Archive for December, 2011

How does Amazon’s new religious beliefs patent equate with data protection laws?

According to online reports, internet retailer Amazon has just been granted a new US patent for a system aimed at “mining of user event data to identify users with common interests”. The system analyses user behaviour to profile users into different categories.

Amongst the things monitored are the purchasing of gifts and “the gift wrap used by such other users when purchasing gifts for this user, such as when the gift wrap evidences the user’s religion (in the case of Christmas or Hanukkah gift wrap, for example)”.

So if someone orders me a gift from Amazon, has it gift wrapped and sent to me at some point in December, Amazon will apparently assume that I am of Christian belief.

That’s quite a leap of faith (pun intended), given that a substantial proportion of people who give Christmas presents are likely to class themselves as atheist or ambivalent in their religious beliefs.

The preamble to the patent states that:

A computer-implemented matching service matches users to other users, and/or to user communities, based at least in part on a computer analysis of event data reflective of user behaviors. The event data may, for example, evidence user affinities for particular items represented in an electronic catalog, such as book titles, music titles, movie titles, and/or other types of items that tend to reflect the traits of users. Event data reflective of other types of user actions, such as item-detail-page viewing events, browse node visits, search query submissions, and/or web browsing patterns may additionally or alternatively be considered. By taking such event data into consideration, the matching service reduces the burden on users to explicitly supply personal profile information, and reduces poor results caused by exaggerations and other inaccuracies in such profile information. [emphasis added]

What about data protection rules?
This raises some interesting data protection questions.

In the EU, religious beliefs are one of the categories of personal information that are classified as “sensitive personal data”, and therefore subject to a stronger set of rules. In particular, a data controller may only process sensitive personal data if it can satisfy one of the specific conditions set out in Schedule 3 of the Data Protection Act. The majority of these grounds relate to things like processing that is required by law, processing that is necessary to protect the vital interests of the data subject or processing for the administration of justice.

None of these are applicable to Amazon.

Which means the only condition it could rely upon is the “explicit consent” of the data subject.

It’s difficult to reconcile this need for explicit (not implied) consent with the last sentence of the preamble, which states that the system will “reduce the burden on users to explicitly supply personal profile information” – in other words, it will allow Amazon to guess the things that users don’t tell it.

European data protection rules make it clear that Amazon cannot activate this system in respect of a user unless he has expressly given his informed consent. So if a user decided that he would like Amazon to profile him based on his religious beliefs, would that user rather tick a box saying “would you like Amazon to guess which (if any) religious beliefs you hold?” or simply complete the details in his personal profile?

And how does this guessing system equate with the fourth data protection principle, which states that personal data shall be “accurate and, where necessary, kept up to date”? Will Amazon periodically ask you to confirm its assumptions to check that they are up to date?

Organisations such as Amazon often apply to patent new ideas without necessarily ever putting them into practical application. In Europe at least, I suspect that this may be one such idea.

Will YouTube Mess With The Big Man?

You have probably seen the “Don’t Mess With The Big Man” YouTube video.  It shows a passenger on a train from Edinburgh to Perth arguing with a ticket inspector and seemingly refusing to pay his fare, before being then carried off the train by a fellow passenger.  The parties have been dubbed “the Ned” and “the Big Man” respectively, by the person who posted the video on YouTube.  (In the interests of not repeating any potential slander I won’t use the term “the Ned”!)

The video has provoked a lot of debate and the latest development is that the Big Man has been identified, and charged with assault.  I’m no criminal lawyer and I’ll leave the discussion about whether or not the Big Man’s actions constituted assault to the experts.

I’m more interested in considering what remedies both parties may seek.   Both probably wish the video had never existed, and are maybe wondering if they have any recompense against the person who posted the video and/or YouTube itself. 

Has the poster of the video on YouTube broken any law?
Murray v Big Pictures (the case involving tabloid photographs of JK Rowling’s son in his pram) makes it pretty clear that, in certain circumstances, the taking of photographs of somebody in a public place can infringe their rights to privacy.  It’s not impossible to imagine this precedent being extended to making a video clip of somebody in a public place.

Further, the processing of the parties’ data on YouTube is arguably contrary to the Data Protection Act, because the processing has been carried out without their consent. 

In reality the Information Commissioner is unlikely to respond to any data protection complaint by pursuing the poster for this type of content.

However breach of privacy rights could feasibly entitle both parties to claim damages. 

Has YouTube itself broken any law?
In the event of any claim or claims, YouTube would probably argue that it was a “mere conduit” under the E-Commerce Directive.  (This “mere conduit” defence provides that a web host isn’t liable for content on the basis that the host has no actual knowledge of illegal activity or information (provided that they act expeditiously to remove content if something or someone does alert them to illegality).)   YouTube would probably also say that they might well have removed the video if either of the parties had asked.

The catch is that the “mere conduit” defence doesn’t technically extend to privacy/data protection complaints.  This is at least partly why Italy is pursuing prison sentences for 3 executives of Google in relation to footage posted on Google Video in 2006.  (According to the San Francisco Chronicle, an appeal will be heard early in 2012.)

As far as any financial liability is concerned, YouTube’s Terms of Service are drafted to protect the company from liability arising from user-generated content.  The Terms state that the user agrees to comply with all applicable laws. As discussed above, the user has possibly broken some laws.

The Terms also state that users are solely responsible for content and the consequences of submitting and publishing content, and that users indemnify YouTube against any and all “claims, damages, obligations, losses, liabilities, costs or debt, and expenses” arising from violation of the Terms.

What is likely to happen?
It’s impossible to predict how things will develop.

I imagine it’s pretty likely that charges may be quietly dropped, with both parties being encouraged to resume their normal (and private) lives.  

But it’s not impossible that this incident may come to have serious repercussions for “vigilantes”, “citizen journalists” and web hosts of user-generated content.

e-update on government’s response to ICB recommendations on banking reform

We have today published an e-update on the government’s response to the ICB’s recommendations on structural reform of the banking sector.

The government stated on Monday that it will adopt the recommendations in full. As John mentioned in a previous blog, the proposals to ring-fence retail banks will have an impact on the way in which banks structure their key IT and outsourcing contracts to ensure that the ring-fenced bank’s access to key infrastructure is protected.

You can read the e-update in full here.

If you’d like to discuss the impact of the recommendations and how you might be able to structure your key IT and outsourcing contracts, then please contact Grant Campbell or John Mcgonagle, or your usual TIO Group contact.

Advertising rules for websites and social media – some top tips

This blog post was published earlier today as an e-update to our email subscribers. To receive e-updates from Brodies’ Technology, Information and Outsourcing Group please register your details or contact your usual TIO Group contact.

On 1 March the remit of the Advertising Standards Authority (ASA) was extended to include the claims companies make in non-paid-for space online. This covers adverts for a company’s goods and services on its own website and on any social media sites within its control.

Since the ASA’s digital marketing remit was extended earlier this year the independent UK regulator has received a 40% increase in complaints.

The rules and criteria that are applicable to digital and online marketing are the same as those applicable to ‘traditional’ media, such as the obligation that the advert is not misleading, exaggerated or offensive. However, there are some particular things to look out for when advertising online, including via social media channels.

Here’s a quick list of do’s and don’ts to ensure that your company doesn’t have to explain itself to the ASA:

  • Don’t exaggerate savings by comparing an offer to the most expensive alternative.
  • Don’t say something is free if it isn’t. If the product is free, but postage is not, then say that upfront.
  • Don’t include unnecessary price breakdowns for a product or service unless the costs being detailed are optional. If they are not optional then it is pointless explaining what they are.
  • Don’t pick and choose customer reviews to appear on your website to make your company look good.
  • Do include any surcharges, such as booking fees, upfront.
  • Do make sure a discount is actually a discount. If the prices are the same before, during and after the promotion then it’s not really a promotion and is in breach of regulations.
  • Do ensure that you have robust evidence of quality and performance if you are going to make claims about your product.
  • Do state clearly that an offer may be extended at the company’s discretion if you think you may want to exercise this option.

For further information please contact me or get in touch with your usual Brodies contact.

Victoria Moore

Not so stealthy ‘astroturfing’ of new Nokia Lumia Smartphone

You may have heard the recent outcry over favourable product reviews by Nokia and Microsoft employees posted (anonymously, of course) about the new Nokia Lumia 600 Smartphone (which sits on Microsoft’s Mango OS) on a third party website.

These comments have been criticised for not being genuine reviews of the product but rather a marketing ploy to try to boost sales and customer opinion. This advertising ‘technique’ of masquerading as a genuine customer and making positive, inflated reviews about your own product (or, indeed, negative comments about a competitor’s product), coined astroturfing, is a risky strategy – not least because in many countries it is unlawful but also because if found out, it could be very damaging to your brand’s reputation.

The Nokia employee was found out because (in a not terribly covert manner) his ‘anonymous’ post was sent from an IP address that was owned by Nokia. This, of course, opens up a whole new can of worms because the Nokia IP address – and the employee’s email address – was released by the company that hosted the review website, presumably in breach of the site’s privacy policy.

The law in the UK
In the UK, advertising is broadly controlled and regulated by the Advertising Standards Authority (ASA). In March of this year the ASA’s remit was extended to include digital media, which meant that restrictions were tightened around what companies could claim on their own website and other online media in their control, such as their Facebook or Twitter accounts.

In relation to product or service reviews, the ASA will address complaints made where websites are picking and choosing which reviews will appear on their website, so as to cast the company in a better light. Similarly, the ASA are currently investigating the transparency of the reviews that appear on the TripAdvisor website. TripAdvisor had stated that the reviews on its website were ‘trustworthy’ but in reality it is unlikely that TripAdvisor really knows whether the reviews are honest or not, so the endorsement has been taken off the site.

While the digital remit is a welcome extension of the ASA’s powers, astroturfing – such as the Nokia Lumia incident, where one company posts fake reviews on another’s website – still falls through the cracks.

It won’t fall far though before being caught by the Consumer Protection from Unfair Trading Regulations 2008, which prohibits companies from falsely representing themselves as a consumer. The Regulations are enforced by the Office of Fair Trading (OFT) which can impose unlimited fines for a breach. On the face of it, the OFT has more bite than the ASA. However, the OFT may be less inclined to get involved in smaller, isolated cases – such as a couple of blog posts by employees where there doesn’t appear to be any evidence of a larger astroturfing strategy.

Remember though, that even if astroturfing doesn’t result in any formal fine or sanction it could still cause serious reputational issues for your brand. Nokia and Microsoft have learnt this the hard way.

Leigh Kirktpatrick

Rooney’s Result: Wayne and Image Rights

Followers of my Twitter account will know that I tweeted last week: “Wayne Rooney has paid £5k to get his image rights back.  I would have advised Shrek to hold out for £10k”.    I was joking about Wayne’s appearance, but also referring to his dispute with Proactive Sports Management Limited.

The dispute
When Wayne Rooney was 17 he entered into an Image Rights Representation Agreement (“IRRA”) with Proactive, under which Proactive would negotiate contracts with third parties for exploitation of his image rights.  Proactive would take 20% of the gross sums payable on any contracts agreed, and the agreement was to run from 16 January 2003 to 16 January 2011.  All was well until October 2008, when Wayne and Proactive fell out.  The IRRA was subsequently terminated, and since then Proactive has been claiming that it is owed millions in damages and further millions in future commission.

The parties ended up in court, and on 1st December the Court of Appeal broadly upheld the earlier Manchester Mercantile Court decision that the IRRA was unenforceable on grounds of restraint of trade.  Proactive will receive a payment for the reasonable value of its services, which will be established at a later hearing, but it won’t be calculated according to the contractual commission rate of 20%. (In case you’re wondering, the £5k in my joke above is how the tabloids reported it, but, in typical tabloid-disinformation style, that figure actually refers to an accountancy bill which was adjudged to have been owed by Rooney to Proactive as the result of a totally separate agreement.)

In reaching their decision the judges found several aspects of the deal between Proactive and Rooney persuasive, including:

  • Wayne was only 17 years old when the IRRA was signed;
  • Wayne and his parents were “wholly unsophisticated in legal and commercial matters”, but were not advised to take legal advice;
  • The IRRA was not in any sense a standard form – on the contrary, it was unusual in many respects; and
  • The duration of the IRRA was excessive (notwithstanding Proactive’s submissions that it needed to “adopt a long-term strategy to develop the value of the player’s brand”).

What are “Image Rights”?
A good result for Wayne then.  But what are “Image Rights”?  “Image Rights” in the context of footballers refer to the rights in the likeness, name and other personal attributes of that individual, exploited through various off-field activities such as sponsorship, promotional appearances and shirt sales.  Legally, the UK has no actual codified law of image rights, so an individual wishing to protect these rights has to rely on a mix of privacy case law, and assorted legislation regarding data protection, copyright and trade marks.

At a World IP Day conference in Edinburgh a few years ago, I asked Patrick Stewart (Head of Legal at Manchester United) about image rights.  Patrick said it was the one thing he had hoped he wouldn’t be asked about!  At the time I was just genuinely interested to hear how they operated, and how they could be enforced – but with hindsight I was potentially putting Patrick on the spot about a pretty sensitive issue.

Image rights contracts in football
Football clubs increasingly use the concept of image rights as a way of offering star players suitable remuneration.  Payments for image rights allow players to avoid paying 50% income tax on all their earnings, whilst also saving the club from having to make National Insurance or PAYE contributions.

Here’s how it works.  Players are paid wages for their services on the pitch, but further image rights payments are made to a company which has been set up to hold the player’s image rights.  These payments are subject to corporation tax levied at 22%, and the players can take interest-free loans from the companies as a “benefit in kind” taxable at 2% (instead of salaries and/or dividends which would be income, and be taxable at the corresponding higher rate). 

Unsurprisingly these tax arrangements attract a lot of negative publicity.  In August the Press Complaints Commission rejected a complaint made by Wayne Rooney about a Sunday Times article investigating the structuring of his finances.  Arsenal striker Dennis Bergkamp won a test case against the Inland Revenue in 2000 after it attempted to claim that a percentage of the image rights income that had been paid into an offshore business established in his name constituted tax evasion.  Nevertheless, HMRC has recently announced a new crackdown on tax evasion in football, so it looks like things will “kick off” (ah, a football pun in stoppage time!) again in 2012.

[Ed: the Techbloggers will now be negotiating image rights deals at their next appraisals.]

ICO publishes updated guidance on cookies compliance

The Information Commissioner’s Office has today published updated guidance on how organisations should comply with the new rules on cookies that came into force earlier this year.

As regular Techblog readers will remember, the new rules came into force without any clear guidance on how organisations should technically comply with them – even the ICO itself appeared to be unclear as to what was required. In recognition of this, the ICO announced a year-long grace period for achieving compliance.

What does the updated guidance say?
The updated guidance builds on previous guidance issued by the ICO by giving a number of examples of how compliance can be achieved. Which of these is appropriate will depend upon what the cookie is used for (and the ICO generally leaves it to the organisation to work this out).

There are a couple of points to highlight:

  • Consent needs to be informed – users need to understand the potential consequences of allowing each specific cookie to be used.
  • There is still no browser-based solution to getting consent.
  • Implied consent is unlikely to be sufficient – implied consent must be based on a “definite shared understanding of what is going to happen.” The ICO’s view is that consumers do not yet have this level of awareness, but that may change over time as consumer awareness increases.
  • Wherever possible cookies should be delayed until users have had a chance to understand how they are used – they should not be set as soon as the user visits the site.
  • There are no exceptions for analytical cookies – the ICO’s view is that analytical cookies do not fall into the “strictly necessary” category.
  • However, cookies for online shopping baskets and those that are necessary to ensure security (for example, on online banking websites) are likely to fall within the exception.
  • If cookies are used on more than one website (for example, for third party behavioural advertising purposes), then in order for consent to be valid it has to be “absolutely clear” which websites the cookies will be used on, what they are used for, and exactly what the user is agreeing to.
  • You can copy what the ICO does on its website, but the ICO is giving no guarantees that this approach complies with the law.

This last point is particularly disappointing. The worked examples in the new guidance will be welcomed by organisations grappling with how best to comply with the new rules (in the absence of an acceptable browser-based solution), but the reluctance of the ICO to stand behind its own approach gives organisations little comfort that the suggested approaches in the guidance will be compliant.

The ICO makes clear that the lack of clarity over how the law is supposed to apply will not be accepted as an excuse for non-compliance, and that it is not acceptable for organisations to simply sit back and wait for a browser-based solution.

We’re now six months into the 12 month transitional period for compliance, after which the ICO will start investigating complaints. The ICO states that organisations now need to be able to show that they have carried out initial assessments of cookie use, and that “sensible, measured action to move to compliance” is being undertaken.
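The gating the ICO guidance describes (strictly necessary cookies set at once, analytics and third-party cookies held back until explicit, informed consent that names the purpose and every site involved), as an added JavaScript example that is not from the ICO guidance or any site’s code. The cookie names, site names and the `CookieJar` stand-in for `document.cookie` are constructed assumptions.

```javascript
// Added illustration: a consent gate modelling the ICO points above.
// Strictly necessary cookies (basket, security) are set immediately; all
// others wait until the user has given explicit consent covering their
// category and, for cookies shared across sites, every site involved.
// Cookie names and sites below are constructed for the example.

const CATEGORY = Object.freeze({
  STRICTLY_NECESSARY: "strictly-necessary", // basket, session security: exempt
  ANALYTICS: "analytics",                   // no exemption in the ICO's view
  ADVERTISING: "advertising",               // e.g. third-party behavioural ads
});

// Minimal stand-in for document.cookie so the logic runs outside a browser.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value) { this.cookies.set(name, value); }
  has(name) { return this.cookies.has(name); }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.consent = null;  // { categories: Set, sites: Set, recordedAt }
    this.pending = [];    // cookies held back until consent covers them
  }

  // Ask to set a cookie. Returns "set" or "deferred"; nothing non-essential
  // is written on first visit.
  request(cookie) {
    if (cookie.category === CATEGORY.STRICTLY_NECESSARY || this.permits(cookie)) {
      this.jar.set(cookie.name, cookie.value);
      return "set";
    }
    this.pending.push(cookie);
    return "deferred";
  }

  // Consent covers a cookie only if its category was agreed to and, for a
  // cookie used on more than one site, every one of those sites was disclosed.
  permits(cookie) {
    if (!this.consent || !this.consent.categories.has(cookie.category)) return false;
    return (cookie.sites || []).every((site) => this.consent.sites.has(site));
  }

  // Text for the consent dialog: what each deferred cookie is for and where
  // it will be used, so the consent obtained is informed rather than implied.
  disclosure() {
    return this.pending.map((c) => {
      const where = c.sites && c.sites.length ? ` on ${c.sites.join(", ")}` : "";
      return `${c.name} (${c.category}): ${c.purpose}${where}`;
    });
  }

  // Record explicit consent and release the deferred cookies it now covers.
  // Returns how many cookies are still held back.
  grantConsent({ categories, sites = [] }) {
    if (!Array.isArray(categories) || categories.length === 0) {
      throw new Error("consent must name at least one cookie category");
    }
    this.consent = {
      categories: new Set(categories),
      sites: new Set(sites),
      recordedAt: new Date().toISOString(),
    };
    this.pending = this.pending.filter((c) => {
      if (!this.permits(c)) return true;   // still not covered: keep waiting
      this.jar.set(c.name, c.value);
      return false;
    });
    return this.pending.length;
  }
}

// Worked run with constructed cookies: the basket cookie is set at once, the
// analytics cookie is released by consent, and the cross-site advertising
// cookie stays deferred because one of its sites was never disclosed.
function demo() {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar);
  gate.request({ name: "basket", value: "b1", category: CATEGORY.STRICTLY_NECESSARY, purpose: "shopping basket" });
  gate.request({ name: "stats", value: "s1", category: CATEGORY.ANALYTICS, purpose: "site analytics" });
  gate.request({ name: "adid", value: "a1", category: CATEGORY.ADVERTISING,
                 purpose: "behavioural advertising", sites: ["shop.example", "ads.example"] });
  const stillPending = gate.grantConsent({
    categories: [CATEGORY.ANALYTICS, CATEGORY.ADVERTISING], sites: ["shop.example"] });
  return { basket: jar.has("basket"), stats: jar.has("stats"), adid: jar.has("adid"), stillPending };
}
```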

Techblogger article on digital participation in Scotland in new Scottish policy magazine

For those of you not on Twitter, I have an article in the launch edition of a new online magazine called Scottish Policy Now.

The magazine aims to provide regular news and analysis of changing government policies; regulation; initiatives and legislation and the impact of all of these on Scotland and people living in Scotland. The first issue looks at digital participation in Scotland, and follows up last month’s GovCamp Scotland conference.

You can read my thoughts on some of the policy and legislative changes that I think need to be implemented in Scotland in order to increase digital participation in Scotland by following this link. I look at the effective use of IT in the public sector, broadband infrastructure, e-accessibility and the need to effectively lobby the Westminster government and Europe on future legislation and policy.

Happy birthday BS8878 – some thoughts on the first year

Jon Hassell, the lead author of BS 8878, contacted me last week asking me to provide some thoughts towards a blog he was pulling together with views from industry experts on its first year. BS 8878 is the British standard that provides a code of practice for commissioning accessible websites and web products. You can read more about it in this blog.

Jon kindly included some of my comments in his blog, which was published earlier today. Here is the long form version of what I said:

BS 8878 is undoubtedly a useful tool for providing organisations with a framework to follow when commissioning new websites and apps. In turn, this makes it an important tool in assisting organisations with complying with their obligations under the Equality Act 2010.

BS 8878 is unusual in that it is a British standard that has been driven primarily to help promote and improve equality and compliance by service providers, employers and educational institutions with their legal obligations under equality law. Often standards come into existence to codify/bring together good practice, and provide an objective way of comparing organisations or easily referencing a requirement in a contract, but it is less common for them to emerge to assist with complying with law. From a lawyer’s perspective, BS 8878 exists because, unlike the building of physical premises, the law does not mandate specific accessibility requirements when building a website. It is true to say that BS 8878 does not do that either, but it does at least provide website operators with a process to follow, issues to consider, questions to ask, and pointers to external technical guidelines like the W3C’s WCAG.

BS 8878’s current standing
But BS 8878 currently sits in an awkward place.

The development of its predecessor, PAS 78, was funded and led by the Disability Rights Commission (DRC), giving endorsement from the organisation mandated with promoting compliance with the Disability Discrimination Act (and therefore implicitly saying “follow this and you’ll be ok”). However, the successor body to the DRC, the Equalities and Human Rights Commission (EHRC), did not appear to formally participate in the development of the successor standard. So, whilst BS 8878 is mentioned (here and here) on the EHRC website, it is not formally referenced in any of the codes of practice issued by the EHRC. This is despite the EHRC’s code of practice for service providers being published three months after the launch of BS 8878. I look forward to the EHRC updating its statutory codes of practice to include a reference to BS 8878 and provide organisations with clear guidance on what it expects.

The need for education
It is clear that there is still work to be done on educating people on the use of BS 8878. When referring to it in a recent blog, I was asked why I hadn’t referred to the W3C’s WCAG instead. My answer was that whilst that particular blog may have had a techie slant to it, the majority of people involved in procuring web and app design services (or responsible for internal legislative compliance) will find BS 8878 a far more accessible (no pun intended) document than the W3C’s technical guidelines, and one that provides a framework going beyond a list of technical design requirements. BS 8878 emphasises, and this is important, that simply complying with the WCAG guidelines is unlikely to meet the requirements of the Equality Act. As BS 8878 explains, organisations can’t simply carry out an automated tick-box check of the HTML, but instead need to user test the site or app itself to ensure that it actually is accessible.

So happy birthday BS 8878. It’s been a good first year, but there is still much work to do to explain to the world how you fit into the legislative framework and to educate people on your true purpose.

IT upgrades and the Christmas change freeze

The BBC is today reporting that a number of glitches with the Royal Mail’s website are causing disruption to customers in the run up to the pre-Christmas posting cut-off dates.

The problems are affecting apps on the website that allow customers to calculate the prices of letters and packages. The problems also appear to be affecting services that allow customers to pay for postage online and print out smart stamps.

Here’s what the Royal Mail says about it:

A Royal Mail spokesman said that the shutdown had been caused by a shift of online services to a new server – a process that had been ongoing for 18 months…He said the migration problems had not been anticipated before Christmas.

I can imagine the Royal Mail has a lot of unhappy customers at the moment. It seems that online retailers and mail order businesses are being particularly hit, as they use the systems when fulfilling orders. They are presumably having to use the Royal Mail’s competitors to fulfil those orders, which won’t be good for the Royal Mail’s business.

It is for this reason that most businesses operate a “change freeze” on their IT systems around their busiest times of the year (for example the run up to Christmas for any retailer, Valentine’s Day for online florists, bank holidays for banks providing ATMs and transaction processing). No matter how much planning is done, IT projects often encounter unanticipated problems, and once the damage is done it is very difficult to roll back to the previous release.

It is therefore just sensible practice to ensure that no system upgrades or modifications take place during or in the run up to those key periods.

Note that this doesn’t just apply to your internal IT systems, but also those of your key contractors and suppliers. Do your contracts make sure that your contractors don’t implement major changes at the time when you are most reliant upon them?
