This is a draft version of an article to appear in [2002] Hong Kong Law Journal. The published version of the article should be referred to and cited.
The development of content-protection technologies ('CPT') and digital rights management systems ('DRMS'), despite their benefits to rights-holders, poses many dangers to the protection of privacy, which some have said could mean an end to the privacy of reading. Hong Kong and Australia are two of the earliest jurisdictions in the world with laws implementing the anti-circumvention and rights management information (RMI) protection provisions arising from the WIPO Copyright Treaty 1996. They are also two of the few jurisdictions outside Europe with privacy (data protection) laws applying to the private sector. These two jurisdictions therefore give two of the best illustrations of the tensions now arising between copyright and privacy: property vs privacy. In this article the author explores how CPT and DRMS affect privacy, how existing data protection and privacy laws affect the operation of CPT and DRMS, and whether laws against copyright circumvention devices and interference with RMI prevent privacy protection. The author concludes that privacy could now be unduly prejudiced in favour of property, and suggests reforms which may help restore the balance.
The reverse process is now underway: technical protections of intellectual property in cyberspace (ie over networks) may protect property interests in digital works[4] more comprehensively than has ever been possible in physical space, and destroy many public interest elements in intellectual property law in the process. In the worst scenarios, the surveillance mechanisms being developed to do this may also bring about the end of the anonymity of reading. Privacy is one of the interests threatened.
In criticising Barlow, Lessig observed that infinite copies could only be made if "the code permits such copying", and questioned why the code (software and other aspects of the technical architecture of cyberspace) could not be changed to make such copying impossible[5]. For intellectual property, this architecture involves content-protecting technologies (hereinafter 'CPT')[6] and digital rights management systems (hereinafter 'DRMS')[7]. Intellectual property has become one of the areas where cyberspace architecture is said to be replacing law as the most effective method of protecting interests. However, the new adjuncts to intellectual property law discussed in this paper (laws against circumvention devices and laws protecting rights management information (RMI)) are part of this change. Contract law is also a vital part of the new paradigm for protection of digital content. The process is one of law being partly replaced by technology, but with new and different forms of law supporting the protection by technology and vice-versa.
DRMS and CPT have many legal implications, but this paper only focuses on their effect on privacy and their relationship to privacy laws. It explores what protections are found in information privacy laws against surveillance by digital works, their interaction with these new adjuncts to intellectual property laws, and the extent to which privacy laws may need to be strengthened to help provide a reasonable balance between privacy and the protection of intellectual property.
These tensions between property and privacy are illustrated by the laws of Hong Kong and Australia, because they are two of the earliest jurisdictions in the world to implement the anti-circumvention and rights management information (RMI) protection provisions arising from the WIPO Copyright Treaty 1996, and because they are also two of the few jurisdictions outside Europe with privacy (data protection) laws applying to their private sectors. Their laws illustrate the tensions now arising between copyright protection and the protection of privacy: property vs privacy.
Perhaps we have only received a fragment of Brand's aphorism[8]: is it really 'Information wants to be free ... but it wants to keep you under surveillance'?
It is possible to argue[13] from an economic analysis of copyright law that such limitations on exploitation of copyright as those outlined above that support respect for privacy are merely a result of previously high transaction costs which DRMS can eliminate. However, they can also be seen as a means of reconciling the loss to the public welfare caused by the monopoly involved in copyright. At least because there is not yet 'any well-functioning competition between different DRM systems', and for other reasons, many argue that the law has to limit the extent of protection that DRMS can provide[14]. I agree, and take the same approach to the need for law to balance protection of privacy against the protection of digital content.
As we implant a billion specks of our thought into everything we make, we are also connecting them up. Stationary objects are wired together. The nonstationary rest - that is, most manufactured objects - will be linked by infrared and radio, creating a wireless web vastly larger than the wired web. It is not necessary that each connected object transmit much data. A tiny chip plastered inside a water tank on an Australian ranch transmits only the telegraphic message of whether it is full or not. A chip on the horn of each steer beams out his pure location, nothing more: "I'm here, I'm here." The chip in the gate at the end of the road communicates only when it was last opened: "Tuesday."
Pervasive networking enables a trend toward artefacts that report back through these digital networks to some central monitoring point about their location, current state, or prior usage, often in a way which allows that information to be correlated, more or less reliably, with the actions of individual people. Artefacts are often built with surveillance capacities enabled in default, sometimes with 'opt out' capability.
To see that many digital artefacts do live in a networked world is simple enough. Many people now have Internet connections active whenever they are using their computers. Every program, document or other file on their computer is then (in theory) capable of communicating with anywhere else on the Internet, such as the computer system of its copyright owner or of an intermediary in a DRMS. Furthermore, many digital artefacts have their full utility only when their users are online. An obvious example is that word processing documents are now created routinely with live hypertext links, so that the document is interactive if opened when the user's PC is online, but not otherwise. Another example is software for playing recorded music which, when a music CD is inserted in a PC, automatically checks an Internet database to obtain title and other details of all the tracks on the CD[16]. The telecommunications infrastructure for digital artefacts to exercise surveillance is therefore an increasingly pervasive part of our computer use.
Many hardware devices used to present digital content are not yet networked (at least not so as to allow two-way communication), including most CD and DVD players, and televisions. However, the range of hardware devices used for presenting content with wired or wireless communications capacities is growing rapidly, including mobile phones and personal digital assistants (PDAs). This article concentrates on digital content which is already part of the increasingly pervasive networking, because that is where the privacy issues are most acute.
Online surveillance through the use of cookies and 'web bugs' (single pixel gifs) has already become a contentious privacy issue, but these examples relate more to marketing uses of our browsing habits than to conditions of use of intellectual property.
Our rights to limit surveillance via artefacts will become one of the key privacy issues for the start of this century, with surveillance by digital works likely to be one of the most contentious and common examples.
The three types of parties are:
In order to obtain the protection that content owners want in relation to digital content, they are relying on complex combinations of at least four different forms of protection (possibly six, if different types of contracts are distinguished)[17]. These are:
The same paradigm is being used to protect content which is not protected by copyright law, including the items of content in a database, and works which are in the public domain.
Most aspects of the very complex legal issues raised by the combinations of these various protective measures are beyond the scope of this article, which focuses only on the relationship between privacy protection and two of these elements (technological measures and technology protection laws).
These CPT can be categorised in various ways. Koelman and Helberger distinguish those that control access, those that control certain uses, those that protect the integrity of a work, and those that enable metering of access and/or use[22].
For the purposes of this article, some of the more important of the variety of CPT[23] can be ranked in approximate order of their implications for privacy (less to more):
Digital Rights Management Systems (DRMS) may take many forms, depending in part on which combination of CPTs is employed. In addition, the business models which will become commercially successful are still emerging.
The 'ideal aims' of a DRMS have been described (in a formulation more sympathetic to consumer and privacy rights than most product descriptions)[31] as follows:
* provide copyright-protected material to users upon request;
* provide a means for remuneration (or a facility to grant or refuse a licence) to flow to the owner;
* track usage of material (which documents, how often, used by whom and so on) without interfering with the privacy of the user;
* prevent unlawful appropriation of the copyright material by people who are outside the system;
* prevent unlawful use of the copyright material by users who obtain the material legitimately in the first instance;
* ensure the integrity of the intellectual property;
* allow for a reasonable flow of information between owners to users (owners are often also users and vice versa) in the public interest (that is, a DRMS should not unreasonably tie up the community's information and cultural resources); and
* allow for the effective operation of fair dealing within the DRMS.
The potential for privacy intrusions is apparent from the third, fourth and fifth aims, even in this 'ideal' description.
A description of one of the best-known early DRMS models, the European Imprimatur Project[32], illustrates how some fundamental changes to the way in which copyright currently operates would follow from the implementation of such a DRMS:
One of the key standards is for identification of digital works. Gervais[34] described eleven competing standards, including a variety of media-specific identifiers, and more general proposals such as the Digital Object Identifier (DOI)[35] and Persistent Uniform Resource Locators (PURLs)[36]. He also describes five standards for metadata[37] that (in the absence of one global identification system for digital works emerging) might provide a basis for interoperability between DRMS based around different numbering systems. DOI and PURL also have potential for unifying differing numbering systems without replacing them.
This Babel of IDs for digital works is as yet slowing down the development of networked DRMS, and this slow development buys a limited amount of time for privacy protection to be developed.
Monitoring of reading and viewing habits poses the threat of a 'chilling effect' on freedom to read, think and speak. Cohen describes it as 'a giant leap ... toward monitoring human thought'[38]. Bygrave and Koelman argue that 'The attendant, long-term implications of this for the vitality of pluralist, democratic society are obvious'[39].
The collection of information on reading and viewing habits creates risks of the misuse of personal information for secondary purposes, particularly but not only marketing purposes. These risks are amplified if those collecting personal information can aggregate data from our reading/viewing of different sources, so as to construct profiles. The use of reading/viewing information for marketing purposes is obvious. Non-marketing examples of unacceptable secondary uses are that researchers or lawyers do not want anyone to know what digital works they are consulting, and an author wanting permission to include an extract in an anthology or other collection does not want her publishing plans indirectly disclosed to rival publishers.
Minimising unnecessary identification is a significant issue. There is a need to maximise the use of CPT which allow anonymous transactions involving digital works, provided that in doing so we don't create worse problems of unfair contract enforcement (see below). Otherwise, when it is necessary for transactions to be potentially identifiable, pseudonymity needs to be used wherever possible[40], to prevent the misuse of personal information for secondary purposes, and also to prevent a 'chilling effect' on freedom to read, think and speak.
Intermediaries between users and rights owners will play a crucial role in safeguarding and administering pseudonymity, and in aggregating usage information for publishers/authors without interfering with user privacy[41]. Many CPT can be and will be used without any intermediaries between the end-user of a digital work and the rights-holder. 'Disintermediation' was one of the buzzwords of Internet business models. In its positive incarnations we think of recording artists or authors being able to sell directly to their publics. Just as likely, publishing houses of various sorts (still the rights-holders) will do a far greater percentage of direct selling to the public without the use of intermediaries such as booksellers. Online booksellers could also develop into intermediaries for digital works in a DRMS model. The result is likely to be a mixture of delivery models, but the point is that a lot of CPT and DRMS will be run directly by publishing houses with lots of different products to shift and a strong interest in secondary use of identified consumption data, or by booksellers with a similar combination of interests. We will not always be 'lucky' enough either to have some central industry-based monitoring body standing between consumers and publishers trying to act as an 'honest broker', or to be dealing direct with the author who has only her own product to sell. Which business models succeed will have a significant effect on privacy.
The enforcement of such contracts is also unlike real space contracts, Lessig points out[43], because whereas the law always takes into account various public and private interests in determining the extent and means by which contracts will be enforced, when contracts are self-enforced by code (for example, by the work suddenly becoming unusable) these public values are not likely to be taken into account. We might add that when the law enforces a contract there is an independent assessment of whether there has been a breach of the contract, whereas here the enforcement is automated and unilateral, built into the architecture. If 'code contracts' replace law, these are not necessarily the same as 'law contracts', and may not be in the public interest. There is also likely to be an overlap with privacy interests here, because of the surveillance involved in determining where there has been a breach.
Although often phrased in terms of protecting copyright, they are of broader significance as one of the means by which authors can protect an expanded set of rights beyond copyright through a combination of contracts, technology and surveillance.
'Contracting Parties shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention and that restrict acts, in respect of their works, which are not authorised by the authors concerned or permitted by law.'
Article 12 of the WCT provides, in relation to 'rights management information':
(1) Contracting Parties shall provide adequate and effective legal remedies against any person knowingly performing any of the following acts knowing, or with respect to civil remedies having reasonable grounds to know, that it will induce, enable, facilitate or conceal an infringement of any right covered by this Treaty or the Berne Convention:
(i) to remove or alter any electronic rights management information without authority;
(ii) to distribute, import for distribution, broadcast or communicate to the public, without authority, works or copies of works knowing that electronic rights management information has been removed or altered without authority.
(2) As used in this Article, 'rights management information' means information which identifies the work, the author of the work, the owner of any right in the work, or information about the terms and conditions of use of the work, and any numbers or codes that represent such information, when any of these items of information is attached to a copy of a work or appears in connection with the communication of a work to the public.
From the perspective of privacy protection, some of the questions we need to ask are whether these provisions and their national legislative implementations allow persons to:
In 1998 the Australian Government announced its plans to ban commercial dealings in circumvention devices and to ban removal of rights management information[47]. The proposed amendments drew heavily on what was then the proposed EC Directive[48]. The amendments to the Copyright Act 1968 (Cth) by the Copyright Amendment (Digital Agenda) Act 2000 have been in force since March 2001.
The Hong Kong SAR has provisions with the same intent in ss273-274 of the Copyright Ordinance (Cap 528) which was enacted in 1997, shortly after finalisation of the WCT.
The United States Digital Millennium Copyright Act (DMCA) of 1998 has amended Title 17 of the US Code (dealing with copyright) to implement the WCT. The EC Directive on Copyright in the Information Society, which deals with anti-circumvention and RMI issues primarily in Articles 6 and 7, was passed in May 2001[49]. Both are only mentioned briefly by way of comparison, particularly when they take a different approach to privacy-related issues.
A 'technological protection measure' means (s10):
'... a device or product, or a component incorporated into a process, that is designed, in the ordinary course of its operation, to prevent or inhibit the infringement of copyright in a work or other subject-matter by either or both of the following means: (a) by ensuring that access to the work or other subject matter is available solely by use of an access code or process (including decryption, unscrambling or other transformation of the work or other subject-matter) with the authority of the owner or licensee of the copyright; (b) through a copy control mechanism.'
Where s116A applies, the copyright owner may obtain an injunction, damages (including additional damages) or an account of profits (s116D). There is also a criminal offence where the same conditions as in s116A are satisfied, but with a higher burden of proof ('reckless' rather than 'ought reasonably to have known') and with the onus of proof on the Crown (ss132(5A)-(5B)). A similar offence is created in relation to the operation of a 'circumvention service' (ss132(5C)-(5D)).
In contrast, both the DMCA and the European copyright Directive prohibit the act of circumvention (with some exceptions).
However, it is misleading to think that users in Hong Kong and Australia will not usually be liable for acts of circumvention. The use of a circumvention device will involve liability for breach of copyright by the user, if it involves the making of an infringing reproduction ('copies' in Hong Kong terminology). This may occur in two ways.
First, many if not most digital works cannot be used without a transient copy of the work being made by the hardware device used to display the work. However, in Australia, in some cases such as playing movies embodied in DVDs, these transient copies will not constitute a 'copy' under s10: Australian Video Retailers v Warner[54]. In addition, s43A provides that, even where the transient copying of a work (literary, dramatic, musical or artistic) which occurs during use is a reproduction, it is not an infringement if it is made 'as part of the technical process of making or receiving a communication' (unless 'the making of the communication is an infringement of copyright'). While this means that web browsing does not infringe copyright, it does not assist a user who is using a circumvention device which results in a reproduction (even if temporary) being made of a copyright work. The user would be liable for a copyright infringement unless a defence applied (such as one of the fair use defences), or unless the work was in the public domain, or unless an implied licence still applied[55]. The Australian situation is therefore complex.
In Hong Kong, s65 provides that transient copies of every type of subject matter are not infringing if 'technically required for the viewing or listening of the work by a member of the public to whom a copy of the work is made available', despite s23 providing that such copies are infringements. This implies that, provided a user has legitimately obtained a copy of a work, making a temporary copy of it for purposes of viewing or listening, in the course of use of a circumvention device, would not constitute infringement. Even where s65 does not apply, there might be no infringement by playing DVDs, despite s23(6)[56], because no 'making of copies' is involved: Australian Video Retailers v Warner.
Second, it is quite possible that the use of a circumvention device will require the copying and/or adaptation of software or data comprised in the CPT/DRMS which is protected by copyright. Such copying will probably fall outside the protection for transient copies (s65 and s43A discussed above) because it is not for 'receiving a communication' or 'viewing or listening'. It does not come within the exceptions for copying software for such purposes as error correction in either the Hong Kong or Australian legislation[57]. However, some uses of circumvention could arguably involve copying programs in ways which are 'for the purposes for which the program was designed' (Australia, s47B) or 'necessary for the lawful use of the program' (Hong Kong, s61). In both jurisdictions, use of the circumvention device could result in an infringing copy of software, but it is difficult to generalise.
Furthermore, a question remains as to whether a person who writes his or her own small piece of software in order to prevent some surveillance device operating as it is intended might be regarded as 'making' a device.
An additional risk is that, where a digital work is provided online by someone else, use of a circumvention device or service to obtain unauthorised access to a computer system could also involve criminal offences[58].
We can conclude that, although use of circumvention devices is not explicitly prohibited, in both Australia and Hong Kong, users need (but do not have) a positive statutory 'right to circumvent' in order to be able to safely access a digital work for purposes which would provide a defence to an action for infringement. Such a right should be provided by law.
However, as Koelman argues in the European context, 'too broad a prohibition on preparatory activities would render the permission to circumvent meaningless'[59] ('preparatory activities' means the making of and dealing with circumvention devices, the 'upstream' activities). The discussion following supports this hypothesis in relation to Australia and Hong Kong.
First, in the definition of 'technological protection measure', provided that an 'access control' or 'copy control' measure does have some effect in 'inhibiting' copyright infringements, it is not necessary that this should be its primary purpose. Many access control or copy control mechanisms would at least 'inhibit' copyright infringement unless they were nearly or totally ineffective. 'Inhibit' must include something less than 'stop', otherwise 'prevent' would have no meaning in the section. However, if a CPT is only aimed at preventing something which is not a breach of copyright (such as playing DVDs: Australian Video Retailers v Warner) then it will not constitute a 'technological protection measure'[60]. So the scope of 'technological protection measure' is very broad but with very large holes.
Similarly, it does not matter that a 'copy control mechanism' also stops the copying of content that is not protected by copyright (eg public domain material, or individual items in a database) or stops copying in circumstances which would not be a breach of copyright because defences apply.
The use of 'designed' in that definition implies that a device must be intended by its designer to protect copyrights, and not merely inadvertently do so (as any computer security device might do). It must have some effectiveness[61].
Second, knowledge or belief that infringement of copyright will take place is not required by s116A, only knowledge or belief that a technological protection measure will be circumvented. If it was believed that the circumvention device was only going to be used in relation to public domain works, or data items in a database, this would not be an excuse.
Third, although only a copyright owner or exclusive licensee can take action (s116A(5)), it is sufficient if they have one copyright work protected by the relevant device being circumvented, even if no one intends to use the device to circumvent protection in that work. Copyright owners can therefore commence actions which are really intended to protect technologically protected content which does not have copyright protection.
In Hong Kong the defendant is only liable if he deals with or possesses the circumvention device 'knowing or having reason to believe that it will be used to make infringing copies or infringing fixations'. If a particular defendant (for example a library) possesses a device only for the purpose of allowing 'fair dealings' with works (ss 38 and 39), then this is not a breach. If a defendant has a reasonable belief that a device in which he is dealing (or possesses) will only be used for circumventions in relation to works in the public domain (including those in which copyright has expired), or database items in which there is no copyright, or any content in relation to which a defence applies, then there will be no breach in the making or dealing. In addition, uses of circumvention devices which do not involve any copies being made, but (for example), merely prevent the collection of personal information for privacy-protection purposes, will not be a breach.
The Hong Kong provisions are a more careful and cautious implementation of the WCT requirements, and are tied much more closely to the protection of copyright-protected content and actions than are the Australian provisions.
There are various provisions allowing supply of circumvention devices for some purposes to libraries, archives, educational institutions, the Crown, law enforcement agencies etc[62]. These exemptions involve the approved type of institution making a declaration to the provider of the circumvention device identifying the category of exemption and stating that 'a work ... to which the person proposes to use the device ... is not readily available to the person in a form that is not protected by a technological protection measure'.
However, these exemptions do not include the 'fair dealing' defences (ss40-43), of use for research or study, criticism and review, reporting news or providing professional advice. Fair uses, and the privacy of fair use, are not recognised by this legislation[63]. In order to preserve the effective exercise of 'fair dealing' rights, the 'right to circumvent' suggested above is needed.
As discussed above, in Hong Kong, dealing in a circumvention device without reason to believe it would be used for infringing uses would not be a breach, and nor would possessing it in the course of a business. Use of a device for a non-infringing purpose is not a breach, because use does not cause liability. The Hong Kong legislation is therefore better than the Australian legislation on this point. However, in practice, the lack of availability of circumvention devices may mean that most users of digital works who would be theoretically entitled to take advantage of fair use exemptions will be unable to do so[64].
Another problem would be a web site which provides links to overseas web sites where circumvention devices may be downloaded. In the USA, eight motion picture companies have brought a case against 2600 Magazine to enjoin it from publishing or linking to DeCSS, a computer program used to circumvent the encryption used in DVDs, and other similar cases have been commenced, but none concluded[65]. The case is being defended on the grounds that the anti-trafficking provisions of the Digital Millennium Copyright Act (DMCA) are unconstitutional because they infringe First Amendment freedom of speech rights. Similar to the USA, consideration needs to be given to whether s273(2)(b) is inconsistent with the protection of freedom of expression in the Hong Kong Bill of Rights Ordinance (Cap 383), on the basis that it goes beyond what is 'necessary' to protect the rights of others[66]. It would also be necessary to take into account Article 34 of the Basic Law providing that 'Hong Kong residents shall have freedom to engage in academic research, literary and artistic creation, and other cultural activities'. At the least, these provisions should lead to a narrow reading of s273(2)(b).
In Australia there are prohibitions on anyone who 'by way of trade ... otherwise promotes, advertises or markets, such a circumvention device' (s116A(1)(ii)) or 'makes such a circumvention device available online to an extent that will affect prejudicially the owner of the copyright' (s116A(1)(vi)), or provides or promotes a circumvention service, if 'the person knew, or ought reasonably to have known, that the device or service would be used' for circumvention. A person who merely provides information about circumvention devices on a non-commercial basis (eg an academic or technical paper) is unlikely to fall within these provisions. Whether a hypertext link to a circumvention device 'makes [it] ... available online' under s116A(1)(vi) is similar to the more general question of whether providing hypertext links to any work constitutes an infringement of the new right of 'making available to the public' under both the Australian and Hong Kong legislation. This is a broader question than can be pursued here, but there is some opinion that links may constitute 'making available'[67]. Unlike the USA or Hong Kong, there are in Australia no entrenched rights of freedom of speech (outside political matters) which could be used to attack these provisions.
'Copy control mechanism' is undefined, and its possible meaning is most uncertain. It would, for example, include any technology which limits printing from web pages or databases in any way. However, would it include ex post facto technological means of detecting copyright infringements, such as the use of web spiders to search for unauthorised copies of digital works? These are not access controls, but could well be considered 'a copy control mechanism'. The inclusion of surveillance devices as protected technology could have significant privacy implications. Similarly, a digital watermark or similar device of steganography does not prevent access, but it may well be regarded as 'a copy control mechanism' in that it both inhibits copying and allows its detection. Such devices would include a code that a word processor or HTML editor could put into documents to identify whether they were created by a licensed copy of software. The question Courts will have to resolve is whether 'copy control' includes deterrence or detection. The reference to 'inhibit' in the Australian definition supports such an interpretation.
If web spiders are copy control mechanisms, it then becomes a question of whether a web site operator can circumvent them without 'making' a circumvention device, or obtaining one from someone else who will then be dealing in a circumvention device. At what point will writing a few lines of software to configure a web server differently become 'making' a circumvention device?
In Hong Kong, works are protected if they are made available 'in any form which is copy-protected' (s273(1)(b)). Copy-protection 'include(s) any device or means specifically intended to prevent or restrict copying of a work or fixation of a performance or to impair the quality of copies or fixations made' (s273(4)). This will not cover access control mechanisms, except where circumvention of access control does involve the making of copies of a work. The Hong Kong definition only refers to 'prevent or restrict', and it is possible that 'restrict' might be interpreted as broadly as 'inhibit'. Alternatively, 'prevent' could be interpreted as only meaning 'stop copying occurring under some circumstances', in which case it is narrower than 'inhibit'. If so it seems unlikely that this would include web spiders or steganography, which merely deter copying by increasing the likelihood of detection.
As an example of a possible copy control mechanism, works may be issued on DVDs including a region control coding, and selling DVD players allowing the playing of DVDs from all regions circumvents that control. In situations like this, where works are merely viewed, the question arises of whether the viewing involves the generation of something sufficiently permanent to constitute a 'copy' (for example, the caching[68] of a web page). Although s23(6) says that 'copying' includes making copies which are transient or incidental to other uses of the work, s65 provides that '[n]otwithstanding s23, copyright in a work is not infringed by the making of a transient or incidental copy which is technically required for the viewing or listening of the work by a member of the public to whom a copy of the work is made available'.
The Hong Kong prohibition on dealing with devices is limited to 'any device or means specifically designed or adapted to circumvent the form of copy-protection employed' (s273(2)(a)). This limitation to devices 'specifically designed' to circumvent will serve to exempt devices which have more general purposes but incidentally defeat a form of copy protection.
One of the most far-reaching forms of surveillance by and of digital works is therefore protected against circumvention - it will be illegal to assist users to circumvent such surveillance. The EC copyright Directive provisions on anti-circumvention raise similar problems of interpretation[70].
Such collection may be in breach of privacy laws, though this is not certain (see the next section). As a matter of policy, anti-circumvention provisions should not provide protection for any technological measures that do not meet privacy protection standards required by legislation. The US Digital Millennium Copyright Act provides an explicit defence against its anti-circumvention provisions where circumvention is only for the purpose of protection of personally identifying information, but the protection can be defeated by 'conspicuous notice'[71].
Other variants of online surveillance of users might be less clearly within the definition of 'technological protection measures'. For example, a digital artefact that recorded its own usage even when offline, and then (once it went online) sent this information 'home' so that users could be charged for usage, or for detection of breaches of licence conditions (such as copying or printing), probably would not be regarded as an access control mechanism, but could still be argued to be a copy control mechanism, if 'control' is interpreted to include deterrence or detection.
Under the Hong Kong provisions it is less clear whether digital artefacts on a user's PC that send information 'home' when they are online are protected against circumvention. As discussed above, it seems that many devices attempting to prevent unauthorised access to any online or CD-ROM access to works will be covered, because of the wide definition of 'copy-protection'. However, as with Australia, protection of the recording of usage details and ex post facto reporting of them when the artefact goes online will depend on whether 'copy-protection' is interpreted to include deterrence and detection, but this is less likely in Hong Kong. Also, in Hong Kong a circumvention device must be used to make infringing copies, and devices that block surveillance are unlikely to do this.
If (despite the above argument) online surveillance of usage is regarded as a copy protection device in Hong Kong, any protection for users against secondary usage of the information (such as marketing uses) will depend on Hong Kong's privacy laws, as the Copyright Ordinance does not itself impose any limits on use of the information collected.
Additional actions in relation to commercial dealings with copyright subject-matter from which RMI has been removed are provided in s116C, where the relevant knowledge is that the person knew, or ought reasonably to have known, that the removal of the RMI 'would induce, enable, facilitate or conceal an infringement of the copyright in the work or other subject-matter' (which knowledge is presumed by s116C(3)).
Criminal offences equivalent to the actions in s116B and s116C are provided in s132(5D) which makes it a criminal offence to 'remove or alter any electronic rights management information attached to a copy of a work', provided there is the required intent[72], and in s132(5D) which provides related offences concerning distributing, importing and communicating artefacts where such information has been removed or altered.
'Electronic rights management information' is defined in s10 in terms very similar[73] to those in the WCT Article 12(2) and the WPPT[74] Article 19:
electronic rights management information means: (a) information attached to a copy of a work or other subject-matter that: (i) identifies the work or subject-matter, and its author or copyright owner; and (ii) identifies or indicates some or all of the terms and conditions on which the work or subject-matter may be used, or indicates that the use of the work or subject-matter is subject to terms or conditions; and (b) any numbers or codes that represent such information in electronic form.
This might not seem to matter if (as argued above) RMI does not include personal information (except perhaps the identity of a licensee where this is a necessary part of the conditions of use of a work), so removal of such information is not a breach of the RMI provisions.
Nevertheless, removal of such 'pseudo-RMI' might require the use of an (unobtainable) circumvention device, or if the user attempts to modify the work to prevent the collection of this 'pseudo-RMI' this may be a breach of copyright, so the pseudo-RMI may be protected. The user still needs some positive right similar to that found in the USA's DMCA, at least in Australia. In Hong Kong, devices to remove RMI are less likely to be circumvention devices because circumvention devices must make infringing copies (as discussed above).
Hong Kong and Australia are two of the few jurisdictions outside Europe with data protection (or 'personal information protection') laws which cover the private sector[80]. Hong Kong's Personal Data (Privacy) Ordinance (Cap 486) has been in force since 1995, and Australia's Privacy Act 1988 (Cth) has applied to significant parts of the private sector since December 2001.
Since the implementation of the EC copyright Directive in May 2001, European countries must implement both anti-circumvention/RMI laws and data protection laws[81]. Bygrave and Koelman have each made a number of studies of the interrelationship between European privacy laws and anti-circumvention/RMI laws[82].
The experience of the United States is of limited relevance here. The USA is unlikely to enact comprehensive data protection laws, partly for constitutional reasons[83]. The Digital Millennium Copyright Act contains explicit provisions limiting the operation of the anti-circumvention and RMI-protection provisions where they would infringe privacy, as mentioned above. Arguments that laws prohibiting copyright circumvention devices diminish 'the right to read anonymously'[84] and may breach the guarantees of freedom of speech and privacy in the US Constitution are of limited relevance as legal arguments in countries such as Australia which do not have such constitutional guarantees. These arguments, which are still unresolved in the USA, have some potential relevance in Hong Kong, due to the limited protection of freedom of speech in the Hong Kong Bill of Rights Ordinance and the entrenchment of the International Covenant on Civil and Political Rights by the Basic Law. Most European and some other countries are more willing than the USA[85] to protect privacy by general information privacy legislation, and do not have the same constitutional constraints in doing so[86].
In many cyberspace transactions, what will constitute 'personal information' is uncertain, and this may have a severe effect on the applicability of data protection laws to those transactions. In Australian law, whether machine addresses and email addresses would constitute personal information would usually be a question of fact in a particular case[88]. Bygrave and Koelman also thought this was uncertain[89].
In the DRMS context, there may be many doubtful situations. For example, if a web spider merely collects the ID number of a licensed digital work, but it is possible for that ID number to be subsequently correlated (perhaps via a number of steps) with the identity of the individual who holds the licence, has the web spider been involved in the collection of personal information? Questions may also arise whether, if part of the information is accessible to the public on a web page, the combined information can still be 'personal information', but this will depend on the wording of particular legislative provisions[90].
However, these types of definitions may miss the real point of many cyberspace interactions. If a DRMS can determine that a copy of a digital work it has located on the net (or which has reported to it) is an infringing copy, or is being used in breach of its licence, and it can initiate enforcement action without knowing the identity of the person who is responsible, it has acted against an individual and with serious consequences. For example, if a digital work merely sends 'back to base' information about the PC on which it is located, or the internet sub-domain on which it resides, but there is no record in the rights-owner's database of a licence in relation to those locations, so that the work automatically ceases to be useable, where is the collection or use of personal information? Similarly, if information about the reading habits of a pseudonymous licensee can be aggregated so that it is commercially valuable to market other digital works to that individual, and there is access to an email address which makes this possible, the publisher has no need to know the identity of the individual marketed to.
This weakness in definitions of personal information may place a significant limit on the capacity of data protection laws to protect privacy in relation to surveillance systems used for copyright protection.
In Australia's privacy law, National Privacy Principle 8 'Anonymity' (NPP 8) requires 'Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.' This 'anonymity principle' is unusual in data protection laws[92], but does have a precedent in Germany[93]. It is not explicitly required by the European data protection Directive[94]. Although the title of NPP 8 only refers to anonymity and not pseudonymity, the words 'not identifying themselves' are broad enough to encompass systems which allow pseudonymity, with actual identification only being permitted under certain conditions.
There is no explicit equivalent in the Hong Kong privacy Ordinance. It would be difficult to read a requirement of pseudonymity or anonymity into the scattered words of Data Protection Principle (DPP) 1[95] requiring that data collected is 'necessary for', 'directly related to' or 'adequate but not excessive in relation to' the purpose of collection. Similarly, it is unlikely that the words 'unless the information is necessary for one or more of its functions or activities' in Australia's NPP 1 would be interpreted to require pseudonymity or anonymity.
One of the few other examples is Germany's Teleservices Data Protection Act (Article 2 of the Information and Communications Services Act of 1997), which requires the objective of minimising or eliminating the collection and use of personal information to be built into the 'design and selection of technical devices' (hardware and software):
's3(4) The design and selection of technical devices to be used for teleservices shall be oriented to the goal of collecting, processing and using either no personal data at all or as few data as possible.'
This design requirement makes meaningful the specific requirement on service providers to provide anonymous and pseudonymous uses of teleservices 'to the extent technically feasible and reasonable'[96], because it removes the excuse that systems have not been designed to allow for anonymous or pseudonymous transactions. Here, the control of architecture by law is both a serious, though general, limitation on the types of Internet systems that may be built, and a necessary precondition for legal sanctions aimed directly at the behaviour of service providers.
One of the main differences between this Australian formulation and that in the German law is that it does not have the explicit legislative requirement for systems to be designed to allow anonymity and pseudonymity. The Australian provision might therefore be interpreted to allow the excuse that it is not 'practicable' because the system design makes it technically impossible. However, the strong wording of 'must have the option' may be interpreted to at least require any systems designed after the legislation commences to provide anonymity and pseudonymity options wherever 'practicable'.
Data protection Commissioners are increasingly aware of the importance of this issue. The Article 29 Working Party of European Data Protection Commissioners made recommendations in 1997 concerning anonymity on the Internet[97] which show a clear preference for maximising anonymity in Internet transactions, subject to balancing this with other rights. In 1999 the International Working Group on Data Protection in Telecommunications, drawn from data protection agencies worldwide, specifically recommended the development of DRMS 'which allow for anonymous or pseudonymous transactions'[98].
Collection must be by 'fair means and not in an unreasonably intrusive way' (NPP 1.2) or 'fair in the circumstances of the case' (DPP 1(2)(b)). Surreptitious use of cookies, web bugs, or web spiders could potentially infringe these provisions. Personal data can only be collected if it is 'necessary for one or more of [the collector's] functions or activities' (NPP 1) or 'necessary for', 'directly related to' or 'adequate but not excessive in relation to' the purpose of collection (DPP 1).
An important protection of privacy in DRMS systems will be if individuals must be given notice when information is collected about them. In Australia, notice of collection, use and disclosure practices must be given to the individual 'at or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual' (NPP 1.3), and 'reasonable steps' must be taken to give such notice to the individual even where the information is collected from third parties ('from someone else': NPP 1.5). Hong Kong's DPP 1 has similar provisions, but notice is only required in relation to collection directly from the data subject. In both Australia and Hong Kong, it is questionable whether, when information is collected about a person from a web site, or even from the individual's computer, it is collected from 'the individual' (Australia) or from 'the data subject' (Hong Kong). If it is not so collected, but instead classified as collected from observation/surveillance, no notice is required. The correct interpretation is unresolved, but the better view is that observation of a person, or extraction of information from that person's private computer files (as distinct from pages on a publicly accessible website) should be regarded as collection from the person[99].
Many aspects of data collection by DRMS will be with the consent of the data subject, or pursuant to a contract with the data subject. They will therefore have to comply with the normal requirements of disclosure of purpose, and limitations on excessive collection (as discussed above)[100].
More contentious forms of collection of personal information are likely to arise because of the surveillance aspects of DRMS. If a monitoring service provider (MSP) uses a web spider solely for the purpose of collecting rights management information (RMI), or if the digital work sends reports back to the MSP, it may be collecting 'personal information' (see discussion above). The MSP may be in a contractual relationship with the person concerned (a licensee), but questions may arise as to whether the collection is with consent, or (in EU Directive terms) the collection is necessary for the performance of the contract or for the purpose of the legitimate interests of the MSP or its client. Disclosure of surveillance practices at the time of contract will probably be necessary, as it may be impossible at the time of collection (for example, collection by web spiders).
If the person whose personal information is collected has no relevant contractual relationships (for example, a person whose machine address is disclosed as the location of a digital work) then there will be no consent to collection and no contract, so justification for collection may be more difficult to provide.
Secondary uses, particularly marketing uses, are analysed by Bygrave and Koelman[104], who note a number of European provisions which could have a significant effect on DRMS operations.
In relation to automated processing A15(1) of the EU privacy Directive gives persons the right not to be subject to decisions based on automated processing which evaluates information about the personality of the data subject for the purpose of decisions which may have a significant effect on the person[105]. If a CPT terminated the useability of a digital work because of automated processing of information about breaches or expiry of a licence, it could be caught if the information processed included personal information. The processing would have to be shown to be done pursuant to a contract, and even then would have to be within the data subject's reasonable expectations. There is no equivalent protection against automated processing in the Australian or Hong Kong legislation.
Germany's Teleservices Data Protection Act prevents the aggregation in an identifiable form of personal information relating to the use of several teleservices by one user (s4). Such a restriction would significantly limit the secondary uses of DRMS information. There is no direct equivalent in the Australian or Hong Kong legislation, but it could be questioned whether such aggregation is in itself a legitimate purpose of collection.
Issues arising from this include the effect of data export prohibition requirements, the possible extra-territorial operation of data protection laws, and questions of conflict of laws. Only the first is discussed here.
As is well known, the EU data protection Directive[106] requires European privacy laws to include data export prohibitions. In many instances the exceptions in Article 26 of the EU privacy Directive will apply[107], but there are likely exceptions such as collection by web spiders and other situations where CPT may operate outside contractual relationships.
NPP 9 in the Australian Act prohibits personal data exports to recipients in foreign countries unless one or more exceptions apply. Exceptions are made where the transferor 'reasonably believes' the recipient is 'subject to a law, binding scheme or contract' which effectively upholds principles substantially similar to the NPPs, where 'the individual consents to the transfer', where the transfer is pursuant to certain contract or pre-contractual negotiation, where the transfer is for the individual's presumed benefit (and it is impractical to obtain consent), and where the exporter has taken 'reasonable steps' to ensure that the information will not be 'held, used or disclosed' contrary to the NPPs.
The data export prohibition in the Hong Kong Ordinance (s33) is the only section not yet in operation[108]. Its provisions are similar to the Australian NPP 9, but stricter in many respects. The Hong Kong provision only recognises foreign laws, not schemes or contracts. This is particularly important given that the United States (the likely home of many DRMS) does not have privacy legislation but relies upon a voluntary 'Safe Harbor' scheme[109]. It only exempts consent 'in writing', therefore excluding arguments that consent might be implied by conduct. It does not exempt various types of contracts and negotiations (except insofar as they involve written consent). It requires the exporter to take not only 'reasonable precautions' but also to exercise due diligence to ensure that the data will not be 'collected, held, processed or used' (not only 'held, used or disclosed' as in Australia) in ways that would be contrary to the Ordinance. The Australian provision is a 'watered down' version of the Hong Kong provision, but it is in force.
In those situations where personal information is transferred to another jurisdiction via Internet as part of a DRMS, data export provisions could be breached (only in Australia as yet). However, as discussed above (under 'Is DRMS data "personal information"?') there may be situations where the transfer of DRMS data does not constitute 'personal information' or 'personal data' and therefore falls outside the scope of data protection laws, even though the transfer is effective to facilitate the DRMS to react to the situation on an individual basis.
Several factors could serve to hinder the large-scale implementation of privacy-invasive DRMS. Such systems might be marginalised by market mechanisms - for example, strong consumer preferences for privacy, combined with competition between copyright-holders to satisfy these preferences. The take-up of privacy-invasive DRMS might also be hindered by difficulties in achieving standardisation and compatibility of technological measures. It is therefore difficult to determine what privacy protections are needed. At the same time, legislation is now giving pro-active protection to CPT and DRMS, through anti-circumvention and RMI laws, so it is too late to do nothing. We need to make the best effort we can to ensure that a balance is maintained (or more likely, restored) between the protection of property and the protection of privacy.
To restore this balance, some of the changes that need to be considered in Australia and (to a lesser extent) in Hong Kong are as follows:
[1] Almost always attributed (without any source) to Stewart Brand, Electronic Frontier Foundation Board member, and founder of the Whole Earth Catalog and the WELL. See later concerning the full quote.
[2] See Part II of Greenleaf 1998.
[3] Barlow 1993
[4] 'Digital works' is used loosely in this article to refer to any digital artefact that could embody copyright subject matter.
[5] 'Code Replacing Law: Intellectual Property' in Lessig 1998
[6] There is no widely-accepted terminology for individual technologies that protect digital content. I use 'CPT' to refer to 'content protecting technologies' rather than 'copyright-protecting', because they protect content which copyright does not protect.
[7] DRMS were also known as electronic copyright management systems ('ECMS'), but DRMS is the more current terminology.
[8] One list of famous quotes adds 'Among others. No telling who really said this first.' - <http://world.std.com/~tob/quotes.htm>. However, John Perry Barlow insists (though he still doesn't give a source) that the full version of Brand's quote is: 'Information wants to be free -- because it is now so easy to copy and distribute casually -- and information wants to be expensive -- because in an Information Age, nothing is so valuable as the right information at the right time.' (Barlow, in an Atlantic Monthly Roundtable - at <http://www.theatlantic.com/unbound/forum/copyright/barlow2.htm>). I'll stick to my imaginary version.
[9] The following description was largely true in relation to the 'end users' of copyright artefacts, consumers, but was less true of various categories of intermediaries who licensed the uses of copyright works.
[10] See Bygrave and Koelman 1998 [5.2] for examples.
[11] Bygrave and Koelman 1998 Chapter 5 stresses this reason, giving too little weight to the factors mentioned earlier.
[12] As Bygrave 2001 notes, part of the function of privacy laws is to protect 'the incentive to participate in a democratic, pluralist society by securing the privacy, autonomy and integrity of individuals'.
[13] The summary of these arguments on which this is based is from Bechtold 2001, part 6.1.1
[14] The conclusion reached by Bechtold 2001.
[15] Kelly 1997
[16] Apple's iMusic software and its use of the CDDB database is one example.
[17] The following analysis is influenced most strongly by Bechtold 2001, though many other authors have argued similarly. Bechtold adds the emphasis on technology licensing of hardware manufacturers to previous analyses. I have generalised the approach he takes at a number of points.
[18] A contract entered into by the consumer being required to agree to contractual terms, by clicking an 'I agree' button with a mouse, before the consumer can access the digital work; see ProCD, Inc v Zeidenberg, 86 F.3d 1447 (7th Cir. 1996) for the most significant US decision.
[19] See Bechtold 2001, part 3 and part 5.1.2 for a summary of this argument.
[20] Bechtold 2001, part 4
[21] Bechtold 2001, part 8
[22] Koelman and Helberger 1998, part 2
[23] This summary draws on discussions in the following articles: Koelman and Helberger 1998; Clarke and Dempsey 1999; Stefik 1997; Cohen 1997a; IFRRO
[24] For example, works protected by Softlock are freely copyable and partially readable 'demos', but become full-featured once a password is purchased. They automatically revert to demos when copied to another machine. Softlock's advertisement says: 'turn pirates into distributors.' (Was on <http://www.softlock.com/> June 1998, now deleted.)
[25] See Cox 1994.
[26] See Stefik 1997, Stefik 1999
[27] Mann 1998
[28] "A cookie is information that a Web site puts on your hard disk so that it can remember something about you at a later time." (from Whatis?com definition) - see <http://searchSecurity.techtarget.com/sDefinition/0,,sid14_gci211838,00.html>.
[29] "A Web bug is a file object, usually a graphic image such as a transparent one pixel-by-one pixel GIF, that is placed on a Web page or in an e-mail message to monitor user behavior, functioning as a kind of spyware. Unlike a cookie, which can be accepted or declined by a browser user, a Web bug arrives as just another GIF on the Web page. A Web bug is typically invisible to the user because it is transparent (matches the color of the page background) and takes up only a tiny amount of space." - (from Whatis?com definition) - see <http://searchWebManagement.techtarget.com/sDefinition/0,,sid27_gci341290,00.html>.
[30] International Federation of Reproduction Rights Organisations (IFRRO) - see <http://www.ifrro.org/>.
[31] Was on Australia's Cultural Network site at <http://www.acn.net.au/resources/ip/ecms.htm>, but now deleted.
[32] In Europe the Imprimatur project, sponsored by the European Commission, developed the Imprimatur Business Model. Bygrave and Koelman describe the actors and inter-relationships in the model (Bygrave and Koelman 1998, p3):
In brief, the role of the creation provider (CP) is analogous to that of a publisher; ie, he/she/it packages the original work into a marketable product. The role of the media distributor (MD) is that of a retailer; ie, he/she/it vends various kinds of rights with respect to usage of the product. The role of the unique number issuer (UNI) is analogous to the role of the issuer of ISBN codes; ie, it provides the CP with a unique number to insert in the product as microcode so that the product and its rights-holders can be subsequently identified for the purposes of royalty payments. The role of the IPR database provider is to store basic data on the legal status of the products marketed by the MD. These data concern the identity of each product and its current rights-holder. The main purpose of the database is to provide verification of a product's legal status to potential purchasers of a right with respect to usage of the product. As such, the IPR database is somewhat similar in content and function to a land title register. The role of the monitoring service provider (MSP) is to monitor, on behalf of creators/copyright-holders, what purchasers acquire from MDs. Finally, the certification authority (CA) is intended to assure any party to an ECMS operation of the authenticity of the other parties whom he/she/it deals. Thus, the CA fulfils the role of trusted third party (TTP).
[33] Bygrave and Koelman 1998 at p7.
[34] Gervais 1998
[35] "A DOI (digital object identifier) is a permanent identifier given to a Web file or other Internet document so that if its Internet address changes, users will be redirected to its new address. You submit a DOI to a centrally-managed directory and then use the address of that directory plus the DOI instead of a regular Internet address. The DOI system was conceived by the Association of American Publishers in partnership with the Corporation for National Research Initiatives and is now administered by the International DOI Foundation. Essentially, the DOI system is a scheme for Web page redirection by a central manager." - (from Whatis?com definition) - see <http://whatis.techtarget.com/definition/0,,sid9_gci213897,00.html>
[36] "Functionally, a PURL is a URL. However, instead of pointing directly to the location of an Internet resource, a PURL points to an intermediate resolution service. The PURL resolution service associates the PURL with the actual URL and returns that URL to the client. The client can then complete the URL transaction in the normal fashion. In Web parlance, this is a standard HTTP redirect." (from PURL Home Page) - see <http://www.purl.org/>
[37] Dublin Core, US MARC, INDECS Project, Stanford Digital Library Metadata Architecture, BIBLINK/NEDLIB
[38] Julie Cohen, speaking mainly of the IFRRO's notion of an ideal DRMS, concludes (Cohen, 1996):
These capabilities, if realized, threaten individual privacy to an unprecedented degree. Although credit-reporting agencies and credit card providers capture various facets of one's commercial life, CMS raise the possibility that someone might capture a fairly complete picture of one's intellectual life.
Reading, listening, and viewing habits reveal an enormous amount about individual opinions, beliefs, and tastes, and may also reveal an individual's association with particular causes and organizations. Equally important, reading, listening, and viewing contribute to an ongoing process of intellectual evolution. Individuals do not arrive in the world with their beliefs and opinions fully-formed; rather, beliefs and opinions are formed and modified over time, through exposure to information and other external stimuli. Thus, technologies that monitor reading, listening, and viewing habits represent a giant leap--whether forward or backward the reader may decide--toward monitoring human thought. The closest analogue, the library check-out record, is primitive by comparison. (And library check-out records are subject to stringent privacy laws in most states.) (footnotes omitted)
[39] Bygrave and Koelman, 1998, while not opposed to DRMS, stress that the surveillance dangers are one of the most significant obstacles to their acceptable operation:
... such systems could facilitate the monitoring of what people privately read, listen to, or view, in a manner that is both more fine-grained and automated than previously practised. This surveillance potential may not only weaken the privacy of information consumers but also function as a form for thought control, weighing down citizens with "the subtle, imponderable pressures of the orthodox", and thereby inhibiting the expression of non-conformist opinions and preferences. In short, an ECMS could function as a kind of digital Panopticon. The attendant, long-term implications of this for the vitality of pluralist, democratic society are obvious.
[40] Gervais 1998 describes the role of pseudonymity in the proper operation of DRMS:
A related issue is how to identify individual digital copies (which presumably have been sold to a specific user), without creating a risk to privacy or confidentiality. If indeed individual copies are identified, using a watermark containing a transaction code for instance, a viable solution could be to number individual copies, without including data identifying the user who "ordered" the copy in question. Copy numbers could be linked, in a secure database, to the individual users. Should there be a good reason to make the link between the copy number and the user -- for instance, under court order -- that link could be made. The role of trusted third parties acting as aggregators of usage data might be especially important to users. An aggregator or collective management organization using an electronic copyright-management system could thus maintain the confidentiality of the link (if any) between a given copy delivered on-line and a specific user. The content owner would receive with the payment for use of his works a report on the number of uses, possibly with an indication of the type of users concerned, but no information about individual users. Without this type of confidentiality guarantee, it may be very difficult for electronic copyright commerce to prosper. In other words, properly tuned electronic copyright-management systems that aggregate data so as to protect privacy and confidentiality are probably essential ingredients of the success of electronic copyright commerce.
[41] Gervais, 1998, a proponent of DRMS, emphasises the crucial role that DRMS intermediaries (such as MSPs and CAs in the Imprimatur model) will have in the protection of privacy:
An electronic copyright-management system does not in and by itself protect privacy, but it is probably the best tool to do so. If the rules under which the electronic copyright-management system operates are correctly designed, the system would return to rights holders aggregated information on use of his/her works. For example, the system could say that clearance was granted to use "Scientific Article X" to "11 pharmaceutical companies in the last month", or that "2,345 users in this part of Chicago" downloaded a given musical work. The rights holder thus gets market data without violating anyone's confidentiality or privacy. Even now the Copyright Clearance Center in the U.S. does not report to rights holders which articles from medical or scientific journals are used by individual users (eg., pharmaceutical companies). It only tells rights holders how often a work was used by, say, the pharmaceutical industry as a whole. Most collective management organizations aggregate information in this way and this is perhaps a function whose value has thus far been underestimated by users.
[42] Lessig 1998, at `Code Replacing Law: Intellectual Property'. Lessig also notes extensive argument in the USA as to whether "the fair use exceptions to copyright protection are not affirmative rights against the copyright holder, but instead the consequence of not being able to efficiently meter usage. Once that technical limitation is erased, then so to would the fair use rights be erased".
[43] Lessig 1998, at `Code Replacing Law: Contracts'.
[44] They are also an instance of laws facilitating surveillance which we can describe as 'data surveillance law'.
[45] Koelman and Helberger 1998, part 3.1 note a number of US, UK and EU provisions which deal only with some types of circumvention, or specific types of works.
[46] The WIPO Performances and Phonograms Treaty A 18 is a very similar provision, but the discussion in this paper will only refer to the WCT A 11.
[47] See Commonwealth Attorney-General's Discussion Paper The Digital Agenda (1998) `Part 5 - Proposed scheme for new technological measures and rights management information provisions' - <http://law.gov.au/publications/digital.htm#anchor1565870>. See also Speech by Attorney-General D Williams 'Copyright and the Internet: New Government reforms' para 35, 30 April 1998, Murdoch University - <http://law.gov.au/articles/copyright_internet.html>.
[48] Proposed European Commission (EC) Directive on the harmonisation of certain aspects of copyright and related rights in the Information Society - see Articles 6 and 7 - now Directive 2001/29/EC
[49] Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (O.J. L 167, 22.6.2001, p. 10 et seq.); for analysis, see Bygrave 2001 and Koelman 2000.
[50] Section 116A(1) sets out the scope of the right:
s116A(1) Subject to subsections (2), (3) and (4), this section applies if:
(a) a work or other subject-matter is protected by a technological protection measure; and
(b) a person does any of the following acts without the permission of the owner or exclusive licensee of the copyright in the work or other subject-matter:
(i) makes a circumvention device capable of circumventing, or facilitating the circumvention of, the technological protection measure;
(ii) sells, lets for hire, or by way of trade offers or exposes for sale or hire or otherwise promotes, advertises or markets, such a circumvention device;
(iii) distributes such a circumvention device for the purpose of trade, or for any other purpose that will affect prejudicially the owner of the copyright;
(iv) exhibits such a circumvention device in public by way of trade;
(v) imports such a circumvention device into Australia for the purpose of: [OMITTED];
(vi) makes such a circumvention device available online to an extent that will affect prejudicially the owner of the copyright;
(vii) provides, or by way of trade promotes, advertises or markets, a circumvention service capable of circumventing, or facilitating the circumvention of, the technological protection measure; and
(c) the person knew, or ought reasonably to have known, that the device or service would be used to circumvent, or facilitate the circumvention of, the technological protection measure.
[51] s10 defines 'circumvention device':
circumvention device means a device having only a limited commercially significant purpose or use, or no such purpose or use, other than the circumvention, or facilitating the circumvention, of an effective technological protection measure.
[52] Section 10 defines 'circumvention service':
circumvention service means a service, the performance of which has only a limited commercially significant purpose, or no such purpose or use, other than the circumvention, or facilitating the circumvention, of an effective technological protection measure.
[53] References following are to the Copyright Ordinance Cap 528.
[54] Australian Video Retailers Association Ltd v Warner Home Video Pty Ltd [2001] FCA 1719
[55] It seems unlikely that an implied licence would still operate under circumstances of attempted circumvention.
[56] Section 23(6) 'Copying in relation to any description of work includes the making of copies which are transient or are incidental to some other use of the work.'
[57] Sections 60-61 Hong Kong and ss47AB - 47H Australia
[58] The scope of the 'computer crime' laws of Australia and Hong Kong is not covered in this article.
[59] Koelman 2000
[60] I am indebted to John McPhail on this point: personal communication on file with author.
[61] If a device is intended to protect copyright works, but is in fact quite ineffective to do so, is it still a 'technological protection measure'? This does not matter because, following the WTO Treaty, there is only a 'circumvention device' if it has the purpose of circumventing an 'effective technological protection measure' (s10 definition of 'circumvention device').
[62] See s116A(3)-(4A) and (7)-(9). There is a separate national security exemption in s116A(2).
[63] Compare Cohen 1996 Part V 'The First Amendment Case Against the Proposed Anti-Tampering Law'
[64] cf Koelman 2000, 'Preparatory activities'
[65] For a review and current status of all of the 'DeCSS cases' see the 'OpenLaw: Open DVD' forum at <http://eon.law.harvard.edu/openlaw/DVD/> (Berkman Centre, Harvard Law School).
[66] A16(3), s8 Hong Kong Bill of Rights, Bill of Rights Ordinance (Cap 383)
[67] McLean and Flahvin 2001
[68] "The files you automatically request by looking at a Web page are stored on your hard disk in a cache subdirectory under the directory for your browser (for example, Internet Explorer). When you return to a page you've recently looked at, the browser can get it from the cache rather than the original server, saving you time and the network the burden of some additional traffic." (from Whatis?com definition of 'cache') - see <http://searchWebManagement.techtarget.com/sDefinition/0,,sid27_gci211728,00.html>
[69] The Robot Exclusion Protocol is observed voluntarily by most commercial web spiders - see A Standard for Robot Exclusion - <http://www.robotstxt.org/wc/norobots.html>, and `A Method for Web Robots Control' (an `Internet Draft', a working document of the Internet Engineering Task Force, 1996, expired June 1997) - <http://www.robotstxt.org/wc/norobots-rfc.html>. Site administrators have the technical capacity to exclude specific robots from their site compulsorily if they do not obey the Protocol.
[70] Bygrave 2001 says the Directive 'provides no obvious answer'.
[71] See US Code Title 17 Sec 1201(i) Protection of Personally Identifying Information, providing that it is not a breach to circumvent 'the capability of collecting or disseminating personally identifying information reflecting the online activities of a natural person' if the following conditions are satisfied:
"(a) the access controls collect or disseminate information about the online activities of a person; (b) conspicuous notice about this information processing is not given; (c) the data subject is not provided the ability to prevent the information being gathered and disseminated; and (d) the disabling of the controls has the sole effect, and is solely for the purpose, of preventing the collection and dissemination."
[72] s132(5D) provides:
(5C) A person must not remove or alter any electronic rights management information attached to a copy of a work or other subject-matter in which copyright subsists, except with the permission of the owner or exclusive licensee of the copyright, if the person knows, or is reckless as to whether, the removal or alteration will induce, enable, facilitate or conceal an infringement of the copyright in the work or other subject-matter.
[73] Though the Australian provision conjoins (a)(i) and (a)(ii) with 'and', not 'or'.
[74] WIPO Performances and Phonograms Treaty
[75] s274(3) References in this section to rights management information means-
(a) information which identifies the work, the author of the work, the owner of any right in the work, the performer, or the performance of the performer;
(b) information about the terms and conditions of use of the work, the person having fixation rights in relation to the performance, or the performance; or
(c) any numbers or codes that represent such information,
when any of these items of information is attached to a copy of a work or a fixed performance or appears in connection with the making available of a work or a fixed performance to the public.
[76] Bygrave and Koelman 1998 at p53
[77] cf Bygrave and Koelman 1998 at p53
[78] See US Code Sec 1202 Integrity of copyright management information, providing that 'copyright management information' includes 'terms and conditions for use of the work' and 'such other information as the Registrar of Copyrights may prescribe by regulation, except that the Registrar of Copyrights may not require the provision of any information concerning the user of a copyright work'.
[79] Bygrave and Koelman 1998 at p53; see also Koelman 2000
[80] New Zealand and Canada are the other significant examples.
[81] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (O.J. L 281, 23.11.1995, p. 31 et seq.)
[82] See Bygrave and Koelman, 1998, particularly Chapter 2; Koelman, 2000; and Bygrave 2001.
[83] Froomkin 1999
[84] Cohen 1996
[85] In many other countries, there is likely to be less reluctance to interfere in 'private orderings' of transactional relationships concerning intellectual property by legislation, for example by compulsory licensing schemes. Even in the USA, compulsory terms in such contractual relationships are not so unusual. William W Fisher stresses that compulsory terms in contracts are not at all unusual in the USA, and proposes a set of such compulsory contractual terms for contracts concerning intellectual property rights: see Fisher 1998.
[86] Froomkin 1999
[87] Section 2 defines 'personal data':
'"personal data" means any data- (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable' (s2)
[88] Greenleaf 1996
[89] Bygrave and Koelman at p14
[90] See Greenleaf 1998, Part F 'Stopping Searching - Robot Exclusion Standards' for discussion.
[91] See for example Greenleaf 1999a; Weinberg 2000.
[92] Its Australian origins lie in Principle 10 of the Australian Privacy Charter (1994): `People should have the option of not identifying themselves when entering transactions' (see Australian Privacy Charter Council (1994) Australian Privacy Charter - at <http://www.anu.edu.au/people/Roger.Clarke/DV/PrivacyCharter.html>). In 1998 the Australian Privacy Commissioner's National Principles for the Fair Handling of Personal Information included Principle 8 as now appears in the Act (with 'should' in place of 'must').
[93] See below
[94] There is debate within the European Commission as to whether it is implied by the Directive (personal communication with Lee Bygrave); see Bygrave 2001 for discussion
[95] Schedule 1
[96] `s4(1) The provider shall offer the user anonymous use and payment of teleservices or use and payment under a pseudonym to the extent technically feasible and reasonable. The user shall be informed about these options.'
[97] Article 29 Committee 1997a; They recommend that where appropriate the 'minimum necessary collection' principle 'should specify that individual users be given the right of anonymity'. A surprising limitation of the Working Party's approach is that it does not adequately distinguish anonymity and pseudonymity, nor pursue the extent to which pseudonymity should be offered where anonymity is not practicable. The following main conclusions are relevant here:
* The ability to choose to remain anonymous is essential if individuals are to preserve the same protection for their privacy on-line as they currently enjoy off-line.
* Anonymity is not appropriate in all circumstances. Determining the circumstances in which the 'anonymity option' is appropriate and those in which it is not requires the careful balancing of fundamental rights, not only to privacy but also to freedom of expression, with other important public policy objectives such as the prevention of crime. ...
* Wherever possible the balance that has been struck in relation to earlier technologies should be preserved with regard to services provided over the Internet.
* The ... purchase of most goods and services over the Internet should all be possible anonymously. ...
* Anonymous means to access the Internet (eg. public Internet kiosks, pre-paid access cards) and anonymous means of payment are two essential elements for true on-line anonymity.
[98] International Working Group on Data Protection in Telecommunications, 1999. For the importance of the distinction between anonymity and pseudonymity, see Clarke 1999 and Smith and Clarke 1999
[99] See Greenleaf 2001 for related discussion
[100] For discussion, see Bygrave and Koelman at p16-, also p 27
[101] February 1999. They have not yet been implemented. The recommendations are expressed as applying to 'internet hardware and software products'. It would be better if they also applied expressly to digital works, as the issues are the same, but it is straining language to call a digital artwork 'software'. I have substituted 'digital works' for 'software' in discussing them.
[102] Article 29 Committee 1999a
[103] See Greenleaf 1998
[104] Bygrave and Koelman p23
[105] See Bygrave 2000
[106] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (O.J. L 281, 23.11.1995, p. 31 et seq.)
[107] See Bygrave and Koelman pgs 29-31 for detailed analysis.
[108] Hong Kong appears to be waiting until it is clearer how the EU and its member States will interpret and enforce the data export provisions in the Directive.
[109] US Department of Commerce 'Welcome to the Safe Harbor' website <http://www.export.gov/safeharbor/>
[110] Bygrave 2001 Processing Of Personal Data - see 'Article 29 Committee'