Archive for September, 2009

Padlocking your pocket?

There was an interesting article on the BBC Website last week about what happens to your email accounts, social networking accounts and other data after you die. In particular, how your next of kin get access to passwords so that they can access all that data that you hold in the cloud. Today also sees the launch of yet another social networking type site, with Google’s new Wave service, which aims to bring email, instant messaging, chat and third party apps together in one big happy family. Hmmm, isn’t that what Facebook does?

However, one thing that rarely gets mentioned is the plethora of data that each of us now carry, or have access to, through mobile devices, such as mobile phones and PDAs. Whilst (the lack of) encryption of mobile devices used by the public and private sector is becoming an almost daily news event, how often do you hear about protection of personal, non-work, mobile devices, which are almost always unprotected?

You may think that there isn’t really anything to protect here. But consider this. If you have an iPhone, iPod Touch, Blackberry or other “smart” device offering access to the Internet, it’s likely that you can access your email account, social networking account, contacts and other personal information without needing to enter a password – you simply load up the relevant app and will be logged straight in. The Internet browser may also have saved website passwords. As the app market matures, it is likely that banks will start offering Internet banking apps that allow you to access your personal bank account through your iPhone or Blackberry. We may also see apps allowing access to NHS and other sensitive records and services. The “Internet in your pocket” isn’t just marketing fluff.

But what happens if your device is lost or stolen? As well as the inconvenience of losing your device (and any data on it that hasn’t been backed up) and people spamming in your name, you will probably need to reset all the passwords for your email and other accounts. There’s also a reasonable risk of identity theft in one way or another – whether it be people hijacking your email account, attempting to access your bank or credit card account, or buying things through Amazon with your saved credit card details. If you have been negligent in protecting your account (or card number), it is likely that a bank would take a dim view of any loss suffered – have a look at your online banking ts and cs. Other organisations are likely to take the same view.

Most devices tend not to come with their security features activated. One of the easiest things to do to reduce this risk is to regularly back up your device and activate the main password protection function on the device. It’s a fairly simple step, but it is amazing how many people don’t use it. On the iPhone and iPod Touch, you can also set the device to erase all data on it after ten failed password attempts.

Whilst this protection may not stop a determined hacker with time and specialist software at his disposal, it may stop the average phone thief from easy access to your data.

Martin Sloan

Licence with a c

This post is for you if you are a fan of the book “Eats Shoots and Leaves”. Yes, I know it’s the punchline to a dirty joke, but it’s also the name of a very good book about linguistic pedantry.

And linguistic pedantry is the main point of my post.  In particular how do you spell “licence”?  Is it “licence” or “license”?

If you are in the US it’s always license. This annoys me when I review US documents, but I have learned to get over it.

If you are in the UK the spelling depends on whether you are using it as a noun or a verb.

Where it is a noun, e.g. “my driving licence”, or “I grant you a licence”, then it is spelled with a “c”.

Where it is a verb, e.g. “the Owner hereby licenses the Company”, then it is spelled with an “s”.

I trained in a less gentle time, and my first boss used to throw stuff at me when I got this distinction wrong. It didn’t take too many dunts to the head before I started to get it right.  (Hmm – some lesson there I think.)

And while we are at it, a company is always singular, so it is “the Company performs” and not “the Company perform”.

Anyway enough patronising pedantic chat.  I also realise I have set myself up for a fall here, so I really hope that there are no licence/license errors in Techblog.  I tell you what – a special prize to the first reader to find one.

Douglas Mathie

Paperback Fighters

You may be aware that since 2004 Google has been digitising books.   You may also be aware that not everybody is delighted about it.

It’s pretty hard to find a decent, snappy round-up of the Google Books story, and some bright spark somewhere is probably writing a dreary tome entitled “The Google Books book” right now. However, just to prove how efficient and clever we are here at Brodies, I’m going to sum up the whole saga in under 500 words.

Starting now.

Google claims that since 2004 it has scanned at least 7 million books. These books are variously out of copyright, still under copyright, commercially unavailable or, in many cases, “orphan works” with no known copyright holder. Despite Google employing a variety of access restrictions, and only showing snippets from the copyright works (with a few pages around a searched-for term or phrase), the project has been very unpopular with writers and publishers who believe that it infringes their rights.

In the US the Authors Guild and the Association of American Publishers  filed a class copyright infringement suit in 2005.  At the end of last year Google proposed a settlement which is currently under consideration by the US court. Under the settlement Google has offered to pay 125 million dollars to resolve outstanding claims and establish an independent “Book Rights Registry” which will provide revenue from sales and advertising to authors and publishers who agree to digitise their books. Thanks to the peculiarities of US class action law, if this settlement receives US court approval it will apply automatically to the entire US books industry.

However the objections are numerous! Some authors want an opt-in system, rather than an opt-out (the problem being this would leave the “orphan works” in limbo). Publishers are concerned that Google will have a monopoly over the index and over commercially unavailable works. Civil liberties campaigners highlight the privacy risks of Google being able to monitor your reading. Other objections have come from Google’s competitors in the search business, including Microsoft. And Germany has recently announced its opposition, arguing that the settlement violates international treaties on authors’ rights because it would be easy to get round restrictions on non-US access to the index.

In Europe, Google is facing a different set of copyright laws in each country, with little harmonisation. Differing rules at national level are hampering co-operation. What is out of copyright in Germany may still be protected in France. The European Commission has started hearings on how it should respond to the deal. The Commissioners are attempting to formulate a response and will report to the European Parliament and the Council with their findings.

Supporters of the single market would like the EU to formally back the US deal and devise a similar pan-European legal instrument to promote the digitisation of its cultural heritage. Opponents point out that harmonisation of EU copyright laws could take decades, that a single US company should not be trusted as a repository of European culture, and that a deal with Google would cut European companies out of this emerging market.

On 7th September European Commissioners held an open meeting to discuss the effects of the Google Book settlement agreement on the European publishing sector, European authors and European consumers. The result was that Google proposed to offer scanned books to Europe’s publicly funded digitisation initiative “Europeana”, and also offered two positions on its proposed Books Rights Registry to European representatives.

(For the record, that was 492 words. At Brodies we always like to come in a bit under our quote – and crucially, with the job also done.)

So that’s all the reporting, but what is my personal opinion?

Firstly I don’t believe that Google is doing all this for the greater good, no matter how cuddly its marketing makes the company appear.

Secondly I think the EU has to take some sort of action regarding book digitisation or we’re going to end up with a dearth of online European knowledge.

Thirdly, Europeana is hugely underfunded.

All of which leads me to the conclusion that the EU is going to have to do some sort of deal with Google. A check on what might rapidly become a digital books cartel will have to be agreed. It may be that Google’s business model is the most effective check of all. Google’s business is fundamentally based around search and it’s going to be in Google’s best interests to make sure books are available to be searched.

John McGonagle

Freedom of information and privacy – finding the right balance

Yesterday I attended a very interesting seminar at the University of Dundee’s Centre for Freedom of Information.

The topic under consideration was the interaction between freedom of information and data protection legislation, and in particular how the law seeks to balance the “right to know” (the basic premise of freedom of information) and the privacy rights of the individual.

Christine O’Neill, Head of Brodies’ Public Sector Services Group, gave an excellent presentation on key case law to date, looking at where the law stands following the House of Lords’ decision last July in the case of Common Services Agency v Scottish Information Commissioner.

There was general consensus that the law in the UK on this issue is badly in need of clarification, in particular given the importance of the competing interests at stake.  The interaction between freedom of information and data protection legislation relies heavily on how we define “personal data” – the personal information to which data protection legislation applies. Broadly speaking, personal data is any information about a living individual from which that individual can be identified. However the decision in the CSA case (which dealt with statistical information about the incidence of childhood leukaemia in Dumfries and Galloway) has left information lawyers struggling to understand precisely how the “identifiable” element of the statutory definition should be interpreted, in particular in cases where an organisation tries to anonymise personal information in order to permit its release.

Comments from David Banisar of Privacy International supported a general view that the problems currently being encountered in the UK, in seeking to reconcile these two bodies of legislation, stem mainly from the wording of the UK’s Data Protection Act 1998. Many other jurisdictions around the world have both freedom of information and data protection legislation, but appear to have succeeded in achieving a smoother and more effective interaction between the two regimes than we have to date.

More developments are in the pipeline, with the Scottish Information Commissioner preparing to give his further decision on the CSA case in the coming months and another case (this time on the incidence of registered sex offenders living in certain postcode sectors) heading to the Court of Session.  This looks set to present more difficult issues, both from a policy and a technical, legal perspective.

Ultimately, it is looking increasingly likely that a satisfactory level of clarity will be achieved only through suitable amendments to the DPA. However, any light which further case law can shed on the issue in the meantime would be very welcome indeed.

Eleanor Peterkin

Data Storage – The Future – Part II

Following on from Martin English’s article about data storage I thought I would report a very interesting discussion I had at a dinner hosted by the NVT Group a couple of weeks ago.

The main topics of conversation were data de-duplication and data profiling.

Data de-duplication is a solution that makes sure you are not holding the same data in multiple places, and therefore wasting disk space. While this sounds sensible there is (of course) a cost to the solution. The question is whether that solution will cost less than the total cost of ownership of the disk space used up by the duplicate data (including its power consumption). Also I had a slight concern regarding proprietary lock-in here. That is, if you purchase a data de-dup solution from one supplier you may be “tied” to that supplier, or at least moving between suppliers will have a hassle factor (apparently you need to “re-hydrate” the de-duped data).

The other technology was data profiling (or at least that is what I call it).  This is a SAN solution that identifies how often data is accessed.  Data that is accessed often is stored on faster/more expensive storage, while data that is rarely accessed is stored on cheaper/slower storage.  Again this makes sense as long as there is a saving, and there is no proprietary lock-in. 

I came away from the dinner with two distinct thoughts.

1       The volume of data being stored is increasing, and will continue to increase despite data protection laws, and other measures.  Put simply, people don’t like deleting data.

2       In my experience where large ICT solutions are being purchased the hardware component (or “tin” as people in the business invariably call it) tends to be a bit of an afterthought.  It is the unglamorous end of the deal, and is seen as being a low cost commodity.  However, with the massive increase in data it may be these priorities should be reassessed.

What do the people out there think?

Douglas Mathie

Consultation on new rules governing distribution arrangements

My colleagues Charles Livingstone and Roger Murray have written a short article on some proposed changes by the European Commission to the way in which competition law governs supply chain relationships – in particular distribution agreements. The new rules will replace the current block exemptions, which are due to expire next May.

Distribution relationships are common in the IT industry as a way of reselling hardware, software and other goods and services, and suppliers will often seek to use distribution agreements as a way of controlling the supply of their products.

The article is well worth reading for anyone involved in that supply chain – be they a manufacturer/licensor or distributor (or any of a multitude of other IT industry monikers, such as “partner” or “reseller”).

In particular, the proposed new rules would change the rules in relation to online sales.

Anyone wishing to comment on the proposed new laws has until 28 September 2009 to do so.

See: Competition in the supply chain: changes to the rules every business needs to know.

Martin Sloan

Supplier Insolvency Seminar – Reminder

Just a wee reminder that I am speaking on Supplier Insolvency this Thursday in Edinburgh.  The seminar runs from 0830 to 1000, and bacon rolls will be provided.  Full details of the seminar can be found by clicking on this link.

For those on the west coast I will be re-running the seminar in Glasgow on Wednesday 30 September. 

If you want to sign up to either event then email rachel.osborne@brodies.com.

Douglas Mathie

Is your website legal?

Sorry for the lack of posts recently.  I was in Spain last week (without the kids – yah!).

Even on holiday, I noticed a news item where the EU consumer commissioner complained that most websites do not comply with law.  This was not a big surprise to me!!

If you are selling stuff from your website then generally you have to comply with the fairly complex distance selling directives.  There is a good guide to the distance selling directives at the OFT website.  The main headline is that in the sales process you have to display certain information to the customer, and the customer has a right to reject the goods even if they are in perfectly good condition. 

Even if you don’t sell stuff online then there are still legal requirements for your website.  In particular there are requirements to provide certain information to the customer/browsers.  These requirements come from a number of different sources (most notably the e-commerce directive).

I usually advise clients to provide the information as part of a wider set of website terms and conditions of access (as opposed to terms and conditions of sale).  For an example, see the terms and conditions relating to the main Brodies website here, and the supplemental terms and conditions relating to this blog site here.

As you will read, one of the main jobs of the terms and conditions is to disclaim liability.  This is particularly relevant given the recent case where a disgruntled purchaser of a swimming pool tried to sue the trade association that recommended the swimming pool installer on the basis of a statement on a website.

You should probably also add a privacy statement to the terms.  This sets out what you do with data collected using the site, and is a key plank in compliance with data protection law.

A final word of warning.  Don’t just copy somebody else’s terms and conditions and put them on your site.  Ignoring the copyright infringement problem, this is probably not going to give you the protection you need.  In particular don’t copy terms from a US website. 

If you want Brodies to review your website and report on legal compliance then give us a call.

 

Douglas Mathie

Data storage – the bigger picture

Technology and information law are two of the central pillars of our practice. We know the law around data storage – keeping it safe, how long to retain it and so on. However we also try to keep up-to-date with the wider challenges facing our clients in the provision and receipt of data storage and similar services, including in particular the technology options available to suppliers in this field.

If it is hard enough for you to comprehend the 300 gigabyte storage capacity of the hard disk drive on your office or home PC (which believe me is massive), spare a thought for data centre managers who have to grapple with terabytes and petabytes of information, and the ever increasing demands placed on their storage resources and budget. Storage Area Network (“SAN”) and Network Attached Storage (“NAS”) systems are scalable to manage storage needs, but is throwing more tin at the problem the solution?

More data means more storage. Right? Wrong. The savvy data centre manager knows that he not only has to manage increasing levels of data, mainly mission critical, but he also has to keep an eye on Capex and Opex. He is focused on return on investment and total cost of ownership. He therefore will be contemplating, if not already doing so, implementing a strategy centred round simplifying his storage infrastructure, not adding complexity and cost. At the same time he will be looking for ways of making it more efficient and looking to the future needs of the business. He should therefore be looking at optimisation. He will do this through virtualisation, consolidation and automation. And looking to the future, he will be looking at convergence of the storage network with the IP network.

In running a virtual environment, he will consider virtual storage, and running virtualised backup using virtual tape libraries utilising data deduplication and thin provisioning technology.

Looking to the future he will possibly look to converge the fibre channel storage network with the Ethernet IP network, using fibre channel over Ethernet (FCoE), and run his SAN and LAN on the same wire.

All these technologies are designed to increase optimisation, reduce cost and deliver better levels of service to the business, all with a short return on investment cycle.

Martin English (trainee) and Eleanor Peterkin

Pitcher’s, Pimm’s, Penguins and Puffins

Picture the scene. It’s Saturday morning in 1990 and a happy child has just poured himself a bowl of delicious Kellogg’s Ricicles. As he prepares to watch cartoons he cheerily scoops a spoon of Ricicles into his mouth. Imagine the child’s alarm when the Ricicles taste absolutely disgusting! The Ricicles are promptly regurgitated all over the carpet as the child exaggerates his disgust! The child was of course yours truly. So, what was wrong with my usually delicious cereal snack? Was the milk out of date? No. Were the Ricicles out of date? Nope. Was it because the “Ricicles” weren’t actually Ricicles? Bingo!

It turned out that my mum had been experimenting with buying the supermarket’s own brand of “lightly sugared rice cereal”, on the basis that she had been pointlessly paying over the odds for the Ricicles brand and packaging. However I had detected a definite difference in quality (as the carpet could attest), and I think my interest in branding started there and then. How were supermarkets getting away with ripping off branded products? I had to find out and I looked into all the exciting details for a school project. I am reminded of this strange youthful obsession by the news this week that Diageo are issuing proceedings against Sainsbury’s for brand infringement. Diageo is rights holder in Pimm’s, the alcoholic summer drink which can be served with lemonade and fruit. Sainsbury’s has launched a new product called “Pitcher’s”, an, er, alcoholic summer drink which can be served with, um, lemonade and fruit. Diageo are not impressed.

I expect Diageo may found their action on s.10(2) of the Trade Marks Act 1994 (as amended), which prohibits use of similar or identical marks on similar or identical goods or services, where there is a likelihood of confusion on the part of the consumer. Diageo will also probably argue that Sainsbury’s are “passing off” Pitcher’s as Pimm’s. The law of trade marks and the law of passing off deal with the same set of facts in different ways. In instances of trade mark infringement, it is the right to the mark that is being protected. The initial comparison is therefore between the registered mark and the allegedly infringing copy mark. In contrast, in cases of alleged passing off, it is the goodwill or reputation built up through the use of a mark that is protected. By definition, passing off will always involve a wider comparison, not only of the registered mark (if there is one) and the allegedly infringing copy of that mark, but also of all of the other elements of the “get-up” (packaging and presentation) of the respective products in relation to which they are used.

The leading case in the field of “rip-off” supermarket brands is United Biscuits (United Kingdom) Limited v Asda Stores Limited [1997] RPC 513. Asda manufactured its own brand of “Puffin” biscuits in get-up similar to that of the popular biscuit “Penguin”. United Brands sought to restrain production of Puffin biscuits, claiming that Asda had infringed their registered trade marks in relation to biscuits (the name “Penguin” and various pictorial depictions of penguins). It was held that changes to the pictures of the penguins used on the Penguin biscuit get-up over the years undermined the trade mark infringement claim. The marks hadn’t properly been in use and didn’t deserve protection. In contrast United Brands’ passing off claim was more successful. The “classic trinity” which must be proved in an action for passing-off is: i) reputation in the brand; ii) likelihood of damage to reputation; and iii) misrepresentation as to origin. United Brands clearly proved reputation and likelihood of damage, and the judge considered that the Puffin packaging’s use of a prominent picture of an upright dark coloured sea bird with a white front, in addition to the word “Puffin”, suggested a connection between the manufacturer of the “Puffin” biscuit and the manufacturer of “Penguin”.

Returning to Sainsbury’s and Diageo, and Pitcher’s and Pimm’s, it will be interesting to see what happens. Besides the obvious similarity in the names, Pitcher’s is the same colour as Pimm’s, the get-up is very similar, the serving suggestion (lemonade and fruit) is similar – but would you actually buy Pitcher’s instead of Pimm’s by mistake? Or believe they had been manufactured by the same company?

Who knows, I’m off to p-p-pick up a Puffin* and have a cup of tea.

John D.

*“p-p-pick up a Penguin”, surely? – Tech Blog Ed.

