<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Developments</title>
	<atom:link href="http://webmedia.company.ja.net/edlabblogs/regulatory-developments/feed/" rel="self" type="application/rss+xml" />
	<link>http://webmedia.company.ja.net/edlabblogs/regulatory-developments</link>
	<description></description>
	<lastBuildDate>Tue, 21 Feb 2012 16:40:58 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Copyright blocking &#8211; recent UK cases</title>
		<link>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/21/copyright-blocking-recent-uk-cases/</link>
		<comments>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/21/copyright-blocking-recent-uk-cases/#comments</comments>
		<pubDate>Tue, 21 Feb 2012 14:32:36 +0000</pubDate>
		<dc:creator>Andrew Cormack</dc:creator>
				<category><![CDATA[Intellectual Property]]></category>
		<category><![CDATA[Role of ISPs]]></category>
		<category><![CDATA[DataProtection]]></category>
		<category><![CDATA[filtering]]></category>

		<guid isPermaLink="false">http://webmedia.company.ja.net/edlabblogs/regulatory-developments/?p=868</guid>
		<description><![CDATA[The latest case brought by rightsholders under the Copyright Designs and Patents Act 1988 has found that bittorrent tracker site The Pirate Bay does infringe copyright according to the Act. Following this decision it seems likely that rightsholders will seek injunctions under s97A of the Act requiring ISPs to “block” access to the site, as [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://www.bailii.org/ew/cases/EWHC/Ch/2012/268.html">latest case</a> brought by rightsholders under the <em>Copyright Designs and Patents Act 1988</em> has found that bittorrent tracker site The Pirate Bay does infringe copyright according to the Act. Following this decision it seems likely that rightsholders will seek injunctions under s97A of the Act requiring ISPs to “block” access to the site, as they have already done for Newzbin.</p>
<p>Perhaps the more interesting aspect of the judgment is the report it gives of injunctions that have been granted since the <a href="http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2011/10/27/website-blocking-copyright/">widely reported case involving BT and Newzbin</a>. BT were ordered last year to use URL blocking (implemented on their existing system for blocking IWF-listed material) to obstruct users’ access to Newzbin. This should ensure that only URLs associated with the Newzbin site were blocked. However subsequent injunctions against Sky and TalkTalk appear to have added blocking at the IP level (commonly known as blackholing). According to paragraph 3 of the judgment Sky were ordered to implement</p>
<blockquote><p>(i) IP blocking in respect of each and every IP address from which the said website operates and which is:</p>
<p>(a) notified in writing to the [ISP] by the [Rightsholders] or their agents; and</p>
<p>(b) in respect of which the [Rightsholders] or their agents notify the [ISP] that the server with the notified IP address blocking does not also host a site that is not part of the Newzbin2 website.</p></blockquote>
<p>In TalkTalk (paragraph 4), however, the restriction that a notified IP address must <strong>only</strong> host the Newzbin2 site appears to have been relaxed to include “any IP address the sole or predominant purpose of which is to enable or facilitate access to the Newzbin2 website”, though the rightsholder is still required to notify that the server hosts no other website that will be affected.</p>
<p>IP address blocking has been widely recognised (for example in <a href="http://stakeholders.ofcom.org.uk/binaries/internet/site-blocking.pdf">Ofcom’s report on website blocking</a>) as carrying a significant risk of unintentionally blocking access to lawful material. Blocking access to an IP address means, at least in principle, that all services using that IP address will become inaccessible, so not just web, but e-mail, FTP and anything else. What makes this worse is that it is relatively common for many, completely unrelated, sites and services to be operated on the same hardware: companies that provide external web-hosting services are unlikely to operate a single machine for each of their customers. In both the <a href="http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/16/ecj-on-copyright-injunctions-hosting-providers/">Scarlet and Netlog cases</a> in the European Court the risk of overblocking (and the resulting infringement of users’ right to receive and communicate information) has been a significant factor in refusing an order. In the Sky and TalkTalk injunctions it appears that the UK judges were satisfied that the Applicant rightsholders could determine that the IP addresses they sought blocks for were not being used in this way.</p>
<p>However as far as I know, there’s no way (other than asking the operator of the equipment) to take an IP address and find all the websites that run on it. The daily operation of the Internet requires the conversion in the other direction – if you know you want to access <a href="http://www.ja.net/">www.ja.net</a> then your computer has to be able to discover that that has the IP address 212.219.98.101. But there’s no way to start from 212.219.98.101 and discover that it is also the host for <a href="http://www.nhs-he.org.uk/">www.nhs-he.org.uk</a>, a name in a completely different top-level domain.</p>
<p>I’ve not been able to find a report of either of the original cases to see whether this issue was discussed. But unless the rightsholders have spotted something I haven’t, an assertion that a particular IP address “does not also host a site that is not part of the Newzbin2 website” seems quite a courageous statement to make.</p>
<p>[UPDATE: I've been pointed at <a href="http://www.domaintools.com/research/reverse-ip/">http://www.domaintools.com/research/reverse-ip/</a>, which seems to do what I thought was impossible. Currently trying to work out how it does it, and whether that approach guarantees complete coverage]</p>
]]></content:encoded>
			<wfw:commentRss>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/21/copyright-blocking-recent-uk-cases/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cookies and Intranets</title>
		<link>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/21/cookies-and-intranets/</link>
		<comments>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/21/cookies-and-intranets/#comments</comments>
		<pubDate>Tue, 21 Feb 2012 09:27:37 +0000</pubDate>
		<dc:creator>Andrew Cormack</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Cookies]]></category>
		<category><![CDATA[DataProtection]]></category>

		<guid isPermaLink="false">http://webmedia.company.ja.net/edlabblogs/regulatory-developments/?p=864</guid>
		<description><![CDATA[The Information Commissioner’s latest guidance on cookies contains some good news for anyone trying to work out how to make a host of internal websites compliant:
How do these rules apply to intranets? 
In our view the rules do not apply in the same way to intranets.
(Note however that if Intranet cookies represent personal data then [...]]]></description>
			<content:encoded><![CDATA[<p>The Information Commissioner’s latest <a href="http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx">guidance on cookies</a> contains some good news for anyone trying to work out how to make a host of internal websites compliant:</p>
<blockquote><p><strong>How do these rules apply to intranets? </strong></p>
<p>In our view the rules do not apply in the same way to intranets.</p></blockquote>
<p>(Note however that if Intranet cookies represent personal data then their use does still need to comply with the <em>Data Protection Act 1998</em>).</p>
<p>It therefore seems reasonable to ask what counts as an Intranet. The ICO’s legal argument seems to be that the cookie regulations only apply when the cookie crosses a <strong>public</strong> electronic communications service, and where the website and its users are on the same <strong>private </strong>network that doesn’t happen. In the original sense of the word, an Intranet server was only accessible from computers within the physical premises of the organisation it served (hence Intra-, as opposed to Inter- and later Extra- nets), so provided that organisation’s local area network wasn&#8217;t accessible to the public (the definition of a public electronic communications service) then, indeed, there was no public network involved. Nowadays it’s relatively common for things like finance systems, confidential filestore, etc. to also be accessible to staff working remotely but using Virtual Private Network (VPN) technologies to create an extension of the private local area network to a remote office or wherever else they may be working. It seems to me that it’s not too big a stretch to argue that that VPN is still a private electronic communications service (even if it may be carried on an underlying public communications network), so using a VPN shouldn’t bring the internal servers into the scope of the cookie requirements.</p>
<p>However I suspect that just requiring a username and password on a website that’s accessible directly from the Internet isn’t enough to make it an Intranet server. Cookies set by that server are still carried on the public communications network, so the cookie regulations would seem to apply. So webmail services, virtual learning environments, etc. do need to be made compliant if they are accessible over the Internet. However there are a couple of mitigating factors that may make compliance a bit easier. First, the Information Commissioner also points out that both the point where accounts are issued and the login page where credentials are entered provide opportunities to inform users about the cookies that are required to provide the service and (if necessary) to obtain their consent:</p>
<blockquote><p>Where users open an online account or sign in to use the services you offer, they will be giving their consent to allow you to operate the account and offer the service. There is no reason why consent for the cookies cannot be gained in the same way. (Page 17)</p></blockquote>
<p>Second, services such as webmail and VLEs already process a lot of personal data about their users, so you should already be informing users about that under the <em>Data Protection Act 1998</em>. Adding first-party cookies to such a server seems to add relatively little to the privacy risk that already exists (if you want to invade the user’s privacy you already have lots of opportunities to do so!). Since the ICO has said that cookies should be prioritised according to the privacy risk they represent, perhaps these cookies aren’t the most urgent to deal with?</p>
<p>PS For any technically-minded readers: yes, I do know that webmail etc. servers use SSL, which looks quite like a VPN. However if you want to split that particular hair, I’ll reply that when I use a VPN I can <strong>only </strong>send packets over it and the internal network: when I use an SSL-protected website I can also simultaneously send packets to other locations directly over the public Internet. So I claim there is a technology difference that supports the legal difference I&#8217;m proposing.</p>
]]></content:encoded>
			<wfw:commentRss>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/21/cookies-and-intranets/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Government CERTs and Information Sharing</title>
		<link>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/20/government-certs-and-information-sharing/</link>
		<comments>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/20/government-certs-and-information-sharing/#comments</comments>
		<pubDate>Mon, 20 Feb 2012 14:58:36 +0000</pubDate>
		<dc:creator>Andrew Cormack</dc:creator>
				<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[95/46/EC]]></category>
		<category><![CDATA[DataProtection]]></category>
		<category><![CDATA[IncidentResponse]]></category>

		<guid isPermaLink="false">http://webmedia.company.ja.net/edlabblogs/regulatory-developments/?p=859</guid>
		<description><![CDATA[I&#8217;ve had three discussions in two days about whether Government CERTs are different from others, which makes it a FAQ! It seems to me that legislation may be heading that way, and that that could create a potential problem for sharing information.
Most CERTs act in the interests of a particular, reasonably well-defined, constituency. However a [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve had three discussions in two days about whether Government CERTs are different from others, which makes it a FAQ! It seems to me that legislation may be heading that way, and that that could create a potential problem for sharing information.</p>
<p>Most CERTs act in the interests of a particular, reasonably well-defined, constituency. However a Government CERT may also add a &#8220;national interests&#8221; role to its constituency role. That role may require them to share information and act in ways that other CERTs wouldn&#8217;t; it may also give them powers that other CERTs don&#8217;t have. Perhaps the clearest example of that is the <a href="https://www.govcert.dk/infos/about_us">Danish Government CERT</a>, which is established and has powers assigned by the state through a <a href="https://www.govcert.dk/gcdata/uk_version_l197.pdf">special law</a> that contains both powers and safeguards. There&#8217;s also a hint of a difference in the <a href="http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/01/30/data-protection-proposal-incident-response/">proposed European Data Protection Regulation</a>, which states in Article 6(1) that &#8220;public authorities&#8221; &#8211; a category that might cover some government CERTs &#8211; cannot use the general &#8220;legitimate interests&#8221; justification that allows other <a href="http://www.terena.org/activities/tf-csirt/publications/data-protection-v2.pdf">CERTs to process personal data</a> but must have those interests defined by law. There&#8217;s even a possibility that a Government CERT that also had powers to investigate criminal offences might fall outside the proposed Regulation and instead be covered by the proposed new <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52012PC0010:en:NOT">Directive on Data Processing for Judicial Purposes</a>.</p>
<p>If two CERTs are covered by different legislation (or even different parts of the same legislation) then that could hinder information sharing between them. If I have obtained information under one justification for one purpose and you want to use it for a different purpose and under a different justification then the law may prevent me releasing it to you (see, for example, <a href="http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf">Art 6(6) of the draft Regulation</a>). Even if the law allows me to disclose the information, I may have concerns about any resulting change in how it may be used, or the safeguards that will protect it, from what I advertise to my users. Increasing the powers of a Government CERT could, paradoxically, reduce the amount of information that other CERTs are able to share with it. Ultimately &#8220;what I would like to share&#8221; may be reduced to &#8220;what I am required to share&#8221;.</p>
<p>Interestingly, this problem has occurred before. When the UK&#8217;s National High-Tech Crime Unit was created, they were aware that businesses might not be willing to share private information if they thought there was a risk of it being used as evidence in a criminal case, in which case both the information and its source would be likely to become public. The NHTCU addressed this by a formal confidentiality charter (the original website is long gone, but an <a href="http://www.sourceuk.net/article/2/2476/confidentiality_charter__the_nhtcu_working_with_business.html">unofficial copy</a> still exists) that they would only use shared information as intelligence and would neither disclose it nor use it as evidence unless the source explicitly agreed to this. Perhaps this might be a way to address the Government CERT issue &#8211; effectively to separate the &#8220;CERT&#8221; and &#8220;Government&#8221; functions of the team and use information only as a &#8220;normal&#8221; CERT unless the source specifically agreed to allow it to be used for the &#8220;Government&#8221; role?</p>
<p>However the problem is resolved, it&#8217;s important that we don&#8217;t allow a split to develop within the Incident Response community between those who are empowered to deal with criminal and national security issues and those who aren&#8217;t. As was highlighted by both CERTs and law enforcement at the <a href="http://www.terena.org/activities/tf-csirt/meeting35/">FIRST/TF-CSIRT meeting</a> last month, we need more cooperation to deal with crime on the Internet, not less.</p>
]]></content:encoded>
			<wfw:commentRss>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/20/government-certs-and-information-sharing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ECJ on Copyright Injunctions: Hosting Providers</title>
		<link>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/16/ecj-on-copyright-injunctions-hosting-providers/</link>
		<comments>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/16/ecj-on-copyright-injunctions-hosting-providers/#comments</comments>
		<pubDate>Thu, 16 Feb 2012 15:45:21 +0000</pubDate>
		<dc:creator>Andrew Cormack</dc:creator>
				<category><![CDATA[Intellectual Property]]></category>
		<category><![CDATA[Role of ISPs]]></category>
		<category><![CDATA[2000/31/EC]]></category>
		<category><![CDATA[Copyright]]></category>
		<category><![CDATA[DataProtection]]></category>
		<category><![CDATA[filtering]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://webmedia.company.ja.net/edlabblogs/regulatory-developments/?p=853</guid>
		<description><![CDATA[After ruling last year on the balance between the rights of copyright holders, users and network providers, the European Court of Justice has now ruled on the same question applied to the case of a hosting provider, the social network Netlog. As in the earlier Scarlet case, the copyright collecting society (SABAM) had asked the [...]]]></description>
			<content:encoded><![CDATA[<p>After ruling last year on the balance between the rights of copyright holders, users and network providers, the European Court of Justice has now ruled on the same question applied to the <a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2012-02/cp120011en.pdf">case of a hosting provider</a>, the social network Netlog. As in the earlier <a href="http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2011/11/29/ecj-on-copyright-injunctions/"><em>Scarlet</em> case</a>, the copyright collecting society (SABAM) had asked the Belgian court to order Netlog to actively prevent the infringing use (in this case publication) of copyright materials by its users. Since this appeared to constitute a general duty to monitor content, prohibited by Article 15 of the <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2000:178:0001:0016:EN:PDF">E-Commerce Directive (2000/31/EC)</a>, the Belgian court asked the European Court whether it could lawfully make the order.</p>
<p>In reaching its decision, the Court closely and explicitly followed its approach in <em>Scarlet</em>. It first considered what the order would require Netlog to do, concluding that</p>
<blockquote><p>[the] filtering system would require the hosting service provider to identify, within all of the files stored on its servers by all its service users, the files which are likely to contain works in respect of which holders of intellectual-property rights claim to hold rights. Next, the hosting service provider would have to determine which of those files are being stored and made available to the public unlawfully, and, lastly, it would have to prevent files that it considers to be unlawful from being made available.</p></blockquote>
<p>The Court felt this &#8220;would result in a serious infringement of Netlog&#8217;s freedom to conduct its business&#8221; by requiring it &#8220;to install a complicated, costly, permanent computer system at its own expense&#8221;. It would also infringe the rights of users &#8220;to protection of their personal data and their freedom to receive or impart information&#8221; since the system &#8220;could lead to the blocking of lawful communications&#8221;. As in <em>Scarlet</em>, the court concluded that an order involving such interference with the rights of the provider and users</p>
<blockquote><p>would not be respecting the requirement that a fair balance be struck between the right to intellectual property, on the one hand, and the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information, on the other.</p></blockquote>
<p>This confirms that key questions in any blocking order are the cost and disruption to the service provider and the level of privacy breach and overblocking for users.</p>
]]></content:encoded>
			<wfw:commentRss>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/16/ecj-on-copyright-injunctions-hosting-providers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Commons Committee: Awareness raising to deal with malware</title>
		<link>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/06/commons-committee-awareness-raising-to-deal-with-malware/</link>
		<comments>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/06/commons-committee-awareness-raising-to-deal-with-malware/#comments</comments>
		<pubDate>Mon, 06 Feb 2012 12:07:12 +0000</pubDate>
		<dc:creator>Andrew Cormack</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Role of ISPs]]></category>
		<category><![CDATA[BotNets]]></category>
		<category><![CDATA[IncidentResponse]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://webmedia.company.ja.net/edlabblogs/regulatory-developments/?p=848</guid>
		<description><![CDATA[The House of Commons Science and Technology Committee has published a report on Malware, which recommends increased awareness among Internet users as the best way to deal with the problem. There’s a welcome recognition that “it is clear that there is no easy technological answer to cyber crime&#8230; hardware solutions are likely to unduly restrict computer [...]]]></description>
			<content:encoded><![CDATA[<p>The House of Commons Science and Technology Committee has published a <a href="http://www.parliament.uk/business/committees/committees-a-z/commons-select/science-and-technology-committee/news/120202-malware-rpt-published/">report on Malware</a>, which recommends increased awareness among Internet users as the best way to deal with the problem. There’s a welcome recognition that “it is clear that there is no easy technological answer to cyber crime&#8230; hardware solutions are likely to unduly restrict computer users in their activities while software solutions require constant updating and a more advanced understanding of the technology to be truly effective”, and that “80% of protection against cyber-attack is routine IT hygiene”.</p>
<p>Helping Internet users adopt that good practice should be in the interests of both Government and industry since both want to increase the use of communications technology, which will not happen if users are afraid of cybercrime. There’s even a mention of something I’ve been suggesting for a long time: that users who feel in control of what they are doing and know that their actions can make a difference are much more likely to be confident and less likely to panic – the reason why plane and train crashes get many more headlines than road accidents, even though far more people are killed on the road. Or, as the MPs put it “Knowledge is the best defence against fear”.</p>
<p>What’s missing, the MPs think, is “clear identification of trusted information sources and relevant authorities and clear guidelines on how to help themselves stay free of infection”. They therefore recommend that “the Government invest in the <a href="http://www.getsafeonline.org/">Get Safe Online</a> site &#8230; to provide a single authoritative source on which computer users could rely”. They also recommend “a prolonged public awareness campaign” including television, a pointer to Get Safe Online on every Government website and at the point of sale of “every device capable of accessing the internet”. Basic advice should also be available from the police with “every single police officer in this country being as equipped to give a member of the public a piece of advice around cyber-security as they are, for example, for their windows and their doors—their general house issues”, according to Janet Williams of ACPO.</p>
<p>There’s also a call for ISPs to do more to help their users. The report cites the <a href="http://www.acma.gov.au/WEB/STANDARD/pc=PC_310317">Australian Internet Security Initiative</a>, but the suggestion of “an online database where users can determine whether their machine has been infected with botware and gain information on how to clean the infection from their machine” sounds more like the <a href="http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/01/16/botnet-cleanup-efforts-by-german-isps/">German ISP Association scheme</a>. This, too, would be available through Get Safe Online.</p>
<p>Finally there’s good news that police forces are getting better at dealing with the international nature of cybercrime, through cooperation with Interpol, Europol and the on-line industry. However there is the same tension on-line as off-line between arresting small-scale criminals or using them as leads to the larger, and increasingly organised, groups who are mainly responsible for the development and use of malware.</p>
]]></content:encoded>
			<wfw:commentRss>http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/02/06/commons-committee-awareness-raising-to-deal-with-malware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

