Tuesday 28 September 2010

Norwich Pharmacal orders and file-sharing

Attention has suddenly focused on the arcane but highly significant topic of the Norwich Pharmacal order. Quantities of ISP customer details apparently linked to Norwich Pharmacal orders obtained in pursuit of alleged unlawful file-sharers have leaked onto the internet following a denial of service attack against the website of solicitors ACS Law. And last week Chief Master Winegarten was reported to have adjourned an application by Ministry of Sound for a Norwich Pharmacal order against a number of ISPs after receiving letters expressing concern from members of the public.

The Norwich Pharmacal procedure is available when someone wants to sue in respect of some wrong, but does not know who did it. If an innocent third party is in possession of information that can identify the alleged wrongdoer, then the plaintiff (in England we are supposed to call them claimants, but let’s stick to the terminology familiar to the rest of the world) can ask the court to order the third party to produce the identifying information. If the court grants the order the plaintiff is then able to pursue legal action against the alleged wrongdoer on the basis of the disclosed information.

So a copyright owner may have gathered evidence that someone has been infringing its copyright, say using P2P file-sharing software to upload a music file.  But if the only identifying information is an IP address, the copyright owner can ask the court to grant an order against the internet service provider requiring it to disclose details of its customer to whom it allocated the IP address at the time of the upload.

In principle the Norwich Pharmacal procedure, or something like it, is a valuable aid to achieving justice. However it is inherently intrusive, and has the potential to wreak injustice if it is applied with insufficient safeguards.

The present controversy has the potential to expose some weaknesses inherent in the procedure. Here are a couple.

First, there is no mandatory requirement that the person whose identity may be disclosed should be notified of the court application and have a chance to make anonymous representations. However it may be possible to make such a notification. In 2001 the Court of Appeal in Totalise v Motley Fool said that the intermediary (in that case a website operator) can, where appropriate, “tell the user what is going on and offer to pass on in writing to the plaintiff and the court any worthwhile reason the user wants to put forward for not having his or her identity disclosed”.

Aldous LJ went on to say: “Further, the Court could require that to be done before making an order. Doing so will enable the court to do what is required of it with slightly more confidence that it is respecting the law laid down in more than one statute by Parliament and doing no injustice to a third party, in particular not violating his convention rights.”

However this has not become standard practice and indeed appears to happen hardly at all, if ever. This is in contrast to US procedure, where the plaintiff has to bring its claim against an anonymous ‘John Doe’ defendant and seek to subpoena the third party. The procedure allows the anonymous defendants to be notified and to make representations about whether the subpoena should be ordered without identifying themselves.

Second, in file-sharing cases the evidence is highly technical. The only explanation of the technical aspects before the court is likely to be the evidence adduced on behalf of the applicant, since many ISPs take a neutral stance and, while not consenting to the order, neither file evidence nor appear at the hearing. The procedure depends heavily either on the ability of the court to evaluate the evidence, or on the willingness of the ISP to scrutinise the applicant’s evidence and to make representations to the court or the applicant if the evidence appears on the face of it to be inadequate – for instance if it fails to make clear that an IP address can at best identify only the ISP’s customer, not necessarily the alleged infringer.

However an ISP has no particular reason to do more than satisfy itself that it can comply with the order requested.  ISPs are commercial entities, not the appointed guardians of justice. That task falls to the court. But how is the court supposed to assess the evidence in front of it in the absence of any opposing party, or even of an independent amicus curiae? Perhaps this would be a suitable case for the court to use its power to appoint a technically qualified assessor to sit with and assist the court.  In the 4th edition of my book Internet Law and Regulation I made some suggestions for ‘good practice’ when ISPs receive an application for a Norwich Pharmacal order. But in truth there is no obligation on an ISP to do anything more than stand by and allow the application to proceed to court. As Aldous L.J. said in Totalise v Motley Fool:

“It is difficult to see how the court can carry out this task if what it is refereeing is a contest between two parties, neither of whom is the person most concerned, the data subject; one of whom is the data subject's prospective antagonist; and the other of whom knows the data subject's identity, has undertaken to keep it confidential so far as the law permits, and would like to get out of the cross-fire as rapidly and as cheaply as possible.”

The problem identified by Aldous L.J. has only increased over time. The current controversy may refocus minds on whether the correct balance is being found and, if not, what should be done to restore it.

Saturday 25 September 2010

RIPA and voicemail

Some comment recently over the Metropolitan Police's view that a Regulation of Investigatory Powers Act prosecution cannot be mounted over interception of voicemails after they have been accessed and read by the recipient.   This interpretation of RIPA has been well known ever since the legislation was enacted. It is something of a grey area, since the key question for stored messages under RIPA S2(7) is whether the system is used for storing the message in a manner that enables the recipient to 'collect it or otherwise to have access to it'. It can be argued that this does include opened incoming messages that are left on the system for future reference. However no court has yet had to consider this and the question remains unanswered.  

The main statute governing hacking is the Computer Misuse Act, which is generally much better suited than RIPA to penalising unauthorised access to data stored on computers. RIPA's predecessor (the Interception of Communications Act 1985) only governed communications in transit. RIPA extended the interception regime to some stored communications and created many anomalies in the process.  For instance whatever the position regarding read incoming messages, it is tolerably clear that the RIPA definition of interception does not cover copies of outgoing e-mail messages stored in a Sent folder, since such copies have never been transmitted to a recipient at all.  The anomalies created by RIPA are largely the result of trying to extend principles developed in the era of ephemeral communications (telephone calls) to self-recording communications such as voicemails and e-mails.

This all came up in the context of voice-mail hacking, discussed in the evidence of Assistant Metropolitan Police Commissioner John Yates to the Commons Home Affairs Committee on 7 September 2010. He said (uncorrected transcript): "There are very few offences that we are able to actually prove that have been hacked. That is, intercepting the voicemail prior to the owner of that voicemail intercepting it him or herself." This comment itself illustrates the confusion between hacking and interception. RIPA never was an anti-hacking statute. It was enacted in 2000 to provide a human rights-compliant basis for government interception of communications and to give effect to the communications privacy provisions (Article 5) of the then EU Telecommunications Privacy Directive.

Would it not be better to reinstate the bright line between the offences of intercepting communications in transit (RIPA) and hacking into stored communications (CMA) than to create more confusion by, as has been mooted, extending RIPA yet further into the area of stored communications?

Saturday 24 July 2010

Software Story 3

First there was Navitaire v Easyjet, then Nova v Mazooma. Now we have SAS Institute Inc. v World Programming Ltd, delivered by Mr Justice Arnold on 23rd July 2010, the third in a trilogy of cases grappling with the scope of copyright protection for software under the EU Software Directive.

The cases are notable for their broad exclusion as mere ideas of material such as programming languages and interfaces; and for the courts’ enthusiasm for eliminating the possibility of indirectly infringing copyright in source code or underlying design materials by copying the functionality of software. In this case however, unlike the previous two, Mr Justice Arnold has referred a number of questions to the European Court of Justice.

SAS Institute developed and markets software enabling users to carry out a wide range of analytical and statistical tasks. The SAS software comprises a suite of components. Users are able to create applications that will run with the components by writing scripts in SAS’ proprietary language, SAS Language.

WPL set out to write software (WPS) capable of running user applications written in SAS Language. It did this by studying the published SAS Manuals and the response of SAS Learning Edition to a large number of programs written in SAS Language. WPL developers had not had any access to SAS source code, nor had they copied the text of any SAS source code, nor had they copied any of the structural design of the SAS source code, nor had they decompiled SAS object code. However the WPS software did reproduce elements of the SAS Language such as keywords (words and symbols reserved to the SAS Language) and was able to read and write SAS data file formats.

SAS alleged that WPL had infringed copyright in the following ways:

1. WPL had copied the SAS Manuals when creating WPS and thereby had infringed copyright in the Manuals.

2. By copying the SAS Manuals when creating WPS, WPL had indirectly copied the SAS programs and infringed copyright in the SAS programs.

3. By its use of SAS Learning Edition WPL had contravened the terms of its licence and had thus breached contract and infringed copyright in the Learning Edition.

4. In creating its own manuals and quick reference guides WPL had infringed copyright in the SAS Manuals.

On the second claim, left to himself Arnold J would have followed Navitaire and Nova and found that there was no infringement of copyright in a computer program by copying functionality.

On the first claim, he would have applied similar reasoning to the protection of the Manuals as non-computer programs under the Copyright in the Information Society Directive.

On the third, he would have found that WPL were protected by the Software Directive’s provisions permitting study of the functioning of a computer program in order to determine the ideas and principles underlying it.

However, on all three of these claims he decided that questions of interpretation of the Software Directive should be referred to the European Court of Justice.

The fourth claim, since it concerned direct copying from one document to another, was a relatively straightforward question of ordinary UK copyright law on which Mr Justice Arnold found in favour of SAS in respect of the manuals, but not the quick reference guides.

The WPS quick reference guides, which reproduced lists of keywords from the SAS Manuals, did not infringe – either because the original compilation of keywords formed part of the SAS System and thus the SAS Manual was not in that respect an original copyright work; or because on the facts the list of keywords grew by accretion and was not the intellectual creation of an author or group of authors. Alternatively the use of the keyword lists in the WPS Guides would, had there been sufficient acknowledgment of the SAS Manuals as source, have been protected as fair dealing for the purpose of criticism or review, since its purpose was to compare the functions supported by WPS with those available in the SAS system.

While the precise questions to be referred to the ECJ are yet to be formulated, they will cover these points:

1. Recital (14) of the Software Directive says that “to the extent that … programming languages comprise ideas and principles, those ideas and principles are not protected under this Directive”. In Navitaire Pumfrey J interpreted that as meaning that programming languages were not protected at all. In this case counsel for SAS argued that it did not exclude protection for the expression of programming languages. Arnold J, while not persuaded that Pumfrey was wrong on the point, agreed that guidance from the ECJ was required.

2. Similarly Recital (13) and Article 1(2) of the Software Directive exclude protection for "ideas and principles which underlie any aspect of a computer program, including those which underlie its interfaces”. Pumfrey J in Navitaire interpreted this as meaning that interfaces were not protected in situations not covered by the decompilation provisions of the Directive. Arnold J, while again not persuaded that Pumfrey was wrong on the point, agreed that guidance from the ECJ was required.

3. Pumfrey J in Navitaire and the Court of Appeal in Nova had held that on the true interpretation of Article 1(2) of the Software Directive copyright in computer programs does not protect the functions of the programs from being copied. SAS argued that this was incorrect, particularly having regard to the inclusion of preparatory design material within the definition of Article 1. Arnold J’s view was that there is a distinction between the design of a program (its structure, sequence and organisation) and its functionality, the former being protected and the latter not. However the point should be referred to the ECJ.

4. SAS argued that even if Navitaire and Nova were correctly decided, they applied only to computer programs. SAS claimed that WPL had reproduced substantial parts of the Manuals in the WPS source code. The Manuals were ordinary literary works and the normal rules of infringement should apply, unaffected by the Software Directive.

Arnold J’s view was that it is not an infringement of copyright in a manual describing a computer program’s functions to use the manual as a specification of the functions that are to be replicated and, to that extent, to reproduce the manual in the source code of the new program. Functions were on the wrong side of the idea/expression dichotomy expressed in the Software Directive, TRIPS and the WIPO Copyright Treaty. The Information Society Directive applied to non-computer programs and should be interpreted in the same way as the Software Directive. However the point should be referred to the ECJ.

5. As to the use of SAS Learning Edition, Article 5(3) of the Software Directive provides “The person having a right to use a copy of a computer program shall be entitled, without the authorization of the rightholder, to observe, study or test the functioning of the program in order to determine the ideas and principles which underlie any element of the program if he does so while performing any of the acts of loading, displaying, running, transmitting or storing the program which he is entitled to do.”

SAS argued that this is a ‘for avoidance of doubt’ provision which simply confirms that the acts of observation, study and testing are not infringements provided that the user is licensed to use the program in the manner in question. WPL argued that, provided the user was doing the kind of acts of loading, displaying, running, transmitting or storing that he was entitled to do under the licence, then he could not be prevented from doing those acts for the enumerated purposes of observation etc. Arnold J’s provisional view favoured WPL, but the point was difficult and should be referred to the ECJ, as should the question whether “ideas and principles” has the same meaning as in Article 1(2) of the Directive.

Apart from the questions referred to the ECJ the case is of interest for its treatment of data file formats. On the facts SAS was not able to show that the data file formats were present in their own source code, as opposed to being capable of being generated by it. “There is no evidence that the SAS source code sets out the SAS7BDAT format, as opposed to reading and writing files in that format.” And on the WPL side “It is common ground that WPS is able to read and write files in SAS7BDAT format ... . For the reasons given above, I conclude that this in itself does not constitute an infringement of the copyrights in the SAS Components.”

Of more general significance, however, Arnold J considered that the data file formats constituted interfaces and so were not protectable: “As for the SAS data file formats, I agree that these are interfaces. These are precisely the kind of information which is required by third parties in order to access data stored in those formats for the purposes of interoperability.”

The judgment runs to 112 pages and is replete with examination of the minutiae of the travaux preparatoires of the Software Directive, its relationship to TRIPS and the WIPO Copyright Treaty, and the question whether the idea/expression dichotomy is now part of copyright law as applied to computer programs (yes).

A software engineer (or a lawyer for that matter) could be forgiven for thinking that software copyright shouldn’t be this difficult. Indeed the founder of WPL looked at it rather more simply: “ … he believed as a result of his experience in the industry, and in particular his time at IBM, that there would be nothing unlawful in creating such software provided that WPL did not copy the source code of the SAS System.” Whilst that remains an over-simplification, if the ECJ supports the view of the English courts it will be closer to the truth than ever.