iamsteve.in

Category: Law

Legally minded discussions

  • Thoughts on the DMCA Reform Draft Proposal

    The DMCA is one of the most significant laws on the Internet, as it is the de-facto standard process which governs the removal of content which allegedly infringes on copyright. That might sound mind-numbingly boring, but it’s a topic which has increasingly come into the cultural spotlight, as automated takedown mechanisms have impacted folks on Twitch, YouTube, etc – for a whole variety of arguably spurious reasons.

    It’s no secret that the DMCA has significant problems (it’s a topic I’ve written about at length) – and there has been an ongoing review of the statute to try bring it up to date. Earlier this year we saw the US Copyright Office publish their recommendations on the future for the DMCA, and just this last week, a draft proposal for change was put forward for comments by Senator Tillis. The full thing is pretty long and complicated, especially if you aren’t familiar with the statute, but the accompanying summary doesn’t really give a full picture of the changes.

    I’ve had a look through the proposals (specifically in relation to the notice and takedown process), and noted some specific areas of interest below. Note that this is nowhere near exhaustive, and based on first impressions. Caveat Emptor.

    1. s.512(b) – Qualifications added to the notice requirements. Here we see a bunch of different language added to the section detailing the requirements of a notice. This in of itself is not a bad thing, but the changes here make the statute much more difficult to both interpret and apply. The law is already vague and unclear in a number of areas, and this makes that worse. See s.512(b)(1)(C)(i)-(ii) specifically.
    2. s.512(a)(2)(C)(ii)Notice and Stay Down. This section introduces a requirement that material which is the subject of a DMCA takedown ‘stays down’ when a ‘complete or near complete copy’ is identified. In essence, this means that platforms will have to implement some kind of filtering technology to ensure that content is not re-uploaded. This comes despite the warnings from the USCO and others that this approach (following the European Copyright Directive) would be problematic (to say the least). It also isn’t clear at all whether this would apply retrospectively to content which has already been uploaded, or what a ‘near complete copy’ would entail. Again, this opens up issues of interpretation around the threshold for removal, and platforms would inevitably need to err on the side of caution to avoid liability. The impact of this would be that far more content would be taken down than users would expect. It also doesn’t address the question of fair use, in any way. In other words… not all unauthorised uses of copyrighted material constitute infringement (or where they do, there can be a fair use rebuttal).
    3. s.512(b)(1)(E)Good Faith Belief now subjective. The requirement for the copyright holder to make a statement that they have a good faith belief that the material is not authorised for use […] has been updated to include a ‘subjective’ qualifier. This will make it much more difficult for any claims to be brought against those who submit bogus takedown notices on the basis of their good faith statement. This directly relates to the hard-fought concession in the Dancing Baby case (Lenz v. Universal).
    4. s.512(b)(5)Anonymous Notices. This section allows for complainants to have their personal information redacted from notices, based on as-of-yet non-existent guidance from the Register of Copyrights. On the face of it this seems sensible. However, the DMCA already allows various ways for complainants to remain largely anonymous, or to have their details protected – something which is not afforded to users when submitting counter notices. Complainants can simply provide an e-mail address as the minimum contact information required, or submit through a third party agent. There is no similar provision or update given for counter notices. This is something which we have seen abused by abusive complainants to gain information on those who are critical of them.
    5. Counter Notification Challenges – Again on counter notices, this section essentially gives the complainant the final right to reply on the statutory process, before resorting to legal action. In other words, if a counter notice is submitted, complainants would be able to challenge this within the statute, and not have to show evidence that they have pursued the matter in court (as they do under the current provisions). This adds another step to the ‘complicated game of tennis’ which is the back-and-forth of the notice and takedown system, and one which benefits the complainants massively. The burden of proof is essentially reversed, and means that any users who have the right to use material will be forced to take legal action to show that the material was wrongfully removed – rather than the rights holders taking action against the infringement.
    6. s.512(f)(2)List of Abusive Complainants – This is the one positive from the list of changes. Essentially, this updates the penalties section of the DMCA to allow for those that consistently send invalid notices to be placed on a list which would allow service providers to disregard these notices for a set period of time. However, there are no real details about what the threshold for abuse would be, or about what the appeal process (if any) would be if someone was included on this list. Without these details, one suspects that the threshold would be set so high, and be subject to so much legal challenge, that it would in effect be worthless.

    General Thoughts

    This draft proposal is disappointing (at least with regards to the notice and takedown provisions), as it seems to ignore many of the key issues that have been consistently raised about the DMCA. Rather than correcting the imbalances that exist, the proposed changes further strengthen and entrench the position of rights holders, as well as the statute’s utility as a powerful unilateral censorship tool.

    The provisions relating to counter notification are particularly troubling, as the data collected over the 20-odd year life-span of the DMCA shows that the number of counter notices which are actually filed is miniscule. There are already so many barriers and disincentives for people to challenge takedown notices (on valid grounds) that adding in more hurdles seems to be completely at odds with all of the established literature on the topic.

    Despite its many flaws and criticisms, the DMCA has become a system which at least provided consistent results. These proposals bring some of the worst parts of the statute, and combine them with the very worst parts of the European Copyright Directive to give far greater takedown powers to rights holders, with seemingly no consideration of users, or the cultural importance of online expression.

    This is just a draft proposal, and open for stakeholder comments. If we are going to avoid a similar disaster to the approach taken in Europe, major changes need to be made.

  • Book Recommendation – “The Twenty-Six Words That Created the Internet”

    The latest book I have to recommend comes from law professor Jeff Kosseff, in which he examines one of the laws that have been most crucial to the development of the Internet: s.230 of the Communications Decency Act. For those not familiar with the CDA, it is a piece of American jurisprudence that has essentially enabled businesses such as Twitter and YouTube to develop platforms built on user generated content, without themselves becoming liable for everything that those users may say or do.
    Jeff Kosseff - Twenty Six Words That Created the Internet - Book Cover

    Understanding the CDA is increasingly important – not just for lawyers or academics focussed on intermediary liability – but for anybody with an interest in the future of the Internet. This book provides a comprehensive explanation of the law’s history and original aims, as well as its development through case law. Whilst it isn’t necessarily an ‘easy’ read due to the subject matter, Kosseff’s narrative style means that it remains engaging throughout, never letting things run dry, or too theoretically abstract.

    The Twenty-Six Words That Created the Internet‘ was published in April of 2019. Given the impact of the CDA, it is almost hard to believe that such a complete study hasn’t come around before now. Either way, if you want to learn (a lot) about one of the most important laws underpinning the Internet as we know it, read this.

    Disclaimer: I am not being paid to review or recommend this book, but if you click on the Amazon links above and buy a copy, Jeff Bezos might send me a few pennies to say thanks. 

  • Book Recommendation – “Speech Police: The Global Struggle to Govern the Internet”

    ‘Speech Police: The Global Struggle to Govern the Internet’ is the latest publication from speechpoliceUN Special Rapporteur on Freedom of Expression, David Kaye. Following on from his 2018 report on content regulation, this book looks at the issue of who decides what kind of speech is acceptable online, and the potential implications of the increasing expectations placed on platforms to regulate certain kinds of content.

    Kaye’s narrative style is both thoughtful and engaging, covering difficult concepts in a clear and concise fashion, but also exploring aspects of the debate that are often overlooked. Coupled with a relatively low page count, this means that Speech Police is not only a valuable read for those already familiar with the questions around content moderation and freedom of expression, but is also extremely accessible for those new to the topic. As a result, this book is a must read for anybody currently studying or working in tech policy, or those who are simply concerned about the future of the Internet.

    You can get a copy of Speech Police from Amazon here.

    Disclaimer: I am not being paid to review or recommend this book, but if you click on the Amazon link above and buy a copy, Jeff Bezos might send me a few pennies to say thanks. 

  • UK Immigration Problems: RBS Bank Statements

    Regular readers will be aware that my wife and I are currently going through the long process for her to gain British citizenship, after moving here from the United States. Contrary to popular belief, marriage doesn’t mean that you automatically have a right to stay in the UK.

    There are many, deep flaws and contradictions with the law and the Home Office’s application of it. I’ve written about some of this before, but there is plenty I haven’t covered, which is partly out of a very real fear that any concerns I raise publicly could prejudice the outcome of the process itself… which is in of itself a huge problem that we need to face up to. However, I want to do my bit to highlight a few of the more specific problems I have come across, with my conjoined perspective as a lawyer, and the spouse of a non-EU citizen.

    In this entry I am going to detail a practical procedural issue that has cropped up multiple times throughout our visa ‘journey’. Theoretically, it should be one of the most straightforward portions of the whole process, but in reality it has turned out to be a bit of a nightmare. That is: getting copies of bank statements that satisfy the Home Office Requirements.

    Fair warning: This is fairly long, and probably not much interest to those of you just looking for a casual read – but I think it’s important to be comprehensive, and I know that these posts are picked up by others looking for help on Google – so it is what it is.

    Home Office Requirements

    In order to qualify for a spousal visa, or visa renewal (called ‘Further Leave to Remain’, or ‘FLR(M)’ in this case), you need to prove that you and your partner have financial means of support. You can do this in various ways, but the most realistic for ‘regular’ couples is through income from employment. In other words, demonstrating that you have a job where you earn at least £18,600 per annum (this figure goes up if you have children).

    In order to prove your income, you need to submit payslips covering a 6 month period, with corresponding bank statements. If you’ve changed jobs, this becomes 12 months. In of itself, this seems straightforward enough. However, there are some complications:

    • You cannot apply for a visa renewal/extension more than 28 days before your current visa expires. (well, technically you can, but this will cause problems further down the line).
    • Any evidence you provide has to be from less than 28 days prior to the date of your application.
    • Once your evidence is submitted, you still need to either send off all of the documentation, or attend an appointment in person. There is no guarantee that you will get an appointment at short notice, or in the location you want. In the past, people have frequently had to travel across the UK to find any available open spot. In our case, we had to go down to Liverpool from Glasgow.

    When it comes to the bank statements themselves, things are complicated further.

    • Electronic print outs of bank statements are not accepted, unless accompanied by an official letter from the branch stating their authenticity or stamped on each page to the same effect.
    • Bank staff rarely understand the specific requirements of the Home Office, and are often unwilling to provide stamped statements/a letter in the first instance – leaving you to ‘order’ paper copies instead.
    • Ordering statements can take time, and are subject to delays.

    It isn’t unusual for banks to say that ordering copies of statements could take up to two weeks, which leaves a pretty short window of time for the evidence to arrive, be submitted, and then to get an appropriate appointment. All the while, the anxiety over the rapidly impending deadline is growing.

    Royal Bank of Scotland and Copies of Statements

    I am an RBS customer who gets digital statements. I used to get paper statements sent in the post, but they had such a problem getting my flat address correct (unbelievably, they couldn’t understand the slash or dash system), that it made things even harder. So, now I don’t. That means that I need to order copies of my statements every time we come for another round of visa extensions.

    The online RBS Support Centre states that ‘you should receive your paper statement within 5-6 days of ordering it.’ That isn’t ideal, but it’s also not awful. So long as they stick to that timeframe, you should be able to pull together everything you need.

    RBS Statements Website

    To THL, or not to THL?

    I logged onto digital banking as outlined above, and chatted with one of the advisors. Here we ran into the first problem. I was told that they could order me a ‘transaction history list’ (THL) instead of a statement. When I queried what the difference was between the two, they said ‘there’s no big difference’. Well, that isn’t really good enough. What might be a minor difference to customer support at RBS could well be enough to have the FLR(M) rejected. No thanks. After a while of trying to figure that out, I decided to just go into the branch.

    The branch staff were helpful, but nobody in there seemed to be able to tell me what the difference was between a THL and a statement either. We went through a checklist on the bank’s system to determine what I needed, and it came out saying THL – but again, no explanation of why there were two different sets of documentation, and what was what. To be safe, we ordered a ‘copy statement’ – despite all of the efforts of the bank’s systems to direct us down the THL route. I asked how long the statements would take to arrive, and the teller dropped the bombshell that it could be up to 2 weeks (10 working days). Reassured by his insistence that they usually come through much faster than that, I went home. In any event, he said he would check in on the status of the request in a couple of days and let me know if there had been no update.

    One week in. No Statements.

    After five days, I hadn’t received any statements, and I was beginning to get antsy. At this point I knew I wouldn’t be getting anything in the post over the weekend, and the clock was ticking. I went into the branch to get some kind of confirmation that the statements were on their way. However, after being told (again) that I could ‘just print them off from digital banking’, it turned out that they don’t have any visibility on the status of statement orders, as they are fulfilled from some central place. Great. I was again reassured that the statements would arrive within ten business days, and that there was ‘nothing’ they could do in the meantime. Gritting my teeth, I left, and tried to tell myself that it would be fine.

    Bad Memories

    At this point I was getting extremely stressed out with the seemingly blasé attitude of the bank, and for good reason. When we were first applying for a fiancée visa so that my partner could come to live in the UK, I had a huge bust up with the Royal Bank of Scotland’s main branch on Gordon Street, in Glasgow.

    As mentioned previously, the address on my paper statements had been messed up for months, and not fixed despite my repeated attempts. As a result, they were useless for evidentiary purposes. I went into the bank to get copies of the statements printed off and stamped, naively thinking that this would be a simple request. Oh no. I was flatly told that my request was ‘against RBS policy’. I didn’t really believe this at first, and thought that common sense would prevail after I explained the situation, and how the only reason I didn’t have paper statements in the first place was as a result of the bank’s failure to grasp Glasgow flat addresses properly. Unfortunately, it did not.

    Despite me stressing that my immigration lawyer had stated that I needed a specific format of statement to comply with the Home Office regulations, the staff told me that the bank manager had denied my request because ‘You know what lawyers are like. They say lots of things’ and ‘we see people all the time applying for student visas and the print outs from digital banking are fine’.

    Faced with the prospect of my entire life plans falling apart as the result of a decision made by a condescending bank manager who wouldn’t even come and speak to me directly, I blew a gasket, and caused such a scene that I was taken into a side room where the manager made me show him where in the Home Office regulations it said that this is what I needed (yes, really).

    Endless RBS Contradictions

    As you can imagine, I was a bit concerned (!) that if the statements I had ordered didn’t arrive in time, that my only option would be to go into the branch and get them printed/stamped/authenticated – and that I would have to carry out some kind of demonstration in order to do so. I had a full speech and strategy prepared, which included sitting down on the floor of the bank until they provided me with the proper documentation. That might sound extreme and ridiculous, but remember that getting these paper statements is necessary to make sure that my wife is not deported from our home in Glasgow, and our whole lives turned on their heads. With that in mind, it suddenly doesn’t seem all that unreasonable.

    Anyway, unsatisfied with the answer I’d received from the bank, I then attempted to call the branch directly and speak with a manger to get some kind of reassurance that if worst came to the worst, they would be able to help me. However, I was routed to a digital banking call centre in Liverpool (the cruel irony). At first, they seemed to understand my question, which was a relief – but then they came back to say I should just print off the PDF statements from my online account. After yet more explanations, they then told me that definitively speaking, branches were not allowed to print off, stamp, and authenticate statements like I had asked.

    At the same time as this though, I had tweeted the bank’s social media team at @RBS_HELP to pose the same question. They had a different answer – equally as definitive:

    RBS Bank Statements FLR(M)

    To throw more mud in the water, I also read about someone else in Scotland who was fighting a similar battle, and who had been told after a whole load of mucking about that it was down to the bank’s discretion.

    So… what one is it? Why was this so difficult? Is getting a copy of paper statements not simply a basic function of a bank? Why did we spend Billions of taxpayers’ money to bail out banks if they can’t even provide such a base line of service? Why is this process being made so much harder needlessly by an institution that is supposed to be making efforts to recover public trust?

    How many days again?

    By this point, my stress levels were through the roof. I can usually handle pressure well, but when you are trapped in a situation that you have no control over, and have to rely on other people who have no personal investment, it’s much harder – especially given the high stakes.

    I had talked myself off the ledge with the reasoning that I had only been charged for the ‘historic bank statements’ on Friday the 1st of March. Despite that being 5 working days after I ordered them in the first place, I thought they would surely turn up by Tuesday. Either way, if they weren’t here by the Friday I would go into the branch, armed with the rationale that they had failed to deliver on the 10 business days statement.

    Come Wednesday though, there was still no sign of the statements, and I was losing patience. I checked over the bank’s support documentation again, to see whether I had missed anything – but nope, it clearly said that statement copies would only take 5-6 days. At this point, we were at 8-10. I decided to ask the digital banking advisors for some reassurance, but that only served to frustrate me further, as they insisted that the statements would take 10 working days to arrive, irrespective of what their own site said:

    RBS Statements

    I asked RBS on Twitter what the deal was, and after telling me AGAIN to just download and print PDF statements, they said that the ‘timescales would depend on the type of statement’ – with zero recognition that their documentation says nothing about this.

    RBS StatementsRBS don't listen

    Not helpful.

    The crescendo

    In the end, I decided that waiting a few more days wasn’t worth the damage to my blood pressure, and I went into the bank determined to get the statements that day. As it turned out, the manager had been contacted by the Twitter team, and was prepared to help out. He was incredibly apologetic, and took the time to make sure that I got the statements and the accompanying letter in a format that would meet the Home Office requirements.

    The Lessons

    There’s a few things that can be taken from this experience:

    • The Home Office regulations are deliberately and unnecessarily restrictive on both the format of the statements, as well as the timescales involved – which makes it extremely difficult for applicants and institutions to reasonably comply.
    • Despite this, the Royal Bank of Scotland is failing its customers on a number of counts. Specifically by the inaccurate information on their website; the inconsistency and lack of clarity on process between different departments/members of staff; as well as the unreasonably long time to process basic requests.
    • Despite eventually providing the requested information, people should not have to rely on kicking up a fuss online.
    • RBS need to stop telling people to download PDF statements from online banking as the default response to any kind of statement query. It is misleading, shows a lack of interest or basic understanding, and will trip up people who are not as familiar with the specifics of the Home Office requirements as I am.

    This is just one example out of many of the procedural problems inherent in the UK’s immigration law. Having a broken system which places pressure on applicants purely as a kind of punitive stress test is not beneficial for anybody – irrespective of what your views on immigration might be.

    Further update

    After I posted the above, I contacted the office of the Chief Executive, Ross McDonald to complain about the lack of clarity in the process, and their lack of understanding. After a couple of back and forths, they said:

    All our staff have access to an online business support manual which clearly explains the process and timeframe for ordering and providing copy/historic statements. Five to six days is regularly achieved, but I am aware of instances where the process has taken longer and a project team is reviewing the process to establish what is going wrong.

    In terms of providing statements quickly, we provide up to seven years statements via Online Banking and these can be printed and are suitable for almost all purposes. You can get an up to date statement covering the last few months transactions at any of our branches and again these should be suitable for most purposes. It is our policy to no longer authenticate documents such as statements and passport documentation via the application of a stamp and signature.

    So basically:

    • Statements are (usually) provided within 5-6 days of ordering them – but there are problems with that.
    • No recognition of the disparity between the website information and the information provided by staff online and in branch.
    • A statement (again) that online banking statements are ‘suitable for most purposes’ – completely ignoring everything I’ve repeatedly said about the Home Office requirements.
    • A definitive statement that RBS will not authenticate statements via a stamp – contrary to what their online helpdesk and branch staff said.

    What a joke.

  • Freedom of Speech and the DMCA: Abuse of the Notification and Takedown Process

    Last month, my first academic journal article was published by the leading international publication on IP law: the European Intellectual Property Review from Thomson Reuters.

    From the abstract:

    The Digital Millennium Copyright Act’s “notice and takedown” process is increasingly referred to as a model solution for content removal mechanisms worldwide. While it has emerged as a process capable of producing relatively consistent results, it also has significant problems—and is left open to different kinds of abuse. It is important to recognise these issues in order to ensure that they are not repeated in future legislation.

    To that end, this article examines the DMCA with reference to its historical context, and the general issues surrounding the enforcement of copyright infringement claims. It then goes on to discuss the notice and takedown process in detail—along with its advantages, disadvantages, criticisms and praise. Specific examples of the kinds of abuse reported by online service providers are outlined, along with explanations of the statutory construction that allows these situations to continue. To finish, the viability of potential alternatives and proposed changes are discussed.

    The article itself is available on WestLaw, citation: E.I.P.R. 2019, 41(2) at 70However, you can also get a copy of the PDF below.

    Freedom of Speech and the DMCA: Abuse of the Notification and Takedown Process (PDF)

    This material was first published by Thomson Reuters, trading as Sweet & Maxwell, 5 Canada Square, Canary Wharf, London, E14 5AQ, in European Intellectual Property Review as ‘Freedom of speech and the DMCA: abuse of the notification and takedown process’.
    E.I.P.R. 2019, 41(2) at 70 and is reproduced by agreement with the publishers. This download is provided free for non-commercial use only. Further reproduction or distribution is prohibited.

  • Why Article 13 is Flawed: Practical Examples from an Independent Musician

    Why Article 13 is Flawed: Practical Examples from an Independent Musician

    There has been a recent trend of seemingly well-intentioned musicians taking to Twitter to engage with critics of the seriously flawed Copyright Directive, and in particular Article 13. Whatever the content of their arguments, it almost inevitably boils down to some kind of accusation that whoever disagrees with them is ‘just an academic’, a ‘big tech apologist’, or someone that doesn’t understand or appreciate what it’s like to be an independent musician.

    I’ve been on the receiving end of these kind of claims, to the point that engaging any further became fruitless. Simply by dint of my position as a legal academic/employee of a tech company, the claim is that I must have an inherent bias that clouds my ability to critically analyse how copyright law will impact artists, because I am not a musician.

    My Credentials

    The thing is, I am a musician, and have been for almost 20 years. I sing and play guitar in a grunge band called Closet Organ, who successfully crowdfunded our last album, which included a vinyl LP release. I make chip-music and have played live as unexpected bowtie in places as far flung as London and Osaka. There’s also the innumerable other projects including the ‘bizarre and disturbing’ electronica of cup fungus, the scuzzy pop of Hog Wild, and the chilled out samplewave of ease and desist. I’ve personally put on a pile of gigs, been on tour as a music photographer more than a few times, was Review Editor of a fairly significant indie zine, and currently run my own underground tape label Cow Tongue Taco Records. I loved and played music long before I ever took a law class, or was employed by… well, anybody.

    Safe to say, I have some investment in independent music.

    Closet Organ
    Me, playing to a rapt audience

    Why ContentID doesn’t work for independent artists

    For those not familiar with Article 13 of the proposed EU Copyright Directive, the long and short is that it will effectively require service providers such as Facebook to implement content filtering systems to detect and remove/prevent the upload of material that belongs to another party. YouTube already has a similar system in place – by far the largest and most complicated of its kind in the world – but the Directive would massively extend its reach.

    There are numerous and detailed criticisms of Article 13, but all of them seem to fall on deaf ears as they come from the perceived position of a ‘corporate shill’, so here I want to briefly outline just one major issue that independent artists experience with the current ContentID system – and why any kind of expansion will inevitably be damaging rather than of benefit.

    If an independent artist wants to get their music out there into the world, to the most popular music sharing sites, they need to use some kind of recognised distributor – as direct submissions are either impossible, or extremely restricted. A pile of these have sprung up, including Amuse, RouteNote, DistroKid, etc. Some charge a subscription fee per year, some take a cut of any revenue generated, and some of them don’t even have a website – operating just from an app. The concept is simple: You send your music to them, and they distribute it digitally to the various partners. One of these partners is YouTube.

    What isn’t made clear by these distribution networks is that by submitting your music to YouTube, you essentially give the distributor a licence to enforce your copyright on the platform using the ContentID system. This automatically detects any music uploaded along with a YouTube video (including short clips), and flags it up as unauthorised. To many this might sound great. Stop people stealing your stuff!

    The problem of course is that there is very often no way to denote authorised uses or channels with these common distribution services. Let’s consider the following two scenarios:

    Scenario A: a young singer songwriter starts to build up a decent following online, by sharing clips on SoundCloud and YouTube. With the money they’ve made from the ads on their DIY videos, they put together a full-length album and use one of the most popular distribution services to make it available on Spotify, Apple Music, Amazon, YouTube etc. As they get more and more well known, they dig deep and fund a really flashy music video to promote the album. After teasing it on Facebook and Twitter, they upload it only to find that it has immediately been flagged for a copyright violation – on behalf of the distributor. The video won’t necessarily come down, but it does mean that they won’t be able to monetise it – and will lose out on the ad revenue they were expecting to recoup the cost of the production. Panicked, they dispute the claim using YouTube’s resolution procedure, but there’s no indication of how long that might take, and it has thrown off all of the promotions they were planning. There’s no explanation of this anywhere in the distributor’s app that they used, and they can’t get a hold of anybody who understands the issue and has access to release the video for commercial use.

    Scenario B: An artist (A) is asked by a fellow musician (B) if they would be interested in a collaboration. The process is simple: B will supply A with some vocal samples that A can then chop up and use however they wish. A gladly accepts, and comes up with a whole electronic composition that brings the vocals to life. B loves the track, and asks if they can use it on their upcoming DIY release. A agrees. B’s friend runs a small label who agrees to put out the album, and they use a distribution service which sends the album to all the major partners automatically – including YouTube’s ContentID system. A few years later, A is producing short video blogs and decides to use one of their old tracks as background music. It gets flagged up as a copyright violation automatically, which A disputes – but the appeal is rejected by the distributor, who has no knowledge of how the track came about in the first place.

    Both of these scenarios are common, and a version of B actually happened to me personally. There are plenty of other similar situations, which are easily discoverable with a bit of Googling.

    There are a few takeaways here:

    1. Independent musicians are at the mercy of a system which locks them out from negotiating their own contracts without major label backing, and they therefore have to rely on gatekeepers which provide an inadequate level of information and control over their own music.
    2. Artists who are starting out lack the information required in order to make informed decisions about their interaction with such services, and can inadvertently give away their ability to exploit their creations commercially due to how the systems are constructed.
    3. The ContentID approach to copyright enforcement gives huge clout to the first entity to register a piece of work within their system – which is rarely going to be the artist themselves.
    4. This model has no room for the ad-hoc, informal, and varying ways in which independent musicians create and share their works online.

    In Summary

    The current ContentID system works on a first-come, first-served basis. It puts huge power in the hands of intermediary distribution services which do not provide a service that can ever give artists the amount of control over their licenses they would require to fully exploit their creations. The nature of the beast means that informal collaborations between like-minded folks can unexpectedly tie up their creative expression years down the road. Article 13 will only expand these systems, which will inevitably be less sophisticated on other platforms than ContentID. Independent artists lose the ability to share their work even further.

    So… as an academic, a tech employee, but perhaps most importantly a musician: Article 13 is a disastrous piece of law, and should be scrapped.

  • Home Office Data Subject Access Request: Part Two.

    Back in May I wrote about the data subject access request I had submitted to the Home Office, and how they required a ‘written confirmation of likeness’ signed by a very particular list of people before providing any information. This is purportedly to verify your identity, but as I noted at the time, the requirements are stricter than those that the same organisation sets for processing passport applications. One may reasonably surmise that this could be an attempt to put people off from making these requests.

    I am following up with this post to document what happened after I submitted the request, for those interested in the reach and limits of data protection law.

    Objection to the Home Office’s disproportionate requirements

    At the time, I objected to the unusually stringent verification requirements, as well as that these would not be accepted online. Extract below:

    As you will be aware, data controllers are required to undertake ‘reasonable measures’ to verify the identity of the person making the Data Subject Access Request. I submit that by providing a copy of my passport, and the passport number, that this more than satisfies the legal requirement.

    Further, I submit that since the list of those who are considered appropriate to provide this written confirmation is less extensive than those who can act as a counter-signatory for a passport application in the first place, that this requirement is demonstrably disproportionate, and as such not required to respond to my request.

    The Home Office responded simply to reiterate that the verification must be done via post:

    We require that you send in a copy of your ID via the post, please have your photographic ID certified and sent to us at the address below.

     [address omitted]

    We request certified ID in this method for security to reduce the chances of fraudulent data requests.

    ‘To reduce the chances of fraudulent data requests’? Aye, right. They did not address my questions about inconsistency.

    I responded to press them on this:

    I understand that you are obliged to take ‘reasonable measures’ to verify the identity of the person making the subject access request. However,

    1. I do not see how requiring this to come via the post makes any difference whatsoever.

    2. The requirements for certification are far stricter in terms of who can make such a certification than those who can counter-sign a passport (https://www.gov.uk/countersigning-passport-applications). This is not ‘reasonable’, or ‘proportionate’ within the meaning of the relevant law.

    I am prepared to send in a certified copy of my ID to verify my identity, but I reject the requirement to have the certification made by one of the following:

    * a legal representative, registered with the Office for the Immigration Services Commissioner (OISC)
    * a solicitor, barrister or chartered legal executive
    * a commissioner for oaths
    * a registered charity

    Instead, I ask you again to confirm that you will accept a ‘written confirmation of true likeness’ from someone on the same list that you accept for passport counter-signatories (detailed in the URL above).

    If you refuse this, then your requirements would appear designed solely to prevent people from getting access to their data by implementing unreasonable stipulations, and I will be making a formal complaint to the ICO.

    They did not respond to this, or my follow up e-mail a few weeks later, so on the 20th of June I reported them to the UK’s Information Commissioner (ICO).

    ICO Complaint

    Specifically, I drew attention to the inconsistency in the listed requirements for ID verification when it came to passport applications versus data subject access requests, and that it appeared that those that related to the latter were therefore disproportionate.

    They replied in just over a week:

    The DPA 1998 and DPA 2018 do not state what identification or verification data controllers may request. Data controllers must be satisfied as to the identity of the requester to ensure personal data is not inappropriately disclosed. This also helps prevent fraud. The ICO therefore reviews concerns regarding this matter on a case-by-case basis.

    The ICO is satisfied that generally, the level of identification and verification requested by the HO for SARs is both reasonable and proportionate. This is because the HO must be certain of a requester’s identity before releasing any personal information.

    In light of the above, we would advise that you provide the HO with the requested documents and verification of these documents to allow the organisation to process your SAR.

    Basically, they just reiterated that data controllers have to take steps to verify the identify of those requesting data before processing a subject access request – choosing not to address the specific questions I had raised around proportionality.

    I pressed them on this, and after about a month the ICO responded:

    I understand that you are concerned about the level of identification requested by the Home Office for subject access requests, as it requires more identification for this than for passport applications.

    As stated previously, this is not a matter that is of concern to the ICO at this time. I understand that it appears there is inconsistency within the Home Office in regards to identification requested. However, due to the nature of information held by the Home Office, it must satisfy itself as to the identity of a requester before disclosing personal data.

    As it is not up to the ICO as to what the Home Office requests for different applications, and if you are concerned about inconsistencies within the Home Office, we suggest you raise this with the organisation.

    I apologise the ICO can’t be of further assistance at this time. However, please note that the concerns you have raised will be kept on file. This will help us over time to build a picture of the Home Office’s information rights practices.

    What this tells us

    This process was informative as it demonstrates the barriers that organisations such as the Home Office will place in the way of those who seek to exercise their rights under data protection law. By making the process as difficult and cumbersome as possible, it locks out all but the most determined and able.

    It also tells us a bit about the ICO’s role and reach in these cases: Namely, that it is extremely limited – at least when it comes to making assessments of proportionality. Rather than taking a holistic view of the data protection practices and requirements of an organisation, the ICO simply looks at each portion in isolation. In other words, it doesn’t matter whether the Home Office’s approach is entirely inconsistent, and demonstrates a clear lack of proportionality on any reasonable assessment of all the facts. The ICO only has to be satisfied that the requirements relating to a very narrow and immediate situation are proportionate, irrespective of the wider context.

    This makes no sense except in the most literal of readings, and makes a mockery of the spirit of data protection legislation. We shouldn’t be too surprised that this is the approach of the Home Office though, given the appalling state of the UK’s immigration law.

    I am currently debating whether or not to proceed with the formal ID verification process to see what they will provide once you get through the barriers. Watch this space.

  • UN Special Rapporteur’s Report on Content Regulation (2018)

    With the news that the United States are to withdraw from the UN’s Human Rights Council, it seemed poignant to highlight one of their recently published Special Rapporteur’s reports, in which they looked at the state of online ‘content regulation’, and the impact on freedom of expression.

    [It] examines the role of States and social media companies in providing an enabling environment for freedom of expression and access to information online.

    The report itself is one of the better publications from an official entity, and talks about a lot of important issues that other bodies tend to ignore (willingly or otherwise). As a result, the whole thing is worth reading, but a few portions in particular stood out for me, and are worth sharing:

    Counter Speech

    One of the current major questions in the realm of intermediary liability is how platforms should deal with ‘extremist’ content. In an attempt to find a compromise between ‘doing nothing’, and total removal of anything questionable (with all of the resultant implications for freedom of expression), the concept of ‘counter speech’ is often brought up as a solution. In principle the idea is that instead of silencing disagreeable expression, people should instead seek to directly counter the ideas. This avoids the problem of subjective censorship, protecting free speech, and also ‘shines light into the dark’, rather than driving people underground where there is little or no critical dissent.

    As well intentioned as this approach may be, it is one that is now unfortunately being misconstrued as an obligation for platforms to incorporate, rather than interested individuals or groups. For example, there are suggestions that the likes of YouTube should place an interstitial banner on disputed content to warn viewers of its nature. In the case of pro-ISIS videos, this notice would include links to anti-extremism programs, or counter narratives. As the report wisely notes:

    While the promotion of counter-narratives may be attractive in the
    face of “extremist” or “terrorist” content, pressure for such approaches runs the risk of transforming platforms into carriers of propaganda well beyond established areas of legitimate concern.

    Despite the fact that there is little evidence that such an approach would do anything but bolster the already established beliefs of those viewing the content in question, there would inevitably be calls for it to be extended to any particularly contentious content. Ostensibly, pro-choice campaign websites could be overlaid with arguments from conservative religious groups; McDonalds.com with a link to the Vegan association. This may seem far fetched, but the danger is clear: as soon as we replace our own critical faculties with an obligation on intermediaries to provide ‘balance’ (even with the most extreme of content), we open the door to the normalisation of the practice. There is scant analysis of this particular issue out there at the moment, and I’m especially pleased to see it highlighted by the UNHRC.

    Trusted Flaggers

    Many companies have developed specialized rosters of “trusted” flaggers, typically experts, high-impact users and, reportedly, sometimes government flaggers. There is little or no public information explaining the selection of specialized flaggers, their interpretations of legal or community standards or their influence over company decisions.

    Lack of definition of terms

    You can’t adequately address challenges if the terms aren’t defined. For that reason, crusades against vague concepts such as ‘hate speech’, ‘fake news‘, etc are at best, doomed to failure, and at worst, a serious threat to freedom of expression. This isn’t a problem limited to the issues surrounding intermediary liability, but one which is made more visible by the globalised, cross jurisdictional nature of the Internet.

    The commitment to legal compliance can be complicated when relevant State law is
    vague, subject to varying interpretations or inconsistent with human rights law. For
    instance, laws against “extremism” which leave the key term undefined provide discretion to government authorities to pressure companies to remove content on questionable grounds.

    This is pretty self explanatory, but something which is often overlooked in discussions around the responsibilities of intermediaries in relation to content regulation. We should not accept the use of terms which have not been properly defined, as this allows any actor to co-opt them for their own purposes. Tackling ‘online abuse’, for example, is a grand aim which can easily garner much support, but which remains empty and meaningless without further explanation – and thus, open to abuse in of itself.

    Vague rules

    Following on from the previous section, platforms (perhaps partly as a direct result of the contemporary political rhetoric) adopt vague descriptors of the kind of content and/or behaviour which is unacceptable, in order to cover a variety of circumstances.

    Company prohibitions of threatening or promoting terrorism, supporting or praising leaders of dangerous organizations and content that promotes terrorist acts or incites violence are, like counter-terrorism legislation, excessively vague. Company policies on hate, harassment and abuse also do not clearly indicate what constitutes an offence. Twitter’s prohibition of “behavior that incites fear about a protected group” and Facebook’s distinction between “direct attacks” on protected characteristics and merely “distasteful or offensive content” are subjective and unstable bases for content moderation.

    Freedom of expression laws (generally) do not apply to private entities. In other words, Facebook et al are more or less free to decide on the rules of engagement for their platform. However, as these intermediaries increasingly control the spaces in which we as a society engage, they have a responsibility to ensure that their rules are at least transparent. The increasing multi-jurisdictional legal burdens and political pressures placed upon them to moderate content reduces the likelihood of this significantly. It also provides little to no stability or protection for those who hold views outside of the generally accepted cultural norms – a category that includes political activists and dissidents. In many parts of the world, having a homosexual relationship is considered ‘distasteful’ and ‘offensive’, as are the words of the current President of the United States – which demonstrates the problem with allowing (or expecting) a technology company to make such distinctions.

    ‘Real name’ policies

    For those not familiar, this refers to the requirement from certain platforms that you must use your actual, legal name on their service – as opposed to a username, pseudonym, nickname, or anonymity. Officially the reason is that if someone is required to use their ‘real’ name, then they are less likely to engage in abusive behaviour online. We can speculate as to the real motives for such policies, but it seems undeniable that they are often linked to more accurate (aggressive) marketing to a platform’s user base. Either way, the report notes:

    The effectiveness of real-name requirements as safeguards against online abuse is
    questionable. Indeed, strict insistence on real names has unmasked bloggers and activists using pseudonyms to protect themselves, exposing them to grave physical danger. It has also blocked the accounts of lesbian, gay, bisexual, transgender and queer users and activists, drag performers and users with non-English or unconventional names. Since online anonymity is often necessary for the physical safety of vulnerable users, human rights principles default to the protection of anonymity, subject only to limitations that would protect their identities.

    Within traditional digital rights circles (if there is such a thing), there appears to be a growing belief that anonymity is a bad thing. I’ve even heard suggestions that the government should require some kind of official identification system before people can interact online. This is clearly a terrible idea, and may seem utterly laughable, but when you consider that this is exactly what will be law for adult websites in the UK later this year, it seems like it might not be completely out of the realms of possibility after all. We need to better educate ourselves and others on the issues before the drips become a wave.

    Automated decision making

    Automated tools scanning music and video for copyright infringement at the point of upload have raised concerns of overblocking, and calls to expand upload filtering to terrorist-related and other areas of content threaten to establish comprehensive and disproportionate regimes of pre-publication censorship.

    Artificial intelligence and ‘machine learning’ are increasingly seen as some kind of silver bullet to the issues of moderating content at scale, despite the many and varied issues with the technology. Bots do not understand context, or the legal concept of ‘fair use’; frequently misidentify content; and are generally ineffective, yet the European Union is pressing ahead with encouraging platforms to adopt automated mechanisms in their proposed Copyright Directive. Rather than just trying to placate lawmakers, intermediaries need to recognise the problems with such an approach, and more vigorously resist such a solution, instead of treating it as a purely technological challenge to overcome.

    Finally…

    Companies should recognize that the authoritative global standard for ensuring
    freedom of expression on their platforms is human rights law, not the varying laws of States or their own private interests, and they should re-evaluate their content
    standards accordingly.

    This is a pretty strong statement to make, and demonstrates an approach that I strongly resonate with. In principle, at least. In practice however, companies are obliged to follow the legal obligations of the jurisdictions in which they are based (and sometimes even beyond, given the perceived reach of the GDPR). The extent and application of ‘human rights law’ varies significantly, and there are no protections for intermediaries that rely on mythical ‘global standards’ – even the UN Declaration of Human Rights.

  • Open letter to MEPs: Article 13 of the Copyright Directive

    The latest threat to both freedom of expression and the neutrality of the Internet is the proposed European ‘Copyright Directive’, and in particular, Article 13.

    Much has been written on the dangers of Article 13, so I won’t repeat it here. Needless to say, if implemented, there would be serious consequences for how we interact online. It would be far easier for people to have content taken down from the Internet, or to prevent you from posting certain things, even if they have no real legal justification for doing so. In other words, you’d better get used to seeing this:

    Facebook Link Blocked

    You can (and should) write to your MEP to express concerns about the upcoming law. You can do so using sites such as saveyourinternet.eu, but I didn’t think their template letter or MEP search was particularly good, so I wrote my own. Feel free to modify and use the below language. You can find and contact your MEPs using https://www.writetothem.com/.

    Attn:

    • David Martin MEP
    • David Coburn MEP
    • Catherine Stihler MEP
    • Nosheena Mobarik MEP
    • Ian Hudghton MEP
    • Alyn Smith MEP

    Thursday 21 June 2018

    Stephen McLeod Blythe
    [address redacted]

    Dear Catherine Stihler, Alyn Smith, Ian Hudghton, Nosheena Mobarik, David Martin and David Coburn,

    I am a legal academic and digital rights advocate from Glasgow, Scotland. I write with respect to the so-called ‘Copyright Directive’, and ask that you stand up against the proposal.

    My main area of concern regarding the proposed Directive lies in Article 13. While it does not specifically impose a requirement on intermediaries to introduce pre-screening mechanisms, the language does explicitly refer to ‘the use of effective content recognition technologies’. As a result, this approach is clearly seen as an appropriate norm.

    There are many problems with content recognition technologies, which I will not waste your time with by reciting in full. However, the bottom line is that they are expensive to implement; ineffective; easily defeated; frequently mis-identify content; and do not understand context, or the concept of ‘fair use’. In my work I already see significant abuse of copyright laws by complainants who wish to silence critics, and any kind of automated system will simply compound this problem.

    Should Article 13 go ahead unchanged, intermediaries will inevitably adopt ‘dumb’ filtering systems in order to reduce their liability, and the result will be a significant chilling effect on both freedom of expression, and free enterprise. The consequences will impact heavily both on individual rights, and the economy.

    Yours sincerely,

    Stephen McLeod Blythe LLB. LLM.

  • Facebook and Free Speech: Reinforcing the Echo Chamber

    In this Motherboard article, Vice yesterday highlighted some of the internal changes to Facebook’s policy on acceptable speech after the events of Charlottesville last year.

    Facebook Free Speech Policy
    Image via Motherboard. Included under the fair use doctrine.

    Specifically, it was noted that Facebook distinguish between statements supporting a white nationalist ideology, and white supremacy, with the latter in particular considered to be associated with racism – something prohibited on the platform. In response, there have been arguments that this distinction is meaningless, and that Facebook is effectively allowing Nazis to operate on their network as a result.

    Facebook infamously ‘curates’ what its users see through the use of algorithms, and they have faced ongoing criticisms that ‘echo chambers’ are created as a direct result. This was particularly true in light of both Donald Trump’s Presidential election victory, and the outcome of the EU membership referendum in the UK. On a personal note, it was something that first became obvious after the Scottish independence referendum in 2014.

    With this in mind, the question becomes what people actually want or expect Facebook to be. On one hand, the possibility of anybody sharing far right or extremist ideologies is seen as abhorrent and unacceptable, but on the other, the cultivation of echo chambers that distort political and social reality is decried as irresponsible.

    Unfortunately, you can’t break through an online bubble by only allowing that which you find inoffensive to be shared.

    The obvious response here is that there is a difference between healthy debate and sharing views which are hateful. However, this is something of a liberal utopian ideal which doesn’t actually play out in practice. Argument is messy. Debate isn’t always healthy. People don’t always play fairly. All of this is self-evident and will remain true whenever those with opposing positions come into conflict. Arguably, those beliefs that are considered most heinous are precisely those which need to be heard, challenged, and resisted, and in the same vein, the areas online which foster these biases without question need to be opened up to opposition.

    If all we want is Facebook to be a safe space to share pictures of our dogs and holiday photos, then that is one thing. However, that is never going to be the reality, irrespective of what some may claim. Whenever people have space to express themselves, they will share their views on how the world should be. If we want to avoid all of the problems that doing so within the so-called echo chambers brings, then we need to stop reinforcing them by banning the very opposing views that would break them apart in the first place.