11th Copyright Law & Practice Symposium, November 2003

Privacy & Copyright: An uneasy relationship

Professor Graham GreenleafBaker & McKenzie Cyberlaw Centre

University of New South Wales<http://www2.austlii.edu.au/~graham>

Please note:Details of many of the points raised in these slides are in G Greenleaf 'IP, Phone Home: Privacy as Part of Copyright's Digital Commons, in Hong Kong and Australian law' in Lessig L Hochelaga Lectures 2002: The Innovation Commons Sweet & Maxwell Asia, Hong Kong, 2003However, that article was written before the decision of the Full Federal Court in Kabushiki Kaisha Sony Computer Entertainment v Stevens [2003] FCAFC 157 ('Sony v Stevens') and many of its conclusions must now be revised.

Property versus privacy? Where does privacy fit?

Is privacy a traditional part of copyright? Is privacy part of the public domain?

Privacy dangers of DRMS Areas of potential legal conflict

Privacy invasion as ‘technological protection’ Privacy invasion as RMI Privacy laws as protection against copyright Litigation and investigation (not covered)

Privacy - a traditional IP right? Most sales of © artifacts were by cash and

anonymous DRMS: typically identified - licences; access

codes; purchases via Internet Users did not enter contracts with © owners

DRMS: disintermediation is typical; subscriptions are directly with © owner

Artifacts had no surveillance capacity DRMS: digital artifacts are inherently capable of

surveillance (recording, reporting, logging)

Privacy - a traditional IP right? (2) © law did not give general control of uses (‘first

sale doctrine): by whom, how often, when and where a work was used DRMS: contracts and technology enable control of

whatever uses are desired Loans of artifacts generally beyond knowledge

and control of © owner DRMS: potentially knowable and controllable

Enforcement of © not a by-product of routine surveillance, but selective and ex post facto DRMS: detection and even enforcement built-in

Privacy - a traditional IP right? (3) ‘Fair dealings’ did not require a licence to be

sought - therefore private DRMS: Can prohibit fair dealing uses, or if they are

allowed, make them known Some infringements only occurred ‘in public’ - a

narrow ‘private use’ exception No longer important due to narrow scope

Conclusion: © law balanced owners rights and the rights of users to experience works anonymously and privately DRMS endangers this valuable limitation

Privacy as part of the public domain? US theorists (Boyle, Litman) argue that the

concept of ‘public domain’ should include all aspects of works that © does not protect ‘public domain’ takes on a normative element

Copyright Law Review Committee argues (similarly) that the exceptions to © are ‘fundamental to defining the copyright interest’

Limitations of copyright law which serve to protect privacy can be considered as part of this expanded notion of the public domain.

Privacy and public domain (2) What justifies privacy as ‘public

domain’? Surveillance diminishes the justification for

© of increasing circulation of knowledge Surveillance is inimical to creativity - you

can’t “stand on the shoulders of giants” under spotlights

Privacy is a feature, not a bug, of ©

Privacy and public domain (3) Legitimate expectations re privacy:

To maintain anonymity in obtaining © works, except where identification is justified;

To experience works free from surveillance; That owner’s rights to control or monitor uses will be

limited to statutory rights; To exercise fair use rights free from monitoring

These expectations are consistent with a theory of ‘public domain’ no longer limited only to works that are ‘free’ Some are also supported by privacy laws

Privacy invasion as ‘technological protection’ s116A - © owner has various rights of action

against dealings in devices that circumvent a ‘technological protection measure’ (TPM)

A TPM (s10) is designed, in the ordinary course of its operation, to prevent or inhibit infringement of © by either (a) an access ‘code or process’; or (b) a copy control mechanism

A circumvention device must have ‘only a limited commercially significant use … other than the circumvention’

The privacy issue in s116A Does s116A require people to submit to

invasions of privacy by DRMS? Are these invasions of privacy justified?

Does s116A protect these privacy-invasive technologies?

n Spider Collecting society web spider • ISP blocks all spiders from indexing web sites it hosts • ISP only blocks spiders of collecting societies

n I-dongle Digital works that won’t work unless they are online, and receive continuous authorisation signals from the © owner

n IP-phone-home Digital work, when used online, send reports back to the © owner - breaches monitored for possible enforcement action

n Disconnect As above, + © owner disables the work (‘updates’) if breaches are detected

n In the last 3, what if all usage is monitored?

Sony v Stevens [2003] FCAFC 157

PlayStation CD-ROMs contain an access code which cannot be copied (TPM)

PlayStation games can still be copied and sold BootRom of PlayStation hardware reads the

access code and will not play game unless it is present (and region-specific)

Stevens’ ‘mod chips’ allowed pirate and non-regional games to be played (circumvention device)

Sony v Stevens (2)

Issue relevant to surveillance Must a TPM be designed to prevent or inhibit post-

access infringment? Is it sufficient for a TPM (access code protection)

to deter or inhibit infringment (pirate copying and/or sales) which occurs prior to access (or use of the circumvention device)?

More generally: how broad is ‘inhibit’? Is an increased likelihood of detection sufficient?

Sony v Stevens (3)

Sackville J (at first instance): Definition of TPM did not cover devices which

‘merely have a general deterrent or discouraging effect on those who might be contemplating infringing copyright’

‘only prevents or inhibits the infringement of copyright by discouraging infringements of copyright which predate the attempt at circumvention through access or copying’

‘Inhibit’ still covers processes which (for example) allow copying but degrade its quality

This would have given narrow protection to surveillance devices, limited to those that can result in direct prevention of infringements

Sony v Stevens (4) Full Court (French, Lindgren & Finkelstein JJ)

Devices are TPMs ‘even though the inhibition is indirect and operates prior to the hypothetical attempt at access and the hypothetical operation of the circumvention device’ (per Lindgren J)

'prevent or inhibit’ are wide enough to cover ‘deterring or discouraging infringement by rendering the infringing copy useless for the purpose for which it was made’ (per French J)

Sony says nothing direct about TPMs that only operate after the infringement of copyright is complete (though causing a prior ‘inhibition’)

Privacy-invasive TPMs after Sony Spider Collecting society web spider

• Could be a copy control device (TPM) - inhibits copying or sale by making detection more likely

• But the TPM only operates after the infringement• (1) blocks all spiders - legitimate purpose defence • (2) only blocks collecting society spiders - no defence

• I-dongle • Prevents access - clearly a TPM

• IP-phone-home • Same issues as with web spider - possible TPM

• Disconnect • Access control device (ex post facto) - is a TPM

What if all usage is monitored?

All forms of online surveillance may be TPMs What if the device also records all usage

information, but this cannot be prevented without disabling the TPM?

If secondary purpose of the device is to collect marketing information, it is still a TPM

Potential abuse of TPMs - users are forced to submit to marketing surveillance

Privacy invasion in RMI s116B - actionable where “a person removes

or alters any electronic rights management information attached to a copy” of copyright subject matter

RMI (s10) means information ‘attached to a copy of a work’ that: (i) identifies the work, and its author or © owner;

and (ii) indicates terms and conditions on which the

work may be used, or indicates that its use is subject to terms or conditions; and

Privacy invasion in RMI (2) The limited scope of RMI

Information about users can be RMI only if it is a necessary part of a licensing agreement (contra US which seems to exclude all user information);

Information transmitted is not RMI because it is not 'attached' to the work;

RMI does not include information about actual usage, but only its "conditions" of use

s116B does not protect this ‘pseudo-RMI’ What if this ‘pseudo-RMI’ is still inserted in or

collected from works?

Privacy invasion as RMI (2) No express self-help 'right to remove' such

'pseudo-RMI' if it is collected This may be a problem if removal involves

(a) the need to obtain an unobtainable circumvention device; or

(b) copyright breaches; or (c) removal of real RMI in the course of removing

pseudo-RMI.

Privacy laws as protection against copyright abuses

Privacy Act 1988 - private sector amendments Issues - National Privacy Principles (NPPs)

Is DRMS data "personal information"? The anonymity right and DRMS design Limits on data collection by DRMS

EU recommendations Limits on use and disclosure Data export limitations

Extra-territorial reach

Is DRMS data "personal information"? Law only applies to ‘personal information’

Can a person be identified from the information, and other available info?

Capacity to interact with a person is not enough IP addresses and some email addresses may

enable interaction (enforcement, marketing), but not be ‘personal information’

Privacy laws may apply haphazardly to DRMS

The anonymity/pseudonymity right and DRMS design NPP 8 requires that “[w]herever it is lawful

and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation”

May mean that DRMS must be designed to allow anonymity / pseudonymity if a practicable economic model exists

Similar recommendation by International Working Group on Data Protection in Telecommunications (2000)

Limits on data collection by DRMS Collection must be by “fair means and not in an

unreasonably intrusive way” (NPP 1.2) Also applies to collection from 3rd parties

Notice of collection, use and disclosure practices required “at or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual” (NPP 1.3) Is collection by surveillance ‘from’ the person?

EU A29 Committee recommendations

Limits on use and disclosure Personal information collected by DRMS

cannot be used / disclosed for any secondary purpose (NPP 2) unless it is a directly related use within reasonable expectations with consent, or (where impractical) is for marketing purposes, with “opt out”

DRMS are protected against circumvention even if data collected is being used for marketing purposes

The NPP’s limits on this are also weak

Data export limits on DRMS DRMS will often involve international personal

data flows NPP 9 prohibits personal data exports

numerous exceptions including consent Mainly a problem where no contract exists

Extra-territorial reach - s5A Australian privacy law applies to DRMS operated

overseas if the operator (a) has an organisational link with Australia; or (b) carries on business, and collected the personal information, in Australia

Where does a DRMS ‘collect’ data online?

Restoring the balance As yet, most concerns about DRMS are

hypothetical - business models are fluid However, their potential dangers to privacy - and

creativity - are real © law traditionally maintained a reasonable

balance between privacy and property © reforms need to maintain this balance, seeing

privacy as one of the values reflected in copyright laws (part of ‘public domain’?)

In the long run, successful DRMS will be those that respect privacy