NEWS AND COMMENT ON RECENT DEVELOPMENTS FROM AROUND THE WORLD1

NEWS AND COMMENT ON RECENT DEVELOPMENTS FROM AROUND THE WORLD1

CLSR Briefing CLSR BRIEFING NEWS AND COMMENT ON RECENT DEVELOPMENTS FROM AROUND THE WORLD Compiled by Stephen Saxby, Editor UNITED KINGDOM Data Prot...

260KB Sizes 2 Downloads 44 Views

CLSR Briefing

CLSR BRIEFING NEWS AND COMMENT ON RECENT DEVELOPMENTS FROM AROUND THE WORLD Compiled by Stephen Saxby, Editor

UNITED KINGDOM Data Protection Act 1998 comes into force The long-awaited implementation of the 1998 Data Protection Act took place on 1 March 2000.The new Act works in two ways, giving individuals rights about the way their information is used and ensuring those who use it have corresponding obligations. It also gives the Commissioner — who is in fact the former Data Protection Registrar Elizabeth France — a key role in promoting good practice.The 1998 Act replaces the 1984 Data Protection Act. Its scope is much broader than that of the earlier Act.The definition of processing shows this clearly.Almost any activity involving personal data is covered by its provisions. It also extends to some paper records requirements that previously applied only to information held on computer. Commenting, Elizabeth France, the Data Protection Commissioner, said: “I am pleased to welcome the implementation of the 1998 Data Protection Act. Some of the statutory instruments necessary to make it work are complex, and the Home Office was right to allow time for detailed discussion of their proposals. We look forward now to promoting widespread understanding of the provisions.Although the Act has been brought into effect 18 months later than expected, data controllers must understand that there will be no corresponding slippage in the date when transitional relief will cease.They will still have to comply fully with the 1998 Act from October 2001 for most of their processing.They should use this time to review the way they handle personal data so that they are ready to meet their new obligations.”

202

Further information from the Office of the Data Protection Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; Tel: +44 (0) 1625 545 700, Fax: +44 (0) 1625 524 510, Email: mail@dataprotection. gov.uk, Web site: .

New Act signals other data protection announcements The Data Protection Commissioner, Elizabeth France, used the implementation of the new Data Protection Act to make a number of other announcements.The first was the publication of a report on the Availability and Use of Personal Information in Public Registers.The report sets out the extent to which information about individuals is made widely available through public registers. It is intended to inform the debate on how far access to and use of such details should be restricted. Public registers include the electoral role, but the report looks more widely, in particular at financial and business registers such as the Register of Members (Shareholder Register). The Data Protection Commissioner has also issued a draft code of practice on closed circuit television (CCTV), designed to offer practical advice in helping users to meet their legal obligations.The paper, which is currently out to consultation, is aimed at users of CCTV who monitor and record images from those areas to which the public have largely unrestricted access, such at town and city centres and the public parts of shops and shopping centres. It is intended that the code should apply to schemes that are used for the general purpose of crime prevention and detection, and public safety. The Data Protection Commissioner has also introduced notification online

Computer Law & Security Report Vol. 16 no. 3 2000 ISSN 0267 3649/00/$20.00 © 2000 Elsevier Science Ltd. All rights reserved

from 1 March 2000. From this date, data controllers (those who record and use personal information) have a choice in the way in which they can notify details of their processing to the Commissioner, by telephone or by Internet. The option of completing the form online means that the data controller can notify at a time of their choice. As soon as the Data Protection Commissioner receives a correctly completed notification form, the data controller will be deemed notified and will be able to start processing personal data immediately.

Half UK bosses unaware of Data Protection Act’s implications Over half of Britain’s directors (55%) are unaware of the impact of the 1998 Data Protection Act on their business. In addition, 52% are unaware that the Act came into force on 1 March 2000. The findings emerged from research carried out by The Stationery Office (TSO) — the distributor of official publications. The research also established UK company directors’ awareness of Information Security Compliance (iSC) Standard and the Continuous Compliance Programme (CCP). The independent iSC Standard is marketed exclusively via the Stationery Office and its channel partners and covers UK laws on software copyright, data protection, computer misuse and the Companies Act. The programme enables all UK organizations to manage their IT in a legal and secure manner, and has its own dedicated Web site , which was established in the Autumn of 1999. The Continuous Compliance Programme, encompasses the iSC Standard and is intended for legal IT

CLSR Briefing

management. It provides a set of legal risk management procedures — health check, financial and business risk assessment, project plan, compliance resolution and independent certification. TSO’s research revealed that 45% of companies questioned had not nominated a data protection officer, while 27% also had no-one specifically dealing with IT legal compliance issues.The latter is one of the key aspects of the 1998 Data Protection Act, and only 3% planned to have someone in the near future.When the iSC Standard and CCP were explained to them, 79% of the sample said they believe both will be important to their business. Some 64% also said they were likely to plan a consultation about the CCP in the next 12 months. More than one third of directors polled admitted not auditing their company’s IT in relation to the law, blaming lack of guidance from governing bodies, constant changes in legislation and the rapid pace in development in IT. Computer viruses were of major concern to three quarters of directors. Over half are also concerned about data loss and one third about data protection, in terms of both potential, legal and financial hazards for any business. Ninety-six percent of those polled had access to E-mail or the Internet, but 19% had no clear policy for using either of these essential business tools. Seventy percent of directors said they had carried out IT audits, but 78% believed their staff were operating within the law, indicating that 8% made their claim having had no relevant IT audit. Eighteen percent of those interviewed admitted not auditing their company’s legal position on IT, due to constant changes in legislation. Forty eight percent of the directors surveyed did not have a policy in place that complied with the Companies Act, despite being personally liable for the consequences of legal breaches and the importance of corporate governance. One in three companies had no internal policy regarding the Computer Misuse Act. The iSC Standard was created with the help of law firm Baker & McKenzie. It will be continually updated to comply with latest legislation, addressing one of the main reasons given by directors for non-compliance. Further information from The Stationery Office, IT Compliance, 51, Nine Elms Lane, London, SW8 5DR;

Tel: +44 (0)207 873 8800, Fax: +44 (0)207 873 8284.

No shortage of information on Data Protection Act 1998 Apart from available information from the Data Protection Commissioner’s Web site (), you can also get information on the new Act from several other sources. For example, the information solutions provider — Experian — offers a booklet entitled ‘A Simplified Guide to the Data Protection Act 1998’. It is available, free of charge, from Experian Customer Services on Tel: +44 (0)115 992 2555 or E-mail: [email protected]. Compliance awareness specialist — Easy i — is offering a computer-based training programme — Handle with Care — designed to ensure that all levels of staff within an organization are aware of their new responsibilities under the 1998 Act.A key feature of the programme is an integrated learning management system designed to allow trainers and administrators to monitor staff progress and measure understanding of course content. Further informa tion from Easy I; Tel: +44 (0)1926 854 111 or Fax: +44 (0)1926 854 222; Email: [email protected]. City law firm Paisner & Co, has launched a one-stop package designed to enable all companies trading online to comply in a simple and straightforward manner with the strict data protection rules set out in the new Act.The firm says that Web-based Complytoday is specifically designed for E-businesses and can be purchased directly from Paisner & Co over the Internet. Complytoday is a modular advisory service split into five modules, each of which can be bought separately via the Internet. Further information at Tel: +44 (0)20 7427 1237, Internet: .

Damages case against BML (Office Computers) Ltd dismissed In a case which extends the analysis of the role of experts in litigation in line with the new Civil Procedure Rules and

which defines for the first time a duty of co-operation between the parties to be implied into contracts for the supply of standard packaged software, the High Court has dismissed a case against BML, a subsidiary of Electronic Data Processing Plc (EDP Plc), brought by distributors of timber and carved mouldings Winther Browne & Co Ltd (WB). WB’s claim against BML, originally for approximately £l.2 million in damages, was said to have resulted from alleged defects in BML’s standard packaged software, CHARISMA. The Judgement rejected WB’s claim against BML as misconceived and without merit. BML established that its proprietary software, CHARISMA, worked soundly and performed as BML claimed it would. WB, on the other hand, was found unjustifiably to have withdrawn co-operation with BML in trying to find solutions to trivial and minor difficulties raised by WB. In the trial BML argued that the legal action was precipitated by Financial Management Consultants Limited (FMC). FMC’s joint Chairman, Keith Salmon, self-styled as the “‘leading computer dispute’ expert witness in the UK” acted as technical expert for WB in the litigation. Richard Martin, also from FMC, acted as WB’s quantum expert. Amina Somers, Partner responsible for Technology and Construction Services at the London office of national law firm Irwin Mitchell, who represented BML in the litigation, said that she expected the Judgement would receive much attention from legal advisers and software suppliers alike. “This is an important and significant Judgement. His Honour Judge Toulmin has developed and extended the established analysis of the role of expert witnesses to bring it up to date and in line with the new Civil Procedure Rules. He also found that the effect of experts not acting in accordance with their duties and obligations frustrates attempts to resolve disputes at an early stage,inflates the costs of resolving disputes and is ultimately of little benefit to the client. The case highlights how, far from assisting the Court, inappropriate conduct by experts can fuel litigation rather than assisting the Court and the parties achieving the overriding objective of fair and economic resolution of disputes. The Judgement also clarifies the duties and obligations of supplier and

203

CLSR Briefing

purchaser of standard packaged software on and after purchase. For example, the Judgement held that there is a duty upon a purchaser to communicate clearly any special needs it has to its supplier and to take reasonable steps to ensure that the supplier understands those needs. Further, should problems arise following implementation there is a duty on both parties to co-operate actively in their resolution. This part of the Judgement warrants close examination by the legal profession and developers and suppliers of standard packaged software. It may well prove to have wider ramifications affecting other IT products and other industries, in particular construction.” Having brought this claim to trial WB now faces a legal costs liability in excess of £1.2 million. The system supplied by BML cost approximately £67 000, of which the standard packaged software cost approximately £20 000. Richard Jowitt, Group Chief Executive of EDP PLC, welcomed the Judgement and said: “In my opinion,Winther Browne have been poorly advised by its experts resulting in huge costs liabilities over software costing some £20 000. Peter Susman QC and Terry Bergin, Counsel for BML, exposed the failure of Keith Salmon and Richard Martin to conduct themselves as independent expert witnesses.The Judge found that both Keith Salmon and Richard Martin failed to conduct themselves as independent expert witnesses or in a manner acceptable to the Court.” FMC has been criticized in the computer press for its involvement in litigation against software suppliers. FMC went into creditors’ voluntary liquidation on 11 February 2000. The joint Chairmen of FMC, Keith Salmon and David Wilkins, have each set up new companies, Resolution Consultants Limited (Keith Salmon is a director) and Pro Business Consulting Limited (David Wilkins is a director).

Telecoms reform to be included in forthcoming Communications White Paper Measures to change the regulatory framework on the telecoms industry will now be dealt with in a forthcoming White Paper on reforming

204

communications legislation, according to E-commerce minister Patricia Hewitt. The minister stressed the Government’s continuing commitment to securing a fair deal for consumers, and developing a regime that encourages innovation and choice while minimizing the burden of regulatory change. It was also announced that the regulatory telecoms provisions are to be taken from the Utilities Bill, currently before Parliament, and will now fall within the scope of the White Paper which will look at reforming the regulation of the telecoms and broadcasting industries. Ms Hewitt commented:“We have listened to concerns and we believe there is a strong case for tackling all the legislative changes to the industry at the same time. Therefore the telecoms measures currently in the Utilities Bill will now fall within the scope of the White Paper, which is due to be published later this year. But our principles for telecoms reform remain the same; we want to see a more transparent, light-touch regulatory framework, a firm focus on protecting the interests of consumers, and an independent voice for consumers.”

Investigation by Oftel and the ITC into complaint about bundling of telephony and television by some cable operators The Independent Television Commission (ITC) and the Office for Telecommunications (OFTEL) have investigated a complaint made by BSkyB to the ITC about some aspects of the way in which cable operators bundle retail telephony and television services. After consideration of the responses to a consultation document issued in April 1999 and a paper by Europe Economics, the ITC and OFTEL have provisionally concluded that the complaint should not be upheld.They are publishing the findings from the investigation and invited comments by Tuesday 29 February before taking a final decision. The case arose from a complaint made by BSkyB to the ITC about the way in which cable operators bundle retail telephony and television services. The specific complaints were: that

Computer Law & Security Report Vol. 16 no. 3 2000 ISSN 0267 3649/00/$20.00 © 2000 Elsevier Science Ltd. All rights reserved

cable operators are unduly pressing consumers to take a bundled package of both telephony and television and are either refusing to provide separate services at less than the cost of the bundled package, or are putting obstacles in the path of the single service options; and that the prices of mixed bundles are lower than can be justified on the basis of cable operators’ costs. The ITC and OFTEL have provisionally concluded that at this time there is no basis on which to take action against the cable operators in relation to the practices or pricing of bundled telephony and television services.They intend,however, to keep the situation under review and will revisit the issue should market conditions change materially. Heather Rowe, Report Cor respondent, Lovells

Oftel announces a key new stage towards unbundling the local loop On Friday 10 March 2000 OFTEL launched a statutory consultation on a proposed new condition of BT’s licence to require BT to open up its local access lines. Subject to the results of the consultation process, OFTEL plans to have the new licence condition in place by June 2000 with 1 July 2001 as the absolute deadline for the full launch of local loop unbundling. The proposed condition sets out the requirement on BT to provide unbundled loops to other network operators, permit the co-location of equipment at its local exchanges and to provide any necessary services. The condition will also enable the Director General of OFTEL to set the price for these services and resolve any disputes between BT and other operators over these services.The condition will come into effect on a date to be determined by the Director General of Telecommunications. The purpose of the proposed modification is to require BT to allow operators to lease its local access lines, a process known as local loop unbundling. Operators would then be able to use their own DSL technology to provide broadband services to customers, including services like high-speed always-on Internet access and video-on-demand.

CLSR Briefing

Heather Rowe, Correspondent, Lovells

Report

Responses to consultative document on the future of analogue and CT2 cordless telephony in the UK The Government has confirmed proposals to phase-out the use of analogue and CT2 cordless telephony in order to make under-utilized spectrum available for new and innovative applications. Confirmation was detailed on the following issues: CT2 — Radiocommunications Agency (RA) will phase out the frequency band 864.1–868.1 MHz for the use of CT2. There will be a five-year notice period starting from 1 April 2000.As from 1 April 2005 it will not be permitted to bring new CT2 equipment into service and sales of such equipment should cease. RA will phase in new services operating in the 864.1–868.1 MHz band currently used by CT2. No date is proposed from which the use of CT2 equipment already in service should cease. CT0 — RA will phase out the frequency band 1.7 and 47 MHz for the use of CT0. There will be a five-year notice period starting from 1 April 2000.As from 1 April 2005 it will not be permitted to bring new CT0 equipment into service and sales of such equipment should cease. RA will phase in new services operating in the 1.7 and 47 MHz frequency bands currently used by CT0. Eventually the use of these bands by CT0 will cease, although no end date is yet specified. At present RA has no intention of withdrawing the 31 and 39 MHz frequency bands for the use of CT0. CT0 (extended) — RA will phase out the frequency bands 47 and 77 MHz for the use of CT0 (extended). There will be a five-year notice period starting from 1 April 2000. As from 1 April 2005 it will not be permitted to bring new CT0 (extended) equipment into service and sales of such equipment should cease. RA will phase in new services operating in the 47 and 77 MHz frequency bands currently used by CT0 (extended). Eventually the use of these bands

by CT0 (extended) will cease, although no end date is yet specified. Lorna Montgomerie, Solicitor, Lovells

Government wants UK to stay ahead in digital revolution Small Business and E-commerce Minister Patricia Hewitt has announced plans which are designed to keep the UK as a world leader in the digital revolution. In publishing the Digital Content Sector Action Plan for Growth, the minister said:“On the Internet, content is king. The UK’s digital content industry is among the most creative in the world, but we can and must do more to maintain our lead. This action plan for the digital content sector will build upon our traditional strengths in broadcasting and publishing.” Key recommendations of the plan include: • establishing a new industry body — the Digital Content Forum — to work with government, higher education bodies and other organizations and the industry, e.g. on education and training needs, financing, marketing information, exports and promotions; • creating an industry-owned Internet portal ‘contentUK.org’ which is to be linked to the small business service gateway and with links to other sites; • promoting and marketing the UK digital content sector and new media industries at home and abroad; • promoting career opportunities in digital media; • supporting entrepreneurs and helping them find investment sources; • creating a database of UK digital/interactive/convergent media companies. The action plan is available on the DTI Web site: . It is also available in hard-copy from the DTI publications hotline, Tel: +44 0870 150 2500, or by E-mail: [email protected]. Editor’s Note: The action plan has been produced in partnership with the digital content industry. The industry produce interactive media, mostly for

the Internet and products like CDROMs and DVDs.The industry includes Internet publishers such as newspapers, books and magazines; films and TV producers; computer software suppliers; leisure and education software publishers; and digital and interactive media organizations.

Radiocommunications Agency announces new asset tracking mobile data licensee The Radiocommunications Agency (RA) is to award a Wireless Telegraphy Act licence to QNL (UK) Ltd to provide an asset tracking mobile data network in the UK. This follows the consultation paper in May 1999: ‘Spectrum for Asset Tracking Mobile Data Networks’. The responses to this paper showed: • that any licence awarded should be in the 866–868 MHz range, and • that RA will need to continue to investigate whether other spread spectrum CDMA systems can be accommodated within the same band. If this proves to be feasible, RA will publish a further consultation document on this issue. Asset tracking is an application that enables businesses to trace the actual location of its assets such as cars or lorries, but could also be used to trace other high value assets, such as IT equipment. Copies of the non-confidential responses and a summary of the main points raised in the responses are on the Agency’s Web site at: . Further information from RA on Tel: +44 (0)171 211 0211. Editor’s Note:.Asset tracking using spread spectrum techniques may result in lower costs to the consumer and thereby significantly expand the market. Spread spectrum systems can also share spectrum with existing services. As well as providing efficient, low cost solutions for both private vehicle and fleet operations, these systems also lend themselves to such applications as home security, telemetry/telecommand, and tracking industrial plant and equipment.

205

CLSR Briefing

The consultation document ‘Spectrum for Asset Tracking Mobile Data Networks’ sought views on allocating radiospectrum in the 863–870 range to allow the asset tracking market to expand. This market, which currently allows private vehicle and fleet car companies to keep track of their vehicles, has seen increased interest from industry that would like to provide new services using spread spectrum techniques.

The Radio Equipment and Telecommunications Terminal Equipment (R&TTE) Directive 99/5/EC The introduction of the R&TTE Directive on 8 April 2000 will bring a sea change in the way manufacturers of radio equipment and telecommunications terminal equipment (TTE) can gain access to the European marketplace for their products. The Directive aims to provide the European radio and TTE industry with a more deregulated environment than at present. The involvement of third parties in conformity assessment is not necessary in most cases. The person who places equipment on the market will, in general, be regarded as taking full responsibility for its conformity to essential requirements, and for properly informing users of its intended use. Only in the case of radio equipment for which harmonized standards are not available, or are not used, is it mandatory to consult a third party notified body. The Directive replaces the national approval regimes for radio equipment and TTE and the requirements of the consolidated Telecommunications Terminal Equipment Directive (98/13/EC).The Directive also contains requirements on Health & Safety and Electromagnetic Compatibility (EMC) based on those in the Low Voltage Directive (LVD) (73/23/EEC) and the EMC Directive (89/336/EEC), disapplying those Directives for equipment within its scope.This means that manufacturers will only have to declare conformity to one directive to enable them to place their products on the market anywhere in the European Union.

206

Heather Rowe, Correspondent, Lovells

Report

The UK commences Third Generation mobile auction The Third Generation (3G) licence auction commenced on 6 March with 13 companies applying for one of the five UK 3G licences.The auction began on 6 March and the mobile phones to be manufactured will allow users to surf the Internet, rapidly download E-mails, music and other high-quality pictures, and hold video conferences on the move.The companies bidding are named as: • Vodaphone Ltd (owned by Vodaphone AirTouch plc) • BT (3G) Limited (owned by BT Cellnet plc) • Orange 3G Ltd (owned by Mannesman) • One2One Personal Communications Ltd (owned by Deutsche Telekom) • SpectrumCo Ltd. SpectrumCo Limited was formed by the Virgin group and its partners (which include Nextel, Sonera, EMI,Tesco and a number of private equity funds) • Global Crossing Crescent Wireless Ltd (the company has USA parentage). Crescent Wireless Limited is a recently organized company whose shareholders have significant interest in Global Crossing. The shareholders of Crescent Wireless have granted an option to Global Crossing to purchase up to 100% of Crescent Wireless. • TIW UMTS (UK) Ltd.TIW UMTS (UK) Limited is a subsidiary of TIW,the telecoms company listed in Montreal and Atlanta, which also owns the UK TETRA operator Dolphin. • MCI WorldCom Wireless (UK) ltd. WorldCom Wireless (UK) Limited is wholly owned by MCI Worldcom, the global telecoms company based in the USA. • Telefonica UK Ltd. Telefonica UK Limited is a wholly owned subsidiary of TelefonicaSA, one of the leading telecoms companies in Spain and Latin America. • Eircom 3G (UK) Ltd. 3G (UK) Limited is an Eircom company. Eircom is one of Ireland’s leading providers of local, long distance and international telecommuniciations services.

Computer Law & Security Report Vol. 16 no. 3 2000 ISSN 0267 3649/00/$20.00 © 2000 Elsevier Science Ltd. All rights reserved

• One.Tel Global Wireless Ltd. One.Tel Global Wireless Limited is a subsidiary of One.Tel, a global telecoms company based in Australia. • NTL Mobile Ltd. NTL Mobile Limited is jointly owed by NTL, a leading alternative telecommunications provider and cable company, and France Telecom. • Nomura Epsilon Tele.com plc. Epsilon Tele.Com plc is a wholly owned subsidiary of the Japanese finance house Nomura. On 14 February, the E-commerce minister announced that all 13 applicants had qualified to participate. The four existing operators will not be permitted to bid for the licence with the greatest amount of spectrum, which is reserved for a new market entrant. The reserved prices for the five licences total £500 million. It is anticipated the auction will take place over a number of rounds, which may last several weeks. Further information is available from the DTI’s auction Web site on: . After each round, the status of the bidding in that round will appear on that Web site. Heather Rowe, Partner, Lovells, London

PricewaterhouseCoopers joins Safe Internet Foundation The Safe Internet Foundation (SIF) has announced that PricewaterhouseCoopers has become a founding member of its global initiative to make the Internet reliable, safe and secure for all users. As a founding member, PricewaterhouseCoopers will play an important role in the foundation’s development internationally — both at a board level and as a member of the independent commission that will oversee the development of the Safe Internet Suite of products and services. The Safe Internet Foundation aims to create an international platform of Internet suppliers and E-business specialists all focused on promoting the development and maintenance of a safe Internet. PricewaterhouseCoopers is one of the world’s leading professional services organizations and the company’s Global Risk Management Solutions operation has joined the Safe Internet

CLSR Briefing

Foundation as part of an ongoing programme of activities to position PricewaterhouseCoopers as a major provider of trust in the E-business and risk management arena. It will also support the Cyber Safety Network,a new global initiative that the Safe Internet Foundation has developed with the Safe America Foundation,aimed at making the Internet reliable, safe and secure for all users. The Safe Internet Foundation is planning a significant expansion during 2000, and is targeting the recruitment of 100 International members by the end of the year.As part of its activities, the Safe Internet Foundation will launch a SIF Suite of approved products and solutions that will combine to help Internet users protect themselves better against unwanted information, abuse of personal data, viruses and fraudulent payments. The SIF Suite of products will be available from the Foundation’s Web site at: . Editor’s Note: PricewaterhouseCooper () helps its clients to solve complex business problems and measurably enhance their ability to build value, manage risk and improve performance. Global Risk Management Solutions has over 5000 professionals worldwide who offer a comprehensive enterprisewide risk management service. The company helps its clients to develop risk management solutions that minimize hazard, resolve uncertainty and maximize opportunities. The original idea for the Safe Internet Foundation initiative came from Jan Baan who was keen to encourage the business world to develop safe Internet solutions. Working with the Internet Society Netherlands, the Foundation will promote solutions that actively contribute to the realization of a safe Internet.The foundation is also working with the Safe America Foundation to develop the Cyber Safety Network,a new global initiative aimed at making the Internet reliable, safe and secure for all users. For more information see the Safe Internet Foundation Web site at: .

Product news in brief * BT wins its biggest ever govern ment contract to set up police digital radio service. BT has announced that it

has been awarded a major £2.5 billion Government contract to provide a national digital radio service for Britain’s police forces. The Public Safety Radio Communications Project (PSRCP), awarded to BT, aims to provide all police forces in England, Wales and Scotland with fully digital, state-of-theart secure mobile radio communication services. It is BT’s biggest ever contract with the Government. The service will offer users ready access to the police national computer and other computerized databases. It will permit the transmission of photographs and graphics and provide greatly improved voice communications with key safety features for officers. Individual police forces will have access to a very high level of coverage designed to meet their individual needs. Sir lain Vallance, chairman of BT, said:“This project will deliver the most modern communications service anywhere in the world for emergency services and the wider public safety community. Together with the Home Office, the Police Information Technology Organization (PITO), and representatives of the emergency services, BT and its partners in Quadrant have worked extremely hard to make the vision of a national digital radio service a reality.This initiative will deliver improved efficiency and greater cooperation between the nation’s emergency service teams and the wider public safety community, brought about by a modern, efficient communications service.” * Web address at our fingertips. Everything you need to know about registering a .uk Web address can now be found in a free Guide to Registering a Domain Name. Available from Nominet UK, the national Registry for all Internet domain names ending .uk, the guide is written in easy-to-understand language. It contains a step-by-step guide through the Web address maze, including a brief introduction to Nominet UK and an explanation of the Domain Name System (DNS). Advice follows on how to choose and register a domain name through an Internet Service Provider (ISP), as well as information about what to do if a

domain name is already in use, or it needs to be renewed or cancelled. Businesses wanting a free copy of the guide should phone Nominet UK on +44 (0)865 332 233 or download a copy from: . (Acrobat Exchange will be required for downloading). * Butterworths to offer free training on online and CD products as part of Epublishing strategy. Butterworths Tolley, the leading publisher of legal and tax information, has announced that it is now offering free professional training on scheduled courses for subscribers to its online and CD products. The training is available for all of Butterworths’ electronic and online products, including core products Halsbury’s Laws,All England Direct and the Lexis-Nexis database. “We have decided to offer free training to our customers as part of our ongoing E-publishing education strategy”, said Ivan Darby, Executive Director at Butterworths Tolley. “We want to ensure that the transition from using books to using electronic services is as smooth and efficient as possible.” The CPD- and ClOT-approved training courses are designed to show subscribers how to make the most of Butterworths’ extensive range of online and CD products. Guidance is given on how to navigate, search and cross-reference the databases, and tutorials are supported with User Guides, Quick Reference Guides and Step-by-Step Search handouts. Help is also given on some of the more advanced features of the product range, such as the Additional Information facility, which shows amendments and updates to current law. “Within a very few years we will see the majority of reference works in electronic format. Legal information is ideally suited to E-publishing because it changes regularly, is heavily cross-referenced and answers need to be fast. Our services dramatically reduce the time spent searching for information — and it’s all available on the desktop”, added Darby. Courses will take place at Butterworths’ Head Office in Central London and a number of other locations throughout the UK.

207

CLSR Briefing

For more information, see the Butterworths’ Web site: or call the Training Hotline on Tel: +44 (0) 1932 334 836 or E-mail: [email protected]. * Companies urged not to waste information benefits of millennium investment. The independent management consultancy Insite Consulting has emphasized the need for businesses to recognize the ‘wealth of information’ they have acquired as a result of the Year 2000 continuity planning. In addition to limiting the potential risk to IT and related systems, Insite partner Ian Glover believes that “one of the most important — though less publicized — benefits accruing from this estimated US$450 billion investment, has been the increase in awareness and understanding of IT as a strategic boardroom issue”. Among the ways in which organizations can transfer what has been learnt to future projects are the following: • senior managers now have a better understanding of the processes which are core to the organization and of the broader importance of business continuity management; • structures and processes put in place to involve senior management in the effective invocation of business continuity plans should be maintained to ensure the effective running of the business in the event of a major disruption; • companies should have complete and accurate inventories of all equipment systems applications and properties prioritized in order of importance to the business. If still in place, duplicate, redundant or non-critical equipment can now be removed; • the inventory of individual buildings and associated activities of multi-site organizations may help to identify suitable locations that can now be used for in-house recovery facilities; • the business impact and risk analyses will have highlighted vulnerabilities in technology, infrastructure service and business processes that must be addressed; • revised workarounds identified for key business activities in the event of Y2K-related incidents — including resource requirements —

208

should be built into existing continuity plans whenever they remain applicable; • the clarification of inter-departmental and third party relationships and responsibilities will enable better supply chain management, and provide the opportunity for rationalization, partnership and outsourcing; and • improved communication with clients, suppliers and stakeholders should improve confidence in and perceived value of the company. Further information from Insite Consulting, Tel: +44 (0)1932 241 000, E-mail: [email protected]. Editor’s Note: Insite Consulting is an independent management and technical consultancy specializing in the management of business and technical risks in industry, commerce and government. * Concentric warns of new hacking threat to business. Concentric Software, distributor of the new antihacking programme, CyberSight, has warned of an entirely new and very powerful hacking utility that is just starting to appear. The new tool is an anti-firewall device, freely available from the Internet, based on HTTP bi-directional tunnelling which exploits port 80 access, the only port that a firewall defence system cannot shut off if the company requires Internet access. Port 80 has been the biggest threat to business integrity for some time, but the new hacking tool opens the window of opportunity further by enabling twoway service provision through the firewall, making this defence to all intents and purposes, wholly redundant. “Companies which have an IT policy to prevent downloading of pornography, MP3 files, freeware, screensavers and office circulars, and which use firewalls and encryption, could probably consider themselves 40% protected against potential violations under normal circumstances — which still, of course, makes them 60% vulnerable, and that’s if they could enforce their policies”, according to Mike Keep of Concentric. “Most couldn’t and were probably closer to 20% protected or, if you like, 80% at risk. But this new threat makes the business risk even more terrifying since not even the most stringent IT policy prevents legitimate

Computer Law & Security Report Vol. 16 no. 3 2000 ISSN 0267 3649/00/$20.00 © 2000 Elsevier Science Ltd. All rights reserved

Internet access, and that is all this hacking tool requires.” “Any hacking utility entering through port 80 is capable of blanking a Bios (Cmos) chip, causing physical damage which is costly to repair, or giving a user remote access to an entire business IT system, or recording confidential information through a personal laptop and then sending the voice file anywhere in the world.And that is just the tip of the iceberg.” For further information, including a demonstration of the product, contact Concentric at Tel: +44 (0)1604 679 393 or visit the Web site at: . * Recovery software for system crashes available. Centerprise International Ltd, the Hampshire-based provider, is offering, for the first time in the UK, a product called GoBack, designed to help companies recover from system crashes or from virus damage following a breakdown of their operations. GoBack retrieves deleted or modified files and undoes software installs by tracking hard drive activity and continuously monitoring changes saved to the hard disk. Unlike traditional back-up packages which often use large portions of the hard disk, the company claims that this product, developed in the United States, uses just 10% and does not impact on system performance. A new version for Windows NT/2000 is currently under development in addition to the versions created for Windows 95 and 98. GoBack can intervene to take the computer back in time to a moment five minutes, five hours or even five days before the crash, so returning the computer to the ‘safe state’ that existed before the error occurred. Further information from Centerprise International Ltd, Tel: +44 (0)1256 378 060; E-mail: GOBACK@ centerprise.co.uk; Web site: . * IT distributor chooses E-mail security solution. Northamber plc, the independent UK owned distributor of computer products had announced that it has selected TenFour’s TFS Secure Messaging Serve as its preferred E-mail security product. TFS Secure Messaging Server will be distributed through Northamber’s network of UK resellers. The product is designed to

CLSR Briefing

offer privacy and integrity for an organization’s E-mail and Web messaging. It provides a single point of control for managing an organization’s messaging security and helps to guard against the threat of E-mail security breaches which can lead to significant productivity and business losses. Commenting, Northamber software specialist Kulwant Mehli said: “E-mail security is not a luxury but a necessity to E-commerce solutions. Our resellers are looking for a complete turnkey E-mail solution.After assessing all the comparative products on the market,TenFour’s product stood out as offering the best total solution at a highly competitive price.” Further information from TenFour UK Ltd, Tel: +44 (0) 8707 330 104; Email: [email protected]; Web site: .

UNITED STATES Injunction granted to prevent circumvention of copyright Universal City Studios, Inc. et al., v Reimerdes, No.00 Civ. 0277 ((S.D.N.Y), 2 February, 2000) The District Court for the Southern District of New York has granted a preliminary injunction to prevent defendant Shawn Reimerdes and others from distributing, via the Internet, a computer program that enabled users to break the copy protection system installed on the plaintiffs’ digital versatile disks (DVDs).The plaintiffs in this case were eight major motion picture studios engaged in the distribution of motion pictures in DVD format. DVD’s hold full-length motion pictures and represent the latest technology for use in private homes. To prevent unauthorized reproduction and distribution of the DVD content, the plaintiffs introduced a content scramble system (CSS), which is an encryption-based security and authentication system requiring the use of appropriately configured hardware such as a DVD player or a computer DVD drive to encrypt, unscramble and play back, but not copy, motion pictures on DVDs. More than 4000 motion

pictures have now been released in this format with more than 40 titles a month being issued on DVDs. More than five million DVD players have been sold and DVD disk sales now exceed one million units per week. In October 1999, individuals, believed to be in Europe, managed to ‘hack’ CSS and began offering, via the Internet, a software utility called DeCSS enabling users to break the CSS copy protection system and, hence, make and distribute digital copies of DVD movies. On 29 December 1999, the licensor of CSS, DVD CCA, commenced a state court action in California for the misappropriation of its trade secrets as embodied in the DeCSS software.On the same day,the state court judge, without explanation, denied the plaintiffs’ motion for a temporary restraining order. Members of the hacking community then stepped up their efforts to distribute DeCSS to the widest possible audience in what seemed to be an attempt to preclude effective judicial relief. The present action was brought against defendants associated with Web sites distributing DeCSS at the time the plaintiffs moved for injunctive relief. None of the defendants submitted any evidence in opposition to the motion and the court in all the circumstances had therefore to conclude that the defendants had been personally involved in providing and distributing DeCSS over the Internet via the Web sites in question.

Irreparable harm The first requirement for injunctive relief was evidence of irreparable harm.The argument was that the defendants, by offering technologies that circumvented their copyright protection system, facilitated infringement. The court concluded that, just as in the case of direct copyright infringement, the extension of the harm the plaintiffs would suffer as a result of the defendants alleged activities could not be readily measured, suggesting that the injury truly would be irreparable.

Likelihood of success The second requirement was that the plaintiff should show either (1) a likelihood of success on the merits, or (2) sufficiently serious questions going to

the merits to make them fair grounds for litigation, and a balance of hardships tipping decidedly in its favour. The plaintiffs’ sole claim was for violation of the anti-circumvention provisions of the Digital Millennium Copyright Act (17 USC s1201 et sec) (DMCA). Plaintiffs argued that the posting of DeCSS violated Section 1201(a)(2) of the statute which prohibits unauthorized offering of products that circumvent technological measures that effectively control access to copyrighted works. On behalf of the defendants it was contended that the plaintiffs’ claim against all three defendants must be dismissed because the latter were not the owners of the Web sites containing the offending material, and therefore were not the ‘real parties in interest’. For this, they relied on Federal Rule 17, which states that every action should be prosecuted in the name of the real party in interest. Since the defendants had failed to submit affidavits or other materials indicating that they had nothing to do with the offending Web sites, the court must infer from the evidence before it that they were responsible for the content of the sites. The court then went on to consider the meaning of Section 1201(a)(2),which prohibited distribution of technology designed for the purpose of circumventing a technological measure that controlled access to a copyrighted work. It was perfectly clear in this case that CSS was a technological measure within its provisions and that DeCSS defeated the former and decrypted the copyrighted works without the authority of the owners.The court found the argument unpersuasive that DeCSS was not designed primarily to circumvent CSS. In consequence, it concluded that the plaintiffs had an extremely high likelihood of prevailing on the merits, unless the defendants’ activities came within one of the exceptions to the DMCA or, alternatively, unless there was a constitutional impediment to this conclusion. The defendants contended that their activities came within several exceptions contained in the DMCA and, therefore, constituted fair use under the Copyright Act.

Service provider exception A court rejected the claim of one defendant that his conduct fell under Section

209

CLSR Briefing

512(c) of the Copyright Act, which provides limited protection from liability for copyright infringement by certain service providers for information resident on a system or network owned or controlled by them. The defendant in question had offered no proof that he was a service provider within the meaning of the Act. Secondly, the relevant section provided protection only from liability for copyright infringement. This case concerned violation of Section 1201(a)(2), which applied only to circumvention products and technologies.

Reverse engineering exception The defendants claimed also to fall under Section 1201(f), which in effect provided that a person who had lawfully obtained the right to use the program circumvented the technical protection measures in order to analyse the elements of that program in order to achieve interoperability of an independently created program with other programs. This would be lawful under the so-called reverse engineering exception. Defendants contended that DeCSS was necessary to achieve interoperability between computers running on the Linux System and DVDs, and this exception, therefore, was satisfied. The court rejected this on the grounds, first, that the plaintiffs offered no evidence to support this assertion and, second, that, even assuming that DeCSS ran under Linux, it also runs under Windows — a far more widely used operating system — as well. It could not, therefore, reasonably be said that DeCSS was developed ‘for the sole purpose’ of achieving interoperability between Linux and DVDs. Moreover, the exception contained in Section 1201(f) permitted reverse engineering of copyright in computer programs and did not authorize circumvention of technological systems that control access to other copyrighted works, such as movies.

Encryption research Reference was next made to Section 1201(g), which provides an exception for good faith encryption research. In this instance, there had been a complete failure of proof by the defendants of the relevant factors under that

210

exception. It appeared to the court that DeCSS was being distributed in a manner specifically intended to facilitate copyright infringement. There was no evidence that the defendants had made any effort to provide the results of the DeCSS development to the copyright owners, and there was no suggestion that any of them made a good faith effort to obtain authorization from the copyright owners prior to their activities as required by the Act.

Security testing Defendants also contended that their actions should be considered exempt security testing under Section 102(j) of the statute. This exception was limited to the “assessing a computer, computer system or computer network solely for the purpose of good faith testing, investigating or correcting of a security flaw or vulnerability with the authorization of the owner or operator of such network system or computer network”. The court found that the record showed no evidence that DeCSS had anything to do with the testing of computers etc. and, therefore, this exception had no bearing on the present case.

Fair use In their memorandum, the defendants claimed, finally, that they were engaged in a fair use under Section 107 of the Copyright Act 1976.The court rejected this on the grounds that Section 107 provided, in critical part, that certain uses of copyrighted works that otherwise would be wrongful were “not infringements of copyright”. In this case, however, the defendants were not sued for copyright infringement but for offering to the public technology primarily designed to circumvent technological measures.

Constitutionality of DMCA Defendants then contended that the DeCSS computer program was protected speech and that the DMCA, at least in so far as it purported to prohibit the dissemination of DeCSS to the public, violated the First Amendment.As a preliminary matter, it was far from clear that DeCSS was speech protected by the First Amendment. Courts had con-

Computer Law & Security Report Vol. 16 no. 3 2000 ISSN 0267 3649/00/$20.00 © 2000 Elsevier Science Ltd. All rights reserved

sidered the question whether program code was constitutionally protected expression and had divided on the point. However, for the purposes of this motion, it would proceed on the basis that the executable code was sufficiently expressive to merit some constitutional protection. The court first of all concluded that there was no tension between free speech and protection of copyright.The court had found it to be accommodated fully by traditional fair use doctrine, with expression prohibited by the Copyright Act and not within the fair use exception considered unprotected by the First Amendment. However, the DMCA swept more broadly by prohibiting production and dissemination of technology that could circumvent measures taken to protect copyright, not merely by infringement of copyright itself.The court noted that the constitution granted Congress the power to do that which was necessary and proper to prevent others from publishing protected writing for the duration of the copyright. (See US Constitution, Article 1, Section 1 — Progress of Science and the Useful Arts). In enacting the DMCA, Congress found that the restriction of technologies for the circumvention of technological means of protecting copyrighted works “facilitates the robust development and worldwide expansion of electronic commerce, communications, research, development and education by making digital networks safe places to disseminate and exploit copyrighted materials”. In the court’s view, this could not be dismissed as an unreasonable objective. Section 1201(a)(2) of the DMCA, therefore, was a proper exercise of Congress’ power under the necessary and proper clause of the Constitution. The court then went on to consider the approach traditionally taken by the courts which have sought to balance the public interest in the restriction against the public interest in the kind of speech at issue. Basically, the issue was how much protection the speech at issue merits. The underlying rationale for the challenged regulation should be examined to assess how best to accommodate the relative weights of the interests in free speech and the regulation. In the present case, the plaintiffs were eight motion picture studios which together were largely

CLSR Briefing

responsible for the development of the American film industry. Their products reached hundreds of millions of viewers internationally, and doubtless were responsible for a substantial proportion of the revenue in the international film industry each year.To doubt the contribution of the plaintiffs in the progress of the Arts, said the court, would be absurd. DVDs were the newest way to distribute motion pictures to the home market and their popularity was growing rapidly.The security of DVD technology was central to the continued distribution of motion pictures in this format. Accordingly, “the dissemination and use of circumvention technologies such as DeCSS would permit anyone to make flawless copies of DVDs at little expense. Without effective limits on these technologies, copyright protection in the context of DVDs would become meaningless and the continued marketing of DVDs impractical. This obviously would discourage artistic progress and undermine the goals of copyright”. The court went on to reject allegations that the application of the DMCA to prohibit production and dissemination of DeCSS violated the First Amendment. In addition, there was no evidence that the DMCA was “vague on its face and as applied” as suggested in the defendants’ memorandum. The court also rejected any suggestion that the ‘prior restraint’ doctrine — that any system of prior restraints of expression should come to the court bearing a heavy presumption against its constitutional validity — required denial of the preliminary injunction in this case. Accordingly the plaintiffs’ motion would be granted.

Appeal Court holds intermediate copying to be fair use Sony Computer Entertainment v Connectix Corporation, No.9915852 (9th Cir., 10 February 2000) The Ninth Circuit Court of Appeals has reversed a district court decision (see: [1999] 15 CLSR 352) and dissolved an injunction against defendant Connectix Corporation who copied plaintiff Sony’s copyright BIOS software while

developing a Virtual Game Station (VGS) that ‘emulated’ the functioning of the Sony PlayStation console. The case arose when the defendant was found to have repeatedly copied Sony’s basis input output software (BIOS) during a process of ‘reverse engineering’ that the defendant conducted in order to find out how the Sony PlayStation worked. Sony claimed infringement and sought a preliminary injunction. The district court concluded that Sony was likely to succeed on its infringement claim because Connectix’s “intermediate copying was not a protected ‘fair use’ under 17 USC Section 107 of the Copyright Act 1976”.The district court enjoined Connectix from selling the Virtual Game Station or from copying or using the Sony BIOS code in the development of other virtual game station products. Connectix began developing VGS for Macintosh in July 1998. In order to develop a PlayStation emulator, it needed to emulate both the PlayStation hardware and the firmware (the Sony BIOS). A PlayStation console was purchased and the BIOS extracted from the chip inside the console. Connectix engineers then copied the BIOS into the random access memory (RAM) of their computers and observed the functioning of the BIOS in conjunction with the VGS hardware emulation software. This was done through the use of a debugging program that permitted the engineers to observe the signals sent between the BIOS and the hardware emulation software. Additional copies of the Sony BIOS were made every time they booted up their computer and the BIOS was loaded into RAM. Once the hardware emulation software was developed, the engineers also used the BIOS to ‘debug’ the emulation software. In doing so, they again repeatedly copied and disassembled discreet portions of the Sony BIOS. Similar activities took place in commencing development of the VGS for Windows. Action commenced in January 1999 when Sony filed a complaint alleging copyright infringement and other courses of action against Connectix. The district court was persuaded by Sony’s claims and impounded all Connectix’s copies of the Sony BIOS and all copies of works based upon or incorporating the BIOS. It is against this order that Connectix appealed.

Fair use analysis is set out in the US Copyright Act of 1976 (17 USC s107.5) in Sega Enterprises Ltd v Accolade Inc. (977 F.2d 1510 (9th Cir., 1993)). The court ruled that:“where disassembly is the only way to gain access to the ideas and functional elements embodied in a copyrighted computer program, and where there is a legitimate reason for seeking such access, disassembly is a fair use of the copyrighted work, as a matter of law.” Based on the Sega decision, the court then went on to consider the statutory fair use factors as informed by that case.

Nature of the copyrighted work On the first issue, the court noted that some works were closer to the core of intended copyright protection than others. It concluded that Sony’s BIOS lay at a distance from the core because it contained unprotected aspects that could not be examined without copying. Sony admitted that little technical information about the functionality of the BIOS was publicly available. It was an internal operating system that did not produce a screen display to reflect its functioning. Consequently, if Connectix was to gain access to the functional elements of the BIOS, it had to be through a form of reverse engineering that required copying of the Sony BIOS into a computer.The issue then became whether the methods by which Connectix reverse engineered the Sony BIOS were necessary to gain access to the unprotected functional elements within the program.The court concluded that they were. Connectix had employed several methods of reverse engineering (observation and observation with partial disassembly), each of which required Connectix to make intermediate copies of copyrighted material. Neither of these methods rendered fair use protection inapplicable. In the appeal court’s view, the district court had not focused on whether Connectix’s copying of the BIOS was necessary for access to functional elements. Instead it found that the defendant’s copying and use of the BIOS to develop its own software exceeded the scope of the decision in Sega. It was true that Sega referred to “studying or examining the unprotected aspects of a copyrighted computer program” (977 F.2 at 1520), but, in Sega, Accolade’s copying, observation and disassembly

211

CLSR Briefing

of the Sega game cartridges was held to be fair use, even though Accolade “loaded and disassembled code back into a computer, and experimented to discover the interface specifications for the Genesis console by modifying the programs and studying the results”.The distinction between ‘studying’ and ‘use’ was unsupported in Sega. Reverse engineering was technically complex, frequently iterative process and there should be no semantic distinction between ‘studying’ and ‘use’. The court also rejected Sony’s argument that Connectix infringed the Sony copyright by repeatedly observing the Sony BIOS in an emulated environment, thereby making repeated copies of the Sony BIOS. Instead, the defendant’s engineers could have disassembled the entire Sony BIOS first, then written their own Connectix BIOS and used the Connectix BIOS to develop the VGS hardware emulation software.The court recognized this argument but declared it did not aid Sony. It was not inclined to supervise the engineering solutions of software companies in minute detail, and it did not want a software engineer faced with two engineering solutions that each required intermediate copying of protected and unprotected material to follow the least efficient solution.

Amount and substantiality of the portion used On this point, Connectix had disassembled parts of the Sony BIOS and copied the entire BIOS multiple times.This factor weighed against Connectix, but the court noted, as in the Sega decision, that this factor carried “very little weight” in a case of intermediate infringement when the final product did not itself include such infringing material. (Sega at 977 F.2d at 1526-27).

Purpose and character of the use The nature of this enquiry was to ascertain whether Connectix’s VGS “merely supercedes the objects of the original creation, or instead adds something new, with a further purpose or different character, altering the first with new expression, meaning, or message; it asks, in other words, whether and to what extent the new work is ‘transformative’”. The appeal court found that VGS was modestly transformative. It

212

created a new platform, the personal computer, on which consumers could play games designed for the Sony PlayStation. This innovation afforded opportunities for game play in new environments, specifically anywhere a Sony PlayStation console and television were not available but a computer with a CD-ROM drive was. Moreover, the VGS itself was a wholly new product, notwithstanding the similarity of uses and functions between the PlayStation and VGS. The expressive element of software lay as much in the organization and structure of the object code that ran the computer as it did in the visual expression of that code that appeared on the computer screen. Since Sony did not claim that the VGS itself contained object code that infringed Sony’s copyright, the court was at a loss to see how Connectix’s drafting of entirely new object code for its VGS program could not be transformative, despite the similarities in function and screen output. The court also had to weigh the extent of any transformation in Connectix’s VGS against the significance of other factors including commercialism that militated against fair use. (See Acuff-Rose, 510 US at 579). Connectix’s commercial use of the copyrighted material was an intermediate one, and thus was only “indirect or derivative”. (SSega, 977 F.2d at 1522). Moreover, Connectix had reverse engineered the Sony BIOS to produce a product that would be compatible with games designed for the Sony PlayStation.The district court had ruled that VGS was not transformative on the rationale that a computer screen and a television screen are interchangeable and the Connectix product therefore merely “supplants” the Sony PlayStation console. In the appeal court’s view, this was a clear error. VGS was transformative and did not merely supplant the PlayStation console. The district court had failed to consider the expressive element of the VGS software itself.

Effect of the use upon the potential market The court also found that the fourth factor — the effect of the use upon the potential market — favoured Connectix. Under this factor, the court considers “not only the extent of mar-

Computer Law & Security Report Vol. 16 no. 3 2000 ISSN 0267 3649/00/$20.00 © 2000 Elsevier Science Ltd. All rights reserved

ket harm caused by the particular actions of the alleged infringer, but also ‘whether unrestricted and widespread conduct of the sort engaged in by the defendant…would result in a substantially adverse impact on the potential Acuff-Rose, market’ for the original”. (A 510 US at 590). The court found that, whereas a work that merely supplants or supercedes another is likely to cause a substantially adverse impact on the potential market of the original, a transformative work is less likely to do so. It had instead become a legitimate competitor in the market for PlayStations on which Sony and Sony licensed games could be played. Some economic loss by Sony, as a result of this competition, did not compel a finding of no fair use. Sony understandably sought control over the market for devices that play games Sony produces or licenses. However, copyright law did not confer such a monopoly.An attempt to monopolize the market by making it impossible for others to compete ran counter to the statutory purpose of promoting creative expression and could not constitute a strong equitable basis for resisting the invocation of the fair use doctrine (SSega at 1523-24). This factor favoured Connectix. Looking at the statutory fair use factors, three favoured Connectix and one favoured Sony, although the latter was of little weight. Accordingly, the court concluded that Connectix intermediate copying of the Sony BIOS during the course of its reverse engineering of that product was a fair use under 17 USC Section 107 as a matter of law. Sony has not established a likelihood of success on the merits or that a balance of hardship tipped in its favour. The court also reversed the district court’s finding that Connectix’s VGS had tarnished the Sony PlayStation mark.

Anti-cybersquatting Consumer Protection Act applied for the first time The US Court of Appeal for the Second Circuit has, for the first time, applied the new Anti-cybersquatting Consumer Protection Act in a domain name dispute that was originally heard under the Trade Mark Dilution Act.Congress had between the first instance hearing and the appeal

CLSR Briefing

passed the new law.In Sporty’s Farm Llc v Sportman’s Market Inc. (No.98-7452 (2d Cir., 2 February 2000)), the court found that a mail order company selling scientific process measuring equipment, by the name of Omega, that had registered the domain name Sportys.com had acted with bad faith with intent to profit from the domain name contrary to the rights of Sportsman’s Market Inc.— a mail order catalogue company selling products to pilots and aviation enthusiasts that had used the logo ‘Sporty’ since the 1960s. The court ordered Omega to release their interest in Sportys.com and to transfer the name to Sportsman, and not to obstruct Sportman’s efforts to obtain the domain name.That relief, originally granted under the Trade Mark Dilution Act, remained appropriate under the new legislation.

EPIC files FTC complaint against double click alleging ‘deceptive and unfair trade practices’ in online data collection The Electronic Privacy Information Center (EPIC) has filed a complaint with the Federal Trade Commission concerning the information collection practices of DoubleClick Inc., a leading Internet advertising firm, and its business partners. The complaint alleges that DoubleClick unlawfully tracked the online activities of Internet users and combined surfing records with detailed personal profiles contained in a national marketing database. EPIC is asking the FTC to investigate the practices of the company, to destroy all records wrongfully obtained, to invoke civil penalties, and to enjoin the firm from violating the Federal Trade Commission Act. The EPIC complaint follows the merger of Doubleclick and Abacus Direct, the country’s largest catalogue database firm. Doubleclick had announced its intention to combine anonymous Internet profiles in the Doubleclick database with the personal information contained in the Abacus database. EPIC’s complaint alleges that the DoubleClick merger of the two databases violates the company’s assurances that the information it collects on Internet users would remain anony-

mous, and that the data collection was therefore unfair and deceptive. EPIC also charges that the company has failed to follow its revised privacy policy and that this is also unfair. Marc Rotenberg, Executive Director of EPIC, said: “This complaint against Doubleclick is a critical test of the current state of privacy protection in the United States. We are looking to the Federal Trade Commission to see whether companies that break their promises and collect personal information in an unfair and deceptive manner will be held accountable.” David Sobel, EPIC’s General Counsel, said that “today’s complaint raises fundamental issues involving electronic commerce.” He noted that “much of the information collection that occurs on the Internet is invisible to the consumer, which raises serious questions of fairness and informed consent”. The Electronic Privacy Information Center is a public interest research organization in Washington, DC. EPIC’s activities include the review of governmental and private sector policies and practices to determine their possible impacts on individual privacy interests. The text of EPIC’s complaint against DoubleClick is available online at:

Report on unlawful conduct and the use of the Internet published A report entitled The Electronic Frontier: the Challenge of Unlawful Conduct Involving the Use of the Internet has been published by the President’s Working Group on Unlawful Conduct on the Internet. See: .The aim of this document is to provide an initial analysis of legal and policy issues surrounding the use of the Internet for illegal purposes. Specifically, the working group considered: “(1) the extent to which existing federal laws are sufficient to address unlawful conduct involving the use of the Internet; (2) the extent to which new tools, capabilities or legal authorities may be needed for effective investigation and prosecution of such conduct; and (3) the potential for using education and empowerment tools to

minimize the risks from such conduct.” The working group recommends a three-part strategy for addressing the issue. First, it suggests that such conduct should be treated similarly to the way in which offline conduct is treated; second, that law enforcement needs should be recognized as significant with provision of new investigative tools and capabilities — this to include co-ordination with and among federal, state and local law enforcement agencies, and with and among international agencies; and, third, that there should be continued support for industry selfregulation and the development of methods designed to educate and empower Internet users to minimize the risk of unlawful activity. The American Civil Liberties Union has written to the Attorney General to raise a number of civil liberties concerns that it has with the report. These include issues such as anonymity on the Internet; distinctions between protections afforded electronic communications as opposed to voice communications; and possible expansion of government powers to intercept surreptitiously more and more personal electronic communications. ACLU also expresses concern that the report finds fault with current laws that protect First-Amendment protected activities and the virtual absence of statistics on the extent of computer-related crime or whether such activity poses a truly significant threat to the United States. It also notes that the report finds few specifics as to how current systems could be better protected through the use of various promising technologies (including encryption)). A copy of the letter can be found at: .

EUROPEAN UNION European Commission investigation into mobile roaming ‘Mobile roaming’ takes place when customers use their mobile telephone handsets on different mobile networks other than the one to which they subscribe. Contractually, mobile roaming is based on bilateral roaming agreements

213

CLSR Briefing

between different mobile operators and service providers. However, although mobile operators can enter into roaming agreements with a number of different mobile operators in most European countries, the European Commission has indicated that competitive wholesale and retail roaming does not appear to be emerging as it should. In July 1999, the Commission decided to open a sector enquiry across the European Union covering three areas in telecommunications, leased lines, mobile roaming and the provision of access to and use of the residential local loop. Parallel enquiries were also taking place in the EFTA countries as well. The European Commission has now (February 2000) sent out formal information requests as part of its investigation under the Competition Rules to the cost and terms of national and international mobile roaming. These requests have been sent out right across the EU to over 200 operators, competition authorities and telecommunications regulators — with a two-month deadline to reply. The basis for these information requests is Article 12 of the procedural regulation that implements Articles 81 and 82 of the European Treaty (which enables the Commission to initiate enquiries into sectors of the economy where it believes competition may be restricted or distorted). Once a formal investigation has started, the Commission has power to request necessary information from Member States, Governments and relevant authorities, as well as from companies, and may fine companies or associations of undertakings if they supply incorrect information or refuse to reply, or fail to meet any deadline stipulated. Heather Rowe, Partner, Lovells, London

EC to examine impact of Windows 2000 on competition The Competition Directorate General of the European Commission has made a formal request to Microsoft for information about the technical features governing Windows 2000. This follows allegations from small and mediumsized enterprises active in the IT sector,

214

being competitors of Microsoft, that Microsoft had designed its Windows 2000 product in a way that would ensure its continued dominance in the market for PC operating systems. The complaints suggests that Microsoft has bundled its PC operating system with its own server software and other Microsoft software products in such a manner that only Microsoft’s own brand products are fully interoperable. This concerns, in particular, ‘middleware’ which provides the functionality necessary to enhance the capability of client/server operating systems such as back-office or security tasks.The allegations from Microsoft’s competitors are that, because of these developments, they are put at a competitive disadvantage which ultimately will permit Microsoft to extend its dominance in the PC operating system market and extend this to the linked markets for server operating system software and ‘middleware’. The suggestion is made that customers would be obliged to purchase Windows 2000 for servers so that they can be sure that all the functionalities embedded in Windows 2000 are fully useable. The present position is that the Competition Directorate has formally requested information from Microsoft under EC competition rules. The European Commission will then decide whether there is prima facie case to be answered.

Access to environmental information: Commission takes Belgium and France to court The European Commission has decided to bring Belgium and France before the European Court of Justice for failing properly to transpose the Access to Environmental Information Directive into their national legislation. The case against Belgium concerns a clause in the Belgian legislation that allows the authorities to reject requests for environmental information without giving reasons.This is contradictory to the Directive. The French legislation also falls short of the Directive’s provision on this issue,as well as on several other issues. EU environmental policy recognizes that citizens’ information and

Computer Law & Security Report Vol. 16 no. 3 2000 ISSN 0267 3649/00/$20.00 © 2000 Elsevier Science Ltd. All rights reserved

participation are crucial to raising environmental awareness and to promoting best environmental practice. EU rules on access to environmental information (Council Directive 90/313/EEC) reflect this by creating a general right of access to environmental information held by public authorities. The decision concerning Belgium results from the investigation of a complaint that the Belgian legislation allowed for an implicit refusal of an information request, whereas the directive requires that the reasons for refusal should be stated. The decision concerning France stems from an investigation made by the Commission on its own initiative and which led to the identification of several problems: French legislation does not cover as much information as the directive; allows the refusal of access to information in cases not foreseen by the directive; has not transposed the directive setting out conditions for refusing access in certain cases; and allows for an implicit refusal of an information request. Environment Commissioner Margot Wallström declared:“It is important that citizens can have free access to environmental information, as this liberty tends more and more to become a fundamental right.”

Common position agreed on proposal for E-commerce directive On 29 February a common position was reached on the proposal for a directive to harmonize aspects of law relating to the development of E-commerce. The proposed directive is designed to enhance the ability of businesses and citizens to supply and receive ‘Information Society services’ throughout the European Union, irrespective of frontiers. The rules will include a definition of where operators are established, transparency in information requirements for operators and for commercial communications, the treatment of electronic contracts, liability of intermediary service providers, out-of-court dispute settlement, court actions and the role of and co-operation between national authorities. The directive will also build on

CLSR Briefing

existing Community instruments dealing with consumer protection. In the main the directive establishes that Information Society services will remain subject to national law where the provider is established, and that other Member States, where such services can be received, must not restrict the freedom of businesses or citizens to provide these services.The most significant changes agreed to by the Commission concern the complete deletion of comitology in all relevant areas and the treatment of electronic contracts where the clarification of the moment of contract formation has been deleted. A copy of the common position (SEC (2000) 386 final) is available at:

Proposals to modernize postal services imminent A directive to open postal services to competition in the internal market will be proposed before the end of June, according to Commissioner Frits Bolkestein.The proposal will set a clear course and timetable for further market access. Restructuring of postal services, including the separation of regulator and operator, is well under way in many Member States, but the Commissioner believes that some government and universal service providers have sought to increase their reliance on exclusive rights. According to the Commissioner, such an approach carries the risk of further distorting and destabilizing the internal market. The proposal will address issues such as the definition of reserved areas (where an operator has exclusive rights), with maximum weight and minimum price limit; whether or not to include direct mail and cross-border mail in the reserved area; and how postal monopolies are allowed to remain in existence.

E-SIGN workshop chair appointed Hans Nilsson, professional services team leader at PKI solutions developer iD2 Technologies, has been elected chairman of E-SIGN, a standardization workshop designed to aid the introduction of electronic signatures in accor-

dance with the newly adopted European Directive on Electronic Signatures. Established by the European standards body CEN/ISSS, E-SIGN aims to build functional standards for signature creation and verification products as well as quality standards for Certification Authorities (CAs), providing a common level of security on an international level. The E-SIGN workshop will be responsible for supporting the European Directive’s requirements for trustworthy systems and products used by CAs; secure signature creation devices such as smart cards; guidelines for signature creation and verification; and the assessment of signature products and services, providing a common level of security on an international level. Hans Nilsson commented: “Although several standardization projects have been launched in the past, on both national and international levels, results have always lacked the necessary consistency for cross-border recognition. E-SIGN has an important role to play in ensuring that, as far as possible, a legal framework can be built upon standards and voluntary agreements. The ultimate goal of all members is to establish legally recognized electronic signatures not just in Europe but internationally.” E-SIGN comprises over 80 experts representing service providers,accreditation and national standards bodies,manufacturers, legal experts and academia. The E-SIGN workshop intends to finish its standardization work well before the end of 2000, in order to enable vendors to develop compliant products before the Electronic Signature directive’s implementation in mid 2001. Editor’s Note: iD2 Technologies develops and sells tools and software to enable secure transactions and identification on the Internet. The company, owned by Cisco, Ericsson, Reuters, SAP and Schroder Ventures, has clients in banking, telecommunications, government and postal services throughout Europe and Asia. The company has offices in Stockholm, London and Munich. More information on iD2 can be found at . For more information on the EESSI framework and the CEN Workshop can be found at .

OTHER NEWS IN BRIEF ITU to re-engineer for the future A 27-member reform advisory panel, comprised of ministers and other senior government officials,industry CEOs,regulators and operators have met in Geneva to agree on the key principles that should guide the reform of the International Telecommunication Union. The group was set up by the ITU Secretary-General Yoshio Utsumi to advise him on how to chart the future of the ITU. In a radical departure from traditional approaches, the group sought the views of top-level representatives from a cross-section of converging industries — the Internet, entertainment and media, telecoms and information technology. Discussion focused on topics ranging from the nature of the organization, its mission, it stewardship of scarce resources,to policy development and co-ordination and the role of the ITU as a neutral third party. Commenting,the Chief Executive Officer of Sony Corporation said:“We are moving to a world where bandwidth will be plenty, accessible to all, and where data and voice together with wireless technology and E-commerce platforms will all combine in an all-pervasive communications system.” ITU’s role in these developments is the cornerstone of the reform agenda. While it was recognized that the Internet had evolved without formal structure or government regulation,the question as to whether it could continue the same way in the future was raised. As the Internet itself is branching into telecoms, whether in voice telephony, mobile communications or digital broadcasting, there was clearly a role for the ITU, said the panel. The proposals go forward to the next meeting of the ITU working group.

Director-General calls for closer parliamentary involvement in WTO matters The World Trade Organization Director-General, Mike Moore, has told the European Parliament that he welcomes closer involvement and scrutiny by parliaments in the activities,

215

CLSR Briefing

discussions and other work of the World Trade Organization. Addressing the Committee on Development and Co-operation in Brussels, Mr Moore said that closer involvement by parliaments and congresses was necessary, not only because these legislatures must ratify WTO agreements, but also because they are the best representatives of civil society. Commenting, he said: “Our agreements must be agreed by governments and ratified by Parliaments. We all need to be more accountable. Parliaments and congresses sustain governments. Public opinion sustains governments. Elected representatives are the main expression of civil society. Their support is measured, they are accountable, they need to be more involved.This is a real way in which we can counter some of the anxieties about globalization and public alienation. Elected representatives have a responsibility to become more involved, hold hearings, scrutinize where the tax payer’s money is going and ensure that the great international institutions created to manage global affairs have the moral authority that comes from the ownership and participation of member governments.” Editor’s Note: The WTO Web site can be found at: .













OECD publishes Information Technology Outlook 2000 The Organization for Economic Cooperation and Development has published its outlook for supply and demand for information technology goods and services for the year 2000. The report focuses on their role in the expanding Internet economy and looks at emerging uses of IT.This reflects the spread and diversity of a technology that is underpinning economic and social transformation.The report makes use of new official national sources of data, which are becoming available as statistical mapping of the information economy improves. Specifically, the report addresses the following: • The importance of information and communication technologies (ICT)

216





in national economies, their drivers and impacts (Chapter 1). The development of information technology markets, market structure and market dynamics, and the drivers of market expansion (Chapter 2). Links between the use of information technologies (notably PCs) and developments in network infrastructure and the potential uptake of electronic commerce and other applications which use enhanced computing and network capabilities (Chapter 3). The increasing ubiquity of electronic payments and the issues surrounding trust with respect to various payment methods (Chapter 4). OECD countries’ policies for testing new electronic financial transaction technologies and increasing their rate of diffusion to complement private sector technology development (Chapter 5). India, as an example of the strategies of non-OECD countries for developing a viable software industry (Chapter 6). Characteristics, uses and development of intelligent agent technologies as tools to exploit the enormous amount of commercial and non-commercial information available on the Internet (Chapter 7). The development and growth of global navigation systems that make possible increasingly precise geographical location and their incorporation in the global information infrastructure (Chapter 8). The development and likely pattern of uptake of the less cumbersome and more portable flat panel display technologies that underpin broadbased applications requiring digital display and interactive access (Chapter 9). Statistical profiles of the development of the information economy in 12 OECD countries, along with a summary of national policies underpinning the development of the information economy. The highlights, table of contents and sample graphs are available on the Web site, along with IT policy profiles for most OECD countries, at:

Computer Law & Security Report Vol. 16 no. 3 2000 ISSN 0267 3649/00/$20.00 © 2000 Elsevier Science Ltd. All rights reserved

.

DIARY * Understanding E-commerce — the Opportunities, Benefits and Pitfalls: 17 May 2000; London; Hawksmere; Tel: +44 (0)207 881 1817 or Fax: +44 (0)207 730 4293; E-mail: leon@hawksmere. co.uk. * Combating Financial Fraud on the Internet — How to Create a Safe Infrastructure to do E-business: 18 May 2000; London; International Conference Group;Tel: +44 (0)20 8743 8787 or Fax: +44 (0)20 8740 1717; Email: [email protected]. * Internet Law and Liability — Legal Internet Forum 2000: 22–23 May 2000; Geneva; Vision in Business Ltd;Tel: +44 (0)207 839 8391 or Fax: +44 (0)207 839 3777; E-mail: bookings@ visibis1.demon.co.uk. 21st century * Combating Commercial Fraud Inaugural ICC Lecture, Stationers Hall, London, 16 May 2000;Tel: +44 (0)20 8591 3000; Email: CCS @ icc-ccs.org. * 7th Annual Conference — Business Technology Outsourcing : 5–6 June 2000; Claridge’s, London; IBC Global Conference Ltd; Tel: +44 (0)171 453 5492 or Fax: +44 (0)171 636 6858; Email: [email protected]. * 1999 Review — The Practical Implications for European Telecoms Regulation: 7–8 June 2000; Brussels; Vision in Business Ltd;Tel:+44 (0)207 839 8391 or Fax:+44 (0)207 839 3777;E-mail: [email protected]. * Negotiating Telecoms Contracts — A Practical, Highly Interactive, Two-day Course: 12–13 June 2000; London; IBC Global Conference Ltd; Tel: +44 (0)171 453 5492 or Fax: +44 (0)171 636 6858; Email: [email protected]. * Privacy Laws & Business 13th Annual International Conference Cambridge, 3-5 July;Tel +44 (0) 20 423 1300; E-mail: info@privacy laws.co.uk; . * Negotiating IT Contracts 2000: 5–6 July; London; IBC Global Conferences Ltd; Tel: +44 (0)20 7453 5492 or Fax: +44 (0)20 7636 6858; E-mail: [email protected].