Most Popular Resources

All I want for Christmas is a CryptoKitty

What is crypto? What is blockchain? What is Bitcoin? As Wittgenstein might have put it, many of these terms are only familiar to those who are involved in this “language game”. Now, these arcane digital concepts are going mainstream. Why?! CryptoKitties.

CryptoKitties are digital cats. Each one has different attributes and users can breed, buy and sell these kitties on Ethereum. The most expensive kitten was Founder Cat 18, a bug-eyed orange animal with purple spots. This CryptoKitty was sold for $122,095 on December 6.

If you have developed an affinity for Ethereum, you could ask for ERC-721 tokens for Christmas to buy your CryptoKitty. Better still, ask for Bitcoin but it won’t come cheap.

So what do CryptoKitties show us?

1. Application of blockchain

CryptoKitties is the first mainstream recreational decentralised application (“Dapp”). If you don’t know what a Dapp is, it consists of: (1) a frontend, written in HTML; and (2) a backend (think of it as the ‘database’ for your frontend). The fact that the first mainstream Dapp is a game and is about cats shows that practical applications of the blockchain can extend well beyond Initial Coin Offerings (“ICOs”).

2. Cats, Digital Assets or Securities?

You will be delighted to hear that CryptoKitties are probably not securities. Just like Bitcoins or Ether, CryptoKitties are peer-to-peer tradeable, provably scarce digital items that are accounted for by an open blockchain network.

Rather than finance itself through an ICO), it is using its own revenue model: The CryptoKitties team releases a new “Gen 0” CryptoKitty every fifteen minutes (up until November 2018). The starting price of “Gen 0” CryptoKitties is determined by the average price of the last five CryptoKitties that were sold, plus 50%.

There are https://www.cryptokitties.co/faq#How-much-does-it-cost-to-buy-a-CryptoKittycomplicated arguments as to whether some ICOs might be unregistered securities issuance. In the United States an offer and sale of “tokens” or “coins” may qualify as “securities” and be subject to the U.S. securities laws and the jurisdiction of the U.S. Securities and Exchange Commission (“SEC”). It all comes down to the “Howey” test. If an investment of money is made with an expectation of profits arising from a common enterprise that depends solely on the efforts of others (i.e. a promoter or third party) SEC v. W.J. Howey Co., 328 U.S. 293 (1946).

In a similar fashion, the Financial Conduct Authority (“FCA”) in the United Kingdom has issued a consumer warning about the risks of ICOs. It says “ICOs are very high-risk, speculative investments.” It adds that whether an ICO falls within the FCA’s regulatory boundaries or not can only be decided case by case and states: “Businesses involved in an ICO should carefully consider if their activities could mean they are arranging, dealing or advising on regulated financial investments.”

If we apply the Howey test, CryptoKitties are not being marketed as profit making investments, and ownership of a CryptoKitty doesn’t give you a right to dividends or revenue streams from the CryptoKitty team or anyone else for that matter.

Takeaway. I have had several clients asking us to review their ICO Whitepapers to determine, amongst other things, whether they would be likely to fail the “Howey” test. The utmost care should be taken when drafting documentation and promotional materials. If your offering is not a security then your materials should faithfully reflect that.

3. Capacity and labour pains

The interest CryptoKitties generated across the Ethereum network almost brought the network to a halt. At one point, its smart contracts accounted for up to 25% of the entire network’s transactions. As traffic increases, transactions become more expensive to execute quickly. CryptoKitties responded by issuing a tweet: Due to network congestion, we are increasing the birthing fee from 0.001 ETH to 0.002 ETH. This will ensure your kittens are born on time! The extra is needed to incentivize miners to add birthing txs to the chain. Long-term solution will be explored very soon!

Takeaway. This isn’t the first time the Etherum network has come under strain. CryptoKitties shows how scalability should be (and is) a top priority for the Ethereum development team. For blockchains to become fully mainstream, solutions will need to be found that can overcome the threat posed by digital cats. Ethereum is making progress on developments such as ‘Proof of Stake’, ‘sharding’, and second layer technologies that will support its ability to scale.

4. Cybersecurity and data protection

From a cybersecurity perspective, the immutability, encryption, and cryptographic elements inherent in cryptocurrency transactions on a blockchain lend themselves well to a secure environment.

Despite the added security benefits of cryptocurrencies’ underlying blockchain technology, it is not without risk. Notably the mechanism by which digital currencies are stored (e.g. in digital wallets) introduce penetration points that can be used to exploit the blockchain’s irreversibility, meaning that pilfered digital tokens and coins cannot be returned, and victims can be left without much recourse (unless issuers and users are properly insured or indemnified). Similarly, the use of private and public key authentication on a distributed network can create risk with respect to users’ private keys that, if lost or compromised, can result in serious losses. Further, many users are not actually holding their private keys (and therefore their Bitcoin) and instead entrust them to third parties.

No article nowadays would be without a discussion on data protection. The General Data Protection Regulation (GDPR) brings in a new data subject right, the “right to be forgotten/right to erasure”. This does not sit well with the decentralised and immutable components of blockchain technology which by its very nature does not enable the permanent deletion of data. Data subjects may however be less concerned if their data is pseudonymised. Regardless, further security features may need to be built on top of the existing framework to ensure compliance.

Takeaway. Issuers and users of cryptocurrencies should consider the need for adequate insurance solutions to account for these risks.

Conclusion
CryptoKitties may be as cool as cats but they are of the feral not the domesticated variety.
For further information please contact Anne Rose, associate in the technology law team at Simons Muirhead & Burton LLP [email protected] or Simon Halberstam at [email protected], head of the technology law team.

 

Love Data, Hate Data – John Anderton! You could use a Guinness right about now!

Yesterday, the iconic lights in London’s Piccadilly Circus were switched back on after nine months of renovation. The patchwork, which has become one of London’s most famous sights, has now been replaced by Landsec with a single 4K LED screen with in-built facial recognition technology that will feature six advertisers.

Today, we are closer than ever to the advertising ecosystem that Minority Report predicted in which billboards scanned the retinas of passers-by to show them personalised adverts. According to Landsec’s press report, the digital screen will be able to “react to certain external factors, such as the weather or temperature”. The facial recognition technology could also be used to deduce the age, gender and even mood of passers-by, as well as the make and model of cars; using that info to deliver targeted ads.

How this might work in practice was explained by Tim Bleakley, chief executive of Ocean Outdoor, the company that runs the board’s advertising. “Coca-Cola, for example, can log on at any given moment, see a large group of Spanish tourists and change the copy of the ad from ‘hello,’ to ‘buenos dias’.” Combine this data with all the data users of the billboard’s free WiFi hand over, could result in marketeers being able “to monitor and capture your every online move” warns Douglas Crawford, editor of independent online security and VPN advice service BestVPN.com. Landsec has tried to allay these concerns and has stated that the technology “does not collect or store any personal data and is unable to record images or audio.”

The advances in digital technology has given marketeers the ability to target individual consumers directly. According to an article in The Guardian last year, facial recognition technology is now used by an approximately 59% of UK fashion retailers. This is not set to go away; Apple’s new iPhone X incorporates Face ID technology – allowing you to pay with a smile! Other technologies being used by retailers are beacons. Harrods, for example, has a network of more than 500 beacons which connects to a user’s iPhone through Bluetooth and highlights consumers’ location on a map. This technology can also be used to send consumers location specific deals and recommendations to their phones while they browse in store.

While these tools may be a marketer’s dream, businesses should ensure that they are transparent at the way in which they use such data. There are strict rules in place regarding what businesses can and can’t do with data they have collected from consumers. In May 2018, with the advent of the General Data Protection Regulation, failure to comply could result in fines of up to €20 million or 4 per cent of turnover (whichever is greater).

If anonymised data is being used to change the layout of a store or to provide a consumer with an enriched customer experience, then that is from a legal perspective far less controversial than the use of facial-recognition technology to track an individual and then send unsolicited, personalised marketing materials based on that data.

Video Games and the Jurassic future – the legal issues

Confession is good for the soul so let’s start with my admission that I am a scrabble addict. Whilst that idea may not set your pulses racing, it points to an obsession with words and that, as you will see below, is a fundamental requirement in the context of video game legals. The multi-dimensional world of video games entails myriad, inter-linking legal issues. This is anticipated to reach a new zenith next year with the launch of Jurassic World Evolution. Who would have thought that dinosaurs would be shaping the legal agenda in 2018?

Rather than bore you with extensive legalities, I will briefly highlight some of the key legal issues and leave you to ponder and contact me should any alarm bells start to sound.

Intellectual Property Rights (IPR)
• You need to protect your work and/or investment. This is mainly about copyright and database rights. Make sure you get assignments from anyone from whom you have bought or commissioned any code, graphics, sound effects or any other creative input.
• Patents may be relevant but the originality barrier is high and will require specialist assessment to determine if you have any qualifying ideas or concepts.
• Trademarks and domain names are generally more straightforward as they protect/reflect brands and names rather than underlying code and concepts. However, you will need to consider not only what you can protect but also whether what you have in mind might infringe third party rights. For that reason, it is advisable to run some clearance searches before you invest in your brand/developing your game; running a search on Google is a start.
• If you are planning to depict any people in a game, you will typically need to procure releases from the rights holders and failure to do so may result in “passing off” or other actions against you.
• Where there are in-game purchases, there may be further IPR ownership, licensing and infringement issues where the purchases of virtual goods/accessories are branded by the IPR owners or used without the owner’s permission.
• Another important area of IPR relates to design rights which may offer a route to protection of GUI and multiple visual elements.
• The use of open source in the creation process may undermine any claim to IPR protection by the game’s developers. Careful attention needs to be paid to governing open source licences such as the GNU family to see what impact the use of open source code might entail.
• Where the developers incorporate existing music or other audio or visual rights, permission or clearance will need to be sought/negotiated to clear any rights in the sounds recording and the musical composition (i.e. music and lyrics). Clearance will need to be sought from the record label and the publisher or collective right management organisation such as the PRS in the UK.

Terms and Conditions (T&C) and Data Protection
Not only do you need T&C which regulate use of your game and distribution agreements with your channel but also other sets of terms covering your use of gamers’ personal data and the cookies you or third parties place on their systems as well as an Acceptable Use Policy for in-game messaging. The privacy issue becomes exponentially more crucial next May when the new general data protection regulation (GDPR) enters force. Maximum fines for data breaches will rise from £500k to the higher of 4% of worldwide turnover or E20m. This means that it is paramount that you have in place appropriate, state of the art technology to prevent compromise or hacking of your subscribers’ personal details.

Gambling and Social Gaming
There has been considerable coverage of failures by gambling operators properly to demarcate between social gaming and gambling. The Sunday Times recently reported that some of Britain’s biggest gambling operators are targeting children with their favourite cartoon and storybook characters in online betting games, and that gambling operators are exploiting a legal loophole to promote games that appeal to children without breaching Gambling Commission rules. By way of example, they cited 888 website’s Jack and the Beanstalk game, which had a minimum bet of 20p and a maximum of £200, and Paddy Power’s Peter Pan game. Everyone involved in the gaming sector needs to be very careful not to overstep this mark.

Advertising
The video games industry has its own system of formal self-regulation to keep children safer offline and online: the PEGI (Pan-European Game Information) age rating system. In particular, publishers are required to follow PEGI’s Labelling and Advertising Guide (“the Guidelines”) to ensure the age rating icons and descriptors are displayed to consumers prior to purchase of both disc-based and online games. Game advertising is also subject to the CAP Guidance on advertisements for Video Games and Films as well as the CAP and BCAP Codes. When developing your game it is important to consider (if necessary) both age verification services and parental controls.

For further information please contact Simon Halberstam at [email protected], head of the technology law team at Simons Muirhead & Burton or Anne Rose, associate in the technology law team at [email protected]

Do what the F*** You Want? Not quite…

One of the myths surrounding open-source software (“OSS”) is that you can do whatever you like with it; there is even an OSS licence called Do What the F*** You Want To Public Licence (“WTFPL”). This could not be further from the truth.

In this article we explore some of the issues that companies should consider when using OSS.

What is OSS?

The basic concept common to all OSS licence agreements is that they seek to ensure that all downstream users have the freedom to use, modify and distribute the licensed OSS. “Permissive” OSS licence agreements such as MIT and Apache 2.0 impose minimal obligations on the licensee, such as obligations to maintain attribution and legal notices. Importantly, these licences often permit modifications of the OSS and allow such modification to be distributed under any licence (proprietary or open source) of the licensee’s choosing. On the other hand, “restrictive” OSS licence agreements (also referred to as “copyright” or “viral” licence agreements) impose obligations not only with respect to the licensed OSS but also with respect to any works derived from or combined with OSS. Failure to understand which type of licence you are subject to and the associated terms of use can entail huge risks for your business.

The risk involved with derivative works

Making available your source-code

Where proprietary software code is “mixed” with OSS, you may be creating a derivative work. If that OSS is subject to a restrictive licence, then when you license such software, you will have to make the sensitive source code you have created available to end users free of charge with the ability to modify and redistribute.

Copyright infringement

Many OSS licences are subject to United States copyright law, under which a derivative work is defined as:

“a work based upon one or more pre-existing works, such as…any other form in which a work may be recast, transformed or adapted. A work consisting of editorial revisions, annotations, elaborations, or other modifications which, as a whole, represent an original work of authorship, is a ‘derivative work’.”

Therefore, when dealing with OSS licences that rely on copyright law principles, a thorough investigation of how much and what part of the OSS code is copied or modified and/or how the OSS is used needs to be made in order to anticipate or predict how a court might rule on the legal implications for a “derivative work”. A key issue is understanding and knowing what may be classified as a “derivative” work, especially as many restrictive licences don’t even define the concept (e.g. Eclipse Public License, Version 1.0). In some cases, there is not necessarily an answer, particularly as there is little case law surrounding the issue. For example, what happens where you are linking to OSS or using Plug-ins?

Linking

Some OSS available is released as a library. Instead of incorporating it into your proprietary software you may want to create a link between your software and these (unmodified) libraries and to distribute them along with your software, either by compiling them together (“static linking”) or not (“dynamic linking”). There are instances where dynamic linking to OSS libraries is allowed while static linking is not. Much of this will depend on the terms of the OSS licence you use and so a case by case analysis is necessary.

Plug-ins

Plug-ins such as Adobe Flash Player are commonly used in web browsers to add video player functionality. Where your software application is configured with a programming interface to support the use of such plug in, a derivative work may be created when either the application or the plug-in is governed by a restrictive OSS licence.

In both these cases, it may well be difficult to determine whether the form of use envisaged might lead to a copyright infringement.

Warranties and limitations of liability

Generally speaking, OSS licences include a broad disclaimer of all representations and warranties or indemnities that might otherwise be expressly or impliedly provided by a commercial software licensor. Further, as there is often more than one contributor to OSS projects, it is impracticable to determine whether any contributor has contributed infringing code (knowingly or otherwise).

Unchecked use of OSS could have significant consequences and result in the need for time consuming remedial action. In a corporate transaction if in the course of due diligence, the prospective investor or purchaser alights upon an intellectual property ownership issue or other problem arising from the use of OSS and the issue cannot be remedied prior to closing, then the investor or acquirer may decide not to proceed or, more probably, seek additional contractual protection such as indemnities, or a cash escrow to cover the cost of any remediation efforts that may be necessary after closing.

How to manage the risk?

As a company, there are several things you can do to manage your risk:
• Establish a policy regarding the management and use of OSS.
• Carry out an OSS audit using a company such as ‘Black Duck’ and find out what OSS licence(s) your organisation is using/has used.
• Appoint someone within the organisation to be responsible for use of OSS.
• Create training programmes for employees.

For further information please contact:

Anne Rogers, Associate, Technology Law Group

E: [email protected]

DDI: +44 (0) 20 3206 2727

Simon Halberstam, Partner and Head of the Technology Law Group

E: [email protected]

DDI: +44 (0) 20 3206 2781

Technology Breakfast Seminar : How Tech Companies can ride the Autonomous Vehicle and Smart City Wave

Simons Muirhead & Burton LLP look at driverless cars and smart cities; and threats and opportunities for the tech industry. Click here to register for this event on 27 June 2017.

Click Here for more details.

Diving into the EC’s draft ePrivacy Regulation: steps for online gambling operators

Anne Rogers and Simon Halberstam dive into the EC’s draft e-Privacy Regulation and set out what it means for online gambling operators and crucially, what they need to do today in order to ensure that they comply. Click Here to read their latest article which first appeared in the March 2017 publication of the Online Gambling Lawyer magazine.

Contact Details: Anne Rogers, Associate, [email protected]; Simon Halberstam, Partner, [email protected]

Look, up in the sky! It’s a bird! It’s a plane! It’s a Drone!

From self-repairing cities to transforming cinematic and television experiences, drones are becoming increasingly prevalent. To ensure their safe and proper use in the UK, the Government launched its consultation on 21 December 2016, ‘Unlocking the UK’s high tech economy: consultation on the safe use of drones in the UK’ (Consultation). Those who wish to voice their opinion, should submit their response by 15 March 2017.

In this article, we explore some of the issues that drone users should consider when filming including: aviation law, copyright and privacy.

UK Aviation Regulations

In the UK, drones (otherwise known as “unmanned aircrafts”) are subject to a number of rules and regulations depending on their weight and proposed use. The principal piece of legislation governing drones is the Air Navigation Order 2016 (ANO) effected through the Civil Aviation Act 1982. The key points to note under ANO are as follows:

Overriding Principle. It is prohibited “to recklessly or negligently cause or permit an aircraft to endanger any person or property”.

Weight. To avoid falling within the remit of more extensive aviation regulations and be classified as a “small unmanned aircraft”, it is advisable not to exceed 20kg. Most aerial filming drones or camera drones weigh significantly less than 20kg.

Use. The most relevant Articles are 94 and 95 ANO. Article 94 ANO applies to all drones weighing less than 20kg. Article 95 ANO applies to drones weighing less than 20kg which are also used for surveillance (i.e. recording and filming).

There are two particular points of note:

1) If you wish to use a drone for “commercial operations” then you must apply to the Civil Aviation Authority (CAA) for permission. Unless you are using a drone for filming as a hobby, as Keith Bremner was when he caught Top Gear being filmed, then permission from the CAA will likely be required.

2) Drones may not fly: (a) over or within 150m of any congested area or open-air assembly of more than 1,000 people without permission from the CAA (e.g. over a major sports match); and (b) drones may not fly within 50m of any vehicle, building structure or person not under the control of the drone pilot without permission from the CAA.

Permission and Penalties. Applying for permission from the CAA can be rather complicated. Due to the complexities involved it may be advisable to seek a specialist contractor who has all the necessary insurance and CAA permissions to assist with any filming work, especially considering that failure to comply with the ANO is a criminal offence.

Copyright

Photographs. Under UK copyright law, the first owner of the copyright will be the photographer, unless the photographer was an employee. In that case, the employer will own the copyright in the photograph.

Films.  What about moving pictures (i.e. films)? Under the Copyright Designs and Patents Act 1988, a film has two legal owners: the producer and the principal director. Again, if the film is made during the course of employment, the employer will own the copyright in the film. In the case of drones, the owner will probably be the person who programmed the drone to make the film (i.e. the producer); and the person who has “creative control” (i.e. the principal director who decides what to film and how to film it).

Data Protection and Privacy

In the UK, there is no specific data protection legislation on the use of drones. A breach of privacy is likely to be dealt with under the established law on breach of confidence through the Human Rights Act 1998. The Information Commissioner’s Office (ICO) has however said that drones “can be highly privacy intrusive” as they may capture images of individuals “unnecessarily”. In light of this, the ICO has released some guidance which should be followed: In the picture: A data protection code of practice for surveillance cameras and personal information. It is advisable for anyone considering using drones in their next film or TV production, for instance, to read this, particularly considering the penalties.

Penalties. The ICO has the power to impose a fine of up to £500,000 where a drone operator seriously contravenes UK data protection law and the “contravention is of a kind likely to cause substantial damage or substantial distress, and is deliberate or likely and should have been prevented”. As previously noted, this will become more significant in May 2018 when the General Data Protection Regulation comes into force.

For further information please contact:

Anne Rogers, Associate, Technology Law Group

E: [email protected]

DDI: +44 (0) 20 3206 2727

Simon Halberstam, Partner and Head of the Technology Law Group

E: [email protected]

DDI: +44 (0) 20 3206 2781

The Legal Cost of Personalised Shopping

Drone deliveries, self-lacing sneakers, digital mirrors, shoes that help you feel the virtual reality world you’re walking in – welcome to 2017. These were some of the highlights at the Consumers Electronic Show (CES) 2017 in Las Vegas. Advances in consumer technology are transforming our lives. Many retail companies realising the importance of technology are now positioning themselves as ‘technology first companies’. The Chairman and CEO of Uniqlo, for example, has described the clothing brand as a “technology company”.

We look at some of the AI technology that retailers and brands are using and the importance of protecting consumer data.

AI Voice Assistance

“Alexa, please add salad dressing to my shopping list and order me a taxi”. Amazon Echo, Google Home and Apple’s Siri – voice activated smart home devices are transforming consumers’ lives. All of these devices use a voice recognition AI system. Amazon’s Echo, for instance, uses the Amazon-owned ‘Alexa’ online data analytics and voice recognition. This technology can learn from user behaviour and improve over time. If a user voices a question which is misunderstood by Alexa, the user can enter the app and edit the question. Alexa learns from this and applies the customised approach across its user interfaces. This technology has huge potential to transform the nature of omni-channel commerce by providing a new channel through which retailers can engage with consumers. Retailers who employ such technology will have to ensure (among other things) that they are transparent with consumers as to what data they are collecting and how such data is being used. Such information should be documented and made available on request – in the event of a data breach or a compliance complaint, for example. From May 2018, the General Data Protection Regulation (GDPR) will apply. Failure to document such information could result in a number of sanctions from the UK Data Protection Authority, the Information Commissioner’s Office (ICO), ranging from a warning to a fine of up to €20,000,000 or in the case of an undertaking, up to 4% of the worldwide annual turnover of the preceding financial year, whichever is higher.

Chatbots

“How would you describe your style?” “Classic”. “Perf! I’ve just created a customer style profile for you”. Chatbot technology is powered by artificial intelligence which is specifically designed to replicate human interaction. Consumers are able to use chatbots to make enquiries about delivery and returns, make product choices; and place and order. Throughout 2016, retail brands such as Tommy Hilfiger, Burberry and eBay all launched their own chatbot technology to promote sales and boost engagement. Other brands like H&M and Sephora are now using Kik’s new Bot Shop marketplace. Users who chat with the H&M bot can tell the bot a piece of clothing they like, and the bot will suggest an entire outfit and direct the user to buy the outfit through the messaging platform. Chatbots enable retailers and brands to engage with a younger generation and offer users a personalised customer experience. Retailers should inform consumers before they make an order that their statutory right to cancel within fourteen days of receiving a product does not apply to any products made to their specification or clearly personalised. Further, under the Consumer Contract Regulations 2014, retailers should also note that any payment order buttons in a chatbot message are clear and unambiguous as to the finality of the order thereby being made. ‘Order Now’ is not considered sufficient by the Directorate-General for Justice Guidance and could result in the consumer not being bound by the order. Wording such as ‘Pay Now’, ‘Buy Now’ and ‘Confirm Purchase’ on the other hand, would be sufficient.

Smart mirrors

“Does my bum look big in this?” Many brands have been experimenting with smart mirrors to enhance consumer experience. These mirrors use RFID technology to recognise the item the customer is wearing. The mirrors then take photographs of the consumer to provide recommendations on the fit and the colour. Ralph Lauren’s smart fitting room at its flagship on Fifth Avenue also suggests other products the consumer might like based on what it bought. In Uniqlo’s store in San Francisco you can see what your outfit looks like at all angles and text yourself side by side outfit comparisons which you can send to your friends on social media for their advice. This technology has resulted in an increase of sales and offers consumers a unique experience tailored to the brand.

How much data is being collected?

In 2013, Céline’s creative director and designer Pheobe Philo told UK Vogue: “The chicest thing is when you don’t exist on Google. God, I would love to be that person”. Privacy has become a luxury and consumers are becoming increasingly concerned about how their data is being used and the impact this may have on their privacy. From a consumer perspective, you may exchange your location settings in order to get a better service but it does not mean that you want the data to be seen by others.

From May 2018, brands which manufacture and develop these products will have an obligation to consider the concepts of privacy by ‘design’ and ‘default’ at the initial design stage as well as throughout the lifecycle of the relevant data processing. Brands will need to exercise caution and invest in their infrastructure to protect consumers’ data from data breaches and cyberattacks. It would be advisable to implement a privacy impact assessment to demonstrate that appropriate technical and organisational measures have been implemented; and that compliance is monitored. Any standard contracts with data processors should also be reviewed and revised to set out how liability is apportioned between the parties and that only personal data which are necessary for the specified purpose are processed. As stated above, failure to carry out such measures could result in significant fines.

For further information please contact:

Anne Rogers, Associate, Technology Law Group

E: [email protected]

DDI: +44 (0) 20 3206 2727

Simon Halberstam, Partner and Head of the Technology Law Group

E: [email protected]

DDI: +44 (0) 20 3206 2781

Skating On Thin Ice: penalties for website owners and keyboard warriors

The recent decision of the Grand Chamber of the European Court of Human Rights (ECHR), Delfi SA v. Estonia, Application no. 64569/09, 16 June 2015, is helpful in confirming the rules surrounding when and why website operators can be held liable for content posted on their websites by their users.

The area of liability for User Generated Content (or “UGC”) is largely governed by EU Regulations, which, in general, state that if website operator acts as a “mere conduit” and does not filter, or otherwise regulate content which appears on their website, then they have no responsibility for the content of those comments. The general EU regime that governs internet intermediaries is contained in the Electronic Commerce Directive 2000/31/EC. This states that EU Members States must ensure that their national laws provide intermediaries with immunity from all liability (subject to certain requirements outlined below) arising from hosting, transmitting or caching unlawful third party content. However, as noted above, this immunity is subject to the intermediary’s role being a passive one, with no knowledge or control over the content.

Furthermore, the intermediary must operate an effective ‘notice and take down’ procedure. That means that if the intermediary has actual or ‘constructive’ knowledge of the content (for example, if a website user makes a complaint, purporting a comment is defamatory or otherwise unlawful) but fails to remove or disable access to it, then immunity is not available to them.

Background to the claim

A popular Estonian online news service, Delfi, posted an article concerning ice bridges. This generated a large number of responses, including some particularly offensive comments towards an individual implicated in the story. Those comments remained on the website for 6 weeks until the individual requested both their removal and damages. Delfi removed these comments the same day, but refused to pay damages.

When the claim was dealt with by the national court, the individual was awarded damages – albeit an amount substantially less than originally claimed.

In response to the decision, Delfi proceeded to argue that the national court’s ruling of liability for defamatory comments posted by its readers was a breach of its right to freedom of expression, and consequently a violation of Article 10 of the European Convention on Human Rights. Claims that corporate entities (or “legal persons”) should have the same human rights as natural persons are not a new thing, with the most famous success to date being found in Citizens United v. Federal Election Commission (2010), a US Supreme Court case which held that corporations were entitled to the same constitutional right to freedom of expression as private citizens, leading to the unleashing of (now ubiquitous) ‘Super PACs’ into the field of US Politics.

Ignorance is not bliss

In spite of its arguments, it was held that Delfi was liable for the offending comments which had been posted on its website, due to its power to moderate such content.

It is particularly notable that this case highlights the fact that a website provider may be held liable for featuring offending material on its website before receiving express notification of a complaint from a user. Whilst Delfi did have terms of use prohibiting users from using threatening and abusive language, and an automatic filter to delete comments based on certain words, it appears this was ineffective and that its attempts to moderate its site were sufficient to make it liable for anything that slipped through the cracks. Consequentially, by a majority of fifteen votes to two, the ECHR upheld the rejection by the lower chamber of the ECHR of the news service’s claim, ultimately finding them culpable for the comments posted by its users.

Repercussions

This decision is neither strikingly novel nor revolutionary, and the position essentially remains the same as previously for Website operators.

The decision is not a huge blow to online freedom as many may argue. The decision paid particular attention to context, justified by the fact that Delfi is a professionally managed internet news portal, run on a commercial basis, and with active moderation of UGC. Therefore, social media sites and private bloggers need not worry about any new obligations being imposed upon them in the immediate future.

The decision does however serve as an important reminder to those who operate websites featuring UGC; if you take steps to monitor and moderate your content, then it is not sufficient to simply rely on user notifications before deleting potentially unlawful posts. While responding quickly and effectively to unlawful material remains crucially important for website operators, any moderation program which is operated must be robust and effective.

Should website operators try to skate around their obligations and fail to moderate their platforms in the necessary fashion then, as the Delfi case starkly illustrates, they may find themselves on a slippery slope towards paying substantial damages to the aggrieved subjects of their users’ posts.

 

For more information on the Delfi decision, or to discuss how the above issues might affect your online offering, please contact Raoul Lumb on 0203 206 2791 or at [email protected]

A Legal perspective on Open Source and IPR – Cost and Time Efficiencies or a Faustian Pact?

Well that depends! 

If the relevant governing licence is benign then it may be a “win-win” situation enabling you to save money and time on software development without having to comply with any disadvantageous conditions relating to Intellectual Property rights or otherwise. However, if the governing licence is less liberal, you may end up feeling that the deployment of the open source was a false economy. The common OS licences generally regarded as permissive are Apache, Berkeley Software Distribution (BSD) and MIT. There are no precise statistics but together these 3 are estimated to cover about 40 percent of open source projects whereas the more restrictive GNU General Public Licenses, notably GPL 2 and GPL 3 account for about 35 percent.

The main concerns re GPL can be traced to GPL 2 section 2(b) which stipulates that “You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work.. provided that you also meet all of these conditions….b) You must cause any work  that you distribute or publish that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License”

The attempt to interpret this wording definitively and without ambiguity is at the very least challenging. The dearth of relevant case law makes matters more complex. Many complex issues arise, notably:

  • what constitutes a “derivative work?”
  • does distribution within a company constitute “distribution or publication?”
  • do resultant executables “contain or derive from” GPL code?
  • what is the difference between “static” and “dynamic” linking?
  • can one hermetically “seal” GPL code from proprietary code to avoid contamination of the latter by the former?

The answers to those questions merit a dissertation not a mere article.  Suffice it to say, one has to tread very carefully in this area. It may well be that the benefits of using open source would be outweighed by the detriment to the existence and value of the company’s IPR. Where the development team sits in-house, then with proper analysis and relevant expert input one should be able to reach an informed decision. However, where development is outsourced, matters become more complicated as the interests of the developer and the company may well diverge. The developer can save a lot of time by deploying open source and if the project is fixed-price or time-bound, this will be an attractive option. However, the company may not be aware of the potential impact on its IPR or may be aware but unable to monitor the developer’s coding processes. In some cases, companies that think they have a valuable IPR repository are only disabused when a potential investor or acquirer runs its slide rule over the company in the context of due diligence and finds that some or all of the company’s key code is not proprietary to the company.Indeed, if the open source runes are negative, investors who saw the company’s IPR as a major reason for investing or acquiring may seek to renegotiate or be deterred completely.

IPR in Jeopardy? Dynamic v Static Linking

The major IPR risk stems from use of GPL2 or GPL3 code. Those licences are commonly referred to as “infectious” because they generally mandate publication of modifications to the GPL code.  This is so even in SAAS cases where the software supplier is executing on its own server.  Other OS licences may prescribe such publication but generally in less frequent circumstances e.g.  EPL i.e. Eclipse Public License. Whereas under EPL, pure execution of modified EPL code on one’s own server via SAAS would be unlikely to require disclosure of the modifications, the situation would be different if the modified code were distributed. The need to publish such modifications would probably depend on whether the modifications were “hermetically” sealed in separate modules or took the form of adaptations to the original EPL code modules.

Under GPL 3, the situation is more clear-cut as the distinction between separate modules and modified GPL modules seems to fall away with publication required of any modifications to the GPL 3 code. The risk of contamination under GPL 3 arises from the apparent requirement in certain circumstances to publish pre-existing proprietary code that is intermingled with GPL 3 code. However, the need to publish will depend on the extent of the “coupling” between the proprietary and GPL 3 modules. “Dynamic linking” mandates publication whereas “static linking” may not.  Guidance, albeit legally not definitive, is set out in more detail in the GNU FAQ at www.gnu.org/licenses/gpl-faq.html#MereAggregation

Turning back to GPL 2 which still accounts for about 25% of the Open Source market, it does not talk in terms of “dynamic linking”. However, the best view seems to be that linking of proprietary code to GPL 2 code would mandate that the former be published.

Simon Halberstam, Partner and Head of Technology Law Team, May 2015 – [email protected] 020 3206 2781