.

3. Explain the requirements of a Norwich Pharmacal order.

4. In what circumstances is an Internet Service Provider liable for comments found within their domain?

5. Mark is browsing a bookseller's website in the USA when he comes across a review written about a book which he wrote several years ago. The review, written by Clevereader and posted on the bookseller's message board, is highly derogatory of both the book and Mark, stating that he bought his degree, knew little about his subject, and probably plagiarised others' work. Mark is horrified and wants to know if he can bring an action for defamation against Clevereader, or the bookseller which hosts the message board. Mark's last book sold 50,000 copies in the UK, but was not published in the US. Mark later finds out that Clevereader is his ex-girlfriend who lives in Germany. What would your advice be to Mark and to the bookseller?

6. Is the ancient tort of defamation at odds with the modern concept of freedom of expression?

Learning Outcomes

By the end of this seminar you should:
- Understand the principles and problems of defamation.
- Demonstrate an ability to apply knowledge to a hypothetical situation.
- Evaluate the merits of a particular viewpoint and make and present a reasoned choice between alternative solutions.


SEMINAR TEN - SPAM

Questions for consideration

1. You are approached by a friend who tells you that they are receiving a vast quantity of unsolicited bulk email on their home computer. They seek your advice on what anti-spam legislation exists in the United Kingdom and how they can take action to reduce this email. Advise them with regard to The Privacy and Electronic Communications (EC Directive) Regulations 2003.

2. Critically evaluate the terms of The Privacy and Electronic Communications (EC Directive) Regulations 2003.

3. It is contended that "as long as legislators only seek to regulate spam and not outlaw it, then it does not matter how many laws are passed or how tight the Regulations are, there will always be a loophole that spammers will try to exploit ... domestic legislation is almost useless [in eradicating spam] if other countries do not also strengthen their regulation ... It is essential that countries that legislate against spam act in an uniform manner; this is not being seen at present." [Quotation taken from Rogers, K. M., The Privacy Directive and Resultant Regulations - The Effect on Spam and Cookies, Part I (October 2004) Business Law Review, Volume 25, Number 10, pages 271-274, at page 274]. In light of the above statement, critically evaluate the United Kingdom's Privacy and Electronic Communications (EC Directive) Regulations 2003 and assess the likelihood of ending the curse of spam from an individual's email inbox.

4. In 2009 Gemma established an online business selling jams and homemade preserves to members of the public. To date, this has been a very successful venture and she has had to expand her business and employ staff. However, due to the economic downturn the company is not making as much profit as before as consumers have been purchasing their jams and preserves from supermarkets, which offer similar products, but at cheaper prices. In order to raise the profile of the company, Gemma decides to embark on an advertising campaign to increase awareness of the company. In short, she decides to send two sets of advertisements out in the form of an email.

The first advertisement is sent to all of her company's previous customers. In the email she advertises a new range of locally produced honey and advises that as a previous customer they would be entitled to a 10% discount on all sales over £15.00.

The second advertisement is sent to a large number of email addresses, which she purchased from an online company selling email address lists. This email is advertising all products and she includes her correct contact details and valid return address within the body of the email.

Amy (a previous customer) received the first advertisement, while Matthew (who has not heard of Gemma's company before) received the second advertisement. Neither Amy nor Matthew is happy with receiving this unsolicited communication and they have approached you to find out the relative legality of these emails. Advise Amy and Matthew. Your answer should refer to the provisions in the Privacy and Electronic Communications (EC Directive) Regulations 2003 only.


Learning Outcomes

By the end of this seminar you should:
- Understand the principles and problems of spam e-mails.
- Demonstrate an ability to apply knowledge to a hypothetical situation.
- Evaluate the merits of a particular viewpoint and make and present a reasoned choice between alternative solutions.


SEMINAR ELEVEN - COOKIES

Questions for consideration

1. Explain the function, use and purpose of cookies.

2. A friend who you work with approaches you. They are concerned about the use of cookies as they are concerned that their email address and other details could be passed around the world and they will receive email and advertising that they simply do not want. They understand there is legislation which deals with this issue but do not know anything about it. Advise them.

3. "Directive 2002/58 [implemented by the Privacy and Electronic Communications (EC Directive) Regulations 2003] is probably the first statutory legal framework in the world that specifically deals with the use of cookies. In principle, it should be widely applauded because it explicitly recognises that the use of cookies gives rise to privacy and data protection problems and it constitutes an attempt to protect the fundamental privacy while recognising that cookies can be used for legitimate purposes and thus preserving legitimate interests of business." (Debussere, F, The EU E-Privacy Directive: A monstrous attempt to starve the cookie monster? (2005) International Journal of Law and Information Technology, Volume 13, Number 1). Critically evaluate the above statement.

4. "Directive 2002/58 is to be applauded as being a significant legal framework that specifically deals with the use of cookies. The privacy issues are recognised and a satisfactory approach is taken to protect the fundamental right of privacy, while allowing businesses to pursue their legitimate interests." Undertake a critical evaluation of this view. Does your answer change if the reforms due to be implemented into the United Kingdom by May 2011 are introduced as currently drafted?

Learning Outcomes

By the end of this seminar you should:
- Understand the principles and problems of cookies and the relationship with privacy issues.
- Demonstrate an ability to apply knowledge to a hypothetical situation.
- Evaluate the merits of a particular viewpoint and make and present a reasoned choice between alternative solutions.


SEMINAR TWELVE - SUMMARY SEMINAR Questions will be posted on StudyNet prior to the seminar.


SEMINAR THIRTEEN - ONLINE CONTRACTS

Questions for consideration:

1. Outline the difference between an offer and acceptance and an offer and invitation to treat.

2. What parallels are formed by academics between traditional contract formation rules and applying them to online contracting?

3. "The European Union's Directive on Electronic Commerce 2000/31/EC has ended all uncertainty regarding contract formation and incorporation of contractual terms online." Critically assess the above statement and make reference to decided case law and academic opinion.

4. Justin sends an e-mail to Lucy at 2.50pm offering to buy a million pounds' worth of shares in New Enterprises plc. However, a few minutes after sending his e-mail Justin hears a rumour of impending poor profit figures from New Enterprises and sends another e-mail to Lucy at 3.00pm withdrawing his offer. Lucy receives Justin's first e-mail at 3.00pm and sends back an e-mail at 3.05pm accepting Justin's offer. Lucy's acceptance is received by the network at 3.07pm and by Justin at 3.10pm. Meanwhile Lucy receives Justin's second e-mail at 3.06pm. The next day the price of shares in New Enterprises plc collapses. Advise Lucy whether Justin is obliged to buy the shares.

5. Bookland are a retailer of books and videos who also trade through a web-site. A recent blockbuster was inadvertently put on sale through the web-site priced at £1.99 when it should have been priced at £10.99. Thousands of pounds' worth of orders were taken before the error was discovered. Bookland wish to be advised whether or not they are legally obliged to honour these orders. Bookland are also concerned that they should not be bound to sell an item if they happen to have run out of stock and ask your advice about this. Bookland also take orders from overseas customers through their web-site. They want your advice as to whether they can ensure that the contracts are concluded in the UK in order to avoid the possibility of being sued in other countries by any dissatisfied customers.

Learning Outcomes

By the end of this seminar you should:
- Understand the principles of online contracting.
- Demonstrate an ability to apply knowledge to a hypothetical situation.
- Evaluate the merits of a particular viewpoint and make and present a reasoned choice between alternative solutions.


SEMINAR FOURTEEN - INCORPORATION OF TERMS

Questions for consideration

1. What problems are there with incorporating terms into an online contract?

2. Lisa purchases a mobile phone online from the (fictitious) company Phones4Uonline. The website has written in bold at the bottom of each page "For our full terms and conditions please click on this hyperlink". Underneath this statement there is a hyperlink, which would take Lisa to the terms and conditions of Phones4Uonline. However, Lisa's computer is old and slow and therefore she does not access the terms and conditions. Is Lisa bound by them? Discuss.

The second part of this lecture will form a case study of J Pereira Fernandes SA v Mehta (2006) 1 WLR 1543. It is essential that you bring a copy of the judgment to class and also read academic commentary surrounding the decision.

3. What were the facts of this case? What was the decision of the Judge?

4. To what extent has the decision in J Pereira Fernandes SA v Mehta (2006) 1 WLR 1543 assisted lawyers in trying to ascertain whether terms have been incorporated into a contract?

5. To what extent is academic opinion in support of the decision in Mehta? Based on your reading of the academic opinion, are you of the view that the decision is correct?

Learning Outcomes

By the end of this seminar you should:
- Understand the principles and problems of incorporation of terms in online contracting.
- Demonstrate an ability to apply knowledge to a hypothetical situation.
- Evaluate the merits of a particular viewpoint and make and present a reasoned choice between alternative solutions.


SEMINAR FIFTEEN - DISTANCE SELLING REGULATIONS

Questions for consideration

1. "The consumer protection measures found in The Consumer Protection (Distance Selling) Regulations 2000 are critical in maintaining consumer confidence in the Internet as a transacting medium." Critically evaluate this statement.

2. The definition of consumer:
a) John is a freelance computer programmer. He frequently purchases software over the Internet. Sometimes he purchases games software for his son Nigel. Is John a consumer?
b) Martin runs a pretzel shop in London. Recently his alarm system let him down and he bought a new system on Currys website. Is he a consumer? Would your answer differ if he bought the goods on a B2B exchange?

3. Matthew is the managing director of an online company. He has been in operation for over five years and has built up a successful customer base within the United Kingdom. Last Christmas particularly saw a large increase in their sales. Matthew is eager to ensure that his customers are treated fairly and legally and he goes to considerable length to maintain the goodwill of the business. However, he has had a few unhappy customers speak to him on separate occasions, about the following issues:
a) Lisa sent an email on Thursday 10th May to Matthew saying that she would like to return the goods to Matthew that she purchased on Monday 7th May (3 days earlier) because she did not like them. Matthew operates a non-return policy.
b) Colin has written to Matthew complaining about the cost of delivery for a good he ordered. Colin includes a copy of some preliminary information sent to him by Matthew, which includes no reference to delivery costs at all. Colin wants to return the good. He purchased the good just over two weeks ago.
c) Matthew sends out calendars to each of his good customers around Christmas. Sally has complained about the invoice that came along with the calendar requesting payment of £15.99 (including taxes and delivery costs) within 28 days. Sally is particularly annoyed as she did not ask for the calendar.
d) John telephoned Matthew two days after buying a good wanting to cancel it. Once again Matthew refused.

Matthew would also appreciate any assistance you could offer him about any other legal requirements placed upon him by the Consumer Protection (Distance Selling) Regulations 2000 and any relevant provisions since the Regulations were slightly amended.

Two weeks later, Matthew speaks to you again and mentions that he is considering going into the online car-hire business. Do you have any additional advice for him?

4. "The draft Directive on Consumer Rights introduced by the European Commission in 2009 makes wholesale changes to the protection afforded to the consumer who engages in online purchasing. It is without doubt that the nature of this protection is clearly to the advantage of the consumer who will be in a significantly better position than under the current Distance Selling Directive regime." To what extent do you agree with this statement?

Learning Outcomes

By the end of this seminar you should:
- Understand the principles and problems of distance selling.
- Demonstrate an ability to apply knowledge to a hypothetical situation.
- Evaluate the merits of a particular viewpoint and make and present a reasoned choice between alternative solutions.


SEMINAR SIXTEEN - E-MONEY; PAYMENTS AND SYSTEMS

Questions for consideration

1. What types of issues need to be addressed before an online payment system is fully utilised by businesses and consumers?

2. To what extent are newer forms of electronic finance likely to challenge the dominance of the credit and debit card?

3. The original Directive 2000/46/EC on E-Money aimed to regulate and enhance consumer confidence in the use of e-money. It provided a rigorous regulatory regime on e-money institutions, but did not achieve its desired effect. Indeed it hindered, rather than encouraged, the development of e-money systems. The subsequent review and reforms contained within the new E-Money Directive 2009/110/EC will reverse this direction and will undoubtedly lead to an increase in the uptake of e-money systems within the European Union.

Undertake a critical evaluation of this view.


SEMINAR SEVENTEEN - COMPUTER FRAUD

Questions for Consideration

1. There were a number of reasons put forward by the Lord Justices of Appeal for allowing the appeal(s) in the case of R v Gold [1988] 1 AC 1063. What were they and to what extent, if any, do you consider them to be a justification for the decision of the Court of Appeal therein? What wider impact did this case have (and upon whom)? At that point in time, do you consider that Schifreen and Gold could instead have been successfully prosecuted for any other offence?

2. It seems to be that if someone commits fraud by using their brain to defeat a computer system it is something to be applauded and not really a serious crime. However, this form of crime causes great anxiety in the commercial world and is considered by the authorities to be very serious. Critically examine the ways in which the Criminal Law has sought to combat the problem of Computer Fraud before the advent of the Fraud Act 2006.

3. In the summer of 2006, Michael decided that he would do anything that he could to raise money to travel the world with his girlfriend the next year. In July 2006, he devised a plan to get the money he needed. He bought twenty cheap handbags at his local market and then photographed his girlfriend's Gucci handbag and put the photograph on E-Bay with a description saying "genuine Gucci - a real bargain!" When there was a successful bid for the bag, Michael sent the cheap imitation. Within weeks his account had been suspended, but Michael had enough for his trip. Consider which would have been the most appropriate offence for him to have been charged with, and assess the chances of him being successfully prosecuted for it.

Learning Outcomes

By the end of this seminar you should be able to:
- Be aware of the different forms of computer fraud.
- Understand some of the offences which can be charged when computer fraud is alleged to have taken place and be able to apply the case and statute law to hypothetical cases.
- Understand the historical concept of fraud in the UK.


SEMINAR EIGHTEEN - THE FRAUD ACT 2006

Questions for consideration

1. To what extent does the Fraud Act 2006 make wholesale changes to this area of law and how much effect do you consider these changes will have on e-crime?

2. "The Fraud Act provides for a general offence of fraud with three ways of committing it, which are by false representation, by failing to disclose information and by abuse of position. It creates new offences of obtaining services dishonestly and of possessing, making and supplying articles for use in frauds." Explanatory notes to the Fraud Act 2006. Undertake a critical evaluation of how successful the Fraud Act 2006 will be in tackling cyber-crime.

3. Charles was contemplating a get rich quick scheme. He decided to design an authentic looking stocks and shares "hot tips" website and charge people ten pounds to sign up for advice on what stocks and shares to buy. Charles knows nothing about shares and plans not to give any tips at all. One day a friend, Ade, comes to Charles' flat for a coffee and sees Charles working on the design of the website. When Ade enquires, Charles tells him of the intended scam, saying "It's ready, but I'm not sending it out until next month when I come back from holiday. Think of all the money I'll make just by pressing this button!" Ade goes home, but he is uneasy with Charles' idea and eventually telephones the local police who go to Charles' house and arrest him for fraud. Charles' solicitor argues that as Charles hasn't sent his email, he should be charged with attempted fraud only. Advise Charles and consider if the situation would have been different if Charles had been charged in 2005.

Learning Outcomes

By the end of this seminar you should be able to:
- Be aware of the different forms of computer fraud.
- Understand some of the offences which can be charged when computer fraud is alleged to have taken place and be able to apply the case and statute law to hypothetical cases.
- Understand the concept of fraud in the UK.


SEMINAR NINETEEN - HACKING

Questions for consideration

1. In the case of R v Bow Street Magistrate and Allison ex parte Govt. of USA [1999] 4 All ER 1, what was the result of the appeal to the House of Lords, and what were the reasons put forward by their Lordships for their decision (see the leading judgment of Lord Hobhouse)? How significant do you consider this decision to have been?

2. What were the facts of the case of A-G's Reference (No. 1 of 1991) [1992] 3 WLR 432? With which offence under the CMA 1990 had the accused been charged, and for what reason did the prosecution collapse?

3. Tony works as an accountant for FatCats plc in central London. He has devised a scheme whereby he will seek to transfer a small amount of money from the electronic pay-packets of all of the 20,000 blue collar workers at FatCats plc into his own pay-packet. After his pay-packet had been electronically sent into his bank account at the end of the month, he would draw out all of the money and fly to Brazil to live the rest of his life in sun-drenched luxury. He hoped that the fact that only a small amount will have been taken from each of the pay-packets would mean that it would be quite a long time before his activities were discovered, and that he would be safely in Brazil by that time.

When Tony went to work today, he decided to put his plan into action. He switched on his computer and typed in his password. This gave him access to the company's payroll system. He then typed in an instruction to effect the transfer of £10 from each of the aforementioned 20,000 electronic pay-packets into his own pay-packet. The pay-packets will be electronically paid into everyone's bank accounts tomorrow. However, Tony does not know that the computer will not obey any instructions which are concerned with changes to the payroll unless they are separately and ultimately authorised by the Managing Director. This is a secret safety measure which has been recently put in place. Tony's activities have now been discovered and he is in police custody.

Garth works part-time in a FatCats plc superstore and recently heard a rumour from a fellow employee that the company had been preparing a defence to allegations in the press that child labour was used in its two overseas factories. Garth has decided to try to obtain a confidential report concerning the manufacture of FatCats plc's products from the company's computer system. When Garth went to work today, he decided to put his plan into action. He switched on his computer and typed in the password of a senior colleague (he had memorised the password a week ago when, unnoticed by that colleague, he had stood behind him to watch when he logged on to his computer). He then begins to type in any instructions and/or keywords which could possibly lead him to the alleged confidential report. However, within a couple of minutes he is discovered by his manager and the police are called. He too is now being held in their custody.

With which offence would Tony and Garth each be most appropriately charged? Assess the chances of them being successfully prosecuted for the offence(s).

4. How is domestic jurisdiction established under the CMA 1990 (see sections 4-9)?


Learning Outcomes

By the end of this seminar you should be able to:
- Understand the elements of the basic offence of hacking and be able to apply the case and statute law to hypothetical scenarios.
- Be aware of the attitude of the courts to such behaviour, through consideration of the case law in this area.
- Understand the basic requirements as to claims for jurisdiction in such cases.


SEMINAR TWENTY - UNAUTHORISED ACTS

Questions for consideration

1. What is a logic bomb? How can it be distinguished from a computer virus?

2. Tommy works for a bank in Paris. In January 2006, he resigns from his post and returns to England. In the month leading up to his resignation, Tommy had identified several dormant accounts. He had also opened several new accounts in his own name at various branches of the bank. Lastly, he had compiled a program which instructed the computer to transfer sums from the dormant accounts to the accounts which he had opened with the bank. This program did not come into effect until after Tommy had resigned and was back in England. When Tommy arrived in England he telephoned the manager of the bank in Paris and instructed him to arrange for the transfer of the balances from Paris to his new English accounts (which he had set up with various English banks on his return to this country). This was done. Unfortunately for Tommy, the program did not erase itself as it was supposed to and his activities have now been discovered. With which offence(s) could he be charged and what are the chances of a successful prosecution?

3. How had the problem of damage to or erasure of computer programs or data been targeted by the law before 1990? Was this itself problematic?

4. How does the PJA 2006 amend the CMA 1990 and what problems might the amendments solve?

5. Does the Criminal Damage Act 1971 still have a role to play in this area of e-activity?

6. In the light of amendments made by the PJA, to what extent does the decision in DPP v Lennon provide assistance in defeating the problem of denial of service attacks?

Learning Outcomes

By the end of this seminar you should be able to:
- Understand the elements of the offence of unauthorised modification of computer programs or data and be able to apply the case and statute law to hypothetical scenarios.
- Be aware of the similarities of and differences between logic bombs and computer viruses.
- Demonstrate knowledge of the approach taken by the Law before 1990, and the changes in approach which the 1990 Act brought in.
- Demonstrate an ability to inter-relate this topic with other areas of e-Crime Law.


SEMINARS TWENTY ONE AND TWENTY TWO

REVISION SEMINARS. QUESTIONS WILL BE POSTED ON STUDYNET.
