Bleeding Hearts for Open Source Advocates

Posted on April 22nd, 2014 by Chris Eastham

Few technology practitioners will have missed the recent news that more than 60% of websites could be affected by a cryptographic library flaw known as “Heartbleed”, exploitable by criminal elements to steal information (including username and password data).  The flaw exists in any version of OpenSSL released between 14 March 2012 and 7 April 2014, and which has not been patched to OpenSSL 1.0.1g.

To date, it is not absolutely clear to what extent the bug has been used by hackers, but the potential is widespread due in no small part to the use of OpenSSL by Apache and other webservers, which service more than two-thirds of active websites on the internet.  The vulnerability also affects many e-mail servers.

To close this vulnerability, it is advisable to update to OpenSSL 1.0.1g immediately.  If this is not possible, developers are advised to recompile OpenSSL with the compile-time option OPENSSL_NO_HEARTBEATS.  Operating system vendors and distributions, appliance vendors and independent software vendors should adopt the fix and notify their users.  Service providers and users will need to install the fix as it becomes available for the operating systems, networked appliances and software they use.
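As an added example that is not part of the original post, the following POSIX shell function classifies a local build against the two remediation paths above, using the first line of `openssl version` and the compiler line printed by `openssl version -f`. The status labels are invented for this script, and it assumes that a build configured without heartbeats shows -DOPENSSL_NO_HEARTBEATS among its compiler flags.

```shell
#!/bin/sh
# Added example: triage an OpenSSL build for the Heartbleed fix status.
# Inputs are the output of `openssl version` (e.g. "OpenSSL 1.0.1e 11 Feb 2013")
# and the "compiler: ..." line from `openssl version -f`, which lists the
# CFLAGS the library was built with (assumption: a build configured with
# no-heartbeats carries -DOPENSSL_NO_HEARTBEATS there).
# Status labels below are invented for this script.

heartbleed_status() {
    version_line="$1"
    flags_line="$2"

    # The second whitespace-separated field is the version token.
    ver=$(printf '%s\n' "$version_line" | awk '{print $2}')

    case "$ver" in
        "")
            echo UNKNOWN ;;
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            # 1.0.1 through 1.0.1f are the releases between 14 Mar 2012 and
            # 7 Apr 2014 that ship the bug (suffixed builds such as
            # "1.0.1e-fips" included); 1.0.2-beta1 is also listed as affected
            # in the OpenSSL advisory. A rebuild with OPENSSL_NO_HEARTBEATS
            # removes the heartbeat code path entirely.
            case "$flags_line" in
                *OPENSSL_NO_HEARTBEATS*) echo MITIGATED_NO_HEARTBEATS ;;
                *)                       echo AFFECTED_RANGE ;;
            esac ;;
        *)
            # 1.0.1g and later fixed releases, and the 0.9.8/1.0.0 branches
            # that never had the heartbeat extension.
            echo NOT_AFFECTED ;;
    esac
}

# Live check against the binary on PATH: prints the status and returns
# non-zero when remediation (upgrade to 1.0.1g or rebuild) is still needed.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found on PATH" >&2
        return 2
    fi
    status=$(heartbleed_status "$(openssl version)" "$(openssl version -f)")
    echo "$status"
    [ "$status" != AFFECTED_RANGE ]
}

# Run the live check only when invoked as: sh heartbleed_check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_local_openssl
fi
```

Distributions that backported the fix kept the old version number (a patched 1.0.1e package still reports 1.0.1e), so an AFFECTED_RANGE result on a vendor package must be confirmed against the package changelog before being treated as unpatched.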

One of the key benefits of open source software, according to its advocates, is that because it is open to scrutiny, errors and bugs will be spotted much more rapidly than with proprietary software.  Some commentators may suggest that the fact that Heartbleed has been around for at least two years without detection weakens that argument, although of course we cannot say how long it would’ve taken to discover if the same flaw had existed in proprietary software, and so this is probably not a supportable argument.  In fact, the developer who inadvertently introduced the bug told The Guardian newspaper that the bug’s discovery demonstrates the value of publicly available source code.

The question now arises as to what the open-source industry should be thinking in terms of ways to reduce the likelihood of similar occurrences in future.  Many corporate and governmental organizations use open source very widely, and perhaps these users are the ones who can now assist?  It has been suggested that as CIOs want to rely more and more on free open source software, they should be considering ways in which they can contribute back to the community that developed it.  On the basis that the more scrutiny the open source code is under, the more likely it is that bugs will be found, perhaps it is time for large organizations and the open source community to work ever more closely to everyone’s benefit.

Oh, and if you hadn’t considered it yet, after the bug has been fixed would be a good time to change your passwords!


Interception of communications data – overuse by the UK?

Posted on April 10th, 2014 by John Brunning

A report published on 8th April by Sir Anthony May, the UK Interception of Communications Commissioner, has initiated an investigation into whether there is “significant institutional overuse” of the government’s powers to intercept communications data.  The commissioner has the statutory responsibility for ensuring that the interception of communications by public authorities is legal and for reporting his findings to the Prime Minister each year.

The power to intercept communications arises under Part I of the Regulation of Investigatory Powers Act (RIPA) 2000 and covers the interception of communications content (Chapter I) and the interception of communications data, such as the date and time of transmission (Chapter II).  While the report found that the interception of communications content, which requires a warrant issued by a Secretary of State, is almost always compliant and of a high quality, the number of authorisations and notices for the interception of communications data raised concerns.

Authorisation for the interception of communications data is given by a senior designated person within the relevant public authority and, in total, the report found that 514,608 such authorisations were granted in 2013.  This, in the view of the commissioner, had “the feel of being too many” and prompted him to ask his inspectors to critically examine these authorisations to ensure they fall within the powers granted.

ECJ declares EU Data Retention Directive invalid.

Posted on April 9th, 2014 by Edward Bennett

The ECJ has declared invalid the EU Data Retention Directive (Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC), which requires telecoms companies to store citizens’ communications data for up to two years. The Directive requires that companies store data on individuals’ identity, the times of their communications, the place from which the communication took place and the frequency of their communications.

The ECJ ruled that the Directive is incompatible with Article 7 of the Charter of Fundamental Rights, stating that “By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data”.

Since its introduction in March 2006, the Directive has been widely criticised by journalists, privacy and human rights organisations, IT security companies, and legal professionals but the ECJ’s investigation and EU-wide ruling were prompted by the Constitutional Court of Austria and the High Court of Ireland asking the ECJ to decide whether or not the Directive complied with the EU Charter of Fundamental Rights.

Privacy or security?

While the ECJ acknowledged that data retention may be necessary to fight serious crime and for public security, the judges argued that the requirements under the Directive are disproportionate, stating that the collection and use of personal data without the owners’ knowledge “is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance”, adding that the Directive does not contain adequate safeguards against incorrect use of personal data.

Reactions to the ruling

A spokesman from HM Government has responded to the ruling, claiming that retention of communications data is essential to enabling law enforcement authorities to investigate crime and ensure national security: “We cannot be in a position where service providers are unable to retain this data”.

By contrast, campaigners from the technology world and human rights groups have welcomed the ECJ’s ruling: Joe McNamee, executive director of European Digital Rights Group called the law an affront to the fundamental rights of European citizens, adding that the decision marked the end of “eight years of abuses of personal data”, whilst Jim Killock from Open Rights Group in the UK hopes to see the ruling’s effects reach further: “Blanket data collection interferes with our privacy rights.  We must now see the repeal of national legislation that obliges telecoms companies to collect data about our personal phone calls, text messages, emails and internet usage.”


Osborne’s Games Tax Relief approved by the EC.

Posted on April 3rd, 2014 by Edward Bennett

The Games Tax Relief, announced by George Osborne in the 2012 Autumn Statement, has been approved by the European Commission as compliant with EU rules on state aid.

The Games Tax Relief proposal was the result of a lobbying campaign led by British video games producers, who claimed that punitive tax levels were resulting in jobs and talent migrating abroad.

EC intervention

The Chancellor initially hoped to bring the relief into force on 1 April 2013, saving games developers 25% tax on 80% of their costs. However, the EC contested that the Chancellor’s plan to stimulate the domestic video games market was unnecessary and was likely to distort the market, claiming that there was no evident market failure in the sector, and that the industry was thriving without state aid.

However, following investigation into the matter, the EC has found its initial concerns groundless, concluding that the tax relief promotes culture without unduly distorting competition.

“Our initial doubts have been dispelled” said Commission Vice-President in charge of competition policy Joaquín Almunia. “The proposed aid for video games is indeed focusing on a small number of distinctive, culturally British games which have increasing difficulties to find private financing”.

Cultural Value

TIGA estimates the relief to be worth an additional £188 million of investment for the UK’s game developers over the next five years, capable of generating or safeguarding 4,660 jobs and generating £172 million in tax receipts to HM Treasury. Only games that are deemed to be of cultural value will be eligible for Games Tax Relief – currently around 25% of games produced in the UK.

Cultural tests are based on the test applied in film tax relief, requiring a production to score at least 16 points out of a maximum of 30 or 31 across a range of cultural attributes such as British locations, characters, English-language dialogue, British heritage or creativity, and production activity taking place in Great Britain by British cast and crew.

Effect for the Games Industry

Dr. Richard Wilson, chief executive of TIGA, has hailed the news as “a superb decision by the EU Commission and magnificent news for the UK video games industry. Games Tax Relief will create jobs, boost investment and enable the production of more British video games. TIGA built a compelling case which demonstrated that video games are cultural products and so merit support”.

“Tax breaks for games production will help the UK fight its way back to the forefront of video game development. It will also help to further rebalance the UK economy away from an over-reliance on financial services towards a highly skilled, high-tech, R&D intensive and global-export focused industry.”

It is also hoped that the new tax relief will entice foreign games producers to the UK, as they will also be entitled to the relief if hiring British developers.


G-Cloud spending nears £100 million

Posted on March 19th, 2014 by Saman Harris

The public sector spent £11.15m through the G-Cloud platform in December, bringing the total spent to £92.65m.

The G-Cloud is a government public procurement platform that is intended to level the playing field for smaller IT suppliers. Based on the latest figures it appears to be working. Of the total spent so far 56% has gone to small and medium sized IT businesses.

The challenge for the government now, as the G-Cloud enters its fifth iteration with a new framework, is to make sure all areas of the government understand the platform. This too seems to be working, as a consortium of G-Cloud suppliers and customers wrote an open letter in January 2014 praising the platform for changing the public sector’s thinking on IT procurement.

The letter was not entirely positive, suggesting a number of improvements to the G-Cloud, including recommending the removal of services which are not in fact cloud services. The Cabinet Office has already reacted to this letter and 100 services have since been removed from the G-Cloud platform.

Overall, as spending nears £100m, the G-Cloud platform is reacting to market concerns and seems to be successfully levelling the playing field for smaller businesses looking to gain public sector work.


US Privacy groups have challenged Facebook’s £11 billion purchase of WhatsApp.

Posted on March 14th, 2014 by Saman Harris

The reason for the concern centres on the contrasting privacy policies of Facebook and WhatsApp.

WhatsApp, which deals with private messages between family and friends, does not currently collect personal user data for advertising purposes. On the other hand, Facebook’s major source of revenue is collecting user information to allow for targeted adverts to its users, based on gender, age and other determining factors.

Facebook has assured the public that WhatsApp will continue to operate as a separate company and that existing privacy arrangements will be honoured. However Facebook has, in the past, changed the privacy policy of companies it has acquired. The most notable example is Instagram, the photo-sharing social network, which Facebook purchased in 2012.

This has led to the Electronic Privacy Information Center and the Center for Digital Democracy filing a complaint with the US Federal Trade Commission (FTC). The complaint claims that Facebook’s purchase of WhatsApp will “violate WhatsApp users’ understanding of their exposure to online advertising and constitutes an unfair and deceptive trade practice”.

The complaint, dated 6 March 2014, asks the FTC to investigate the matter and ultimately to “insulate” WhatsApp user information from access by data collection practices.

It is now for the FTC to decide whether or not the acquisition can proceed and if any conditions protecting the data of WhatsApp’s 450 million users should be imposed.


UK Government pledges £45m funding increase for the ‘Internet of Things’

Posted on March 11th, 2014 by Christopher Perrin

Speaking at the CeBIT technology trade fair in Hannover, Germany, David Cameron has pledged an extra £45 million from the UK Government to develop technology for the so-called ‘Internet of Things’. This extra funding will take the UK’s total funding to £73 million, which clearly underlines the UK Government’s desire to make the UK a world leader in digital technology. In his speech, David Cameron suggested that combining British ingenuity with German engineering could propel both the UK and Germany to the forefront of a new industrial revolution:

“I see the Internet of Things as a huge transformative development – a way of boosting productivity, of keeping us healthier, making transport more efficient, reducing energy needs, tackling climate change… Take British ingenuity in software, services and design, add German excellence in engineering and industrial manufacturing and together we can lead in this new revolution.”

The Internet of Things refers broadly to a future where everyday physical objects are connected to the Internet and can identify themselves and other devices. This is significant, as it means the Internet will no longer just be a place we access via our electronic devices but a means of connecting the various aspects of our daily lives to one another.

Research firm Gartner predicts that by the year 2020 there will be in excess of 26 billion electronic devices connected to the Internet of Things, whilst analysts IDC put this figure closer to 30 billion, with an industry value of around $8.9 trillion. It is hardly surprising, therefore, that some of the biggest names in technology have already sought to cash in on this potential goldmine. Think Google Glass, iBeacons and Nike+ FuelBand, to name just a few examples of wearable technology that is connected to the Internet with a view to enhancing our everyday lives. Even though each of these is still in its relative infancy, a study last summer by Rackspace titled ‘The Human Cloud: Wearable Technology from Novelty to Productivity’ found that 18 percent of the population in the United States and United Kingdom were already using some form of wearable technology and that the majority of those users claimed these devices are making their lives better. Taking things a step further, think electricity meters that talk to the national grid to get you the best deals, health monitors that keep a watchful eye and automatically warn you of any potential problems, and water pipes that alert you of a fall in pressure. The possibilities really are endless.

Needless to say, with such vast amounts of data being collected, concerns have been expressed about the use of connected technology. The main issue is that policy makers and regulators are still figuring out to what extent regulatory intervention is needed to ensure that: (i) the Internet of Things delivers the full potential of societal and economic benefits; and (ii) the privacy rights of individuals are protected – for example, in terms of privacy breaches, automated decision making and consumer consent. Industry and privacy advocates take very different stances, with privacy groups arguing that special regulatory measures are needed to address such concerns and the industry arguing that the market is in its infancy and should be allowed more time to develop. It remains to be seen, however, whether suppliers to the industry will be seen to do enough to educate and protect consumers and, if not, what the respective national authorities will do about it.


CJEU rules that posting hyperlinks to freely accessible content does not infringe copyright

Posted on February 27th, 2014 by Olivia Woolston

In Svensson and Others v Retriever Sverige AB (C466/12), the CJEU ruled earlier this month that posting hyperlinks online to redirect users to copyright protected works, which are already freely accessible on another website, does not constitute an infringement.

The Claimants in this case are all journalists for the Göteborgs-Posten newspaper. Their articles were published both in the newspaper and online on the newspaper’s website, where they were freely available. Retriever Sverige, a Swedish company, posted hyperlinks to the articles on the Göteborgs-Posten website without obtaining consent.

The CJEU was asked by the referring court to consider four questions. The first three questions asked in essence whether Article 3(1) of Directive 2001/29/EC (the “InfoSoc Directive”) “must be interpreted as meaning that the provision, on a website, of clickable links to protected works available on another website constitutes an act of communication to the public as referred to in that provision, where, on that other site, the works concerned are freely accessible”.

Article 3(1) of the InfoSoc Directive states that:

“Member States shall provide authors with the exclusive right to authorise or prohibit any communication to the public of their works, by wire or wireless means, including the making available to the public of their works in such a way that members of the public may access them from a place and at a time individually chosen by them”.

In summary, the CJEU concluded that:

• Article 3(1) includes two criteria – namely, an “act of communication” of a work and the communication of that work to a “public”;

• A work that is posted on a website is communicated to the public because it is made available to the public;

• A hyperlink to a work may make it available to the public, irrespective of whether such public chooses to click on the hyperlink to access such work;

• However, in order to be covered by the concept of “communication to the public” within the meaning of Article 3(1), a communication concerning the same works as those covered by the initial communication and made by the same technical means as the initial communication must also be directed at a new public, i.e. at a public that was not taken into account by the copyright holders when they authorised the initial communication to the public.

The CJEU held in this case that making available works, which are already freely available on another website, by means of a clickable link to such website does not lead to the works in question being communicated to a new public. As such, there is no infringement of the copyright holder’s exclusive right as provided for by Article 3(1). The CJEU noted that the position would be different if a hyperlink to a work circumvented restrictions put in place to limit access to a protected work to, for example, paying subscribers. Such a hyperlink would then constitute communication to a new public not taken into account by the copyright holders when they authorised the initial communication.

Lastly, the CJEU ruled that Member States are not permitted to give wider protection to authors’ exclusive right by enabling “communication to the public” to cover a wider range of acts than provided for under Article 3(1). To permit this would undermine the very objective of the InfoSoc Directive which aims to create harmonisation of copyright and related rights at Community level.

The full judgment can be found here.


Roamers aren’t roaming…

Posted on February 25th, 2014 by Tim Rickard

A recent survey conducted by the European Commission has revealed that more than a quarter of European visitors turn their mobile phones off to avoid incurring roaming charges whilst abroad.  The Commission calculates that telecoms companies are missing out on a market of around 300 million phone users because of current pricing strategies, with negative effects for other businesses such as app makers.

Whilst it’s clear that Europe’s app economy is thriving, barriers like roaming charges are slowing down parts of this new sector.  For example, app makers that create tourist travel guides and maps are especially affected when consumers switch their roaming off, to avoid incurring hefty charges, ahead of exploring the very places that these apps have been designed to cater for.

At the same time, there has been an astonishing 1500% increase in data roaming across the EU since 2008.  This figure is largely attributed to the fact that there has been a vast uptake of mobile data services at home.

The Commission’s Connected Continent legislative proposal (Memo/13/779) asks the EU to achieve a Single Market when making a phone call or browsing the internet.  The overall aim is to create a series of regulatory obligations and market incentives which will induce mobile operators to extend their domestic plans so that by 2016, customers throughout the EU will be able to use their phones at domestic rates while travelling throughout the EU and avoiding the need to switch off.


Anti-piracy measures must be proportionate, says top EU Court

Posted on February 13th, 2014 by David Lewis

In a dispute between Nintendo and Italian company PC Box, the Court of Justice of the European Union has ruled that a manufacturer of a games console is protected against circumvention of its technological protection measures (“TPMs”) only where those measures proportionately seek to prevent use of illegal copies of video games.


TPMs are commonly used in the videogames industry to protect consoles from uses other than those permitted by the manufacturer. Nintendo’s “lock and key” TPMs (comprising a recognition system in its consoles and an encrypted code on the physical housing system of its videogames) prevent the use of illegal copies of Nintendo videogames (which do not carry the relevant code). Aside from blocking illegal copies, Nintendo’s TPMs also prevent the use of non-Nintendo programs, games and multimedia content on Nintendo consoles.

PC Box markets software and equipment for installation on Nintendo consoles which work around and deactivate Nintendo’s TPMs (the “Circumvention Devices”), thereby enabling use of illegal copies of video games. The Circumvention Devices also enable third party content that does not infringe Nintendo’s copyright to be played on Nintendo consoles.

Nintendo first brought proceedings against PC Box in the Milan Court regarding the Circumvention Devices. The Milan Court asked the CJEU to clarify the scope of legal protection against circumvention of TPMs which is afforded by the Directive on the harmonisation of copyright (2001/29/EC) (the “Directive”).

The CJEU’s ruling

In its ruling, the CJEU clarified that only those TPMs intended to prevent or eliminate unauthorised acts of reproduction, communication, public offer or distribution, for which authorisation from the copyright holder is required, are protected under the Directive. Nintendo will be pleased that the CJEU did not find its “lock and key” TPMs to be unlawful on the basis that they block non-infringing third party games as well as illegal copies of Nintendo games. However, the court made clear that the legal protection afforded to TPMs under the Directive should be proportionate and should not prohibit devices or activities which have a commercially significant purpose or use other than to circumvent the TPMs for unlawful purposes.

In addition, the scope of legal protection for TPMs must not be assessed according to the use of consoles as envisaged by the holder of copyright. Instead, it is necessary to examine the purpose of the relevant circumvention device, and to consider the actual use made of it by third parties.

The CJEU has referred this dispute back to the Milan Court and has called on the Milan Court to determine whether other effective TPMs could be put in place by Nintendo which would provide comparable protection of its rights and cause less interference with third party activities, such as use of non-Nintendo content, which do not require authorisation by Nintendo. The CJEU has indicated that it is appropriate for the Milan Court to consider the relative cost and practicalities of using other TPMs and the purposes for which the PC Box Circumvention Devices are used (i.e. how often they are used to read unauthorised copies of Nintendo or Nintendo-licensed games and how often they are used for purposes not infringing Nintendo’s copyright).

Practical impact

The Milan Court in this case will now need to decide whether Nintendo’s TPMs are suitable for achieving the objective of preventing or eliminating infringing acts without going beyond what is necessary for this purpose. The wider implication for games device manufacturers fighting anti-piracy cases is that there is now a clear onus on the console manufacturer to demonstrate (ideally through objective statistical evidence) that its TPMs are proportionate and that any circumvention device with which it is faced is primarily intended and used to circumvent the TPMs for unlawful purposes.


(Written by Emma Kingstone and David Lewis)