Archive for the 'Confidentiality' Category

Kim Dotcom and Mega: Legal FAQs

You’re probably familiar with Kim Dotcom, the German-Finnish internet entrepreneur who currently resides in New Zealand, and is being pursued by the US Department of Justice regarding accusations of a “Megaupload” business empire built on rampant infringement of US copyright laws and the Digital Millennium Copyright Act. 

Much of what is currently being written about Mr Dotcom simply churns trite facts without actually offering much in the way of explanation.  I thought a blog which answered some of the main questions would be helpful.

How does the US have jurisdiction over Megaupload?
Why would Megaupload Limited, with its registered office in Hong Kong, be subject to US copyright laws and to the Digital Millennium Copyright Act?  The answer is that Megaupload deliberately carried out business in the US and with US residents.  The site leased more than 1,000 servers in North America (525 were at Carpathia Hosting, which received $13 million from Megaupload).   

Wired provides great analysis here, but the general principle is that individuals and companies can’t gain the benefits of doing business in a jurisdiction without complying with its laws and being subject to its enforcement efforts – assuming that the jurisdiction can get its hands on you in “terrifying real life”. Which brings us to extradition!

Will Dotcom be extradited?
Under New Zealand’s Extradition Act, any request for extradition from New Zealand must relate to an “extraditable offence” which is defined as an offence that:

  • Carries a maximum penalty of not less than one year’s imprisonment in the requesting country; and
  • Involves conduct that would be regarded as criminal had it occurred in New Zealand, and would have carried a similar penalty

Unfortunately for Kim Dotcom, breach of copyright is just as illegal in New Zealand as it is in the US. 

Part 3 of the Extradition Act also provides a mechanism by which the requirements to provide evidence establishing a prima facie case in support of the extradition request can be replaced by the simpler “record of the case” procedure. This mechanism is available to select countries, including the US.  (A guide to New Zealand extradition prepared by the New Zealand Ministry of Foreign Affairs and Trade can be read here.)

Nevertheless the US is struggling to extradite Dotcom and is also struggling to make its case against Megaupload and the “conspirators” (Dotcom and various associates).  Dotcom actually received an apology from the Prime Minister of New Zealand for illegal surveillance.  A helpful timeline of the various legal twists and turns can be read here.

What’s the new service that he’s offering?
Kim Dotcom has launched a new service, Mega, which he says is distinct from Megaupload, and which he also insists is legal.

Mega is offering all users 50GB of free cloud storage, making it a potentially compelling competitor to the likes of Dropbox (2GB free) and SkyDrive (7GB free) — if you’re not worried about the service getting shut down like its predecessor.

Mega offers client-side encryption, meaning that (arguably) even Mega doesn’t know what is on the files that clients upload.  The only way a client file can be decrypted is if the client makes both the encrypted file and also the private encryption key publicly available.  This would presumably breach acceptable use of Mega, and Mega also has in place a take down process similar to what other content sharing websites (such as YouTube) offer, and which is required under US law in order for the website operator to qualify for “safe harbor” protection from copyright infringement claims.

Of course, the predecessor site Megaupload had a take down process as well, so this leads us to the next obvious question.

Is Mega legal?
Dotcom still insists that Megaupload was legal, despite the US Department of Justice’s claims that Megaupload’s overall operating model was geared towards criminal intent, because:

  • the vast majority of users did not have any significant long term private storage capability;
  • continued storage was dependent upon regular downloads of files occurring;
  • files that were infrequently accessed were usually rapidly removed, whereas popular downloaded files were retained;
  • only a small portion of users paid for storage subscriptions, meaning that the business was dependent on advertising revenue, and displaying adverts to downloaders;
  • an incentive programme was adopted encouraging the upload of “popular” files in return for payments to successful uploaders; and
  • (potentially most damning of all) there was a comprehensive take down process in use for child pornography and terrorist propaganda, but this same take down process was not deployed to remove infringing content.

Initial impressions would suggest that Mega does not share these strategies.  Certainly Dotcom would have to be incredibly foolish to not apply the take down process this time around.  In fact, it’s perhaps a credit to Dotcom’s slick advertising/media persona, and Mega’s attractive user interface, that initial bloggers thought Mega would “dismantle copyright forever”.

As Jonathan Bailey succinctly puts it (in by far the best analysis of Mega which I have read):

where Megaupload provided incentives and tools that encouraged users to upload (often illegal) files for mass download, Mega does not and in fact has a structure and service that puts barriers up against mass downloading of files, legal or otherwise.

What is certain is that we can expect plenty of fun and games over the next few months. 

When Mega launched this week as “The Privacy Company” their claims of super-security were bound to come under the highest levels of scrutiny (some cloud providers definitely perform better than  others in the security stakes – see my colleague Leigh’s analysis).  Yesterday the story was that Mega’s encryption was substandard, today the story (which is emerging as I write) appears to be some form of encryption prize – Kim Dotcom himself has just Tweeted:

We welcome the ongoing #Mega security debate & will offer a cash prize encryption challenge soon. Let’s see what you got ;-)

Who knows what tomorrow will bring?

John-McGonagle

European Commission considers reform of laws protecting business/research knowhow

The European Commission has announced a consultation on the effectiveness of laws protecting business and research knowhow.

Knowhow and trade secrets
The Commission notes that in many instances the protections offered by many forms of intellectual property rights are only available in certain circumstances, or are costly to apply for and/or maintain.

An inventor of a patentable invention will also need to keep the invention secret until the patent application is made (because inventions that form part of the prior art (ie they are in the public domain) cannot be patented). A failure to do this is likely to mean that the invention is not patentable, in which case the commercial value of the invention may be lost.

For this reason, many organisations protect their intellectual assets by keeping them secret, and rely upon contractual and common law confidentiality undertakings, and other remedies such as those for espionage and theft. Confidentiality undertakings can be enforced by obtaining a court order to stop the recipient of confidential information from using that information, and by seeking compensation for damages.

The limits of confidentiality undertakings
However, these remedies are of limited use. For example, no exclusive rights to use the information are granted, and it is not possible to stop someone else creating the same knowhow (for example, by independent research or reverse engineering) and marketing it in parallel.

This means, for example, that there would be nothing to stop me independently coming up with the recipe for Irn Bru (a trade secret) and marketing the product myself (as long as my branding of the product did not infringe AG Barr’s trade marks).

In addition, the way in which trade secrets and knowhow are protected varies between different member states. This means that such information is not always properly protected in cross border business, and the law may not act as a sufficient deterrent against misappropriation.

The Commission is concerned that this could dissuade organisations from sharing confidential business information with business partners in other member states, who might otherwise be able to help develop innovative products.

The consultation
The Commission is therefore looking for views on how the law currently operates and how trade secrets and knowhow are used by organisations, with a view to considering reform of the law in this area.

The consultation closes on 8 March 2013.

Martin Sloan

The joke’s on Twitter – conviction quashed in the Twitter joke trial

Did you hear the one about the guy on Twitter who joked about an airport?  He experienced some turbulence.

The High Court in London has quashed the conviction of a man who was originally found guilty of sending a “threatening” tweet.

Paul Chambers was found guilty in May 2010 of sending a “menacing electronic communication” after he tweeted to his 600 Twitter followers:

Crap! Robin Hood airport is closed. You’ve got a week and a bit to get your shit together, otherwise I’m blowing the airport sky high!!

Mr Chambers has maintained that his tweet was obviously a jovial expression of his frustration at the airport closing due to heavy snow.

Did you hear that the guy who threatened the airport on Twitter was cleared?  He must have friends in high places.

“Out of date”, was the verdict of Lord Judge.  Surprisingly he wasn’t referring to Stephen Fry and Al Murray, both of whom attended court in support of Paul Chambers.  Lord Judge was actually admonishing the Communications Act 2003 under which Mr Chambers was charged.

Section 127 of the Act makes it an offence to send “by means of a public electronic communications network” a message that is grossly offensive or of an indecent, obscene or menacing character. The Crown Prosecution Service’s website, in its guidance on Communications Offences, advises that section 127 should be used for indecent phone calls and emails, but doesn’t refer to Twitter – mainly because Twitter hadn’t been invented when the legislation was enacted.

Why did the guy on Twitter threaten to bomb Robin Hood Airport? He wanted to steal from the rich and fly to Darfur.

The decision is a common sense one, but also a reminder of the perils of social media and the ease with which flippant comments can be misconstrued. There has already been £90,000 worth of libel damages for a 24 word tweet.

In particular employers would be advised, if they have not already done so, to implement a policy on the appropriate use of social media. The ACAS guide “Workplaces and Social Networking: The Implications for Employment Relations” offers guidance as to good practice.

And for all the lawyers who visit Brodies Tech Blog to keep up to date, I would refer you to the Law Society of Scotland’s recent guide “Social Media – Advice and Information for the Legal Profession”.

Remember, different businesses will require different policies, depending on the extent to which each business expects its staff to utilise social media. Brodies’ technology and employment lawyers can help you to develop an appropriate policy for your business.

Heard the one about Twitter accounts being anonymous?   The Net is tightening…

In the case of Paul Chambers, he didn’t seek to disguise his identity and was therefore easy for the authorities to identify. 

But what about Twitter users who definitely wish to stay anonymous (and aren’t just vicious internet trolls, who deserve no anonymity)?  A good local example would be whoever is running @rangerstaxcase, a Twitter account and blog that has won awards for publishing stories regarding the financial scandal at Rangers Football Club which the mainstream Scottish press failed to address.

At present the owner of spoof Twitter account @UnSteveDorkland, which makes fun of Northcliffe Media Limited’s chief executive Steve Auckland, is trying to prevent Twitter from revealing his details.

We wrote last year about the legal means of compelling Twitter to surrender details of account holders, in the context of Ryan Giggs and tweets about his super injunction which he wished to suppress.

It’s still not clear if Twitter will always co-operate in such circumstances.  Nevertheless these developments create the impression that, while a presumption of anonymity on Twitter isn’t yet a joke, it is under serious threat – and that can’t be good for Twitter in the long term.

(Rubbish jokes are all my own.  For lots more, and some occasional legal comment, follow me at @denislawyer.)

Overriding Confidentiality

The recent case of Gray Construction v Harley Haddow (which can be found here) in the Court of Session has given some useful guidance on the circumstances in which a Court may order confidential documents to be disclosed and the balancing of confidentiality with the administration of justice.

Background

In the case, Harley Haddow (“HH”) applied to the Court for disclosure of documents held by Gray Construction (“GC”) relating to an arbitration between GC and the National House Building Council (“NHBC”).  The documents contained the subject matter of the arbitration, the parties’ pleadings and the terms on which the arbitration was settled.  GC had commenced an action against HH to recover the sums which it had spent in the arbitration with NHBC, including the settlement sum it had paid to NHBC of £110,000. 

The Judge, Lord Hodge, had no difficulty ruling that the documents which HH were trying to recover were confidential.  Although there was no case  law on this point, he said that the nature of arbitration was such that confidentiality was implied and the parties would have expected the documents disclosed (which were not otherwise publicly available) to be protected by confidentiality.  Moreover, confidentiality and privacy were amongst the main attractions for parties to try to resolve disputes via arbitration. 

The circumstances in which confidentiality can be overridden

Notwithstanding this finding, the Judge ruled that confidentiality in this context was not absolute and could be overridden in certain circumstances, for example, in the interests of justice.  In this case, in order to defend itself in the Court action, HH argued that it required to investigate the pleadings in the arbitration between NHBC and GC and the circumstances in which the settlement was reached.  GC argued that instead of disclosing the documents it could produce a sworn statement from its solicitor who advised it on the arbitration and that this evidence could be tested in cross examination.  The Court had to consider therefore whether HH could reasonably and fairly prepare its defence without the disclosure of the confidential documents and/or whether the information/documentation could be obtained from an alternative source.

The decision

The Judge ruled that it would not be fair to allow HH to rely only on the evidence of GC’s solicitor as this could mean that facts about the arbitration and settlement only emerge for the first time at the trial.  Moreover, GC had not yet produced such a sworn statement and the date for the Court trial had been provisionally set for around 3 months from the date of HH’s application for disclosure of the confidential documents.  Accordingly, the Judge ordered the documents to be disclosed under the proviso that the documents could only be used for the purpose of the Court action.

Comment

It is always sensible to try to ensure that confidential documents are protected and are not disclosed except in circumstances in which their confidentiality is maintained.  However, this case is a useful reminder that the right to confidentiality is not always absolute and it can be trumped by, for example, the interests of justice.  It is also important to bear in mind that the documents which were ordered to be disclosed in this case had no ‘inherent quality of confidence’.  They were only confidential because they were disclosed in the context of the arbitration.  If, for example, the documents contained trade secrets or client lists, the decision of the Court may have been different.

Mark Cruickshank

Law Society cloud computing guidance: extra tips

The Law Society of Scotland recently issued guidance on cloud computing services following consultation with law firms, in-house counsel and cloud providers.

While some of the guidance inevitably reflects the particular duties that law firms owe to clients and regulators, the advice is clear and legible, there are no rubbish cloud puns, and overall it’s a valid read for any individual or organisation considering the acquisition of cloud computing services.  

There are however a few extra tips which it won’t hurt to mention.

Applicable law

Surprisingly, the guidance doesn’t mention applicable law and/or jurisdiction. Even a largely favourable contract may not be worth the paper it’s written on if you have to travel to a foreign country to enforce it, and the vast majority of cloud providers will typically offer the law of a particular US state as the choice of law in their standard terms.

Choice of law is usually more significant for UK SMEs or corporate customers because, unlike consumers, they won’t necessarily be protected from terms imposing a foreign legal system. (A further disadvantage of contracting on terms governed by US law is that they usually contain very broad disclaimers of warranty and/or limitations of liability.)

Data back-up

The Law Society guidance refers to back-up of data, noting that “you should carefully examine the SLA for the frequency the cloud provider will back up your data to a separate site”. I would go slightly further and say that you should check whether there is an obligation on the provider to back up data at all!

Some providers state that data integrity will only be guaranteed where the customer has paid for additional backup services, while others expressly disclaim the fitness of their services for back-up purposes! It’s therefore important that you understand who is responsible for maintaining back-ups, and if the provider’s offering is not sufficient what alternative steps can be taken.

Encryption

Under the heading “responsibility for security” the Law Society guidance encourages firms to understand “the measures you can take to protect the security of your data”. Again, it may be necessary to go even further, and make sure that there are no express statements in provider terms which either disclaim any duty of confidentiality, or oblige the customer to use encryption.

If I have piqued your interest in the cloud, the Law Society is holding a Cloud Computing Glasgow event next Tuesday. I may see you there.

Not all clouds have silver linings – how information security varies between cloud providers

You may have read in the press that Google has entered into its biggest cloud-hosting deal to date. And surprisingly this deal is with one of Spain’s largest banks, BBVA.

The fact that a bank is signing up to Google Enterprise Apps for email and other collaboration services could be taken as a considerable endorsement – banks are, by nature, very security-centric: they have to ensure that they comply with strict information security and regulatory requirements. On this basis banks normally use their own servers to store and share data.

This is what makes the BBVA / Google deal so surprising. BBVA’s data will be stored on one of Google’s public servers, rather than on a private server. BBVA will initially only use Google Apps for “internal communications” (with customer data and systems continuing to be hosted only in BBVA’s dedicated data centres), but it is assumed that over time BBVA may move more and more data to the cloud.

While I suspect that BBVA may have agreed a tailored solution and not signed up to Google Enterprise’s general terms and conditions, the standard Google Enterprise offering (as opposed to the free to use standard version) is rather attractive for businesses considering moving to the cloud, and in particular, using a cloud solution for data sharing and storage, such as Google Apps.

How safe is it to store data using Google Apps?
When storing data to an external server you have to make sure the data will be secure.

From an information security perspective Google Apps for Business has pretty good security credentials, so much so, that some of the US Government Departments use it. Google Apps is actually FISMA certified as being a secure way to store and share data. Google has also obtained an SSAE 16 Type II report (an independent audit) confirming that Google Docs actually adheres to the security controls it has in place and that these systems are operating effectively. The SSAE 16 report may give potential customers reassurance in relation to the effectiveness of Google’s security measures.

The other key information security concern for organisations is compliance with data protection rules and the security of personal data. Google Apps is currently hosted in the US and Europe, but Google Inc is a member of the US Safe Harbor Scheme. This is a US Federal Trade Commission scheme that allows US companies to certify compliance with a set of rules approved by the European Commission as being equivalent to the requirements of the EU Data Protection Directive.

This is important for organisations subject to EU data protection controls, as a transfer to an organisation that meets the Safe Harbor requirements allows the organisation to comply with the eighth data protection principle (which restricts transfers of data outside the EEA) without the need for putting in place model form contracts or making a finding of adequacy. This will give considerable comfort to users of Google Apps in relation to any personal information that they store in the cloud.

However, potential customers should still be aware that Google may be obliged, under the Patriot Act, to disclose information stored in Google Apps to the US authorities.

How do other cloud services compare?
The fact that BBVA is using Google Apps should not be taken as a green light for companies to store confidential, commercially sensitive or personal data on a similar cloud-computing solution. Google Apps is unique in terms of the FISMA and Safe Harbor accreditation and a number of cloud storage alternatives, such as Dropbox, simply don’t compare.

Dropbox – Information security risks
Dropbox and similar cloud-drive services are becoming an increasingly popular option for storing and sharing large files and for accessing documents from multiple devices. But, looking at the Dropbox terms and conditions, it appears to pose a number of potential information security risks which users may be overlooking.

Storing information
Firstly, Dropbox doesn’t have the greatest reputation as far as security is concerned.

Putting hacking to one side, there is a lack of certainty over what happens to your data once you remove it from the system. Normally, when you are storing confidential information on a third party’s system you want the comfort that at your request all of the confidential information is permanently deleted from the system. However, the Dropbox terms and conditions state that they are ‘likely’ to continue to hold the information on their back-up systems once you have deleted the data.

Releasing information
Another key concern is how readily Dropbox will share your data (confidential, personal or otherwise) with third parties. While there is a general obligation to release information when ordered to do so by a court order, Dropbox will seemingly release your files rather readily. In comparison, Google will inform you of the request and give you the opportunity to object.

Lack of independent certifications
Most importantly for potential customers within Europe, Dropbox states that it does not have Safe Harbor certification, nor is it able to provide a SAS 70 or SSAE 16 report in respect of its information security measures. This causes problems from a data protection perspective, and also means that there is no independent verification of the controls that Dropbox claims to have put in place.

The moral of the story is that you should carefully consider what data you are uploading to a data sharing  cloud – particularly if it is commercially sensitive or personal information – and, as boring as it is, read the site’s terms and conditions and carry out some due diligence on how your information will be protected.

Leigh Kirkpatrick

News International and hard drive shredding – why it’s good information security practice

I read in the papers at the weekend that, following an office move, News International last year “shredded” most of the computers used by a large number of News of the World staff.

Leaving aside whether this was a prudent thing to do given the phone hacking allegations and court cases, shredding a hard drive is one of the best ways of securely destroying information. (I love the photos on that website – you really can shred metal).

I blogged about this last year. The problem with erasing data from a drive is that the data recovery people are becoming ever cleverer at reconstructing data. It’s essentially an arms race between data destruction and data reconstruction.

So if you want to make sure data definitely has been deleted then you need to either shred the drive or follow something like the US Department of Defense erase/rewrite standard.

Destruction of disks is something that should be addressed in an organisation’s information security policy, and appropriate requirements specified (or referenced) in any outsourcing or services agreement under which a supplier is processing personal or confidential information.

So whatever the News of the World’s other failings might have been over the years, it’s good to see that their information security policy is robust and ensures that data is properly and completely destroyed, such that it cannot ever be reconstituted.

Giggs, Twitter and Unmasking Anonymous posters

There are lots of interesting legal angles to the current storm in relation to super injunctions, and the Brodies’ public law team has already blogged about some of them (including the question of whether the Sunday Herald was caught by an English super-injunction).

However, I wanted to pick up on the action taken by Ryan Giggs against Twitter in order to get Twitter to give details of the Twitter users who were naming him as a super injunction holder.

This is not unusual. Quite often a party (or brand owner) objects to on-line comments made under cover of a user name (such as @BrodiesTechBlog on Twitter). However, in order to go to Court against that user you need more than a username, you need the actual name and address of the poster.

How do you get that name and address?

Well, you could ask the hoster, i.e. the person who hosts the relevant forum (in the Giggs case Twitter), to disclose the name and address. However, most hosters won’t give up this information unless compelled to by a Court Order (because of the fear of breaching data protection law).

So you raise proceedings against the hoster to get that court order. Typically the hoster won’t defend that action (in order to minimise costs). (In fact yesterday the European boss of Twitter confirmed that Twitter would comply with any court order to disclose personal details of users.)

In England these orders against hosters are known as Norwich Pharmacal orders (after the first case in which they were used).   Scotland provides for a largely parallel type of order.

My experience is that because the actions are not typically defended by the hoster you can get the order quite quickly/cheaply, and when presented with a Court order the hoster will cough up the information fairly quickly.

Of course all that legal work only gets you the name and address of the person you actually want to sue!  It also assumes that the information the hoster holds is complete and accurate (it’s pretty easy to set up a fake email address).

One final word of caution. Quite often suing an online “nutter” is much more trouble than it is worth because the nutter will: (i) become more determined/vitriolic; and (ii) use the fact that you are taking court action to paint you as a bully or having “something to hide”. To put it another way, when thinking about enforcing legal rights always remember the PR angle (something that certain footballers would be well advised to consider in the future).

HOLLYWOOD HACKING: WIKILEAKS

“Hollywood Hacking” is the trusty cinema cliche whereby a geek with a laptop hits lots of buttons on his keyboard very quickly, says “we’re in” (or something similarly breezy), and gains access to the military system/bank account of his choosing. While Hollywood Hacking is usually very silly and completely unrealistic, the current Wikileaks saga is actually happening right now, in real life, and there’s more than a touch of unbelievable Hollywood Hacking about the whole tale.

As you’ll probably be aware, Wikileaks is the whistleblowing website that last week made available for download more than 250,000 confidential U.S. diplomatic cables. The cables contain correspondence between American embassies throughout the world and the U.S. State Department, and their contents are proving to be highly embarrassing for the U.S. Government and its allies.

Wikileaks founder Julian Assange has been placed on Interpol’s Most Wanted list (for “sex crimes” being investigated by the Swedish authorities, although the US government is also investigating if espionage laws were broken), and the Wikileaks website is under continuous heavy attack from unidentified and mysterious “internet hackers”.

These hackers are bombarding the site, or more accurately, the computer servers which hold or “host” its content, with “Distributed Denial of Service” (“DDoS”) attacks of unprecedented ferocity. (In DDoS attacks incoming messages flood the target system and force it to shut down, thereby denying legitimate users access to the system.)

In an attempt to defend itself, Wikileaks moved last week from smaller internet providers to a larger one whose servers would be more likely to withstand a DDoS assault. Wikileaks’ provider of choice was Amazon.com and its much-vaunted EC2 cloud computing system, which operates on vast banks of computers, meaning that network capacity can be quickly scaled up or down to meet surges in traffic. The tactic was working well for Wikileaks until Amazon.com decided on Thursday to kick them out.

In a blogpost, Amazon.com denied that it was acting under pressure from politicians, saying WikiLeaks had breached its terms by not owning the rights to the content it was publishing. (I imagine Amazon.com might also have been a bit nervous about potential liability for the illegally sourced cables.)

The wikileaks.org web address was then withdrawn from Wikileaks because its domain name service provider EveryDNS.net claimed that WikiLeaks had violated part of its Acceptable Use Policy, which requires members not to “interfere with another member’s use and enjoyment of the service or another entity’s use and enjoyment of similar services.” WikiLeaks had interfered with other members’ service because, said EveryDNS, “wikileaks.org has become the target of multiple DDoS attacks. These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites.”

Wikileaks’ solution has been to move to Switzerland, with a new domain wikileaks.ch.  The domain name is registered by the Pirate Party of Switzerland, associated with an IP address in Sweden, and points to a web address in France (where the Wikileaks documents are actually believed to be hosted).  If wikileaks.ch is also withdrawn, Wikileaks has announced that content will still be accessible by bypassing the DNS look-up and typing in Wikileaks’ actual IP address: http://88.80.13.160/.

Over the weekend online payment service provider PayPal cut off the WikiLeaks account, eliminating one of the easiest means for donors to send money to the organisation. It’s simply impossible to tell what’s going to happen next!   The latest development is that Julian Assange is under arrest, having voluntarily reported to a police station in central London this morning.

Who said Tech Law was boring? Hopefully in the inevitable Hollywood dramatisation of the saga there will at least be a cheeky cameo of yours truly writing this blog.

The Stig, confidentiality and trade marks

I’ve been following the recent story about a battle between the BBC and HarperCollins over whether or not The Stig’s real identity can be revealed in his planned autobiography. For the purposes of this blog, I’ll refer to him as “Mr X”.

For those who are not fans of the BBC’s Top Gear programme, The Stig is the show’s “tamed racing driver” – known only by his white overalls and white helmet (which he never removes). The BBC maintains that revealing his identity would “spoil viewers’ enjoyment of the show.”

What’s the issue?
At play here is a conflict between the contractual obligation of confidence given by Mr X in his contract with the BBC and Mr X’s attempt to cash in on the fame of the character that he plays. Top Gear and The Stig are very lucrative for the BBC, but newspaper reports suggest that Mr X does not do as well out of this as his fellow presenters.

However, an autobiography about being The Stig is likely to be hugely successful.

Pseudonyms and trade marks
Interestingly, there is no (legal) reason why The Stig could not publish his autobiography under a pseudonym. Section 77 of the Copyright, Designs and Patents Act 1998 specifically provides that moral rights (the right of an author to be named every time a work is published) can be asserted using a pseudonym. However, “The Stig” is a registered trade mark of the BBC, and therefore any attempt to publish an unauthorised book under that pseudonym would infringe that trade mark.

So Mr X is rather stuck. Contractually, he cannot publish his autobiography under his real name, and trade mark law is likely to prevent him from publishing his autobiography under his on-screen alter ego.

This may seem unfair, but The Stig brand is owned by the BBC, and Mr X is contracted to the BBC to play that role under a condition of anonymity. The BBC is therefore simply doing what any brand owner would do to prevent third parties from cashing in on, or damaging, its brand.

So what next?
It will be interesting to see how the battle between the BBC and HarperCollins pans out. A Google News search shows plenty of newspapers revealing Mr X’s suspected identity, and HarperCollins’ argument is that his identity is now no longer confidential. Whilst this might make a common law obligation of confidence no longer enforceable, it may not be as simple as that for a contractual obligation.

I see that the case has been adjourned for a week. I expect that those discussions will lead to the autobiography being published under the pseudonym of “The Stig” (with the BBC getting a cut of the royalties) or Mr X being allowed to publish his autobiography under his own name, but on the condition that (as with Mr X’s predecessor, The Black Stig) he leaves the show and is replaced by a new Stig.

Anyone want to have a guess at what colour he will be?

