There are some among my acquaintance who maintain that it is ironic – in the pre-Alanis Morrisette sense – that the legal profession has been called upon to write law governing that which they do not understand, given their historic resistance to anything new. This is unfair. For example, the emergence of legal databases provided a gigantic incentive to come to grips with The Dreaded Machines, and indeed there are many who have overcome that barrier. But an analysis of the relevant law appears to suggest that, at least in Ireland, there were and are fundamental misunderstandings about computers, networks, and how they are actually done today which has informed the law, and not to good effect.

However, I’m not in much position to talk, because my exposure to IT and the law was limited to the speculative purchase of Kelleher and Murray’s “IT Law in Ireland”, which I started but never finished.Published in 1997, and very cutting edge at the time, but quite out of date now in many ways – for example, data protection gets a grand total of 34 pages, and would deserve a whole book of it’s own now. – TJ TJ McIntyre, my interviewee, took over what was probably the first Information Technology Law course, initially given in UCD by Professor Bob Clark, in 2003.

TJ,A list of relevant articles authored by TJ, for when you have time: Computer Crime in Ireland: A Critical Assessment of the Substantive Law, Data Retention in Ireland: Privacy, Policy and Proportionality, Judicial Oversight of Surveillance: The Case of Ireland in Comparative Perspective, Online Anonymity: Some Legal Issues, and Implementing Information Privacy Rights in Ireland. one of the few Irish people with a claim to understanding these things in the first place,A side note about this. TJ’s father had a TRS-80, and that sparked his interest in IT and the law: “I always had an interest. It was something that increasingly the niche opened up. There was a need for somebody to work in this area. There was nobody focusing on it. Or there were very few people focusing specifically on IT law issues. So naturally I moved into teaching fulltime and that was something that I actually took on as an interest.” So again we see the wave of 1980s computing dictating the careers of people 20 years on. has recently achieved even greater notoriety for his, and Digital Rights Ireland’s, historic victory in the ECJ over the Irish government’s data retention policy.This interview was conducted prior to that victory, but is nonetheless illustrative of his thinking. In brief, the Irish government, as is its wont, secretly told every technical service provider (mobile operator, ISP, etc) to keep the data that they had about each customer for at least a period of two years. Although some people care more than others about this kind of thing, it is not something that I, as a private citizen, either expected or wanted from the companies doing business with me. Is there anything we can do to protect our privacy?

A topical issue today, privacy law is primarily governed by data protection law and that in turn is overwhelmingly a matter for data protection law and that’s in turn overwhelmingly governed by international instruments. Data protection is not home-grown. It was always a European development. At first it was governed by the Council of Europe bench on Data Protection. More recently, the European Union has largely taken over and you’ve had a series of Directives on data protection. They started off quite general, but more recently you’ve got sector-specific data protection, like the telecoms area, including regulation of things like cookies,Not, I’m afraid to say, om nom nom cookies. These, I’m afraid, are pieces of information passed back and forth between your web browser and the sites that you browse, which are universally used for a) identifying you and b) storing references to things you’ve put in your online shopping cart on a site, for example. It’s currently not easily possible to have one of those and not the other. for example.

The European origin of this is very interesting. When I was coming of age on the 1990s Internet, it was overwhelmingly an American Internet. This is not quite the case anymore, although American cultural hegemony for English speakers still largely applies.) At that time, however, the cultural expectations of things like the protection of free speech osmosed into people’s heads before they really understood why Ireland (or indeed any non-America country) was different. Indeed, they tend to be adopted without analysis by people who aren’t aware that the Irish Constitution gives you much more limited range for your freedom of expression.

Like the Irish government’s behaviour with regard to European Referendums – if you don’t get the answer you want, ask again – there is also an element of jurisdictional shopping that goes on in the domain of the Internet. Generally we see this play out in two specific ways: the behaviour of the elephants, and the behaviour of the mice.This nice analogy due to Peter Swire in his paper Elephants and mice revisited: law and choice of law on the Internet. In this analogy, the mice are the individual users: hard to track down, and you can spend a lot of money and time in order to target an individual, which typically ends up not making economic sense, although there are some cases where it clearly has made ideological sense for organisations. Furthermore, the mice can go elsewhere, particularly in the matter of (for example) hosting content: it is essentially trivial for anyone with a credit card to change the hosting location of initially Irish-served content to anywhere else in the world, removing a large part of the effectiveness of going after such content with an Irish court may well have attempted to do this at some stage; see for example this blog post. However, this arbitrage is not completely effective as a protection mechanism. To quote TJ:

It doesn’t necessarily insulate you from liability, the fact that you host something in the States. If is hosted in the States, which it is, that doesn’t necessarily protect me. I’m still here[, in Ireland]. I’m still liable for defamation personally. That’s because my name is on it. If I was an anonymous individual and I set up a site in the States and simply VPN-ed out to it so that it couldn’t be linked to me, then we escape local laws.

The most interesting effect of this is to essentially make the U.S. constitution’s First Amendment:

… as much of a universal ordinance as it is a local law, because anybody can avail of it. You don’t have to be physically located in the US to avail of it.(In the current parlous state of the nation we also see this play out with bankruptcy laws, and when I go bankrupt I for one am planning to do it in the U.K.)

But there is also a countervailing force, delightfully known as “libel tourism”, where material published online can be, depending on circumstances, deemed to be published everywhere that has access, which means you as a plaintiff can choose your forum, which is why you have so many Russian billionaires suing for defamation in London to get a plaintiff-friendly situation as opposed to other jurisdictions, such as the US, which are very plaintiff-hostile.{

Now, that on the other hand only applies on a certain subset of activities, because data protection law is overwhelmingly premised on the existence of some sort of business of commercial interaction. It doesn’t really apply in the context of purely personal or domestic activities. And it also only applies in the context of data meaning information which is stored in a certain way. It doesn’t apply to, for example, my blurting out orally certain information that you have confided to me orally. It doesn’t apply, necessarily, to the kiss-and-tell interview that is broadcast on the radio. When you think about that line of privacy law applying online, you have to look to different sources. You’re looking to the Irish constitution. And this kind of plays out more generally. What you have is a real patchwork quilt of laws here, where you can’t really say that there is a single source of law for the Internet. Instead, you could either look at a particular area and you could say, “This is the source of law in this area” or you can step back a bit and try to identify the bigger chunks of the patchwork quilt. Overwhelmingly, they are European: data protection directives, e-commerce directives, they are the two big sources. And those are specific to the IT realm. And then you have those laws that aren’t specific to IT as such, but are still overwhelmingly important. The most important of these, as far as I’m concerned, is the huge body of European law on copyright and trademarks which translate into Irish law into the Copyright and Related Rights Act in particular, which then goes on to govern things such as ownership of database and the laws regulating ownership of domain names and so on. Here’s where things get even more confusing, because you are not necessarily looking at traditional legal sources for a lot of these areas. You are not necessarily looking at some- thing that lawyers meeting can identify as law. You’re not necessarily going to get statutes or case-law because very often you are looking at self-regulatory systems and you are looking at international systems that are parallel to the legal system. The classic example is UDRP in the case of domain names, where the domain name disputes in respective .coms are governed by this parallel dispute-resolution procedure. Domain name disputes in the ie domain space are governed by the .ie dispute-resolution procedure, which is essentially a local copy of the UDRP with certain, to my mind, undesirable features added that make it even more trademark-owner friendly. But lawyers would tend to look at that and say, “This isn’t a convention. This isn’t what we’re used to. It’s not quite the District Court. It’s not quite the Circuit Court. It’s a new peculiar, parallel sort of arbitral proceedings.” Sometimes people can be not entirely sure about what to make of that.

Does this result, I guess it must result, in complexity in terms of resolution of disputes? If it’s not clear what to do, that’s obviously a delay in resolving some matter.

It’s not necessarily something that causes delay. Very often, you can fast-track your internet disputes, if they involve intellectual property issues, through a commercial court. This is being done at the moment with the attempt to block thepiratebay and other file-sharing sites. But it is something that is immensely complex, particularly for students grappling with it for the first time, because so many areas impinge on each other. In particular, as well, because you’ve got parallel sets of issues going on governing whether certain claims to substantial rights exist, governing the jurisdictions and governing the entities against whom you can assert those rights. So if you think, for example, about the individual who claims to have been defamed or had something printed about them which is untrue, or had a photograph printed of them which they say is private – a compromising photo of them in the stage of undress – what have you. Immediately you’ve got several different sets of substantive law governing their rights. The defamation claim that they might have is a matter for national law. Defamation online is governed for the most part by national law. It differs greatly between individual jurisdictions. Then, immediately you have a jurisdictional question because you have to wonder, what courts have the power to deal with cases where an individual in Ireland publishes information using a server hosted in the US about another Irish individual, let’s say, or about an English individual, where the bulk of the people reading that information are located in France. Immediately you’ve got several related jurisdictional issues. You’ve got jurisdictional issues in the sense of the courts which had jurisdiction to hear the matter in the first place. You also have jurisdiction issues in the sense of issues as to what national law is it that applies. Is it US law, which is very defendant friendly? Is it Irish law, which is very defendant hostile? Is it French law, which in some ways goes much further in favour of the plaintiff in privacy matters? You then have further complicating factors because once you have considered the substantive rights this individual might have and once you consider the jurisdictional issues and the law which might apply, you also have to ask yourself, what particular defendant are we targeting? Because plaintiffs don’t necessarily just sue the individual bad actor. They tend to go after the deeper pockets and that means they tend to go after the host, the ISP, generally speaking they tend to go after the aggregator, and so on. So the question is, what is the intermediary liability in these contexts? Again you get some further complicating issues arising.

In Google’s case, for example, the question of whether displaying the snippets of sites in search results implies it should be treated as a publisher has led to a fairly messy case in Italy, although, as TJ says, “courts in different jurisdictions disagree on this issue.”The UK courts have taken a view that Google is not a publisher, for example. In this case, in Ireland, there is in fact some reason to believe that there is a defence for organisations who are merely passing on information that they did not themselves originate, or alter in any way:

If you are a publisher, let’s say, if you would otherwise be liable as a matter of national law for defaming Individual X, can you rely on the Electronic Commerce Directive? Because the Electronic Commerce Directive gives very extensive protection to intermediaries and in particular, to, if you are a mere conduit, which for the most part means you are the ISP, you are the person providing the pipe and nothing else. If you are a mere conduit, you are essentially exempt from immunity, whereas if you are a host, which isn’t limited simply to providing hosting space and bandwidth – it can also include certain content intermediaries, possibly the likes of eBay or even Google in the context of the sale of AdWords – if you are a host you have a qualified exemption which limits your immunity as long as you are not aware of certain material that you are hosting and are not aware of how the material was defamatory, for example. So at that point, you then apply that immunity to see does that protect the intermediary in this case. And of course, going back to the question of how is the individual that is aggrieved and who are they suing. Problem: you don’t necessarily know who is behind the particular defamation. Perhaps you need to identify the person which creates its own line of problems. Or you know who they are but that’s no good to you. They’re not a target. They’re not a mark for damages because they don’t have any money, there’s no point bringing an expensive High Court action against them. Or, like Max Mosely, you might say that “It’s pointless going after a number of individuals who are repeating this material about me or publishing this material about me. I want to try to head it off and I want to deploy the people who can head it off. I want to insist that the intermediaries, these search engines and these aggregators or these other intermediaries, that they start filtering these results, that they stop people from uploading this video which defames me or in which I’m seen cavorting with prostitutes,” as it was in the Max Mosley case, or that this particular bulletin board starts preventing users from repeating certain comments or this particular ISP block access to thepiratebay or what have you. So you have these much wider claims going on as to whether or not you can corral intermediaries and compel them to take on a role to enforce your legal rights. And the extent that you can do that is very much governed by, again, European law.

Don’t make the mistake of thinking that this sounds more like a matter of practicality rather than principle though:

I think the issue of principle is very important in two dimensions. You’ve an issue of principle at the centre of the view I’d had that if you want to protect freedom of expression online, it is very important that intermediaries be able to act without fear of liability. Otherwise you get a chilling effect on speech. You get intermediaries that are very worried about their own liability and they start acting as a privatized censorship mechanism and unlike a public censorship mechanism, you don’t have any judicial recourse against that. So that’s problem 1. That’s one reason why many people are so with the US as a freedom of expression jurisdiction because under US law you’ve got very extensive immunities for intermediaries.

(A think called common carrier defence.)

Yeah. Section 230 in the Communications Decency Act gives very, very wide-ranging immunities. It’s only qualified somewhat in the case of copyright in particular by the Digital Millennium Copyright Act. But even that is much more favourable for the intermediaries than the e-Commerce Directive would be. So, in short, it’s very much easier to get your message out in a US context than in an Irish context because Irish intermediaries are so worried about their own liability.

The liability issue for Irish intermediaries basically results from the fact that our protections all come from the e-Commerce Directive, which says in effect, that there are three categories of intermediaries that individual member states must protect. A mere conduit, the traditional ISP, DSL or whatever, and the host. (A host? What’s a host?)

In this case, a host is somebody who stores information for others. Of course they interpreted that to include, for example, say Google. If you were supplying certain text and an AdWord triggers it, then you must be a host. Likewise, eBay, in relation to the ads that they serve up, they’re possibly a host of that material for the customer. Then you’ve got the defence for caching.To those of a technical bent, having to have a legal defence to allow caching is the kind of thing that tends to induce nervous twitching and duvet clutching. But that’s a very limited set of defences because it doesn’t protect a search engine as such. It doesn’t protect the content aggregator as such. Some member states go further and they give protections to these additional types of intermediaries. So that’s problem number 1. We don’t go any further than the Directive requires and other member states do. Problem number 2 is that when we do havethe protections, we don’t necessarily implement them in a way that is very intermediary-friendly. I give you an example: when you talk about copyright you have to ask yourself, okay, I’m a host. The user puts up files. The company says, ‘Hang on, those files are my copyright. I want you to take them down.’ Bulletin board user puts up material and company says to bulletin board, ‘Operator: we want you to take down that material.’ We know in theory that the hosting defence applies here and we know in theory that the hosting defence is lost when you are on notice that material is infringing. So, isn’t that enough? It’s not really, no, because in practical terms you don’t really know that the material is infringing. All you really have is an email from someone claiming to act on behalf of the company. And saying, possibly there is material somewhere on this thread that may be infringing, you’re left looking…

Woah, infringing – what does that mean? Well, it’s when the copyrights associated with a particular work are violated. In other words, when your mum and dad used to tape songs off the radio. Or films off the telly. A thing which happened without so much as a peep in the press for about a decade until the practical implications of digital content - i.e., wide-spread violation of copyrights - became more clear. Basically, after we moved from the position of having to afford a tape duplicator and a distribution network before you could engage in wide-scale copying, to having to have a computer and an Internet connection. The situation is unfortunately poorly defined here:

Well, in US law, for example, you have the DMCA, the Digital Millennium Copyright Act. It sets out very detailed requirements for notices to be valid. So if you want to have certain material taken down, you have to specify on pain of perjury that you own the rights in question or that you’re authorised to act on behalf of the person in question. You have to specify the particular work over which you are claiming the rights. You have to specify the exact location of the material that you are seeking to have taken down. That’s a procedural requirement but it acts as a great protection for intermediaries. We don’t have an equivalent here. Intermediaries here end up getting these vague notices and having to consult lawyers at great expense. And you get the same problems in other contexts. Defamation is another context where you can get very vague threatening letters in the door and it can be quite difficult to know exactly what to do, sometimes, when that happens.

Indeed, this is mostly a problem for small entities, and a real problem for domestic Irish start-ups: they are exposed to much more in the way of defamation risk, if they happen to have a user-generated content service, than the equivalent startup in the US would. And multinationals have an inherent advantage here:

I know on the defamation front, certainly Google claim that Blogger is run and administered from California because that’s what they’ve said in a series of response to suits brought against them. I don’t know on the privacy front, because I haven’t seen it. But my assumption always has been that the Gmail services, the various logs etc. are kept in the States where you have at least some legal framework governing access to them, not locally. This is probably not as much an issue for multi-nationals because you can divvy up the work. You can channel the money through here. You can engage in the Double-Irish and all the other strategies that maximise your tax avoidance and you can put the marketing function in the Bangkok office and this function here and what have you and keep the potentially problematic functions in California or wherever.

Soshall Meeja

Whatever the specifics of TJ McIntyre’s accusations, government’s relationship with the Internet has (as we’ve discussed) certainly been mixed. The painful and incomprehensible suicide of Shane McEntee was interpreted by government as an example of how the rise of social media was now striking closer to home, indeed, inside the home. Unlike many other horrible tragedies surrounding reactions to online bullying, this was a member of the elite who had been known and respected by many. Accordingly, a committee of the Communications Act was formed, which invited Facebook, Twitter, and Google to talk about their plans for controlling this kind of thing, now that it had affected someone important. But despite the great empathy the Irish people feel for people in this situation, TJ (and myself) would caution the nation to resist supporting authoritarian impulses relating to controlling communications, even motivated by the best of intentions. Indeed, TJ is substantially dismissive of this impulse:

It’s the government coupled with the worst sort of ignorance because it’s a very righteous and dogmatic ignorance where there’s no genuine interest in, for the most part, informing themselves. There are exceptions, a couple of members of the Committee who I have had personal contact with who have a genuine interest in the areas. There’s an awful lot of ignorance. I think the starting point here was the death of Shane McEntee and the absurd blaming of that death on social media, for which we had no particular evidence. It was irresponsible of the media to latch on to that narrative without fact-checking it. And it’s a very convenient pretext for politicians because politicians feel very threatened by the new medium, which for the most part they don’t understand and which they correctly see as undermining their authority. One of the greatest ways you can retain power is by being a privileged controller of communications and when they can no longer necessarily set the agenda or control what is said or how it is said, they are understandably threatened by that. They do much better dealing with centralised media, particularly the broadcast media, where they can threaten to regulate, to do things to RTE.National broadcaster of Ireland. They have greater ability to lean on the newspapers; to withdraw access to newspaper correspondents who insist on asking awkward questions and so on. They don’t have any of those controls over bloggers and the like. That worries them. Also, it’s the first time that you see equality of arms, here, in the examination of what governments do. Very often, you have bloggers who know an awful lot more about any given subject than the politician, certainly, and very often the briefer. That means that a lot of the old spoofing is no longer effective. It becomes very easy to aggregate together people with expertise in a certain area to ad-hoc, I won’t say crowd-source because it’s not such a good word, but ad-hoc form a coalition to oppose what it is the government is intent on doing. Electronic voting was probably the first modern example of that, but we’ve seen quite a few examples of it since. The Stop SOPA Ireland campaign, even though it ultimately didn’t succeed is a great example of that. So I think politicians are rightly threatened by that.

There isn’t really much in the way of Internet freedom in Ireland, certainly not relating to fundamental protections provided by the state. More the other way round; indeed, given other legal intercept programmes, the Irish situation looked comparatively quite bad:

It’s far worse than any legal intercept provision because it’s not something that’s used on a one-off basis or in response to a particular warrant or in response to a particular case. It monitors everyone at all times. It’s something that we know has been abused and has been very appallingly abusedSee e.g. this independent article. and we know that the Garda Sergeant responsible for the abuse was moved to the Special Branch and was given nothing more than a slap on the wrist. It is a disturbing principle in a democracy. It is a very disturbing principle in a democracy to say that all citizens should be subject to monitoring at all times just in case they might do something wrong. And that’s what this is. It is pre-emptive surveillance of the entire population and that can’t, ever, be legitimate in principle.

Happily, he managed to get it struck down by the ECJ; reflecting on this possibility, TJ opined that it might well represent the turning of the tide:

Nonetheless, once you take out the European Directive, that’s the beginning of the end. The political climate has turned against it as well. You’ve got much stronger coalitions of digital rights groups now. Much greater public awareness of the issues than you did back when it was being adopted. You’ve got countries like Germany where domestic opposition to it is very, very strong. You’ve got lots of Supreme Courts in different states, Germany, Romania, Bulgaria and others, finding that their local implementations are unconstitutional. All of these factors together, I think, means that once that we can get rid of it at European level, I think we can kill it off at a national level right throughout Europe.

That might be a little optimistic post-Paris, but we can hope.

In the meantime, let’s look at a highly successful model of self-governance by the Internet community in Ireland - the INEX, our local “exchange point”.

Lawyercats - January 1, 2015 - Niall Richard Murphy