Post on 19-Dec-2015
11th Copyright Law & Practice Symposium, November 2003
Privacy & Copyright: An uneasy relationship
Professor Graham Greenleaf
Baker & McKenzie Cyberlaw Centre
University of New South Wales
<http://www2.austlii.edu.au/~graham>

Please note: Details of many of the points raised in these slides are in G Greenleaf 'IP, Phone Home: Privacy as Part of Copyright's Digital Commons, in Hong Kong and Australian law' in Lessig L Hochelaga Lectures 2002: The Innovation Commons Sweet & Maxwell Asia, Hong Kong, 2003. However, that article was written before the decision of the Full Federal Court in Kabushiki Kaisha Sony Computer Entertainment v Stevens [2003] FCAFC 157 ('Sony v Stevens') and many of its conclusions must now be revised.

Property versus privacy?
• Where does privacy fit?
  • Is privacy a traditional part of copyright?
  • Is privacy part of the public domain?
• Privacy dangers of DRMS
• Areas of potential legal conflict
  • Privacy invasion as ‘technological protection’
  • Privacy invasion as RMI
  • Privacy laws as protection against copyright
  • Litigation and investigation (not covered)

Privacy - a traditional IP right?
• Most sales of © artifacts were by cash and anonymous
  • DRMS: typically identified - licences; access codes; purchases via Internet
• Users did not enter contracts with © owners
  • DRMS: disintermediation is typical; subscriptions are directly with © owner
• Artifacts had no surveillance capacity
  • DRMS: digital artifacts are inherently capable of surveillance (recording, reporting, logging)

Privacy - a traditional IP right? (2)
• © law did not give general control of uses (‘first sale doctrine’): by whom, how often, when and where a work was used
  • DRMS: contracts and technology enable control of whatever uses are desired
• Loans of artifacts generally beyond knowledge and control of © owner
  • DRMS: potentially knowable and controllable
• Enforcement of © not a by-product of routine surveillance, but selective and ex post facto
  • DRMS: detection and even enforcement built-in

Privacy - a traditional IP right? (3)
• ‘Fair dealings’ did not require a licence to be sought - therefore private
  • DRMS: Can prohibit fair dealing uses, or if they are allowed, make them known
• Some infringements only occurred ‘in public’ - a narrow ‘private use’ exception
  • No longer important due to narrow scope
• Conclusion: © law balanced owners’ rights and the rights of users to experience works anonymously and privately
  • DRMS endangers this valuable limitation

Privacy as part of the public domain?
• US theorists (Boyle, Litman) argue that the concept of ‘public domain’ should include all aspects of works that © does not protect
  • ‘public domain’ takes on a normative element
• Copyright Law Review Committee argues (similarly) that the exceptions to © are ‘fundamental to defining the copyright interest’
• Limitations of copyright law which serve to protect privacy can be considered as part of this expanded notion of the public domain.

Privacy and public domain (2)
• What justifies privacy as ‘public domain’?
  • Surveillance diminishes the justification for © of increasing circulation of knowledge
  • Surveillance is inimical to creativity - you can’t “stand on the shoulders of giants” under spotlights
• Privacy is a feature, not a bug, of ©

Privacy and public domain (3)
• Legitimate expectations re privacy:
  • To maintain anonymity in obtaining © works, except where identification is justified;
  • To experience works free from surveillance;
  • That owner’s rights to control or monitor uses will be limited to statutory rights;
  • To exercise fair use rights free from monitoring
• These expectations are consistent with a theory of ‘public domain’ no longer limited only to works that are ‘free’
  • Some are also supported by privacy laws

Privacy invasion as ‘technological protection’
• s116A - © owner has various rights of action against dealings in devices that circumvent a ‘technological protection measure’ (TPM)
• A TPM (s10) is designed, in the ordinary course of its operation, to prevent or inhibit infringement of © by either (a) an access ‘code or process’; or (b) a copy control mechanism
• A circumvention device must have ‘only a limited commercially significant use … other than the circumvention’

The privacy issue in s116A
• Does s116A require people to submit to invasions of privacy by DRMS?
• Are these invasions of privacy justified?
• Does s116A protect these privacy-invasive technologies?
• Spider - Collecting society web spider
  • ISP blocks all spiders from indexing web sites it hosts
  • ISP only blocks spiders of collecting societies
• I-dongle - Digital works that won’t work unless they are online, and receive continuous authorisation signals from the © owner
• IP-phone-home - Digital work, when used online, sends reports back to the © owner - breaches monitored for possible enforcement action
• Disconnect - As above, + © owner disables the work (‘updates’) if breaches are detected
• In the last 3, what if all usage is monitored?

Sony v Stevens [2003] FCAFC 157
• PlayStation CD-ROMs contain an access code which cannot be copied (TPM)
• PlayStation games can still be copied and sold
• BootRom of PlayStation hardware reads the access code and will not play game unless it is present (and region-specific)
• Stevens’ ‘mod chips’ allowed pirate and non-regional games to be played (circumvention device)

Sony v Stevens (2)
• Issue relevant to surveillance
  • Must a TPM be designed to prevent or inhibit post-access infringement?
  • Is it sufficient for a TPM (access code protection) to deter or inhibit infringement (pirate copying and/or sales) which occurs prior to access (or use of the circumvention device)?
• More generally: how broad is ‘inhibit’?
  • Is an increased likelihood of detection sufficient?

Sony v Stevens (3)
• Sackville J (at first instance):
  • Definition of TPM did not cover devices which ‘merely have a general deterrent or discouraging effect on those who might be contemplating infringing copyright’
  • ‘only prevents or inhibits the infringement of copyright by discouraging infringements of copyright which predate the attempt at circumvention through access or copying’
  • ‘Inhibit’ still covers processes which (for example) allow copying but degrade its quality
• This would have given narrow protection to surveillance devices, limited to those that can result in direct prevention of infringements

Sony v Stevens (4)
• Full Court (French, Lindgren & Finkelstein JJ)
  • Devices are TPMs ‘even though the inhibition is indirect and operates prior to the hypothetical attempt at access and the hypothetical operation of the circumvention device’ (per Lindgren J)
  • ‘prevent or inhibit’ are wide enough to cover ‘deterring or discouraging infringement by rendering the infringing copy useless for the purpose for which it was made’ (per French J)
• Sony says nothing direct about TPMs that only operate after the infringement of copyright is complete (though causing a prior ‘inhibition’)

Privacy-invasive TPMs after Sony
• Spider - Collecting society web spider
  • Could be a copy control device (TPM) - inhibits copying or sale by making detection more likely
  • But the TPM only operates after the infringement
  • (1) blocks all spiders - legitimate purpose defence
  • (2) only blocks collecting society spiders - no defence
• I-dongle
  • Prevents access - clearly a TPM
• IP-phone-home
  • Same issues as with web spider - possible TPM
• Disconnect
  • Access control device (ex post facto) - is a TPM

What if all usage is monitored?
• All forms of online surveillance may be TPMs
• What if the device also records all usage information, but this cannot be prevented without disabling the TPM?
• If secondary purpose of the device is to collect marketing information, it is still a TPM
• Potential abuse of TPMs - users are forced to submit to marketing surveillance

Privacy invasion in RMI
• s116B - actionable where “a person removes or alters any electronic rights management information attached to a copy” of copyright subject matter
• RMI (s10) means information ‘attached to a copy of a work’ that:
  • (i) identifies the work, and its author or © owner; and
  • (ii) indicates terms and conditions on which the work may be used, or indicates that its use is subject to terms or conditions; and

Privacy invasion in RMI (2)
• The limited scope of RMI
  • Information about users can be RMI only if it is a necessary part of a licensing agreement (contra US which seems to exclude all user information);
  • Information transmitted is not RMI because it is not 'attached' to the work;
  • RMI does not include information about actual usage, but only its "conditions" of use
• s116B does not protect this ‘pseudo-RMI’
• What if this ‘pseudo-RMI’ is still inserted in or collected from works?

Privacy invasion as RMI (2)
• No express self-help 'right to remove' such 'pseudo-RMI' if it is collected
• This may be a problem if removal involves
  • (a) the need to obtain an unobtainable circumvention device; or
  • (b) copyright breaches; or
  • (c) removal of real RMI in the course of removing pseudo-RMI.

Privacy laws as protection against copyright abuses
• Privacy Act 1988 - private sector amendments
• Issues - National Privacy Principles (NPPs)
  • Is DRMS data "personal information"?
  • The anonymity right and DRMS design
  • Limits on data collection by DRMS
  • EU recommendations
  • Limits on use and disclosure
  • Data export limitations
  • Extra-territorial reach

Is DRMS data "personal information"?
• Law only applies to ‘personal information’
  • Can a person be identified from the information, and other available info?
  • Capacity to interact with a person is not enough
• IP addresses and some email addresses may enable interaction (enforcement, marketing), but not be ‘personal information’
• Privacy laws may apply haphazardly to DRMS

The anonymity/pseudonymity right and DRMS design
• NPP 8 requires that “[w]herever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation”
• May mean that DRMS must be designed to allow anonymity / pseudonymity if a practicable economic model exists
• Similar recommendation by International Working Group on Data Protection in Telecommunications (2000)

Limits on data collection by DRMS
• Collection must be by “fair means and not in an unreasonably intrusive way” (NPP 1.2)
  • Also applies to collection from 3rd parties
• Notice of collection, use and disclosure practices required “at or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual” (NPP 1.3)
  • Is collection by surveillance ‘from’ the person?
• EU A29 Committee recommendations

Limits on use and disclosure
• Personal information collected by DRMS cannot be used / disclosed for any secondary purpose (NPP 2) unless it is a directly related use within reasonable expectations with consent, or (where impractical) is for marketing purposes, with “opt out”
• DRMS are protected against circumvention even if data collected is being used for marketing purposes
• The NPP’s limits on this are also weak

Data export limits on DRMS
• DRMS will often involve international personal data flows
• NPP 9 prohibits personal data exports
  • numerous exceptions including consent
• Mainly a problem where no contract exists

Extra-territorial reach - s5A
• Australian privacy law applies to DRMS operated overseas if the operator (a) has an organisational link with Australia; or (b) carries on business, and collected the personal information, in Australia
• Where does a DRMS ‘collect’ data online?

Restoring the balance
• As yet, most concerns about DRMS are hypothetical - business models are fluid
• However, their potential dangers to privacy - and creativity - are real
• © law traditionally maintained a reasonable balance between privacy and property
• © reforms need to maintain this balance, seeing privacy as one of the values reflected in copyright laws (part of ‘public domain’?)
• In the long run, successful DRMS will be those that respect privacy