Legal risks on the Internet
A programme of seminars, organised by TALiSMAN (Teaching And Learning in Scottish Metropolitan Area Networks), and held at the University of Strathclyde and Northern College (Aberdeen), 21 January 1998.
Video-conferencing facilities were employed to make simultaneous presentations at Strathclyde and Northern College, with some speakers (and audience) at each location. The Powerpoint presentation screens were shown in parallel with a live picture link.
The speakers chosen were all well-versed in their respective fields, and were also able to make lively and clear expositions of what might have otherwise been rather dry legal terminology. The whole area of copyright is strewn with popular misconceptions and traps for the unwary, so that authoritative clarification within the new field of Internet material is particularly welcome.
The full programme of events, together with links to abstracts, presentation slides for the talks, etc, was originally available via the URL:
http://www.talisman.hw.ac.uk/tman-events/legal-risks/joe/legal/prog/prog.html
Protecting intellectual property: copyright
Charlotte Waelde came from the Department of Private Law at Edinburgh University and had previously advised extensively within a private practice in the field of intellectual property. She started with a definition of copyright (the right to prevent others copying what you have created) and where it applies (to original work in arts, books, paintings, etc) - ideas have to be incorporated into media to qualify for protection. Copyright is automatic (you don't have to register the work), and undoubtedly applies also to material on the Internet: recent cases, involving the Shetland Times, the Washington Post and even the BBC's Teletubbies, were instanced. "Unfortunately" the dispute over the Shetland News links to the Shetland Times was settled by agreement, so the situation has yet to be tested in court, and the arguments may arise again. Total News had a Web page 'frame' which could include other news sources; for instance Web pages from theWashington Post could appear in this way (this was a case of passing-off rather than of direct copyright infringement).
Literary works comprised original written material, including e-mail messages, articles, computer facility instructions and slogans. Musical/dramatic works had copyright protection as regards writing rather than performance. Artistic works included logos, photographs, graphics etc. Sound recordings and films could also now appear on the Internet. The creator was the first owner of copyright; but if the creator had acted as an employee, the copyright belonged to the employer (eg, works created by academics, such as lecture notes; so permission was required from the institution in order to put such material on the Internet!). Joint authorship meant joint ownership. Copyright lasted for 70 years after the death of the author.
The situation regarding written articles was changing, and advice should be sought about posting already published articles on the Internet, as the copyright might have been assigned to the publisher. Articles written in 'your own time' could be safely posted on the Internet.
Infringement of copyright occurred either when other people infringed your work, or you infringed other people's work. This could be by photocopying or copying to a Web page - even surfing the Internet strictly speaking infringed copyright, because of the transient downloaded copies; by public showing, by adaptation (for instance a picture converted to digital format). Infringement related to copying a 'substantial' part of a work (depending on quality rather than just quantity of the excerpt) and its liability was strict: lack of knowledge was insufficient defence, and authorisation of infringement constituted actual infringement.
The liability of individuals was straightforward, but the liability of institutions was more complicated: if it supplied equipment access to the Internet, could it be said to authorise infringement? But a commercial library renting sound recordings 'said to lead to copying' was not held to be liable; and twin-cassette deck manufacturers were not held to authorise infringement, because (a) lawful activity was possible and (b) express warnings about copyright were given. On the other hand, a university was held liable when its library omitted to display warnings or take steps to prevent unlawful photocopying. An Internet service provider could be held liable if it knew or ought to have known of infringement (an example of illegal downloading of video games was cited, where the ISP even gave instructions and sold equipment for infringement of copyright). The lesson here was to have clear instructions and procedures regarding copyright.
Provisions for 'fair dealing' generally applied to copying for the purposes of criticism/review, for research or private study, or for reporting of current affairs. No particular 'amount' was specified to be 'fair'. ("If it was my material being copied, would I consider the amount to be fair?" was a reasonable question here.) Your moral rights as author could not be assigned to anyone else: your right to be acknowledged as the author of the work; the right not to have your name put to something not created by you; the right not to have your work subject to derogatory treatment. In the case of a Web page, problems might arise from links to articles by other people - if the authors' names do not ever appear.
International copyright depended on international treaties (eg the Berne Convention), leading to protection in over 100 signatory states.
Overall advice so far would be that: information on the Internet is protected by copyright, so you shouldn't make your own copies; you should make sure that material you post on the Internet is your own copyright (you may add © and the year or "all rights reserved" to draw attention to your copyright). If you have already published an item in a journal, you need to check on the copyright situation. On Web pages, don't use other people's graphics etc; make it clear if any material you publish is not your own; and avoid ambiguous "framing" of other people's pages. Overall, you should treat other people's material as you would have others treat your own.
The University of Edinburgh's own legal guidelines were (then) on-line at: http://www.ed.ac.uk/about/legal
Trademarks and domain names
John MacKenzie, a solicitor (at Bird Semple in Edinburgh) who advises clients on Web site matters, presented this talk on behalf of his colleague John Salmon who was unavailable. He described a trademark as protection of what material is called, and was about branding and identifying products: it was important to prevent others from using your chosen name. A trademark provided exclusive rights and prevented others from using your brand - and this could include a chosen Internet domain name (eg, birdsemple.co.uk). A domain name (which had to be unique) could be registered only once, but a trademark might be owned by different entities in different countries. There existed 'cyber-squatters' who registered likely names and then sold them on (to the trademark owner, or a third party) or even blocked the use of the name. Many companies have not registered their domain names. But what were the legal remedies?
Trademark infringement occurred when the same name was used for similar goods/products/services: tests for infringement involved problems about what is 'similar'. Passing-off was misrepresentation, leading the public to believe that goods or services were those of someone else (for instance, the 'framing' problem with the Washington Post). Recent cases in England involved M&S, Ladbrokes, Sainsbury's, Virgin and BT all against One in a Million (which registered names and sold them to potential users); injunctions were granted to all five companies on the basis of trademark infringement and passing off due to deliberate registration of others' domain names.
There operated a practice of first-come-first-served; the case of 'Pitman' was cited, where three companies all had the right to the name; and of 'Prince', where a UK and a US company (with different goods and services) both had right to the name - this showed the international nature of the Internet as against the territorial nature of trademarks.
Proposals for reform were to create more top level domains (favoured by the Internet Society), a registration procedure and a mechanism for resolving disputes; or, to use IP numbers, with an on-line directory (not a user-friendly solution!). More top level domains would be created in February 1998 to reflect types of activity: .firm, .store, .web, .arts, .rec, .info, .nom. More could be created as the need arose, although some would argue that the same problems would re-emerge. The registration procedure would require applicants to disclose details of their business, with statements that they intended to use domain names for bona fide purposes and that the intended use would not infringe the rights of any other party. Resolution of disputes would be supported by the creation of panels to administer a policy on identical second-level names etc.
It was concluded that famous trademark owners should register their domain names without delay, be aware of possible infringement, and seek legal advice.
Technical threats to copyright and intellectual property rights
Brian Kelly is well-known as a central UK repository of all information to do with the World Wide Web, and he monitors Web developments on behalf of Higher Education, within the UK Web Focus team. He started his talk by freely admitting his own breach of copyright - every time he forwarded e-mail without permission!
So what was desired? A quicker, more reliable Web; protection for our intellectual property (without delays and bureaucracy), sensible ways of including resources, sensible copyright statements on Web pages, and clarification of responsibilities. The current CLA (Copyright Licensing Agency) copyright statement did not permit users to view HTML source, or to download a page for a period exceeding 30 days, or to alter the page. As an example of a legal threat, he cited a student Web page containing images of the Teletubbies scanned from Radio Times, with comments and a reference to 'unoffical Teletubbies site' (thus found by search engines). As an example of theft using images, he instanced finding a Web site containing a logo which you had created yourself; and, using frames, the Total News site had contained pointers to pages on various other news sites (which then appeared within the Total News frame) and carried advertising, paid to Total News.
However, the idea of a Virtual Document would mean the desirability of altering the contents of a page (for instance via a CGI script to retrieve and format it or add advertisements etc); bookmarking tools could also be part of a document. If you are visually impaired, you might want to change settings for colours etc, which might also be regarded as alteration of the document. From August, there would be a charge to institutions for traffic from the USA. Caching would store remote resources locally: if the CLA's '30-day maximum' was exceeded, whose problem would it be: the owner's, the user's, the computer service's?
Solutions to these problems would depend first on applications: Java could prevent images being stolen, and linking to images elsewhere might be controlled by a server configuration. Detection of plagiarism could be aided by search engines (eg, using image:domain.ac.uk in Alta Vista), by spotting trademark misuse and digital signatures in multimedia objects. The World Wide Web Consortium (W3C) was working to address the issues, such as whether technology necessitates a change in copyright legislation. Another method was to express rights declarations in 'metadata' fields: this would need to reflect business models. Rights management could be included in the existing PICS (Platform for Internet Content Selection) scheme or in a copyright scheme with 'values' (eg, 'disallowed', 'conditionally allowed') enforced by the browser. Lastly the W3C Platform for Privacy Preferences project would enable users to be informed and to make choices about the collection, use and disclosure of personal information (see: http://www.w3.org/P3P/P3FAQ.html).
Acceptable Use policies were important, and should be made known to the users; such policies were necessary to enforce internal disciplinary measures, and invaluable if legal measures were entailed. These would cover non-academic use, and include publishing policies (for information providers) and policies for service providers (eg, privacy of use of log files). The UK Web Focus team was to produce a resource of Acceptable Use policies.
Liability for user misuse
Professor Ian Lloyd (Centre for Law, Computers and Technology at the University of Strathclyde http://law-www-server.law.strath.ac.uk/) went into some detail about third-party liability for the acts of students and staff at academic sites, in breach of criminal law, by copyright infringement or defamation, and breach of the Data Protection Act. He established at the outset that in all cases the user would be liable, but a key issue would be whether some or all of the liability would be transferred to the employer and what steps might be taken to minimise the element of risk.
In most cases, criminal liability (with imprisonment a possibility) would be personal to the user and would not extend to the employer (eg, breach of the Computer Misuse Act 1990); three areas might give cause for concern: pornographic material, copyright and data protection. In civil cases (with financial consequences), vicarious liability made an employer liable for acts of employees carried out in the course of their employment; direct liability might arise if the organisation could be seen as acting as a publisher of material.
The law relating to obscene publications held that, except where child pornography was involved, an offence was committed by dealing in obscene material (including acts of importing, publishing, distributing). Where child pornography was involved, the act of possession was sufficient to constitute an offence. A recent case in England had suggested that placing an HTML link to a site containing obscene material constituted publishing. There was no doubt that placing such material on a Web site (or on a computer hard disk) would be sufficient to establish liability. Liability was likely to begin and end with the individual(s) involved unless it could be shown that publication occurred with the knowledge and consent of the owner of the equipment used. Employees and other users must be made aware of Acceptable Use policies and be required to observe them. Reasonable attempts should be made to monitor contents of any Internet sites, and speedy action must be taken in the event of complaints received regarding content.
Placing material created by third parties on a web site was likely to constitute a breach of copyright; infringement would be a civil and even a criminal liability. The main danger of criminal liability for non-commercial distribution might be from staff placing infringing material in the network. Liability would arise only where the person accused knew or had reason to believe that infringement had occurred. Again, the procedure for management of the risk would be to remove the material. Dissemination of information about the provisions of copyright law might help to dispel some popular myths. Civil liability for copyright infringement, on the other hand, did not allow ignorance as a defence; education provided a clear limitation of the risk: with usage policies (demonstrably accepted by users), disciplinary sanctions and indemnification statements (which might not be worth the paper they were written on, but gave users pause for thought!).
Defamatory statements could be made in e-mail messages or Internet postings (and many were); e-mail was equated with written work (books, letters etc). A recent example was cited, where Norwich Union had used internal e-mail to post messages casting doubts on the financial stability of a competitor, and had had to pay £450,000 damages. A slight comfort in this area was that the Defamation Act (1996) provided for a defence of 'innocent dissemination', although this was not very well defined, and had not been tested in the courts. The defence would be of no assistance where employees were involved (for work-related comments), but might apply in respect of student postings. In this area, management of the risk would be by education regarding the nature of defamation, and again by publishing terms of use. Consideration should be given to whether users be required to include a statement that their postings did not reflect the opinions of the institution; and again a policy and procedures should be developed to remove messages immediately upon receipt of complaints.
The Data Protection Act (1984) had not been rigorously enforced, and a new Bill (published on 14 January), following a European Directive, was due to be passed on 24 October 1998. Its nature would change Data Protection significantly, regarding duties and liabilities. If an employee acting in the course of employment acted outside the terms of the institution's register entry, the institution might commit an offence. The institution might also be liable for unauthorised access to, or destruction or disclosure of, personal data, where this causes damage and distress to an individual. This risk could be managed by education (again) and by controls over access to (and use of) personal data.
In summary: there were risks to institutions, associated with the Internet; these risks were not all legal ones, and not all novel ones (eg, software 'theft'); educating users might prevent liability arising and might provide a defence; in any case, 'turning a blind eye' was not an option.
Jurisdiction and enforcement
An unexpected problem (at least for the layperson) was that of jurisdiction: if a copyright infringement to a Web page hosted in Spain occurred in the UK, and the copyright was owned by someone in the USA, whose judicial system might (or should) deal with any ensuing court case? John MacKenzie (from Bird Semple) explained that jurisdiction was of vital importance, as it embodied the right of the court to hear the particular case. The function of the courts in a country was to preserve law and order in that country, in relation to interdict actions. Litigation in another country was not desired! Within the EC, attempts to clarify rules had been made with the Brussels Convention and the Civil Jurisdiction and Judgments Act (1982); in addition there was Common Law. In a copyright infringement, material might be disseminated in several jurisdictions instantly. The notion of Special Jurisdictions covered the 'place of performance', registration of trademarks and patents, and the 'wrongful, harmful event' (delict). The 'harmful event' consisted of a harmful act and a place of damage.
The American approach was one of personal jurisdiction - either with 'connection' or with 'no connection' (eg, a lawsuit in the USA because a hotel in Italy had a 'misleading' website, classed as an advertisement). A useful concept over here was that of forum non conveniens, which encompassed what was the most appropriate court, placed onus on the defendant, and raised the question of justice above convenience; relevant factors included the location of assets, the multiplicity of proceedings and the possibility of inconsistent verdicts. The Brussels Convention should enforce consistency, which was important for 'cyber-law'. On this matter there was certainly substantial debate ahead.
Electronic copyright management system
The 3-year IMPRIMATUR (Intellectual Multimedia Property RIghts Model And Terminology for Universal Reference!) project addresses the issues of managing copyright by consensus betweeen IT, telecomms and IPRs (Intellectual Property Rights); a Business Model for trading has been developed. Janet Hurrell (from IMPRIMATUR) has been active in the field of licensing intellectual property in education and closely involved with Public Lending Rights and the Copright Licensing Agency. She took the line that risks could be turned into opportunities for easier access and dissemination. Trading on the Internet was so far mainly of 'product' - creators and businesses do not yet have the confidence to trade electronically. The IMPRIMATUR consensus for managing copyright was built via special interest groups, major international fora (examining legal issues in purchasing and liability). Account was taken of other major initiatives, such as the Digital Object Identifier (DOI, within American publishing), Common Information System (CIS, amongst collecting societies for musicians, writers etc), VISA and MasterCard on SET.
IMPRIMATUR was technology-centred, and could deal with products such as CopySmart, ACORN (library project) and IBM's Cryptolope. The technological development of the project had led to demonstration software, and a mixture of proprietary solutions; software specifically developed was for various interfaces and some watermarking technology. The current Business Model (v2.0) was backed by a paper document, with a formal specification document being developed.
Ms Hurrell then described the concept of the Business Model architecture: ten roles were defined, covering creator (and provider), rights holder, unique number issuer, IPR database, media distributor, purchaser, certification authority (checking bona fide user, authentic object), monitoring service provider, and last (but not least) the Bank (currently using 'e-cash', although other models might work better). Watermarking was associated with the identifier. She showed part of a CD animated demo which went through the ten roles: this CD is available to institutions. Trials of the Business Model included: a watermarking system used by an Italian picture archive; 'byline' (for acquisition of rights from journalists); a combined British Library and Danish project planned for coursework; and the possibility of audio work (with interest shown by an American company).
See http://www.imprimatur.alcs.co.uk
Panel session
The final session gave audience members (at both locations) the chance to raise quite a number of questions. Organisations including universities were recommended to register Internet domain names required for research projects etc, but initial (and renewal) fees had to be considered. To the suggestion that all transactions in dollars should have US jurisdiction, it was pointed out that this was only one aspect of the topic to consider.
The forthcoming EC Database Directive prompted a query about what would be protected: there was the problem of a compilation being viewed as a database (or vice versa!). National caching of Web pages was raised, with pages going 'stale' - HTTP version 1.1 would deal with out-of-date pages. There was a feeling amongst librarians that the laws about defamation (for instance in the Norwich Union case against free speech within internal e-mail) were too draconian: did the legal world think that might be so? In the NU case, it was considered that the result (and the financial penalties) might have been the same if paper copies of the same comments had been circulated: a distinction should not be made between e-mail and paper. However the laws might have been drafted too hastily: the WWW Consortium (see http://www.w3c.org) was looking at this. IMPRIMATUR had applied for funding to investigate caching and 'transient' copies of copyright material.
The movement of Law into the Internet arena was worrying - the copyrighting of hyperlinks especially jeopardised the whole Web ethos. However, the Law did tend to 'get into' everything: but should the Internet be regulated or self-regulating? The control of access to learning materials on the Internet (by password or domain restriction) would reduce the potential for copyright liability (by extra copying); some publishing companies did accept authentication controls (such as the ATHENS national scheme). A related topic was the Data Protection implication of using 'cookies' for the tracking of server usage: it was agreed that this would be a problem with the new legislation: users might not be aware of the recording of their usage. Here the Computer Misuse Act might also apply, as 'cookies' involved a change to the users' computers. Server administrations should anyway have policies about what they do with the information gathered.
The ownership of an 'outsourced' database needed to be assigned in writing as part of any contract. If the work was commissioned, care had to be taken to retain copyright - for instance, for software for which you had paid a lot of money, and which might end up sold elsewhere!
The use of electronic 'watermarks' for protecting copyright was questioned, as giving a false sense of security: if a picture was converted out of the digital domain and rescanned, or a sound-clip was converted to analogue, could the watermark survive? It was admitted that the several systems of watermarking for sound had all been cracked, and systems for text were not developed: the original digital form would indeed retain the watermark, however.
Lastly, it was asked if there were time limits for claiming against copyright infringements; five years was the rule - but starting when? The timing of acts of copying might be different from the timing of any loss to a third party (who might not have even been aware of the loss). The timing might in practice run from when the breach was discovered.
During the panel session, two particular points arose which applied to the whole topic of legal risks on the Internet: the Law was intended both to protect individuals' rights and to facilitate business; and there would always be infringers of copyright - some climate of trust was required.
Peter Adamson,
IT Services.
February 1998
Postcript: a local question
It has been suggested that the question be raised: does the University of St Andrews do enough to tell students about copyright?
IT Services has further information, covering Electronic Copyright and the issues relating to use on Web pages of copyright materials (either one's own or other people's).