20 April 2012

Is an Australian ISP liable for the infringing acts of its customers?

Roadshow Films Pty Ltd v iiNet Ltd [2012] HCA 16 (20 April 2012):

The decision

By a unanimous five judge court in the Hight Court of Australia, iiNet did not authorise the infringement of copyright held by the movie owners (the appellants).

There was no question that copyright infringement by iiNet's customers had occurred - the fundamental question was whether iiNet had authorised the infringement, which would fall foul of s 101 of the Copyright Act 1968. This secondary infringement could result in damages being paid by iiNet to the copyright owners.

The appellants relied on passages from University of NSW v Moorhouse [1975] HCA 26; (1975) 133 CLR 1 (1 August 1975) as noted in para 58. They argued that control was within the meaning set out by Gibbs J:
It seems to me to follow from these statements of principle that a person who has under his control the means by which an infringement of copyright may be committed - such as a photocopying machine - and who makes it available to other persons, knowing, or having reason to suspect, that it is likely to be used for the purpose of committing an infringement, and omitting to take reasonable steps to limit its use to legitimate purposes, would authorize any infringement that resulted from its use.
The appellants argued that after receiving a notice of infringement, iiNet had to take action against the account holder who had been assigned the relevant IP address. That person, of course, may not have been the person committing the primary infringement - it could be a family member, employee, house guest or housemate.

iiNet argued that it would be "a complex and costly task" to investigate allegations in notices, and it is obvious that if it did not thoroughly investigate before taking action then it might end up breaching its own terms of service with its customers.

Thoughts about policy

Moorehouse  was about the use of photocopiers in the university library, and it led to legislative change to protect the university and other educational institutions. The case was distinguished in iiNet in para 144 on the topic of indifference to infringement.  The theme running through copyright legislative change in Australia has been to protect the providers of goods or services which can be used for legal or impermissible purposes - it is up to the user to obey the law.

In my opinion there is a practical issue here - the Australian legal system is generally predicated on punishing or controlling people for what they have done, not what they might do. If someone has stolen copyrighted property then that is wrong, but does it indicate that they should receive a contractual punishment dictated by someone who is not party to the contract? iiNet's terms of service clearly give it the ability to terminate a contract with a customer who breaches the law, but that is a matter between iiNet and the customer.

Past behaviour may indicate a tendency toward future behaviour, but in Australian law the court confine the ability to lead that sort of evidence to very limited cases. Third-party-enforced termination of service of an internet connection is a type of retributive punishment, which has no place in civil law. The punishment does not attempt to put the victim back into a position as if the offence had not occurred, nor does it provide compensation for the damage. These are valid consequences of copyright breach, but termination of service after the fact is unrelated.

Questions and answers

Did iiNet have the power to prevent use of BitTorrent?

para 65 ... iiNet had no direct technical power at its disposal to prevent a customer from using the BitTorrent system to download the appellants' films on that customer's computer with the result that the appellants' films were made available online in breach of s 86(c).

What contractual power did iiNet have?

69 Even it if were possible to be satisfied that iiNet's inactivity after receipt of the AFACT notices, and its subsequent media releases, "supported" or "encouraged" its customers to continue to make certain films available online, s 101(1A) ... makes it plain that that would not be enough to make iiNet a secondary infringer. An alleged authoriser must have a power to prevent the primary infringements ...  there must be such a power to prevent...
70 As explained, the extent of iiNet's power was limited. It had no direct power to prevent the primary infringements and could only ensure that result indirectly by terminating the contractual relationship it had with its customers. 
Per Gummow and Hayne JJ: 146 Further, iiNet only in an attenuated sense had power to "control" the primary infringements utilising BitTorrent. It was not unreasonable for iiNet to take the view that it need not act upon the incomplete allegations of primary infringements in the AFACT Notices without further investigation which it should not be required itself to undertake, at its peril of committing secondary infringement.

Did iiNet take reasonable steps?

76 iiNet's inactivity after receipt of the AFACT notices was described by the appellants as demonstrating a sufficient degree of indifference to their rights to give rise to authorisation. However, the evidence showed that the inactivity was not the indifference of a company unconcerned with infringements of the appellants' rights. Rather, the true inference to be drawn is that iiNet was unwilling to act because of its assessment of the risks of taking steps based only on the information in the AFACT notices. Moreover, iiNet's customers could not possibly infer from iiNet's inactivity (if they knew about it), and the subsequent media releases (if they saw them), that iiNet was in a position to grant those customers rights to make the appellants' films available online. 

The key point

77 The appellants' submission, that iiNet should be taken to have authorised the infringements unless it took measures with respect to its customers, assumes obligations on the part of an ISP which the Copyright Act does not impose. A consideration of the factors listed in s 101(1A) does not permit a conclusion that iiNet is to be held liable as having authorised the infringements. (my emphasis)

iiNet - the winner

The High Court of Australia handed down judgement today in Roadshow Films Pty Limited & Ors v iiNet Limited [2012] HCA 16.

The court dismissed the appeal by the copyright owners from the Full Court of the Federal Court of Australia - in other words, iiNet won.

The case was based on "authorisation" under the Copyright Act 1968, which extremely roughly means "aiding and abetting" someone in copyright infringement. The court held that iiNet had not authorised the infringement by its Bittorent-using-customers by not terminating customer accounts despite being given notice that infringements were occurring.

The logic of the decision is obvious - iiNet's only real power was to terminate its contracts with its customers on the basis of material given to it by third parties. However, the court held that these notices were not a sufficient basis for iiNet to cancel or otherwise limit its users' accounts.

The full text of the court's decision is not yet available.

iiNet - the High Court of Australia decision

The High Court of Australia has handed down its decision in the claim by movie copyright owners against the ISP iiNet.

The High Court dismissed the appeal by the film and television companies! (I had quite a few beers riding on that result - I won)

The copyright owners claimed that iiNet had "authorised" infringement of their copyrights by permitting Bittorrent users to continue using the ISP's services despite being notified by the copyright owners.

Authorisation is a right under s 13(2) of the Copyright Act 1968, and a similar provision was used to convict the Pirate Bay operators - it is no excuse that you don't actually host the files. However, this was not enough to sink iiNet.

Analysis of the judgement to follow shortly.

18 April 2012

Stuff I use at home - Netgear ReadyNAS NV+

I've had a Netgear ReadyNAS NV+ for about a year, and yesterday I bought and installed a second one. What do I think?

These boxes are about the size of a toaster, and have room for four discs. I've put Seagate 2TB discs into them, and to be specific, 4 x Seagate ST2000DL003-9VT166 into the latest machine. The ReadyNAS is a SPARC based linux machine, but you'd never know because the interface is web-based and easy to use.

I put the four discs into their drive cages (5 minutes), connected the power and network, turned it on and went to bed. By this morning it had checked the drives, updated its firmware, built a RAID 5 array (technically it's something else, but it has RAID 5 functionality), and created two shares. These were CIFS (SMB) and AFP, but it also can create shares based on NFS, RSYNC and FTP. There is also functionality around http and https, which I don't use.

They are interesting boxes, since they prioritise sharing heavily - don't bother trying to use the management interface while pushing its gigabit ethernet interface. These are not meant for more than a handful of users if you push them.

Plenty of other people have reviewed these machines, so I won't go into detail other than to say that it offers Time Machine backup for my Mac Mini, RSYNC works perfectly, it keeps the discs at a few degrees above ambient temperature, the discs are hot-swap, they're quiet, and a pleasure to use.

This machine will eventually replace my ageing Windows Home Server v1, which I will miss, but its habit of killing discs is becoming a bit old. I have pulled a disc out of the ReadyNAS and it responded as advertised.

One major point: if you run one of these (or any other consumer RAID 5 array), have a spare disc ready - the moment a disc fails you should replace it, because if another disc goes bad or is already marginal you need to get that new disc in immediately.

17 April 2012

Cyberspace May 2012

Lies, damned lies

In 2050 no grandchild will see a photo of his grandfather sitting on his antique motorcycle, because that photo was taken on a phone or digital camera and was never backed up or handed over to the children (“Here honey, take my 30 GB of family photos before I die”).. Another problem with digital photographs is that they are easily edited... but are those edits undetectable?

You might be involved in an AVO defence, a claim against police or a family law matter where some photographs are being tendered. What can you do to ensure that they haven’t been tampered with? I’d start by cross-examining on the chain of custody of the digital images, starting with the photographer and ending with the person tendering them in court.  The concept of an “original” photograph is fairly nebulous - perhaps the only original is that on the SD or Compact Flash card - everything else is suspect. But the truth is that you can analyse a photo that has been resized, cropped, altered and find the fakes.

There are many techniques (and multiple techniques should always be used) but only some deal with visible issues. Classic visible problems are where the light appears to illuminate a subject from several directions when there clearly could only have been one light source. This analysis can show that one or more subjects have been added, moved or reversed. Another visible problem is where perspective anomalies arise.  If an object is inexpertly added then its perspective will not match the rest of the photograph. This can show, for example, that the wheels on a car are too close together or people are too far away from a background object. Changes in highlights (bright areas) where you would expect them to be similar was noted in a Scientific American article (http://goo.gl/Og0Tv), where a photograph of American Idol judges was analysed to show it had been doctored.

But what about edits that are seriously professionally done using quality software? These are still detectable.  A great recent example was by Dr Neal Krawetz, who has been conducting digital photo forensics for many years. In the USA a recent lottery draw for over $640M was world news. A person posted three photographs of a “winning ticket” on Reddit, and Dr Krawetz decided to examine them (http://goo.gl/qhcjS). . These photographs were seriously believable visually, but the context indicated they were probably fake, and he ultimately proved so. How?

The first picture was analysed to see if different areas of the image had been compressed at significantly different levels (all JPEG photos have some degree of compression). Even after multiple saves we should see consistent degradation across an entire photo. This sort of analysis will easily reveal that something has been added to or removed from a photograph, but if something has been copied within a photograph then other tools will be required.

The next step was to consider whether tools such as Photoshop were used - these introduce distinct artifacts that are peculiar to the brand of software used. After processing experts can visually identify which software has been used.

Another anomaly that can be introduced is varying colour spaces, which is what the Dr used to detect the lottery fake. Altered parts of the photo will be revealed by detecting changes in the colour values used in different parts ofthe photograph.

The moral is that you need not accept defeat in the face of what your client tells you is a digitally altered photograph - you should consider calling in the experts.

13 April 2012

Cyberspace April 2012

Computer assisted review

It can be hard to find specific evidence to support broad assertions of systematic misconduct, such as a glass ceiling for female employees. These cases often require very extensive discovery, and the inspection process can run into the millions of dollars.

Keyword searches can provide some results, but it is easy to write a document on a particular topic without using any particular keywords. Keyword searching will miss these documents. So what to do when you have millions of emails between many senior managers over many years?

One technique is “computer-assisted review”, or “predictive coding”. Searches are performed using rules created by watching how experienced lawyers analyse a set of documents taken from the actual potential discovery set. These rules are far more complex than keywords, but they require that very experienced lawyers create the rules. The software watches while the documents are coded, and it attempts to predict the coding results. After sufficient cycles of review and feedback the software becomes capable of either determinig yes/no relevance or providing a relevance score. This enables the legal team to prioritise the review of those documents. Where a relevance score is used the parties may attempt to agree on a minimum threshold for manual review, thus containing costs.

In Da Silva Moore et al v Publicis Groupe & MSL Group (USDC, SD of NY, 24 Feb 2012) (http://goo.gl/0pNzq)  the court dealt with consent orders using computer-assisted review in relation to a glass-ceiling case. Particular processes were required, such as maintaining the sample set and a documented quality control regime to assist in dealing with arguments as to the accuracy of the process. Magistrate Judge Peck had previously said “Key words, certainly unless they are well done and tested, are not overly useful. Key words along with predictive coding and other methodology, can be very instructive.”

The defendants proposed that the top 40,000 documents be produced, but this approach was rejected as it did not deal with what the statistics showed for the results. It may result in many relevant documents being excluded.

Since some data was in an email account of a French citizen, Peck MJ also mentioned the Sedona Conference’s (a research and educational institute) International Principles of Discovery, Disclosure and Data Protection publication. This deals with the challenges of competing international privacy laws. This is a particular issue since the EU is drafting a replacement General Data Protection Regulation that requires strict personal data protection compliance for non-EU countries. A penalty of up to 2% of world-wide turnover may be applied for breach, and it will be compulsory to notify data protection authorities and the individuals concerned of of a breach or leak within 24 hours. The rules will apply to non-EU based businesses who have subsidiaries in the EU or offer goods or services to EU-based customers.

The parties started by selecting a sample of documents with a 95% confidence level. using that to train the software. Keyword sample sets were also produced, and in the end around 7,000 documents were given to senior attorneys to create the seed set, and the court made the point that these were not paralegals, in-house lawyers or junior associates. The defendants proposed seven iterative rounds of training and testing, at which the plaintiffs baulked, but the court “reminded the parties that computer-assisted review works better than most of the alternatives, if not all of the [present] alternatives. So the idea is not to make this perfect, it’s not going to be perfect. The idea is to make it significantly better than the alternatives without nearly as much cost.” Now, there’s an idea.