Joris van Hoboken

Our German neighbors are about to vote about a controversial legislative package introducing mandatory internet censorship at the network level. Netzpolitik has an excellent overview of the political debate until now. AK-Zensur, the Working Group on Internet Filtering and Censorship, has a comprehensive overview of arguments against the proposals. Germany would be the first EU country to adopt mandatory Internet filtering for Internet access providers. Some ISPs in some other European countries already filter on the basis of black lists provided to them by government agencies and/or private organizations. Here is part of Markus Beckedahl’s account of the action against the proposed censorship:

The net community did not only oppose the governments plans, but also made constructive suggestions how to deal with the problem of child pornography without introducing a censorship architecture and circumcising constitutional freedoms. The working group on censorship demonstrated the alternatives for instance by actually removing over 60 websites containing child pornographic content in 12 hours, simply by emailing the international providers who then removed this content from the net. The sites were identified through the black lists of other countries documented on Wikileaks. This demonstration underlines the protesters main arguments: instead of effectively investing time and efforts to have illegal content removed from the internet, the German government is choosing censorship and blocking – an easy and dangerous way out. The greatest fear of the protesters is that once in place, the infrastructure will be used to censor other forms of unwanted content, not only child pornography. German politicians already seem to be lining up with their wish-list of content to be censored in future – the suggestions ranging form gambling sites, Muslim web pages, “killer games”, and the music industry cheering up with the thought of finally banning pirate bay and p2p.

You can find a detailed linklist of the zensursula-debate here (in german).

Today, the European Court of Justice issued its judgment in the case Ireland v. the European Parliament and Council. The Court concludes that the Data Retention Directive (2006/24/EC) relates predominately to the functioning of the internal market, so it was necessary to adopt it on the basis of Article 95 EC Treaty.

The Court makes clear at the outset that its judgment concerns not the question whether the Directive violates fundamental rights such as the right to privacy. It bases its judgment about the appropriateness of the legal base on three arguments, each of which seems enough (for the Court) to come to that conclusion:

UPDATE (COMMENTS):

It’s not too hard to comment on the ruling because I am not very impressed by its logic. Since I have already commented on some of the main arguments, which are informed by the Opinion of the Advocate General, I will restrict myself to one main point, that is the implications of this ruling for the question whether the directive is a violation of fundamental rights.

Although it is true that the Court was not asked directly to rule on the interference of blanket data retention with fundamental rights, the Court’s complete separation of that issue from this case is striking. In fact, Slovakia directly claimed the Directive could only be a third pillar measure because the interference could only be argued to be proportional in view of the fight against crime and terrorism.

It is questionable whether such far-reaching interference may be justified on economic grounds, in this case the enhanced functioning of the internal market. The adoption of an act outside the scope of Community competence, the primary and undisguised purpose of which is the fight against crime and terrorism, would be a more appropriate solution, providing a more proportionate justification for interference with the right of individuals to protection of their privacy.

The Court decides to separate these issues. The Commission had stated that “the reference to the investigation, detection and prosecution of serious crime falls under Community law because it serves to indicate the legitimate objective of the restrictions imposed by that directive on the rights of individuals with regard to data protection.” The Court does not address this specific question explicitly but states that “the action brought by Ireland relates solely to the choice of legal basis and not to any possible infringement of fundamental rights arising from interference with the exercise of the right to privacy contained in Directive 2006/24.” Implicitly, it seems to agree with the Commission and the AG (who had adopted the Commission’s position on this matter).

If we combine this argument with the Court’s conclusion that the directive is not about access to the data, the result is striking. The references to the investigation, detection and prosecution of serious crime in the directive no longer serves as a restriction with regard to the purposes of the retained data but merely as an indication that national law can legitimately retain these data for that purpose. Hence the directive does not obligate the member states to restrict lawful access to certain cases, but it also does not obligate them to provide access in certain cases. The preliminary ruling of the German Constitutional Court is thereby legal under European law.

However, it is clear that merely giving an indication of the purpose of an interference is not enough to respect the proportionality and subsidiarity required by Article 8 ECHR. Interferences need to be narrowly targeted. Thus access to the data need to be restricted in some manner, depending on the line that is drawn as a result of this test. The lack of access restrictions in the directive moves the burden to establish the proportionality and subsidiarity entirely to the member states. In my opinion this significantly weakens the already weak case for the proportionality and subsidiarity of the European legislature’s interference with fundamental rights through the enactment of the Directive.

See here.

This Tuesday, I attended a lecture at Suffolk Law School by copyright law authority David Nimmer. Nimmer discussed the copyright implications and legal developments for text, image, video and book search. As the title suggests, he focused almost entirely on services provided by Google. His discussion of video search did not implicate ’search’ in the strict sense, but addressed the Viacom v. YouTube lawsuit. The Google Book Search has taken a different legal path since the proposed settlement, which received preliminary approval this week. Below are my notes of professor Nimmer’s discussion of text and image search.

Netcom and pre-DMCA

Nimmer started his discussion with the famous Netcom case of 1995. In RTC v. Netcom, Scientology sued a Bulletin Board Service (BBS) for infringement of copyright of Scientology material. Users of the BBS had posted the material on the BBS. In a pragmatic decision, the court concluded there was no direct and no contributory infringement, because there was no volition and no knowledge of the infringing activity respectively.

Nimmer then referred to the WIPO discussions about copyright leading to the WIPO Internet Treaties, and the legislative efforts in the United States leading to the well known Digital Millennium Copyright Act (DMCA), which currently provides for safe harbors for online intermediaries, including search engines, in section 512. He pointed out that part of the intermediary copyright liability regime in the DMCA are two provisions that state that exempted intermediaries have to (1) adopt a policy for repeat infringers and (2) conform to standard technological measures to prevent infringing activity (in other words adopt filtering measures if there is standard accepted filtering technology). He clarified that until now the latter provision has proven meaningless, because there are no such accepted filtering technologies yet. He did point to filtering technology companies as Audible Magic, claiming they had improved over the last decade to the extent that the provision would start to be meaningful. Recently, this reasoning received a serious blow when a Belgium court lifted an order to use filtering technology because it considered it to be ineffective.

Field v. Google

Focusing on text search and search engine caching, Nimmer discussed the case Field v. Google. Before addressing that case he discussed an image search case, Kelly v. Arriba Soft. In that case, the 9th Circuit held that the use of thumbnails did not require authorization by the rights holders because of fair use. The court considered the use of thumbnails transformative and stressed the value of the service provided by Arriba. Nimmer did not address the issue of inline linking in Kelly.

Going back to Field, he first explained the background of the case. Field, an attorney, was the publisher of a website with various stories and essays in which he held copyrights. He waited for Google to crawl, index and make available cached copies of this website and then sued Google for copyright infringement. Field, probably not surpisingly, lost on all accounts. The district court found no direct infringement. The court  also held that Google had four defenses with regard to possible direct copyright infringement. First, it had an implied license for the publication of cached copies. Second, Field was estopped from asserting its copyright claim against Google. Third, the conduct of Google amounted to fair use. And fourth, Google was entitled to the caching safe harbor in Section 512 (b) of the DMCA. It might be interesting to note that Field did not assert that the initial copying by Google as a result of crawling and indexing constituted direct infringement.]

The court in Field relied on Netcom in its conclusion that there was no direct infringement by Google:

[...] when a user requests a Web page contained in the Google cache by clicking on a “Cached” link, it is the user, not Google, who creates and downloads a copy of the cached Web page. Google is passive in this process. Google’s computers respond automatically to the user’s request. Without the user’s request, the copy would not be created and sent to the user, and the alleged infringement at issue in this case would not occur. The automated, non-volitional conduct by Google in response to a user’s request does not constitute direct infringement under the Copyright Act. See, e.g., Religious Tech. Ctr., 907 F. Supp. at 1369-70 (direct infringement requires a volitional act by defendant; automated copying by machines occasioned by others not sufficient);[...] Summary judgment of non-infringement in Google’s favor is thus appropriate.

Nimmer asserted that this reference to volition in Netcom was wrong, since the legislative history had replaced the holding in Netcom with the DMCA and the DMCA did not codify the volition criterion. He explained how in the Judiciary Committee, the Playboy ruling had first been overruled and the Netcom ruling held in favour, but that later the current DMCA framework was adopted that replaced both rulings.

Robots.txt and implied license

Nimmer seemed to be more pleased with the court’s conclusion with regard to the implied license. The argument of the court is based on the availability of an opt-out for webmasters, in the form of robots.txt, that makes it possible for them to exclude their material from crawling, indexing and caching in search engines. This, in Nimmer’s words, ‘idiot proof computer program’ lies at the basis of the implied license and the estoppels defense.

Fair use and DMCA defenses in Field problematic

Nimmer pointed out that the he considered the fair use defense problematic, because Googe copied and made available the complete material as an archival (cached) copy. Nimmer stated that the defense of section 512 b of the DMCA was not available to search engines. He clarified that this caching safe harbor involves 4 actors in the statutory provision. It is not applicable to search engine cache, because the actors involved in the statute do not map to the search engine context. The caching safe harbor is written for proxy caching. For a complete discussion, see Peguera 2008.

Nimmer also shortly discussed the famous Napster litigation, in which the safe harbor for linking and search engines did not apply because of knowledge of the infringement taking place with the help of its service.

Perfect 10 v. Google

Moving on to image search, Nimmer discussed the Perfect 10 v. Google case, which hasn’t ended yet. Perfect 10, a rights holder in adult pictures, sued various intermediaries, including Google and major credit card companies, for direct and/or indirect copyright infringement. The case is different from Field because the material that ended up in Google consisted of unauthorized copies. As a result the implied license and estoppels defense were not applicable here, since Perfect 10 had no control over the postings of the content like Field had. In his lecture, Nimmer focused on the question about fair use and indirect infringement. The fair use defense failed at the district court level, because the court found that there was an actual market for thumbnail size pictures (mobile phone downloads).  The Ninth Circuit reversed and remanded, with a complex ruling in two steps, arguing that the use of thumbnail images was commercial in nature but that the public interest had to be taken into account when determining whether the use was transformative. The case is back at the district court level. Nimmer said he was agnostic as to who we will ultimately win the case.

European developments

It is interesting to note that the European Commission has issued a Green Paper that deals with some of these important issues (in footnote 21) and that in Germany the image search litigation continues to be challenging for search engines.

A recurring argument in defense of legislative measures eroding civil liberties is that these measures provide the needed security for citizens. Especially the right to privacy has suffered immensely because of this seemingly strong but false argument.

Now the argument has been put forward in a rather extreme form -“security and privacy are a zero sum game”- by a National Intelligence officer in the United States. He makes the argument in the context of Internet surveillance proposals that would include easy access to Web search records for the U.S. government.

The Opennet initiative has a reaction that sums up a number of reasons why the argument is wrong and dangerous. It concludes: “To describe conflicts between privacy and security as a zero-sum game is to obscure the value of [Congressional, judicial, popular, or other form of] oversight and of careful weighings, and thus is inappropriate whatever one’s views of the appropriate trade-off between privacy and security in any given situation.”

I agree that the argument of the zero sum game is wrong and probably dangerous, and there are many more reasons for that. They result from the falsities in the general argument that in case the prevention of (perceived) new or increased harms to society is considered to justify a change in the existing scheme of civil liberties, that process has to be understood in terms of “striking a new balance between liberty and security”. A great analysis of that argument in the context of terrorism politics has been made by Jeremy Waldron in his article ‘Security and Liberty: The Image of Balance’, Journal of Political Philosophy 11 (2), 191–210.

Waldron gives four fundamental reasons why this general argument deserves close scrutiny:

“(i) Objections to consequentialism. Talk of balance—particularly talk of changes in the balance as circumstances and consequences change—may not be appropriate in the realm of civil liberties. Civil liberties are associated with rights, and rightsdiscourse is often resolutely anti-consequentialist. [...]“ The zero sum game argument especially suffers from the objection against consequentialism.

“(ii) Difficulties with distribution. Though we may talk of balancing our liberties against our security, we need to pay some attention to the fact that the real diminution in liberty may affect some people more than others.” I find this argument rather important in practice. History has shown that all sort of groups have suffered disproportionally, often unjustifiably, from the lack of civil rights, be it political opposition, ethnic or religious minorities or economically less well off.

“(iii) Unintended effects. When liberty is conceived as negative liberty, a reduction in liberty is achieved by enhancing the power of the state. This is done so that the enhanced power can be used to combat terrorism. But it would be naive to assume that this is the only thing that that enhanced power can be used for. We need to consider the possibility that diminishing liberty might also diminish security against the state, even as it enhances security against terrorism.”

In the case of Web search privacy, one of these (unintended?) effects is the chilling effect on the information practices of citizens. Recently I taught a class in Internet & privacy at the Institute for Information Law in Amsterdam, where I conduct my PhD research. We got to discuss Web Search Privacy in detail. In the discussion several students stated they would not search about certain sensitive issues they had an interest in, because they were worried that these queries might end up in the hands of certain government agencies. Now the legislation is drafted that makes the conceptions of these students reality. The cited judgment of the German Constitutional Court below can serve as further comment.

“(iv) Real versus symbolic consequences. Though talk of adjusting the balance sounds like hard-headed consequentialism, it often turns out that those who advocate it have no idea what difference it will actually make to the terrorist threat. Accordingly we must subject these balancing arguments to special scrutiny to see how far they are based on fair estimates of actual consequences and how far they are rooted in the felt need for reprisal, or the comforts of purely symbolic action.” Such symbolic legislation is widespread. An example in the Netherlands is the Identity obligation.

I would like to add to this long list of arguments that security and privacy are in many ways overlapping. Data privacy for instance protects us from identity theft, the Fourth Amendment protects Americans (in theory) from warrantless searches, thus security against the State. That makes it difficult to put them on a scale. Another flaw results from the complexity of both of these notions. Privacy is understood in various ways. Most times security is all together ill defined.

Finally, a defense of data privacy , which could be stressed in this context, is the fundamental relation data privacy has with pluralism and democracy. The German Constitunional Court concluded in 1983:

” A society in which citizens can no longer know, who what when and in which occasions knows about them, is not compatible with the right of informational self-determination. One who is uncertain, whether deviant behavior is continually noticed and durably registered, used, or shared, will attempt not to attract attention through such behavior. [...] This would not only affect the possibilities of individual self-fulfillment, but also the common good, while self-determination is a qualitative requirement of a free and democratic society, built on autonomous citizens. Hence, self-development sets a limit for the individual to the aggregation, registration, usage and sharing of his personal data.

[ my translation of: „Mit dem Recht auf informationelle Selbstbestimmung wären eine Gesellschaftsordnung und eine diese ermöglichende Rechtsordnung nicht vereinbar, in der Bürger nicht mehr wissen können, wer was wann und bei welcher Gelegenheit über sie weiß. Wer unsicher ist, ob abweichende Verhaltensweisen jederzeit notiert und als Information dauerhaft gespeichert, verwendet oder weitergegeben werden, wird versuchen, nicht durch solche Verhaltensweisen aufzufallen. […] Dies würde nicht nur die individuellen Entfaltungschancen des Einzelnen beeinträchtigen, sondern auch das Gemeinwohl, weil Selbstbestimmung eine elementare Funktionsbedingung eines auf Handlungsfähigkeit und Mitwirkungsfähigkeit seiner Bürger begründeten freiheitlichen demokratischen Gemeinwesens ist. Hieraus folgt: Freie Entfaltung der Persönlichkeit setzt unter den modernen Bedingungen der Datenverarbeitung den Schutz des Einzelnen gegen unbegrenzte Erhebung, Speicherung, Verwendung und Weitergabe seiner persönlichen Daten voraus.”]

The German branch of the originally franco-german Quaero project gets further funding. The idea is to build something European on the search engine technology level. Theseus is a project in which many companies, such as Bertelsmann work together. I would not be suprised if a significant amount of this money will dissolve into unneeded overhead.

A German news source reports (here in English) that Google threatens to close its German Gmail service. Peter Fleischer says Google will do so if the German legislator will not alter its proposals, that would prescribe the registration of identification data of users of such services. Fleischer notes that users that want to use anonymous e-mail will move to use foreign e-mail services (including US based Gmail?!) that do not ask to enter personal data at registration.

Filtertechnics has won a case about the legality of its webspam filter for Google results in Germany. The Court of Appeals in Hamm, concludes that the website in question was in fact constructed with thousands of Doorway Pages, a construction with the sole purpose to manipulate the search engine. Filtertechnics had appealed an earlier ruling, in which Filtertechnics was ordered to stop denoting the particular site as spammy.

The case shines some light on legal questions about search engine’s guidelines, which include anti spam policies. The legal battles over webspam, or spamdexing, are a focal point in the conflicts between search engines and information providers.

The Court of Appeals states: In the case of a verifiable suspicion of search engine manipulation, Filter software is allowed to denote the particular site as ‘Spam’.

Interestingly, the court states that it does not matter whether the particular site does not contain any relevant material for the Internet user. It is enough that there is manipulation involved. The lower court had given a lot of weight to the spamdexing definition in the German Wikipedia, that states that the spam site would not contain any such useful information. According to the Court of Appeals the wider Spam definition in the context of Filtersoftware is in fact appropriate and user friendly, while Internet users exactly want to find the websites that really earn their ranking in search engines.

The Court concludes that spamdexing filters, in view of the flood of unjustifiable search engine results, are also permissible from the point of view of user protection. The user and the public have a legitimate interest to use suitable technical means to filter spam, which one was not primarily looking for.

A recent judgement (20.02.2007) of the German High Court of th State of Hamburg (Oberlandes Gericht Hamburg) on the liability of search engines has some interesting arguments. The fact that search engines provide their results automatically, without human interference is an argument to lower liability standards. The judgement refers to the Paperboy judgement as well; the crucial value of search engines to find information on the Web gives it a freedom of expression/information (Meinungsaüßerungs- und Informationsfreiheit) defence.