Just to pick up a few points, working from the UK implementation of the EU directive, the Data Protection Act 1998:
The Data Protection legislation covers paper records as well as computer records.
It doesn't extend to anything done other than in the course of a business, so your phone numbers stored in your mobile aren't covered. Incidentally, some of mine are, since they're client's numbers.
The data has to be personal data - data from which a person could be identified, however tangentially.
The data has to relate to a "data subject", a term which is defined in the legislation to mean more or less anything capable of passing as human. (Yes, that is flippant. No, it's not inaccurate.)
Sensitive personal data is a subset of personal data, and it's defined by reference to a list of subject matters: race, religion, political affiliation, membership of trade union, mental and physical health and sexual orientation being the ones I can remember without making the thirty-yard trek to the shelf where my copy of the Act is.
Sensitive Personal data cannot be collected without the explicit consent of the subject without committing an offence, subject to some tightly-drawn exceptions.
The restrictions on processing personal and sensitive personal data when you get it are governed by the Data Protection Principles. See Schedule 1 to the Act for details. Interpretation of the Principles is in Part II to Schedule 1 and further supporting material appears in Schedules 2 and onward.
The Data Protection Registrar has already indicated that "opt-outs" for mailing lists do not amount to fair data processing. That's right, spam just became a criminal offence again. Enforcement is another matter, I shouldn't wonder.
This item deliberately left blank.
Data Controllers (the people who actually carry the can for data processing) have to register as such, disclosing publicly on this register what sort of data they collect, from what kind of people and what they do with it.
Part of the registration, which must be renewed annually, is a statement of the security precautions the data controller has taken. They aren't onerous - indeed, I'd regard them as the minimum necessary. However, the actual implementation in practice among my clients - honourable exceptions apart - is woeful at best.
Essentially, the standards may be set higher over this side of the Atlantic, but the actual performance means that the practical difference for the time being is nil.
Anyone in the UK with an expertise in basic computer security has a prime opportunity to make some money selling advice to just about every commercial concern on mainland Britain. And, no doubt, the same goes for the rest of the EU.
AndrewD
Slight disclaimer: don't rely on the above as legal advice for your particular circumstances. I'm only qualified to advise in the UK on English law, and what appears here is only a broad outline statement of that law. In short, relying on comment postings on /. to take business decisions that might cost you money is your own affair and don't come crying to me if it all goes horribly wrong.
Small hint, tip or suggestion: when filling out registration forms, tick the lowest income box on the form to get ignored (peasants make poor marketing targets) and the highest income box to make sure your junk data corrupts the sample.
It is by these methods that I have acquired my fine collection of credit offers in the name of Bhagwan Sree Dennis, and a building materials catalogue offering tools and hardware to the Kzinti War Fleet.
Alternatively, fill in your details as Hugh G. Rection and list the editorial office of your favourite member of the yellow press as a care-of address.
Provided you aren't providing false details in order to obtain anything, you're fine.
I think you're confusing the innocence of the source of the pads - which could be more or less anything, as you correctly point out - with the innocence or otherwise of actually turning that source material into pads. Sure, the judge's own personal site (and the thought of a judge maintaining a personal site is one that amuses me no end, dealing with judges as I do on a regular basis) might have been turned into a pad, but that doesn't involve him in the scheme.
As I understand the scheme, the creation of pads involves taking the source material, innocent or otherwise, and mashing it up to make something that looks a lot like noise. That, and the act of making the pad available to form the component of other messages, are the acts that go to creating the scheme.
In the case of the judge's page, the only person it actually involves is the person who did the necessary acts to turn that page into a pad (and never mind the fact that the derivative work that is the pad might well infringe the judge's copyright in the page).
No, what the prosecution has to show is that these particular pads - whatever else they might be a part of - are a part of a piece of content the publication of which is a criminal offence.
Showing what the content is is trivial: the means for turning pads into readable material is freely available and the combination of pads that make up the offending message must have been publicised somewhere. Interesting point: does publishing a list of pads that can be turned into document X amount to publication of Document X? Almost certainly no case-law on that anywhere, but the common-sense answer is that it does.
Back in court, the next step is to show that the defendant, whether alone or jointly with others, published the offending material. Provided you have one or more of the pads that go to make up the offending message on your site, server or what-have-you, freely available for download to the public, you're caught.
Intent is the tricky part. The prosecution has to show that you knew or ought to have known that the mess of noise you maintain on your site was likely to be used to disseminate material the publication of which amounted to a criminal offence.
That, I have to say, is an issue of jury sympathy and I think that it more or less depends on what it was they prosecuted the defendant for publishing. Unkind remarks about politicians, and the prosecution gets laughed out of court. Porn involving the mutilation of small children and kittens, and you're in trouble.
I think the moral of the story is that technology does not and probably never will be much good at solving political problems.
There's a serious product liability issue here, as well.
Speaking from the UK perspective, the UCITRA passing into law would have had me ordering a rifle by mail-order and looking for a handy book depository to perch on.
Those EULA, Shrink-wrap, click "I agree" widgets and so on have always been at best doubtful to incorporate disclaimers and terms between a software company and a business end user and - what with the Unfair Contract Terms Act - totally useless as regards the consumer here in the UK in so far as the manufacturer couldn't persuade a judge that they were fair and reasonable.
Which, frankly, they mostly ain't. There's usually a clause in there that states that the software is supplied "as is" and as such the manufacturer, supplier or what-have-you cannot be liable in any way, shape or form for the product's failure to perform as advertised or, indeed, at all. As it happens, it's more or less completely impossible to rely in a UK court on a term that excludes your liability to actually perform on your contract (which, at the end of the day, is to deliver working software).
Not that it makes a blind bit of difference: most of the customers don't sue anyway.
I have been perennially annoyed by the willingness of clients to simply grin and eat excrement when supplied with lousy software. I have a client now on the brink of taking a supplier to court after eighteen months of misery for their stock-control, accounting and payroll department.
Had I been supplied with the dreck they got for somewhere north of four grand - and this is four grand sterling, mind, not your johnny foreigner funny-money - I would have been round the manufacturer's premises frothing at the mouth and calling their MD out to give satisfaction at dawn.
My client, on the other hand, ran its business on spit and string for the last quarter of 1999 and the whole of 2000, after having done without computerised stock control - which they'd paid for! - since March 1998.
Only now do they decide to come to me, having thrown another couple of grand down the u-bend on trying to sort the mess out. And they wouldn't have done that if the supplier's proposed settlement was simply to sell them a different system at a slight discount.
Naturally, I shall be taking that "software supplied as is" clause and ramming it where it'll do some good, but it no longer surprises me that the software-selling community gets unbelievably arrogant with its customers.
The moral? If you behave like a serf, you shouldn't be surprised if you get kicked like one.
AndrewD
Re:Why You Need to Read the Risks Forum, on Mattel Spyware · Score: 1
I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format.... suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written.
If I had a penny for every time someone in my profession made a bone-headed error like this in the use of IT, I'd be posting this from the Cayman Islands. Or rather, I probably wouldn't. I'd be able to pay someone to post it for me...
It's worth pointing out, though, that the reason this happened wasn't the technology as such, but the fact that the lawyer concerned regarded the use of a word-processor as beneath his/her dignity.
You'd be amazed (actually, you probably wouldn't, you probably know the same kind of people as me) at how many people in professional and managerial positions regard the use of IT as something the peons do. It goes like this:
My secretary uses the word-processor. She is socially inferior to me. Ergo, use of a word-processor, or even knowing how to use one, is the mark of an inferior. Ultimate conclusion: I should disavow any knowledge of how these things work in order to establish my status.
Hence the phenomenon of senior management stating, with evident pride, that they don't even know where the power switch is, a matter which my eldest son mastered at the age of two years.
I'm not terribly impressed with this one from the legal point of view, I have to say.
There are two possible attacks, in civil and criminal law respectively.
The civil attack looks, at first glance, trivial to defeat: ensure that your pads are distributed across four or more jurisdictions.
I would recommend splitting them half-and-half between civilian and common-law jurisdictions (jargon: common-law systems are based on English Law, civilian systems are based on the law of the Roman Empire by way of Napoleon) and similarly between UK/US and backwater places.
Because an attempt to get a civil injunction is being funded from the private means of an individual or corporation and because the cost of multi-jurisdictional litigation is what we lawyers like to call "staggering", distribution works quite well.
As I say, "at first glance". I know several people who represented - plucking an example that will do as well as several others - McDonald's, in the McLibel trial.
I can't go further than saying that - this being the perspective of someone with an office down the corridor, and information you can readily get from the court records - McDonald's ordered bodies to be thrown at that fight like litigation was on its way out of fashion. Some of those bodies charge three hundred sterling an hour (what precise rate McDs had negotiated I couldn't say). Moral? Don't libel the clown. He's vindictive and has no sense of proportion. I remain convinced to this day that that was the reason McDs took the case all the way: pour encourager les autres.
I digress. A civil attack on a distributed document system such as this would require multiple injunctions (or local equivalent) in multiple jurisdictions, which militates against anyone being able to afford the remedies required. Until you consider just how big-budget some of the potential oppressors are.
You can discount that First-Amendment protection right now, as well. It doesn't apply anywhere outside the US in that strong a form, and even in the US there are enough judicially-applied exceptions that it's all but a dead letter for anyone but Big Media.
Criminal content is a real problem. You can discount the "destruction of innocent messages" argument straight away. As a defence, that wouldn't hold water at all. Provided the prosecution shows that the offending pad forms part of a scheme for distributing unlawful content/information (pick your offence, there are dozens) the innocent uses of same cease to matter.
The presumption of innocence does not operate to say that where there is an innocent and a guilty explanation of an action, the innocent one must always be taken. What it does is require that the prosecution knew that the actor knew, ought to have known or at least was reckless that his act had or potentially had bad consequences.
Short but important note: The Presumption Of Innocence is common to a minority by number of legal systems, applies only in criminal matters (so you can forget it if Big Capital comes after you in the civil courts) and even there it ain't absolute protection, as large numbers of defendants have found in the past.
All it takes is one good advocate for the prosecution and a sufficiently gullible jury and the defendant is stuffed the minute he gives an honest answer to the question of why he maintains this thick wad of noise on his ftp site. Answer? To make it hard for law enforcement to trace the author/publisher of the content. That hissing noise was your jury sympathy deflating, as the Four Horsethings of the Infocalypse canter into court.
Certainly anyone using this scheme in the UK would run a small risk (under present law), a moderate risk (under the law as it might easily be modified by the kind of government that would table the present RIP Bill) and an absolute dead certainty (if the RIP Bill passes as presently drawn) of conviction of something, should it turn out one of his pads is a component of the complete spec for the kiddie-porn-powered neutron bomb that's supposed to be sitting on a webpage somewhere for a hacker to download.
I could probably say more, but it's 0200 here. I'm for me bed.