Current developments in Open Source Software

Open Source Software (OSS) has hit the mainstream in recent years and its scope is set to increase. Best seen as a range of associated licensing techniques, there are many different types of OSS licences. Coupled with a lack of settled case law and rapidly developing market practice, legal interpretation of the OSS world presents challenges to lawyers. Of the ‘top 20’ OSS licences, the GPL is the most commonly used and among the most radical in legal effect. The GPL's legal radicalism centres on its Article 2(b) concept of ‘copyleft’. Copyleft is an inheritance requirement to pass on the GPL's terms to other software that ‘contains’ or is ‘derived from’ the initially used GPL software. I illustrations of Article 2(b) issues from the Linux and Java worlds are provided. Current case law (such as it is) is then overviewed. Finally, contractual and policy implications of OSS governance are then reviewed as the increasing uptake of OSS in the organisation is mirrored in the growing importance of OSS governance.     

Encryption: A 21st Century National Security Dilemma

As the 21st century approaches, encryption is presenting a national security dilemma in the US. While the use of strong encryption for computerized data is essential in protecting our nation, widespread, unregulated encryption poses serious problems on two levels: encryption could inhibit the government's ability to enforce the law as well as gather foreign intelligence. As a result, the government has established export controls on encryption products and proposed a 'key recovery' system designed to enable law enforcement officers to access encrypted data in the course of lawful investigations. The export controls have been ineffective and counterproductive policy and are arguably unconstitutional under the First Amendment. However, export controls are the only viable solution to the intelligence gathering problem and will need to survive these political and legal attacks or our national security could be jeopardized. Key recovery will be difficult and costly to implement and has come under attack by civil liberties' groups. Nevertheless, a cost-effective compromise on key recovery is necessary to meet the needs of law enforcement. Such a system, if it mirrored current electronic surveillance law, would effectively balance individual privacy rights and governmental interests and thus should survive constitutional scrutiny. Congress and President Clinton ought to enact key recovery legislation soon before the use of encryption becomes commonplace. A failure to act intelligently and effectively on this critical, cutting-edge issue could compromise our nation's future.     

Links and copyright law

For at least 15 years, there have been question marks over the legal permissibility of connecting one web resource to another by means of links. The purpose of this paper is to assess where we stand in terms of the legal state on the threshold of the new decade. The substantive argument in this paper is that, fundamentally, there are only two sorts of links. ‘Normal’ links facilitate access to subject matter that has been made available to the public and are visible to users as ‘activatable’ references. ‘Embedding’ links, by contrast, automatically incorporate online material and cause it to become a part of the embedding document. On the grounds of the cumulative judicial custom in the member states of the European Union, this paper proposes that normal links as such should invariably be deemed not to create a state of interference with copyright law. Embedding links, however, may constitute an infringement of the exclusive right of alteration, communication or reproduction enjoyed by the copyright holder, depending on the facts and circumstances.     

Brief history of law enforcement intelligence: Past practice and recommendations for change

Controversies have surrounded law enforcement intelligence because of past instances where the police maintained records of citizens' activities that were viewed as suspicious or anti-American, even though no crimes were being committed. This, of course, violates fundamental constitutional guarantees and offends the American sense of fairness with respect to government intrusiveness. Unfortunately, the boundary is not precise regarding the types of information the police can collect and keep. Some legal guidelines appear contradictory and the application of law to factual situations is often difficult. Beyond the legal ramifications, early intelligence initiatives by the police typically lacked focus, purpose, and process. Important lessons can be learned from these historical experiences that provide context and guidance for law enforcement intelligence today. Aggravating the [kinds of factors referred to above] has been the tenuous relationship between law enforcement intelligence and national security intelligence that has changed continuously since the mid-20th century. These changes have been both politically and legally controversial, responding to changing socio-political events in American history and most recently through post-9/11 counterterrorism efforts. As a result, there is value in understanding selected portions of history from both types of intelligence to gain context and understand the lessons learned.     

What police want from liquor licensing legislation: the Australian perspective

Qualitative interviews were undertaken with 53 Australian police officers with specialist expertise in liquor law enforcement to ascertain their perspectives concerning the liquor licensing legislation in Australia’s eight states and territories. Respondents generally indicated that current arrangements favoured the interests of the alcohol industry and did not sufficiently empower them to reduce alcohol-related harms. Other key themes included: ambiguity surrounding the police role in liquor licensing; difficulties in enforcing drunkenness-related offences; partnerships; strategies to enhance enforcement; data/intelligence gathering; and the separation of Ministerial responsibilities for liquor licensing and policing. Overall, police in Australia are not currently being given the tools they require to effectively reduce alcohol-related harms.     

Data attack of the cybercriminal: Investigating the digital currency of cybercrime

It is increasingly argued that the primary motive of the cybercriminal and the major reason for the continued growth in cyber attacks is financial gain. In addition to the direct financial impact of cybercrime, it can also be argued that the digital data and the information it represents that can be communicated through the Internet, can have additional intrinsic value to the cybercriminal. In response to the perceived value and subsequent demand for illicit data, a sophisticated and self-sufficient underground digital economy has emerged. The aim of this paper is to extend the author’s earlier research that first introduced the concept of the Cybercrime Execution Stack by examining in detail the underlying data objectives of the cybercriminal. Both technical and non-technical law enforcement investigators need the ability to contextualise and structure the illicit activities of the cybercriminal, in order to communicate this understanding amongst the wider law enforcement community. By identifying the potential value of electronic data to the cybercriminal, and discussing this data in the context of data collection, data supply and distribution, and data use, demonstrates the relevance and advantages of utilising an objective data perspective when investigating cybercrime.     

Open-source intelligence and privacy by design

As demonstrated by other papers on this issue, open-source intelligence (OSINT) by state authorities poses challenges for privacy protection and intellectual-property enforcement. A possible strategy to address these challenges is to adapt the design of OSINT tools to embed normative requirements, in particular legal requirements. The experience of the VIRTUOSO platform will be used to illustrate this strategy. Ideally, the technical development process of OSINT tools is combined with legal and ethical safeguards in such a way that the resulting products have a legally compliant design, are acceptable within society (social embedding), and at the same time meet in a sufficiently flexible way the varying requirements of different end-user groups. This paper uses the analytic framework of privacy design strategies (minimise, separate, aggregate, hide, inform, control, enforce, and demonstrate), arguing that two approaches for embedding legal compliance seem promising to explore in particular. One approach is the concept of revocable privacy with spread responsibility. The other approach uses a policy mark-up language to define Enterprise Privacy Policies, which determine appropriate data handling.     

A walk in to the cloud and cloudy it remains: The challenges and prospects of ‘processing’ and ‘transferring’ personal data

Cloud computing is an information technology technique that promises greater efficiency and reduced-cost to consumers, businesses and public institutions. However, to the extent it has brought better efficiency and minimal cost, the emergence of cloud computing has posed a significant regulatory challenge on the application of data protection rules particularly on the regime regulating cross-border data flow. The Data Protection Directive (DPD), which dates back to 1995, is at odds with some of the basic technological and business-related features of the cloud. As a result, it is claimed that the Directive hardly offers any help in using the legal bases to ‘process’ and ‘transfer’ data as well as to determine when a transfer to a third country occurs in cloud computing. Despite such assertions, the paper argues that the ECJ's Bodil Lindqvist decision can to a certain extent help to delineate circumstances where transfer should and should not occur in the cloud. Concomitantly, the paper demonstrates that controllers can still make the most of the available possibilities in justifying their ‘processing’ as well as ‘transferring’ of data to a third country in cloud arrangements. In doing so, the paper also portrays the challenges that arise down the road. All legal perspectives are largely drawn from EU level though examples are given from member states and other jurisdictions when relevant.     

‘Modernising’ data protection Convention 108: A safe basis for a global privacy treaty?

Proposals for the reform or ‘modernisation’ of Council of Europe Data Protection Convention 108 have now been forwarded from the Convention's Consultative Committee for consideration by the Council of Ministers. This article assesses the changes proposed, which strengthen the obligations of Parties to implement the Convention as a matter of effective practice, not just as a law on paper. It tightens most of the existing data protection principles, and adds new ones which better align the Convention with the EU Directive (and proposed Regulation). The Convention Committee will have explicit new functions including assessing candidates for accession, and periodically reviewing implementation by existing parties. However, the proposals concerning the required standard for data export limitations are in some respects ill-defined and dangerous for data subjects. The existing standard that personal data can only be exported if the recipient provides ‘adequate’ protection has been abandoned for an undefined requirement of ‘appropriate’ protection. The article situates the risk of abandoning meaningful data export restrictions in the context of the USA's push for ‘interoperability’ of very different data protection standards.     

Say cheese! Privacy and facial recognition

The popular social networking site, Facebook, recently launched a facial recognition tool to help users tag photographs they uploaded to Facebook. This generated significant controversy, arising as much as anything, from the company’s failure to adequately inform users of this new service and to explain how the technology works.The incident illustrates the sensitivity of facial recognition technology and the potential conflict with data privacy laws. However, facial recognition has been around for some time and is used by businesses and public organisations for a variety of purposes – primarily in relation to law enforcement, border control, photo editing and social networking. There are also indications that the technology could be used by commercial entities for marketing purposes in the future.This article considers the technology, its practical applications and the manner in which European data protection laws regulate its use. In particular, how much control should we have over our own image? What uses of this technology are, and are not, acceptable? Ultimately, does European data protection law provide an adequate framework for this technology? Is it a framework which protects the privacy of individuals without unduly constraining the development of innovative and beneficial applications and business models?     

Identity crisis: Global challenges of identity protection in a networked world

Modern identity is valuable, multi-functional and complex. Today we typically manage multiple versions of self, made visible in digital trails distributed widely across offline and online spaces. Yet, technology-mediated identity leads us into crisis. Enduring accessibility to greater and growing personal details online, alongside increases in both computing power and data linkage techniques, fuel fears of identity exploitation. Will it be stolen? Who controls it? Are others aggregating or analysing our identities to infer new data about us without our knowledge or consent? New challenges present themselves globally around these fears, as manifested by concerns over massive online data breaches and automated identification technologies, which also highlight the conundrum faced by governments about how to safeguard individuals' interests on the Web while striking a fair balance with wider public interests. This paper reflects upon some of these problems as part of the inter-disciplinary, transatlantic ‘SuperIdentity’ project investigating links between cyber and real-world identifiers. To meet the crisis, we explore the relationship between identity and digitisation from the perspective of policy and law. We conclude that traditional models of identity protection need supplementing with new ways of thinking, including pioneering ‘technical-legal’ initiatives that are sensitive to the different risks that threaten our digital identity integrity. Only by re-conceiving identity dynamically to appreciate the increasing capabilities for connectivity between different aspects of our identity across the cyber and the physical domains, will policy and law be able to keep up with and address the challenges that lie ahead in our progressively networked world.     

Regulating electronic identity in the European Union: An analysis of the Lisbon Treaty’s competences and legal basis for eID

This paper discusses the feasibility of EU legal action in the field of electronic identity (eID) within the new distribution of legal competences and the provision of novel legal basis engendered by the Treaty of Lisbon. The article attempts to find a ‘legal anchor’ to the idea of a pan-European electronic identity within EU law, looking at the issues of competences and legal basis. After examining various different areas of competence and the most feasible (and probable) candidates for a legal basis supporting an EU legal framework for eID, the paper argues that the latter should be found in the combination of Article 16 TFEU (concerning the right to the protection of personal data) with Article 3 TUE, and Articles 26 and 114 TFEU (concerning the establishment and functioning of the Internal Market), which also constitute the area of competence where an eID legal initiative can be pursued.     

Digital evidence and ‘cloud’ computing

The term ‘cloud computing’ has begun to enter the lexicon of the legal world. The term is not new, but the implications for obtaining and retaining evidence in electronic format for the resolution of civil disputes and the prosecution of alleged criminal activities might be significantly affected in the future by ‘cloud’ computing. This article is an exploratory essay in assessing the effect that ‘cloud’ computing might have on evidence in digital format in criminal proceedings in the jurisdiction of England & Wales.     

Asia-Pacific news

This column provides a country by country analysis of the latest legal developments, cases and issues relevant to the IT, media and telecommunications’ industries in key jurisdictions across the Asia-Pacific region. The articles appearing in this column are intended to serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.     

Asia-Pacific news

This column provides a country by country analysis of the latest legal developments, cases and issues relevant to the IT, media and telecommunications’ industries in key jurisdictions across the Asia Pacific region. The articles appearing in this column are intended to serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.     

Asia-Pacific news

This column provides a country by country analysis of the latest legal developments, cases and issues relevant to the IT, media and telecommunications’ industries in key jurisdictions across the Asia Pacific region. The articles appearing in this column are intended to serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.     

Asia-Pacific news

This column provides a country by country analysis of the latest legal developments, cases and issues relevant to the IT, media and telecommunications’ industries in key jurisdictions across the Asia-Pacific region. The articles appearing in this column are intended to serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.     

The Foreign Intelligence Surveillance Act of 1978: The Role of Symbolic Politics

Since 1978, the Foreign Intelligence Surveillance Act (FISA) has governed United States intelligence gathering for national security purposes. Enacted in response to the Watergate–era civil rights violations and revelations of a Senate investigation headed by Senator Frank Church that other presidential administrations had authorized similar warrantless surveillance, FISA established a statutory framework for national security surveillance. Understanding FISA contributes to the study of criminal justice policymaking because law enforcement and intelligence communities view it as an important tool for combatting espionage and terrorism. This article examines the enactment of FISA from the perspective of symbolic politics.     

The European Court, National Judges, and Legal Integration: A Researcher's Guide to the Data Set on Preliminary References in EC Law, 1958--98

We hope to stimulate more systematic research on all areas of legal integration by making available for free and open use a comprehensive data base on preliminary references in EC law. The Data Set, which has been under construction since 1996, is now online at various websites. The data are not publicly accessible elsewhere. In this article, we provide a brief summary of the data base and its potential uses. We begin by introducing the main features of the Data Set. We then discuss some of the dynamics of legal integration in light of our analyses of the data.     

The Cyprus and other EU court rulings on data retention: The Directive as a privacy bomb

This paper discusses the controversy surrounding the Data Retention Directive with an emphasis on the 2011 decision of the Cyprus Supreme Court which has annulled several district court orders that allowed the police access to telecommunications data relating to certain persons relevant to criminal investigations. The annulment has been on the ground that the legal provisions upon which the orders have been issued are unconstitutional. It will suggest that the decision does not entail a direct rejection of the EU Data Retention Directive and that in any event, Cyprus is not a Member State resisting the particular measure. This is because the legal provisions are deemed unconstitutional, though part of the law that has transposed the relevant Directive into national law are provisions that go beyond what the EU legislator intended to regulate through that Directive. Still, the particular Directive sits rather uneasily within the ‘human rights’ regime, in particular the one governing the individual right of privacy.