March 6, 2008

IT law has been proper news for more than a month. The HMRC data debacle has been shown to be far from unique as government departments and commercial organisations have competed for top spot on the shame lists that the press have compiled. Every minor breach merited some sort of coverage, although one suspects that the media appetite has now been sated. Then we had the much more complicated issue of Internet Service Providers’ liability for illegal file-sharing and downloading.

Data Security

Most of the breaches arise from the most basic human error in security terms – not doing what you know you were supposed to do because you forget, can’t be bothered or believe that it won’t happen to you. My personal view is that any system that relies on humans bearing in mind serious risks on a day-to-day basis is seriously flawed. I speak as one who forgets to pick up the money from the cash machine, watches people walk off with a debit card and rarely locks the door at home. I can watch for threats on the streets of Johannesburg to the point of paranoia but that is just a few days a year; I cannot maintain that level of distrust and suspicion in my daily life.

So, while of course human error is present in these breaches, most stem from very poor management but all stem from a poor technical strategy. What is needed to protect data is not just encryption but a broad strategy that just does not allow the operator to override the security controls that are good practice – the equivalent of my bank’s ATM being equipped with an automatic message that cuts in and shouts at me when I attempt to leave the lobby without my £200.

ISP Liability

I am afraid I was not able to take Andy Burnham’s plans to force ISPs to take steps to outlaw illegal file-sharing and downloading too seriously: ‘People want to access music and other downloadable content cheaply, easily and legally – and it’s up to providers to respond to the market and solve the problems. But if they don’t we will, with legislation by April next year on illegal file sharing’.

I would like to take it seriously because I do believe that ISPs and all manner of other conduits have had an easy ride. Legislation or a real threat of legislation is probably the only way that could alter a mindset that too often turns a blind eye to known infringement. Strangely, criminal law has a more stringent test for liability in parallel areas than the relevant civil law does here – and that is very strange and unhealthy. But the Internet Service Providers Association are right when they say ‘Neither the Internet Services Providers’ Association nor our members support abuses of copyright and intellectual property theft. This is reflected in our commitment to finding a practical solution to address rights-holders’ desire for a workable approach to issuing notices on individual infringers. ISPs bear no legal liability for illegal file sharing as the content is not hosted on their servers. ISPs are ‘mere conduits’ of information, as per the E-Commerce Regulations 2002’. Yes – they must surely be right – smug perhaps but right.

So how can plans for legislation in April 2009 be taken seriously when it will take years longer than that to alter the governing Directives? If the EU authorities can be persuaded to move at all on this (and I am not convinced that they can), they will move more slowly than a sloth in a bath of treacle.

Laurence Eastham