Tuesday, 28 September 2010

Norwich Pharmacal orders and file-sharing

Attention has suddenly focused on the arcane but highly significant topic of the Norwich Pharmacal order. Quantities of ISP customer details apparently linked to Norwich Pharmacal orders obtained in pursuit of alleged unlawful file-sharers have leaked onto the internet following a denial of service attack against the website of solicitors ACS Law. And last week Chief Master Winegarten was reported to have adjourned an application by Ministry of Sound for a Norwich Pharmacal order against a number of ISPs after receiving letters expressing concern from members of the public.


The Norwich Pharmacal procedure is available when someone wants to sue in respect of some wrong, but does not know who did it. If an innocent third party is in possession of information that can identify the alleged wrongdoer, then the plaintiff (in England we are supposed to call them claimants, but let’s stick to the terminology familiar to the rest of the world) can ask the court to order the third party to produce the identifying information. If the court grants the order the plaintiff is then able to pursue legal action against the alleged wrongdoer on the basis of the disclosed information.

So a copyright owner may have gathered evidence that someone has been infringing its copyright, say using P2P file-sharing software to upload a music file. But if the only identifying information is an IP address, the copyright owner can ask the court to grant an order against the internet service provider requiring it to disclose details of its customer to whom it allocated the IP address at the time of the upload.

In principle the Norwich Pharmacal procedure, or something like it, is a valuable aid to achieving justice. However it is inherently intrusive, and has the potential to wreak injustice if it is applied with insufficient safeguards.

The present controversy has the potential to expose some weaknesses inherent in the procedure. Here are a couple.

First, there is no mandatory requirement that the person whose identity may be disclosed should be notified of the court application and have a chance to make anonymous representations. However it may be possible to make such a notification. In 2001 the Court of Appeal in Totalise v Motley Fool said that the intermediary (in that case a website operator) can, where appropriate, “tell the user what is going on and offer to pass on in writing to the plaintiff and the court any worthwhile reason the user wants to put forward for not having his or her identity disclosed”.

Aldous L.J. went on to say: “Further, the Court could require that to be done before making an order. Doing so will enable the court to do what is required of it with slightly more confidence that it is respecting the law laid down in more than one statute by Parliament and doing no injustice to a third party, in particular not violating his convention rights.”

However this has not become standard practice and indeed appears to happen hardly at all, if ever. This is in contrast to US procedure, where the plaintiff has to bring its claim against an anonymous ‘John Doe’ defendant and seek to subpoena the third party. The procedure allows the anonymous defendants to be notified and to make representations about whether the subpoena should be ordered without identifying themselves.

Second, in file-sharing cases the evidence is highly technical. The only explanation of the technical aspects before the court is likely to be the evidence adduced on behalf of the applicant, since many ISPs take a neutral stance and, while not consenting to the order, neither file evidence nor appear at the hearing. The procedure depends heavily either on the ability of the court to evaluate the evidence, or on the willingness of the ISP to scrutinise the applicant’s evidence and to make representations to the court or the applicant if the evidence appears on the face of it to be inadequate – for instance if it fails to make clear that an IP address can at best identify only the ISP’s customer, not necessarily the alleged infringer.

However an ISP has no particular reason to do more than satisfy itself that it can comply with the order requested. ISPs are commercial entities, not the appointed guardians of justice. That task falls to the court. But how is the court supposed to assess the evidence in front of it in the absence of any opposing party, or even of an independent amicus curiae? Perhaps this would be a suitable case for the court to use its power to appoint a technically qualified assessor to sit with and assist the court. In the 4th edition of my book Internet Law and Regulation I made some suggestions for ‘good practice’ when ISPs receive an application for a Norwich Pharmacal order. But in truth there is no obligation on an ISP to do anything more than stand by and allow the application to proceed to court. As Aldous L.J. said in Totalise v Motley Fool:

“It is difficult to see how the court can carry out this task if what it is refereeing is a contest between two parties, neither of whom is the person most concerned, the data subject; one of whom is the data subject's prospective antagonist; and the other of whom knows the data subject's identity, has undertaken to keep it confidential so far as the law permits, and would like to get out of the cross-fire as rapidly and as cheaply as possible.”

The problem identified by Aldous L.J. has only increased over time. The current controversy may refocus minds on whether the correct balance is being found and, if not, what should be done to restore it.

Saturday, 25 September 2010

RIPA and voicemail

There has been some comment recently over the Metropolitan Police's view that a Regulation of Investigatory Powers Act prosecution cannot be mounted over interception of voicemails after they have been accessed and read by the recipient. This interpretation of RIPA has been well known ever since the legislation was enacted. It is something of a grey area, since the key question for stored messages under RIPA S2(7) is whether the system is used for storing the message in a manner that enables the recipient to 'collect it or otherwise to have access to it'. It can be argued that this does include opened incoming messages that are left on the system for future reference. However no court has yet had to consider this and the question remains unanswered.

The main statute governing hacking is the Computer Misuse Act, which is generally much better suited than RIPA to penalising unauthorised access to data stored on computers. RIPA's predecessor (the Interception of Communications Act 1985) only governed communications in transit. RIPA extended the interception regime to some stored communications and created many anomalies in the process. For instance, whatever the position regarding read incoming messages, it is tolerably clear that the RIPA definition of interception does not cover copies of outgoing e-mail messages stored in a Sent folder, since such copies have never been transmitted to a recipient at all. The anomalies created by RIPA are largely the result of trying to extend principles developed in the era of ephemeral communications (telephone calls) to self-recording communications such as voicemails and e-mails.

This all came up in the context of voicemail hacking, discussed in the evidence of Assistant Metropolitan Police Commissioner John Yates to the Commons Home Affairs Committee on 7 September 2010. He said (uncorrected transcript): "There are very few offences that we are able to actually prove that have been hacked. That is, intercepting the voicemail prior to the owner of that voicemail intercepting it him or herself." This comment itself illustrates the confusion between hacking and interception. RIPA never was an anti-hacking statute. It was enacted in 2000 to provide a human rights-compliant basis for government interception of communications and to give effect to the communications privacy provisions (Article 5) of the then EU Telecommunications Privacy Directive.

Would it not be better to reinstate the bright line between the offences of intercepting communications in transit (RIPA) and hacking into stored communications (CMA) than to create more confusion by, as has been mooted, extending RIPA yet further into the area of stored communications?