Graham Greenleaf *
[This is a draft of a chapter for the book Lawrence Lessig -
Hochelaga Lectures 2002: The Innovation Commons Sweet & Maxwell
Asia, Hong Kong, 2003. Please cite the published version in any references
to this chapter. Footnotes appear at the end of the draft]
The author argues that privacy's relationship to copyright is that the right to experience intellectual works in private - free from surveillance - is part of the public domain aspect of copyright works (in Boyle's terms) or the creative commons (in Lessig's terms).
The development of content-protection technologies (CPT) and digital rights management systems (DRMS), despite their benefits to rights holders, poses many dangers to the protection of privacy, which some have said could mean an end to the privacy of reading. Hong Kong and Australia are two of the earliest jurisdictions in the world with laws implementing the anti-circumvention and rights management information (RMI) protection provisions arising from the WIPO Copyright Treaty 1996 (WCT). They are also two of the few jurisdictions outside Europe with privacy (data protection) laws applying to the private sector. These two jurisdictions, therefore, give two of the best illustrations of the tensions now arising between copyright and privacy: property versus privacy. In this article, the author explores how CPT and DRMS affect privacy, how existing data protection and privacy laws affect the operation of CPT and DRMS, and whether laws against copyright circumvention devices and interference with RMI prevent privacy protection. The author concludes that privacy could now be unduly prejudiced in favour of property, and suggests reforms which may help restore the balance. The first decision on the Australian provisions, Sony v Stevens FCA 906, also indicates that the Courts may be interpreting anti-circumvention provisions narrowly, avoiding some of their dangers to privacy.
- 1. Property Versus Privacy
- 2. Anonymity and Privacy - Traditional IP Rights
- 3. Technologies and Systems for Copyright Protection
  - 3.1. Pervasive networking of digital artifacts
  - 3.2. CPT
  - 3.3. DRMS
- 4. Privacy and Related Issues in CPT and DRMS
- 5. Laws Against Circumvention - Beyond Copyright?
  - 5.1. The WCT and WPPT
  - 5.2. Hong Kong and Australia as examples of implementation
  - 5.3. Anti-circumvention - Australian and Hong Kong provisions
  - 5.4. Anti-circumvention: analysis of the provisions
    - Will users be liable, even though the act of circumvention is not a breach?
    - "Upstream" prohibitions can make user rights meaningless
    - Effects much broader than preventing copyright breaches
    - Defences effectively removed in Australia
    - Liability for publishing information about circumvention
    - Broad and ill-defined scope of devices covered
    - Unclear exemption for other commercial purposes
    - Surveillance of users' computers may be authorised
  - 5.5. Protection of rights management information (RMI) - Australia and Hong Kong
  - 5.6. RMI: Analysis
    - Identifying information can be RMI
    - Information transmitted is not RMI
    - RMI does not include information about actual usage
    - "Self-help" for privacy protection is not allowed
  - 5.7. Conclusions - the cumulative effect of anti-circumvention and RMI on privacy
- 6. The Effects of Privacy Laws on Technical Protection of IP
  - 6.1. Is DRMS data "personal information"?
  - 6.2. Anonymity and pseudonymity as privacy rights
  - 6.3. Limits on collection
  - 6.4. Limits on use and disclosure
  - 6.5. Data export prohibitions, extra-territorial operation, and conflicts
- 7. Restoring the Balance - Do We Need Protection from Copyright?
  - 7.1. What can privacy officials do?
  - 7.2. "Rolling back" anti-circumvention and RMI laws
  - 7.3. Preserving rights against contracts
- 8. Copyright and Privacy: An Ongoing Tension
The reverse process is now underway: technical protection of IP in cyberspace (ie over networks) may protect property interests in digital works4 more comprehensively than has ever been possible in physical space, and destroy many public interest elements in IP law in the process. In the worst scenarios, the surveillance mechanisms being developed to do this may also bring about the end of the anonymity of reading. Privacy is one of the interests threatened.
In criticising Barlow, Lessig observed that infinite copies could only be made if "the code permits such copying", and questioned why the code (software and other aspects of the technical architecture of cyberspace) could not be changed to make such copying impossible.5 For IP, this architecture involves content-protecting technologies (CPT)6 and digital rights management systems (DRMS).7 IP has become one of the areas where cyberspace architecture is said to be replacing law as the most effective method of protecting interests. However, the new adjuncts to IP law discussed in this paper (laws against circumvention devices and laws protecting rights management information (RMI)) are part of this change. Contract law is also a vital part of the new paradigm for protection of digital content. The process is one of law being partly replaced by technology, but with new and different forms of law supporting the protection by technology and vice versa.
DRMS and CPT have many legal implications, but this paper only focuses on their effect on privacy and their relationship to privacy laws. It explores what protections are found in information privacy laws against surveillance by digital works, their interaction with these new adjuncts to IP laws, and the extent to which privacy laws may need to be strengthened to help provide a reasonable balance between privacy and the protection of IP.
These tensions between property and privacy are illustrated by the laws of Hong Kong and Australia, because they are two of the earliest jurisdictions in the world to implement the anti-circumvention and RMI protection provisions arising from the WIPO Copyright Treaty 1996 (WCT), and because they are also two of the few jurisdictions outside Europe with privacy (data protection) laws applying to their private sectors. Their laws illustrate the tensions now arising between copyright protection and the protection of privacy: property versus privacy.
Perhaps we have only received a fragment of Brand's8 aphorism: is it really "Information wants to be free ... but it wants to you under surveillance"?
James Boyle argues15 against what he and others describe as a "second enclosure movement", the use of a combination of technology, contracts and legislation by intellectual property maximalists to eliminate those aspects of common property found in intellectual property, just as the first enclosure movement eliminated common property in land. Now, as then, there is supposed to be a "tragedy of the commons" which justifies this enclosure. Boyle (like others) argues that the economics on which arguments for greater intellectual property rights are based are very dubious: "the idea that we must inevitably strengthen rights as copying costs decline just doesn't hold water". The "tragedy" is at best "not proven".
However, it is Boyle's next step, when he asks "what is the alternative to the second enclosure movement?" and answers "the construction of the public domain",16 that is most relevant here. Boyle admits it sounds paradoxical, but argues that "protection of the commons was one of the fundamental goals of intellectual property law". He argues, following David Lange,17 that what is now needed, to counter the ideology of the intellectual property maximalists, is a positive articulation of the role of the public domain in intellectual property.18 He argues that the "public domain" in intellectual property should not be construed solely as works that are completely unprotected (often by expiry of the copyright term), but should also be construed to include those "aspects of works which are unprotected". He endorses Litman's definition of the public domain as "a commons that includes those aspects of copyrighted works which copyright does not protect".19 The task of redefining the public domain in intellectual property is attracting the attention of many scholars.20
The idea of defining copyright partly in terms of its exceptions is shared by some official bodies. Australia's Copyright Law Review Committee "recognises that the exclusive rights of copyright are partly defined by the exceptions, in that the rights only exist to the extent that they are not qualified by the exceptions" and considers that "the principal exceptions, such as those for fair dealing, are fundamental to defining the copyright interest".21 As we will see, the Committee has proposed protections of the copyright public domain against encroachments by contract law based on this approach.
The boundaries of what is the public domain are contested, even by those scholars who argue for a positive and expansive view. For example, Benkler would exclude those aspects of fair use that can only be ascertained to apply in a particular case after a detailed factual enquiry.22 Another area of potential dispute is the use of those copyright works where copying (or other protected use) is permissible on payment of a compulsory licence fee. Boyle thinks this is included.23 We could consider refining the analysis by saying that the extent to which a work subject to a compulsory licence is in the public domain depends on the extent to which the fee for the licence is set by a public body and for reasons of public interest, as distinct from set by the owner solely on private interest considerations.
These more expansive notions of public domain intersect with Lessig's notion of a commons as a resource that is "free" for all to use, not necessarily at zero cost, "but if there is a cost, it is a neutrally imposed, or equally imposed cost".24 If we include Lessig's notion of "commons" as part of the public domain, then as Boyle suggests,25 this approach answers the question of how the "free software" and open source software movements become part of the public domain. The use of source code under these paradigms does have a "price of admission", acceptance of the conditions of the General Public License (GPL), and so is based on existence of copyright. But it is a price that is equally open for all to pay, and it clearly does constitute an effective creativity-inducing part of the digital commons. As Boyle summarises, a new dividing line for the public domain is between "the realm of individual control and the realm of distributed creation, management and enterprise", whereas the old distinction was between what was property and what was not (the "free"). "Public domain", like property itself (including intellectual property), starts to resemble a bundle of rights and privileges. Alternatively, in Boyle's paraphrase of Holmes' realist vision, "predictions of what the public can do freely and nothing more pretentious".26
A further extension of the approach of the "public domain movement" is that the limitations of copyright law which serve to protect privacy, sketched in the previous section, can be considered as part of the public domain and of the creative commons. In this introduction, only a few pointers toward this conclusion can be given. We expect to be able to maintain our anonymity when we pay for copyright works (at least unless there are strong justifications to the contrary). We expect to be able to experience the use of copyright works free from surveillance, even though we pay for them. We expect that the copyright owner's control or monitoring of uses of works will be limited to specific statutory rights once we have paid (the "first sale" doctrine). We extend our expectation of use in private to the fair uses for which we have not paid. All of these expectations are consistent with a theory of public domain no longer tied to the "free". All of these private uses are essential to the limits that must be placed on copyright if we are to have a creative commons, or a democratic society. Surveillance is inimical to creativity. We cannot expect people to "stand on the shoulders of giants"27 to create in the full glare of spotlights.
Our traditional bundle of rights (or privileges) to enjoy works in private is no accident. It is a feature, not a bug. Including it in a reconceptualisation of the public domain will provide a positive justification for its continued protection. The balance of this article explores how technology protecting copyright works, and laws protecting that technology, are endangering this aspect of the public domain.
"the trajectory is clear. We are connecting all to everything. ... As we implant a billion specks of our thought into everything we make, we are also connecting them up. Stationary objects are wired together. The nonstationary rest - that is, most manufactured objects - will be linked by infrared and radio, creating a wireless web vastly larger than the wired web. It is not necessary that each connected object transmit much data. A tiny chip plastered inside a water tank on an Australian ranch transmits only the telegraphic message of whether it is full or not. A chip on the horn of each steer beams out his pure location, nothing more: `I'm here, I'm here.' The chip in the gate at the end of the road communicates only when it was last opened: `Tuesday.'"
Pervasive networking enables a trend toward artifacts that report back through these digital networks to some central monitoring point about their location, current state or prior usage, often in a way which allows that information to be correlated, more or less reliably, with the actions of individual people. Artifacts are often built with surveillance capacities enabled in default, sometimes with an "opt-out" capability.
To see that many digital artifacts do live in a networked world is simple enough. Many people now have Internet connections active whenever they are using their computers. Every program, document or other file on their computer is then (in theory) capable of communicating with anywhere else on the Internet, such as the computer system of its copyright owner or of an intermediary in a DRMS. Furthermore, many digital artifacts have their full utility only when their users are on-line. An obvious example is that word processing documents are now created routinely with live hypertext links, so that the document is interactive if opened when the user's personal computer (PC) is on-line, but not otherwise. Another example is software for playing recorded music which, when a music compact disc (CD) is inserted in a PC, automatically checks an Internet database to obtain the title and other details of all the tracks on the CD.29 The telecommunications infrastructure for digital artifacts to exercise surveillance is, therefore, an increasingly pervasive part of our computer use.
Many hardware devices used to present digital content are not yet networked (at least not so as to allow two-way communication), including most CD and digital video disc (DVD) players, and televisions. However, the range of hardware devices used for presenting content with wired or wireless communications capacities is growing rapidly, including mobile phones and personal digital assistants (PDAs). This article concentrates on digital content which is already part of the increasingly pervasive networking, because that is where the privacy issues are most acute.
On-line surveillance through the use of "cookies"30 and "web bugs"31 (single pixel gifs) has already become a contentious privacy issue, but these examples relate more to marketing uses of our browsing habits than to the conditions of use of IP.
Our rights to limit surveillance via artifacts will become one of the key privacy issues for the start of this century, with surveillance by digital works likely to be one of the most contentious and common examples.
The three types of parties are:
The same paradigm is being used to protect content which is not protected by copyright law, including the items of content in a database and works which are in the public domain.
Most aspects of the very complex legal issues raised by the combinations
of these various protective measures are beyond the scope of this article,
which focuses only on the relationship between privacy protection and two
of these elements (technological measures and technology protection laws).
These CPT can be categorised in various ways. Koelman and Helberger
distinguish those that control access, those that control certain uses,
those that protect the integrity of a work and those that enable metering
of access and / or use.37 A report to the Canadian government38
distinguishes those that control access and those that control use, and
provides a range of other classifications and descriptions. For the purposes
of this article, some of the more important of the variety of CPT39
can be ranked in approximate order of their implications for privacy
(less to more):
DRMS may take many forms, depending in part on which combination of CPTs are employed. In addition, the business models which will become commercially successful are still emerging.
The "ideal aims" of a DRMS have been described (in a formulation more sympathetic to consumer and privacy rights than most product descriptions)45 as follows:
A description of one of the best-known early DRMS models, the European Imprimatur Project,46 illustrates how some fundamental changes to the way in which copyright currently operates would follow from the implementation of such a DRMS:
One of the key standards is for identification of digital works. Gervais48 described 11 competing standards, including a variety of media-specific identifiers, and more general proposals such as the Digital Object Identifier (DOI)49 and Persistent Uniform Resource Locators (PURLs).50 He also described five standards for metadata51 that (in the absence of one global identification system for digital works emerging) might provide a basis for interoperability between DRMS based around different numbering systems. DOI and PURL also have the potential to unify differing numbering systems without replacing them.
This babel of identifications for digital works is as yet slowing
down the development of networked DRMS, and this slow development buys
a limited amount of time for privacy protection to be developed.
Monitoring of reading and viewing habits poses the threat of a
"chilling effect" on freedom to read, think and speak. Cohen describes
it as "a giant leap ... toward monitoring human thought".52
Bygrave and Koelman argue that
"[t]he attendant, long-term implications of this for the vitality of pluralist, democratic society are obvious".53
The collection of information on reading and viewing habits creates risks of the misuse of personal information for secondary purposes, particularly, but not only, marketing purposes. These risks are amplified if those collecting personal information can aggregate data from our reading / viewing of different sources, so as to construct profiles. The use of reading / viewing information for marketing purposes is obvious. Non-marketing examples of unacceptable secondary uses are that researchers or lawyers do not want anyone to know what digital works they are consulting, and an author wanting permission to include an extract in an anthology or other collection does not want his or her publishing plans indirectly disclosed to rival publishers.
Minimising unnecessary identification is a significant issue. There is a need to maximise the use of CPT which allow anonymous transactions involving digital works, provided that in doing so we do not create worse problems of unfair contract enforcement (see below). Otherwise, when it is necessary for transactions to be potentially identifiable, pseudonymity needs to be used wherever possible54 to prevent the misuse of personal information for secondary purposes, and also to prevent a "chilling effect" on freedom to read, think and speak.
Intermediaries between users and rights owners will play a crucial
role in safeguarding and administering pseudonymity, and in aggregating
usage information for publishers and authors without interfering with user
privacy.55 Many CPT can be and will be used without any intermediaries
between the end-user of a digital work and the rights holder. "Disintermediation"
was one of the buzzwords of Internet business models. In its positive incarnations,
we think of recording artists or authors being able to sell directly to
their publics. Just as likely, publishing houses of various sorts
(still the rights holders) will do a far greater percentage of direct selling
to the public without the use of intermediaries such as booksellers.
On-line booksellers could also develop into intermediaries for digital
works in a DRMS model. The result is likely to be a mixture of delivery
models, but the point is that a lot of CPT and DRMS will be run directly
by publishing houses with lots of different products to shift and a strong
interest in secondary use of identified consumption data, or by booksellers
with a similar combination of interests. We will not always be "lucky"
enough either to have some central industry-based monitoring body standing
between consumers and publishers trying to act as an "honest broker", or
to be dealing directly with the author who has only his or her own product
to sell. Which business models succeed will have a significant effect on
The enforcement of such contracts is also unlike real space contracts,
Lessig points out,57 because whereas the law always takes into
account various public and private interests in determining the extent
and means by which contracts will be enforced, when contracts are self-enforced
by code (eg by the work suddenly becoming unusable) these public values
are not likely to be taken into account. We might add that when the law
enforces a contract, there is an independent assessment of whether there
has been a breach of the contract, whereas here the enforcement is automated
and unilateral, built into the architecture. If "code contracts" replace
law, these are not necessarily the same as "law contracts", and may not
be in the public interest. There is also likely to be an overlap with privacy
interests here, because of the surveillance involved in determining whether
there has been a breach.
Although often phrased in terms of protecting copyright, they are of broader significance as one means by which authors can protect an expanded set of rights beyond copyright through a combination of contracts, technology and surveillance.
"Contracting Parties shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention and that restrict acts, in respect of their works, which are not authorised by the authors concerned or permitted by law."
Article 12 of the WCT provides, in relation to RMI:
"(1) Contracting Parties shall provide adequate and effective legal remedies against any person knowingly performing any of the following acts knowing, or with respect to civil remedies having reasonable grounds to know, that it will induce, enable, facilitate or conceal an infringement of any right covered by this Treaty or the Berne Convention:
(i) to remove or alter any electronic RMI without authority;
(ii) to distribute, import for distribution, broadcast or communicate to the public, without authority, works or copies of works knowing that electronic RMI has been removed or altered without authority.
(2) As used in this Article, `rights management information' means information which identifies the work, the author of the work, the owner of any right in the work, or information about the terms and conditions of use of the work, and any numbers or codes that represent such information, when any of these items of information is attached to a copy of a work or appears in connection with the communication of a work to the public."
Article 18 of the WPPT is in almost identical terms.61
From the perspective of privacy protection, some of the questions we
need to ask are whether these provisions and their national legislative
implementations allow persons to:
In 1998, the Australian government announced its plans to ban commercial dealings in circumvention devices and to ban removal of RMI.62 The proposed amendments drew heavily on what was then the proposed European Commission (EC) Directive.63 The amendments to the Copyright Act 1968 (Cth) by the Copyright Amendment (Digital Agenda) Act 2000 have been in force since March 2001.
The Hong Kong SAR has provisions with the same intent in sections 273 to 274 of the Copyright Ordinance (Cap 528) which was enacted in 1997, shortly after the finalisation of the WCT.
The United States' Digital Millennium Copyright Act (DMCA) of
1998 has amended Title 17 of the US Code (dealing with copyright) to implement
the WCT. The EC Directive on Copyright in the Information Society, which
deals with anti-circumvention and RMI issues primarily in Articles 6 and
7, was passed in May 2001.64 Both are only mentioned briefly
by way of comparison, particularly where they take a different approach
to privacy-related issues.
A "technological protection measure" means (section 10):
" ... a device or product, or a component incorporated into a process, that is designed, in the ordinary course of its operation, to prevent or inhibit the infringement of copyright in a work or other subject-matter by either or both of the following means:
(a) by ensuring that access to the work or other subject-matter is available solely by use of an access code or process (including decryption, unscrambling or other transformation of the work or other subject-matter) with the authority of the owner or licensee of the copyright;
(b) through a copy control mechanism."
Where section 116A applies, the copyright owner may obtain an injunction, damages (including additional damages) or an account of profits (section 116D). There is also a criminal offence where the same conditions as in section 116A are satisfied, but with a higher burden of proof ("reckless" rather than "ought reasonably to have known") and with the onus of proof on the Crown (sections 132(5A)-(5B)). A similar offence is created in relation to the operation of a "circumvention service" (sections 132(5C)-(5D)).
Sony v Stevens,69 a decision by Sackville J of the Federal Court of Australia, is the first decision interpreting section 116A, and one of the first decisions to interpret any anti-circumvention provisions outside the United States.70 The facts were that each CD-ROM containing PlayStation software contains an access code (an encrypted string of characters) created by burning the access code on the CD-ROM as a sector of data that cannot be copied by conventional copying devices.71 The string must be read by the BootROM located within a PlayStation console and recognised as the appropriate access code for that particular game. Access codes are also different for different areas of the world, so that consoles sold in Australia require an access code for a particular game sold in Australia which is different from the access code required for the same game as sold in the United States. The access code therefore has two functions, ensuring that both unauthorised copies of games (without any access code) and games purchased in another region (with a different region's access code) will not play on consoles. The defendants sold "mod chips" or "converter chips" which, when installed in a console, overrode the PlayStation's operating system to allow the console to load unauthorised games of either form. Sackville J held that Sony failed to establish that the copyright work embodied in the PlayStation software was protected by a "technological protection measure" and therefore it was not necessary to determine whether the "mod chips" were circumvention devices (though it is likely he would have so found). The decision limits the scope of section 116A significantly.
As in Australia, the conflict between Sony and the distributors of "mod chips" is the first example of a possible copy control mechanism to reach the Hong Kong courts. Hong Kong retailer Lik Sang has been sued by Microsoft, Sony and Nintendo in the High Court of Hong Kong72 who obtained an interim injunction against its sale of mod chips in September 2002.
However, it is misleading to think that users in Hong Kong and Australia will never be liable for acts of circumvention. The use of a circumvention device will involve liability for breach of copyright by the user, if it involves the making of an infringing reproduction ("copies" in Hong Kong terminology). This may occur in two ways.
First, many, if not most, digital works cannot be used without a transient copy of the work being made by the hardware device used to display the work, often in random access memory (RAM) of a computer, or its equivalent in other hardware devices. If these transient copies are infringing reproductions, then the user would be liable unless a defence applied (such as one of the fair use defences), the work was in the public domain, or an implied licence still applied.73
In Australia, although section 43A provides that the transient copying of a work (literary, dramatic, musical or artistic) which occurs during use is a reproduction, it is not an infringement if it is made "as part of the technical process of making or receiving a communication" (unless "the making of the communication is an infringement of copyright", this will not usually help). While this means that web browsing does not infringe copyright, it does not assist a user who is using a circumvention device because they are not usually "making or receiving a communication". However, the current case law holds that the transient copies held in RAM or equivalent in most situations will not constitute infringing copies. In Sony v Stevens, Sackville J held that the temporary storage of part of a computer program in the RAM of a computer (in this case a Sony PlayStation console) did constitute reproduction of a substantial part of the program, but since the reproduction was not in a "material form",74 it did not infringe copyright in the program. The definition of "material form" says it includes "any form ... of storage from which ... a substantial part of the work ... can be reproduced".
Sackville J considered that although "it might seem surprising that the reproduction in electronic or digital form of a computer program is not necessarily an infringement of copyright in the computer program", it is "plausible that the legislation is structured in this way as a means of balancing the interests of copyright owners and users" because if a work such as a computer program is reproduced in electronic or digital form, but is not amenable to further reproduction, it might well be thought too restrictive to regard that as an infringement.75 He considered that "if the legislation is not intended to render unlawful the mere use of a computer program, even one that is copied, but is intended to regard further copying of the program as an infringement, it may make sense to distinguish between use of the program in circumstances where it can be reproduced and in circumstances where it cannot".76 Here, the RAM of the PlayStation could not be reproduced, and there was no infringement by playing a game. Sackville J followed Australian Video Retailers v Warner Home Video Pty Ltd,77 which held that the transient copies produced by playing movies embodied in DVDs will not constitute a "copy" of a film under section 10. He considered that Microsoft Corporation v Business Boost Pty Ltd,78 which had held that loading computer programs into RAM constituted infringement, was only supportable on the basis that Tamberlin J could only have reached this conclusion on the basis that the program was reproducible from the RAM. The Australian position therefore currently favours the view that copying into RAM is not infringement, but as there appears to be judicial disagreement, the matter will not be settled until it goes to the Full Bench of the Federal Court.
In Hong Kong, section 65 provides that transient copies of every type of subject matter are not infringing if "technically required for the viewing or listening of the work by a member of the public to whom a copy of the work is made available", notwithstanding section 23 providing that such copies are infringements (section 23(6) says that "copying" includes making copies which are transient or incidental to other uses of the work). This implies that, provided a user has legitimately obtained a copy of a work, making a temporary copy of it for purposes of viewing or listening, in the course of use of a circumvention device, would not constitute infringement. Even where section 65 does not apply, there might be no infringement by, for example, playing region controlled DVDs, despite section 23(6),79 because no "making of copies" is involved if Sony v Stevens and Australian Video Retailers v Warner are followed. The selling of "mod chips" for DVD players would be a separate issue, discussed later.
Second, it is quite possible that the use of a circumvention device will require the copying and / or adaptation of software or data comprised in the CPT / DRMS which is protected by copyright. Such copying will probably fall outside the protection for transient copies (section 65 and section 43A discussed above) because it is not for "receiving a communication" or "viewing or listening". It does not come within the exceptions for copying software for such purposes as error correction in either the Hong Kong or Australian legislation.80 However, some uses of circumvention could arguably involve copying programs in ways which are "for the purposes for which the program was designed" (Australia, section 47B) or "necessary for the lawful use of the program" (Hong Kong, section 61). In both jurisdictions, use of the circumvention device could result in an infringing copy of software, but it is difficult to generalise.
Furthermore, a question remains as to whether a person who writes his or her own small piece of software in order to prevent some surveillance device operating as it is intended might be regarded as "making" a device.
An additional risk is that, where a digital work is provided on-line by someone else, use of a circumvention device or service to obtain unauthorised access to a computer system could also involve criminal offences.81
We can conclude that, although use of circumvention devices is not explicitly
prohibited, in both Australia and Hong Kong, users need (but do not have)
a positive statutory "right to circumvent" in order to be able to safely
access a digital work for purposes which would provide a defence to an
action for infringement. Such a right should be provided by law.
However, as Koelman argues in the European context, "too broad a prohibition
on preparatory activities would render the permission to circumvent meaningless".82
The discussion following supports this hypothesis in relation to Australia
and Hong Kong.
First, in the definition of "technological protection measure", provided that an "access control" or "copy control" measure does have some effect in "inhibiting" copyright infringements, it is not necessary that this should be its primary purpose. In Sony v Stevens, Sackville J held that it was not necessary for prevention of circumvention to be the sole or exclusive purpose of a technological protection measure, but expressly left open the question whether a device designed primarily for other purposes but which incidentally prevented or inhibited copyright infringement would be covered.83 Therefore, on the evidence, the fact that the access code in this case had the function of preventing games purchased in other regions being played did in itself prevent the access code from being a technological protection measure.
Many access control or copy control mechanisms would at least "inhibit" copyright infringement unless the mechanism was nearly or totally ineffective. "Inhibit" must include something less than "stop", otherwise "prevent" would have no meaning in the section. However, if a CPT is only aimed at preventing something which is not a breach of copyright (such as playing DVDs: Australian Video Retailers v Warner), then it will not constitute a "technological protection measure".84 So the scope of "technological protection measure" is very broad, but with very large holes.
Similarly, it does not matter that a "copy control mechanism" also stops the copying of content that is not protected by copyright (eg public domain material, or individual items in a database) or stops copying in circumstances which would not be a breach of copyright because defences apply.
The use of "designed" in that definition implies that a device must be intended by its designer to protect copyright, and not merely inadvertently do so (as any computer security device might do). It must have some effectiveness.85
Second, knowledge or belief that infringement of copyright will take place is not required by section 116A, only knowledge or belief that a technological protection measure will be circumvented. If it were believed that the circumvention device was only going to be used in relation to public domain works, or data items in a database, this would not be an excuse.
Third, although only a copyright owner or exclusive licensee can take action (section 116A(5)), it is sufficient if they have one copyright work protected by the relevant device being circumvented, even if no one intends to use the device to circumvent protection in that work. Copyright owners can, therefore, commence actions which are really intended to protect technologically protected content which does not have copyright protection.
In Hong Kong, the defendant is only liable if he or she deals with or possesses the circumvention device "knowing or having reason to believe that it will be used to make infringing copies or infringing fixations". If a particular defendant (eg a library) possesses a device only for the purpose of allowing "fair dealings" of works (sections 38 and 39), then this is not a breach. If a defendant has a reasonable belief that a device in which he or she is dealing (or possesses) will only be used for circumventions in relation to works in the public domain (including those in which copyright has expired), or database items in which there is no copyright, or any content in relation to which a defence applies, then there will be no breach in the making or dealing. In addition, uses of circumvention devices which do not involve any copies being made, but (for example) merely prevent the collection of personal information for privacy-protection purposes, will not be a breach.
The Hong Kong provisions are a more careful and cautious implementation of the WCT requirements, and are tied much more closely to the protection of copyright-protected content and actions than are the Australian provisions.
There are various provisions allowing supply of circumvention devices for some purposes to libraries, archives, educational institutions, the Crown, law enforcement agencies, etc.86 These exemptions involve the approved type of institution making a declaration to the provider of the circumvention device identifying the category of exemption and stating that "a work ... to which the person proposes to use the device ... is not readily available to the person in a form that is not protected by a technological protection measure".
However, these exemptions do not include the "fair dealing" defences (sections 40-43), of use for research or study, criticism and review, reporting news, or providing professional advice. Fair uses, and the privacy of fair use, are not recognised by this legislation.87 In order to preserve the effective exercise of "fair dealing" rights, the "right to circumvent" suggested above is needed.
As discussed above, in Hong Kong, dealing in a circumvention device without reason to believe it would be used for infringing uses would not be a breach, and nor would possessing it in the course of a business. Use of a device for a non-infringing purpose is not a breach, because use does not cause liability. The Hong Kong legislation is, therefore, better than the Australian legislation on this point. However, in practice, the lack of availability of circumvention devices may mean that most users of digital works who would be theoretically entitled to take advantage of fair use exemptions will be unable to do so.88
Another problem would be a website which provides links to overseas websites where circumvention devices may be downloaded. In the United States, in Reimerdes,89 eight motion picture companies sued 2600 Magazine to enjoin it from publishing or linking to DeCSS, a computer program used to circumvent the encryption used in DVDs. The case was defended partly on the grounds that the anti-trafficking provisions of the DMCA are unconstitutional because they infringe First Amendment freedom of speech rights, but the Court of Appeals rejected this argument because the DMCA provisions, in so far as they prohibited linking, did so because of DeCSS's functional ability to instruct a computer, not because of its content. Other similar cases have been commenced.90 Academic argument in Canada has also suggested that some anti-circumvention provisions may be unconstitutional there.91 As in the United States and Canada, consideration needs to be given to whether section 273(2)(b) is inconsistent with the protection of freedom of expression in the Hong Kong Bill of Rights Ordinance (Cap 383), on the basis that it goes beyond what is "necessary" to protect the rights of others.92 It would also be necessary to take into account Article 34 of the Basic Law providing that "Hong Kong residents shall have freedom to engage in academic research, literary and artistic creation, and other cultural activities". At the least, these provisions should lead to a narrow reading of section 273(2)(b).
In Australia, there are prohibitions on anyone who "by way of
trade ... otherwise promotes, advertises or markets, such a circumvention
device" (section 116A(1)(ii)) or "makes such a circumvention device available
online to an extent that will affect prejudicially the owner of the copyright"
(section 116A(1)(vi)), or provides or promotes a circumvention service,
if "the person knew, or ought reasonably to have known, that the device
or service would be used" for circumvention. A person who merely provides
information about circumvention devices on a non-commercial basis (eg an
academic or technical paper) is unlikely to fall within these provisions.
Whether a hypertext link to a circumvention device "makes [it] ... available
online" under section 116A(1)(vi) is similar to the more general question
of whether providing hypertext links to any work constitutes an infringement
of the new right of "making available to the public" under both the Australian
and Hong Kong legislation. This is a broader question than can be pursued
here, but there is some opinion that links may constitute "making available".93
Unlike the United States or Hong Kong, there are in Australia no
entrenched rights of freedom of speech (outside political matters) which
could be used to attack these provisions.
The access control protection in section 116A (defined as means which operate "by ensuring that access to the work or other subject-matter is available solely by use of an access code or process (including decryption, unscrambling or other transformation of the work or other subject-matter) with the authority of the owner or licensee of the copyright") is intended to protect the use of CPT using access limitations such as "crypto-bottling" of works (where access depends on use of a particular decryption key) or the simple device of providing on-line (or CD-ROM) access only by password. Technologies to make digital artifacts expire after use or after a period could also be protected here. However, in Sony v Stevens, the plaintiffs attempted to argue that the access code embodied in each CD-ROM containing a PlayStation game was a "technological protection measure" in its own right. The argument94 was that no unauthorised copy of the game was complete because it cannot contain the access code, but the mod chip was a circumvention device "because it circumvents or facilitates the circumvention of that measure by making the complete copy useful". Sackville J refused to allow the argument because the case had not been pleaded in that way, but noted that it rested on the "dubious" assumption "that the access code is part of the computer program in respect of which copyright subsists". Sackville J is not suggesting that an access control protection must always be part of the work which it protects (which is not supported by the legislation), but rather that if a copyright owner claims that the circumvention consists of getting around the fact that an access control mechanism cannot be copied, then the access control mechanism must be part of the work the protection of which is being circumvented. Although of limited scope, this point is of considerable practical importance, as this case shows. Sackville J did not, of course, decide the point, but his reasoning seems sound.
"Copy control mechanism" is undefined, and its possible meaning is most uncertain. It would, for example, include any technology which limits printing from web pages or databases in any way. However, would it include ex post facto technological means of detecting copyright infringements, such as the use of web spiders to search for unauthorised copies of digital works? These are not access controls, but could well be considered "a copy control mechanism". The inclusion of surveillance devices as protected technology could have significant privacy implications. Similarly, a digital watermark or similar device of steganography does not prevent access, but it may well be regarded as "a copy control mechanism" in that it both inhibits copying and allows its detection. Such devices would include a code that a word processor or a hypertext markup language (HTML) editor could put into documents to identify if it was created by a licensed copy of software. The question courts will have to resolve is whether "copy control" includes deterrence or detection. The reference to "inhibit" in the Australian definition could support such an interpretation.
Sony v Stevens now provides the first but not the final step
toward this resolution. Sony contended that "the definition of `technological
protection measure' is satisfied so long as the protective devices, as
a practical matter, remove or minimise the incentive for persons to copy
PlayStation games as a prelude to playing the copies on the PlayStation
console". Sony "contended that the protective devices do this by rendering
infringing copies unsaleable unless the devices can be circumvented".95
Sackville J considered that the definition of "technological protection
measure" "contemplates that but for the operation of the device
or product, there would be no technological or perhaps mechanical barrier
to a person gaining access to the copyright work, or making copies of the
work after access has been gained, thereby putting himself or herself in
a position to infringe copyright in the work" (emphasis in original). "I
do not think the definition is concerned with devices or products that
do not, by their operations, prevent or curtail specific acts infringing
or facilitating the infringement of copyright in a work, but merely have
a general deterrent or discouraging effect on those who might be contemplating
infringing copyright in a class of works, for example by making unlawful
copies of a CD-ROM".96 Turning to the problem of what meaning and effect
this leaves for the word "inhibit", Sackville J says:
"I think the construction I have adopted gives the word `inhibit' in the definition work to do. There may be devices which are not necessarily designed, in the ordinary course of their operation, to prevent the infringement of copyright, but to inhibit such infringement. A copy control mechanism, for example, might not prevent all copying that infringes copyright, but might limit the extent of unlawful copying that can take place, for example by reducing the quality of copies that can be made of the copyright work. Such a device could properly be said to be designed, in the ordinary course of its operation, to `inhibit' the infringement of copyright in a work, rather than to prevent such infringement. It may be that access to only part of a work is restricted by a process requiring decryption or unscrambling. In this situation, too, it might be more appropriate to say that the process is designed to inhibit rather than prevent the infringement of copyright in the work."97
Sackville J considers that this question is not resolved by the legislative history, but that his interpretation is consistent with that history. He finds nothing in the legislative history to support protection of technological measures which only prevent or inhibit the infringement of copyright by discouraging infringements of copyright which predate the attempt at circumvention through access or copying.98 He therefore concludes that the access code is not a technological protection measure within the meaning of the Act "if the only way in which they inhibit infringement of copyright in PlayStation games is by discouraging people from copying these games as a prelude to playing them on PlayStation consoles".
Unless this interpretation by Sackville J is reversed in subsequent decisions, the elimination of merely "deterrent devices" from the meaning of "technological protection measure" is a very significant limitation on the potential scope of section 116A, and particularly on the dangers to privacy posed by section 116A. These implications will be discussed further below.
If web spiders are copy control mechanisms (and it is a big "if" after Sony v Stevens), it then becomes a question of whether a website operator can circumvent them without "making" a circumvention device, or obtaining one from someone else who will then be dealing in a circumvention device. At what point will writing a few lines of software to configure a web server differently become "making" a circumvention device?
In Hong Kong, works are protected if they are made available "in
any form which is copy-protected" (section 273(1)(b)). "Copy-protection"
"include(s) any device or means specifically intended to prevent or restrict
copying of a work or fixation of a performance or to impair the quality
of copies or fixations made" (section 273(4)). Even though the definition
is only inclusive, not exclusive, it will not cover access control mechanisms
(except where circumvention of access control does involve the making of
copies of a work) as this is not within the ordinary meaning of "copy protection".
The Hong Kong definition refers to "prevent or restrict", not "prevent
or inhibit" and additionally refers to "impair the quality of copies or
fixations made". It is possible that "restrict" might be interpreted broadly
to include devices that only deter copying, on the basis that (unlike in
Sony v Stevens) it cannot only mean impairing the quality of copies,
as this is already covered explicitly by the definition. Alternatively,
"restrict" could be interpreted narrowly to mean to limit copying to only
one page at a time, or to certain parts of a work, in contrast to "prevent"
meaning to stop the copying of any part of the work. The narrow interpretation,
particularly in light of Sony v Stevens, seems the better view,
on both the ordinary meaning of "copy protection" and with the defined
inclusion. If so, the Hong Kong provision would not include web spiders
or steganography, which merely deter copying by increasing the likelihood
of detection. They may also produce a similar result when a case similar
to Sony v Stevens comes before the Hong Kong courts.
The Hong Kong prohibition on dealing with devices is limited to "any device or means specifically designed or adapted to circumvent the form of copy-protection employed" (section 273(2)(a)). This limitation to devices "specifically designed" to circumvent will serve to exempt devices which have more general purposes but incidentally defeat a form of copy protection.
One of the most far-reaching forms of surveillance by and of digital works is, therefore, protected against circumvention - it will be illegal to assist users to circumvent such surveillance. The EC Copyright Directive provisions on anti-circumvention raise similar problems of interpretation.100
Such collection may be in breach of privacy laws, though this is not certain (see the next section). As a matter of policy, anti-circumvention provisions should not provide protection for any technological measures that do not meet privacy protection standards required by legislation. The DMCA provides an explicit defence against its anti-circumvention provisions where circumvention is only for the purpose of protection of personally identifying information, but the protection can be defeated by "conspicuous notice".101
Other variants of on-line surveillance of users are less clearly within the Australian definition of "technological protection measures" after Sony v Stevens. For example, a digital artifact that recorded its own usage even when off-line, and then (once it went on-line) sent this information "home" so that users could be charged for usage, or for detection of breaches of licence conditions (such as copying or printing), probably would not be regarded as an access control mechanism. It could still be argued to be a copy control mechanism if "control" is interpreted to include deterrence or detection, but Sony v Stevens denies this.
Under the Hong Kong provisions, it is less likely that digital artifacts on a user's PC that send information "home" when they are on-line are protected against circumvention. As discussed above, access prevention devices are not protected as such under the Hong Kong Ordinance, but it is still possible that a device enforcing a "phone home" process which prevents (and does not merely deter) unauthorised access could be regarded as "copy protection" both on the ordinary usage of the term, and under the defined inclusion as intended to "prevent or restrict copying". As with Australia, protection of the recording of usage details and ex post facto reporting of them when the artifact goes on-line will depend on whether "copy-protection" is interpreted to include deterrence and detection, but this is even less likely in Hong Kong.
Where on-line surveillance is regarded as a copy protection device in
Hong Kong, any protection for users against secondary usage of the information
(such as marketing uses) will depend on Hong Kong's privacy laws, as the
Copyright Ordinance does not itself impose any limits on use of the information
Additional actions in relation to commercial dealings with copyright subject matter from which RMI has been removed are provided in section 116C, where the relevant knowledge is that the person knew, or ought reasonably to have known, that the removal of the RMI "would induce, enable, facilitate or conceal an infringement of the copyright in the work or other subject-matter" (which knowledge is presumed by section 116C(3)).
Criminal offences equivalent to the actions in section 116B and section 116C are provided in section 132(5D) which makes it a criminal offence to "remove or alter any electronic rights management information attached to a copy of a work", provided there is the required intent,102 and in section 132(5D) which provides related offences concerning distributing, importing and communicating artifacts where such information has been removed or altered.
"Electronic rights management information" is defined in section
10 in terms very similar103 to those in Article 12(2) of the
WCT and Article 19 of the WPPT:104
"Electronic rights management information means:
(a) information attached to a copy of a work or other subject-matter that:
(i) identifies the work or subject-matter, and its author or copyright owner; and
(ii) identifies or indicates some or all of the terms and conditions on which the work or subject-matter may be used, or indicates that the use of the work or subject-matter is subject to terms or conditions; and
(b) any numbers or codes that represent such information in electronic form."
This might not seem to matter if (as argued above) RMI does not include personal information (except perhaps the identity of a licensee where this is a necessary part of the conditions of use of a work), so removal of such information is not a breach of the RMI provisions.
Nevertheless, removal of such "pseudo-RMI" might require the use of
an (unobtainable) circumvention device, or if the user attempts to modify
the work to prevent the collection of this "pseudo-RMI", this may be a
breach of copyright, so the pseudo-RMI may be protected. The user still
needs some positive right similar to that found in the United States' DMCA,
at least in Australia. In Hong Kong, devices to remove RMI are less likely
to be circumvention devices because circumvention devices must make infringing
copies (as discussed above).
Hong Kong and Australia are two of the few jurisdictions outside Europe with data protection (or "personal information protection") laws which cover the private sector.110 Hong Kong's Personal Data (Privacy) Ordinance (Cap 486) has been in force since 1995, and Australia's Privacy Act 1988 (Cth) has applied to significant parts of the private sector since December 2001.
Since the implementation of the EC Copyright Directive in May 2001, European countries must implement both anti-circumvention / RMI laws and data protection laws.111 Bygrave and Koelman have each made a number of studies of the interrelationship between European privacy laws and anti-circumvention / RMI laws.112
The experience of the United States is of limited relevance here. The United States is unlikely to enact comprehensive data protection laws, partly for constitutional reasons.113 The DMCA has explicit provisions limiting the operation of the anti-circumvention and RMI-protection provisions where they would infringe privacy, as mentioned above. Arguments that laws prohibiting copyright circumvention devices diminish "the right to read anonymously"114 and may breach the guarantees of freedom of speech and privacy in the US Constitution are of limited relevance as legal arguments in countries such as Australia which do not have such constitutional guarantees. These arguments, which are still unresolved in the United States, have some potential relevance in Hong Kong due to the limited protection of freedom of speech in the Hong Kong Bill of Rights Ordinance and the entrenchment of the International Covenant on Civil and Political Rights by the Basic Law. Most European and some other countries are more willing than the United States115 to protect privacy by general information privacy legislation, and do not have the same constitutional constraints in doing so.116
In many cyberspace transactions, what will constitute "personal information" is uncertain, and this may have a severe effect on the applicability of data protection laws to those transactions. In Australian law, whether machine addresses and e-mail addresses would constitute personal information would usually be a question of fact in a particular case.118 Bygrave and Koelman also thought this was uncertain.119
In the DRMS context, there may be many doubtful situations. For example, if a web spider merely collects the identification number of a licensed digital work, but it is possible for that identification number to be subsequently correlated (perhaps via a number of steps) with the identity of the individual who holds the licence, has the web spider been involved in the collection of personal information? Questions may also arise whether, if part of the information is accessible to the public on a web page, the combined information can still be "personal information", but this will depend on the wording of particular legislative provisions.120
However, these types of definitions may miss the real point of many cyberspace interactions. If a DRMS can determine that a copy of a digital work it has located on the net (or which has reported to it) is an infringing copy, or is being used in breach of its licence, and it can initiate enforcement action without knowing the identity of the person who is responsible, it has acted against an individual and with serious consequences. For example, if a digital work merely sends "back to base" information about the PC on which it is located, or the Internet sub-domain on which it resides, but there is no record in the rights owner's database of a licence in relation to those locations, so that the work automatically ceases to be useable, where is the collection or use of personal information? Similarly, if information about the reading habits of a pseudonymous licensee can be aggregated so that it is commercially valuable to market other digital works to that individual, and there is access to an e-mail address which makes this possible, the publisher has no need to know the identity of the individual marketed to.
This weakness in definitions of personal information may place a significant limit on the capacity of data protection laws to protect privacy in relation to surveillance systems used for copyright protection.
In Australia's privacy law, National Privacy Principle (NPP) 8 "Anonymity" requires that "[w]herever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation". This "anonymity principle" is unusual in data protection laws,122 but does have a precedent in Germany.123 It is not explicitly required by the EC data protection Directive.124 Although the title of NPP 8 only refers to anonymity and not pseudonymity, the words "not identifying themselves" are broad enough to encompass systems which allow pseudonymity, with actual identification only being permitted under certain conditions.
There is no explicit equivalent in the Hong Kong Privacy Ordinance. It would be difficult to read a requirement of pseudonymity or anonymity into the scattered words of Data Protection Principle (DPP) 1,125 requiring that data collected is "necessary for", "directly related to" or "adequate but not excessive in relation to" the purpose of collection. Similarly, it is unlikely that the words "unless the information is necessary for one or more of its functions or activities" in Australia's NPP 1 would be interpreted to require pseudonymity or anonymity.
One of the few other examples is Germany's Teleservices Data Protection
Act (Article 2 of the Information and Communications Services Act of 1997),
which requires the objective of minimising or eliminating the collection
and use of personal information to be built into the "design and selection
of technical devices" (hardware and software):
"s3(4) The design and selection of technical devices to be used for teleservices shall be oriented to the goal of collecting, processing and using either no personal data at all or as few data as possible."
This design requirement makes meaningful the specific requirement on service providers to provide anonymous and pseudonymous uses of teleservices "to the extent technically feasible and reasonable",126 because it removes the excuse that systems have not been designed to allow for anonymous or pseudonymous transactions. Here, the control of architecture by law is both a serious, though general, limitation on the types of Internet systems that may be built, and a necessary precondition for legal sanctions aimed directly at the behaviour of service providers.
One of the main differences between this Australian formulation and that in the German law is that it does not have the explicit legislative requirement for systems to be designed to allow anonymity and pseudonymity. The Australian provision might, therefore, be interpreted to allow the excuse that it is not "practicable" because the system design makes it technically impossible. However, the strong wording of "must have the option" may be interpreted to at least require any systems designed after the legislation commences to provide anonymity and pseudonymity options wherever "practicable".
Data protection commissioners are increasingly aware of the importance of this issue. The Article 29 Working Party of European Data Protection Commissioners made recommendations in 1997 concerning anonymity on the Internet127 which show a clear preference for maximising anonymity in Internet transactions, subject to balancing this with other rights. In 2000, the International Working Group on Data Protection in Telecommunications, drawn from data protection agencies worldwide, specifically recommended the development of DRMS "which allow for anonymous or pseudonymous transactions".128
An important protection of privacy in DRMS systems will be if individuals must be given notice when information is collected about them. In Australia, notice of collection, use and disclosure practices must be given to the individual "at or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual" (NPP 1.3), and "reasonable steps" must be taken to give such notice to the individual even where the information is collected from third parties ("from someone else": NPP 1.5). Hong Kong's DPP 1 has similar provisions, but notice is only required in relation to collection directly from the data subject. In both Australia and Hong Kong, it is questionable whether, when information is collected about a person from a website, or even from the individual's computer, it is collected from "the individual" (Australia) or from "the data subject" (Hong Kong). If it is not so collected, but instead classified as collected from observation / surveillance, no notice is required. The correct interpretation is unresolved, but the better view is that observation of a person, or extraction of information from that person's private computer files (as distinct from pages on a publicly accessible website) should be regarded as collection from the person.129
Many aspects of data collection by DRMS will be with the consent of the data subject, or pursuant to a contract with the data subject. They will, therefore, have to comply with the normal requirements of disclosure of purpose, and limitations on excessive collection (as discussed above).130
More contentious forms of collection of personal information are likely to arise because of the surveillance aspects of DRMS. If an MSP uses a web spider solely for the purpose of collecting RMI, or if the digital work sends reports back to the MSP, it may be collecting "personal information" (see discussion above). The MSP may be in a contractual relationship with the person concerned (a licensee), but questions may arise as to whether the collection is with consent, or (in EU Directive terms) the collection is necessary for the performance of the contract or for the purpose of the legitimate interests of the MSP or its client. Disclosure of surveillance practices at the time of contract will probably be necessary, as it may be impossible at the time of collection (e.g. collection by web spiders).
If the person whose personal information is collected has no relevant contractual relationships (e.g. a person whose machine address is disclosed as the location of a digital work), then there will be no consent to collection and no contract, so justification for collection may be more difficult to provide. Hong Kong's Ordinance requires "prescribed consent" which is "express consent given voluntarily",131 but Australia's federal privacy law is much more permissive, including "implied consent" within its definition of "consent". It is therefore more likely that consent to surveillance will be found under the Australian law, possibly from factors such as failure to opt out of use conditions stated on the digital work.
Secondary uses, particularly marketing uses, are analysed by Bygrave and Koelman,135 who note a number of European provisions which could have a significant effect on DRMS operations.
In relation to automated processing, Article 15(1) of the EU Privacy Directive gives persons the right not to be subject to decisions based on automated processing which evaluates information about the personality of the data subject for the purpose of decisions which may have a significant effect on the person.136 If a CPT terminated the useability of a digital work because of automated processing of information about breaches or expiry of a licence, it could be caught if the information processed included personal information. The processing would have to be shown to be done pursuant to a contract, and even then would have to be within the data subject's reasonable expectations. There is no equivalent protection against automated processing in the Australian or Hong Kong legislation.
Germany's Teleservices Data Protection Act prevents the aggregation
in an identifiable form of personal information relating to the use of
several teleservices by one user (section 4). Such a restriction would
significantly limit the secondary uses of DRMS information. There is no
direct equivalent in the Australian or Hong Kong legislation, but it could
be questioned whether such aggregation is in itself a legitimate purpose
Issues arising from this include the effect of data export prohibition
requirements, the possible extra-territorial operation of data protection
laws, and questions of conflict of laws. Only the first is discussed here.
As is well known, the EU Data Protection Directive137 requires European privacy laws to include data export prohibitions. In many instances, the exceptions in Article 26 of the EU Privacy Directive will apply,138 but there are likely exceptions such as collection by web spiders and other situations where CPT may operate outside contractual relationships.
NPP 9 in the Australian Act prohibits personal data exports to recipients in foreign countries unless one or more exceptions apply. Exceptions are made where the transferor "reasonably believes" the recipient is "subject to a law, binding scheme or contract" which effectively upholds principles substantially similar to the NPPs, where "the individual consents to the transfer", where the transfer is pursuant to certain contract or pre-contractual negotiation, where the transfer is for the individual's presumed benefit (and it is impractical to obtain consent), and where the exporter has taken "reasonable steps" to ensure that the information will not be "held, used or disclosed" contrary to the NPPs.
The data export prohibition in the Hong Kong Ordinance (section 33) is the only section not yet in operation.139 Its provisions are similar to the Australian NPP 9, but stricter in many respects. The Hong Kong provision only recognises foreign laws, not schemes or contracts. This is particularly important given that the United States (the likely home of many DRMS) does not have privacy legislation but relies upon a voluntary "Safe Harbor" scheme.140 It only exempts consent "in writing", therefore excluding arguments that consent might be implied by conduct. It does not exempt various types of contracts and negotiations (except in so far as they involve written consent). It requires the exporter to take not only "reasonable precautions", but also to exercise due diligence to ensure that the data will not be "collected, held, processed or used" (not only "held, used or disclosed" as in Australia) in ways that would be contrary to the Ordinance. The Australian provision is a "watered down" version of the Hong Kong provision, but it is in force.
In those situations where personal information is transferred
to another jurisdiction via the Internet as part of a DRMS, data export
provisions could be breached (only in Australia as yet). However, as discussed
above (under "Is DRMS data `personal information'?"), there may be situations
where the transfer of DRMS data does not constitute "personal information"
or "personal data" and, therefore, falls outside the scope of data protection
laws, even though the transfer effectively facilitates the DRMS to react
to the situation on an individual basis.
"Several factors could serve to hinder the large-scale implementation of privacy-invasive DRMS. Such systems might be marginalised by market mechanisms - for example, strong consumer preferences for privacy, combined with competition between copyright-holders to satisfy these preferences. The take-up of privacy-invasive DRMS might also be hindered by difficulties in achieving standardisation and compatibility of technological measures."
Kerr, Maurushat and Tacit concluded in 2002 that it was still too early to answer the question "Will TPMs be used as widely as predicted?", particularly due to the uncertain level of consumer resistance. They conclude that "great caution should be exercised by policy-makers who are considering an immediate legal response to what is still a relatively unknown if not practically unborn technology".142
It is, therefore, difficult to determine what privacy protections
are needed. At the same time, legislation is now giving pro-active protection
to CPT and DRMS, through anti-circumvention and RMI laws, so it is too
late to do nothing. Contracts are also providing further legal protection
to CPT, DRMS and RMI, and technical measures make entry into such contracts
more pervasive. Australia's Copyright Law Review Committee concluded that
many on-line licence agreements they surveyed did explicitly or impliedly
exclude or modify exceptions to exclusive rights of owners, and that such
contractual exclusions are more likely to be enforced in the on-line arena.143
We need to make the best effort we can to ensure that a balance is maintained
(or more likely, restored) between the protection of property and the protection
of privacy. These efforts may include the work of privacy officials, amendment
of copyright and privacy legislation, and limiting the role that contracts
can play to undercut such privacy protections as may otherwise exist.
If narrow interpretations of these laws as in Sony v Stevens
prevail, some of these suggestions may prove to be unnecessary.
The Committee also recommends147 that "the integrity of the `permitted purposes' in s116A(3), (4) and (7) of the Copyright Act be retained by preventing a copyright owner from making it a condition of access to his or her work or other subject matter that users will not avail themselves of a circumvention device or service for the `permitted purpose' of doing an act that is not an infringement of copyright under [the exceptions in s116A148]". So, where section 116 has allowed circumvention, contract cannot override this.
While the Committee could not, under its terms of reference, re-open the question of when it should be possible to circumvent a technological protection measure, adoption of its recommendations will help ensure that contract cannot extend the legislative protection (criticised in this article) any further. The same issue deserves consideration in Hong Kong.
The Committee's approach, if adopted, may have interesting implications for Australia's federal privacy law, which allows some interferences with privacy if they are with consent of the data subject, and defines "consent" as including implied consent (discussed above). Where such consent is also part of a contractual relationship, the consent would be ineffective under the privacy law if it had the effect of undermining the protected copyright interests, and a breach of the privacy law could also result.
When Lessig says that "control vs. freedom will be the debate of the
21st century",149 he is talking about property. But merely by posing the
issue in that way, it is clear that we must also talk about privacy, and
how privacy (and surveillance) are part of property.
2 See Part II of Graham Greenleaf, "An Endnote on Regulating Cyberspace: Architecture vs Law?" (1998) 21(20) University of New South Wales Law Journal, "Electronic Commerce: Legal Issues For The Information Age", http://www.austlii.edu.au/au/other/unswlj/thematic/1998/vol21no2/greenleaf.html.
3 John Perry Barlow, "Selling Wine Without Bottles: The Economy of Mind on the Global Net" Wired Archive 2.03 (1993) at 86, http://www.eff.org/pub/Publications/John_Perry_Barlow/HTML/idea_economy_article.html.
4 "Digital works" is used loosely in this article to refer to any digital artifact that could embody copyright subject matter.
5 "Code Replacing Law: Intellectual Property" in Lawrence Lessig, "The Law Of The Horse: What Cyberlaw Might Teach" (1998) 113 Harvard Law Review 501, http://lessig.org/content/articles/works/finalhls.pdf or http://www.swiss.ai.mit.edu/classes/6.805/articles/lessig-horse.pdf.
6 There is no widely accepted terminology for individual technologies that protect digital content. The author uses "CPT" to refer to "content protecting technologies" rather than "copyright-protecting", because they protect content which copyright does not protect.
7 DRMS were also known as electronic copyright management systems (ECMS), but DRMS is the more current terminology.
8 One list of famous quotes adds "Among others. No telling who really said this first", http://world.std.com/~tob/quotes.htm. However, John Perry Barlow insists (though he still does not give a source) that the full version of Brand's quote is: "Information wants to be free - because it is now so easy to copy and distribute casually - and information wants to be expensive - because in an Information Age, nothing is so valuable as the right information at the right time." (Barlow, in an Atlantic Monthly Roundtable, http://www.theatlantic.com/unbound/forum/copyright/barlow2.htm). The author will adhere to his own imaginary version.
9 The following description was largely true in relation to the end-users of copyright artifacts, consumers, but was less true of various categories of intermediaries who licensed the uses of copyright works.
10 See Lee Bygrave and Kamiel Koelman, Privacy, Data Protection and Copyright: Their Interaction in the Context of Electronic Copyright Management Systems, (report commissioned for the Imprimatur project) (Institute for Information Law, University of Amsterdam, June 1998), http://folk.uio.no/lee/articles/ECMS_Imprimatur.pdf; see also their chapter in Hugenholtz (ed), Copyright and Electronic Commerce (Deventer: Kluwer, 2000) for examples.
11 Ibid., Ch 5 stresses this reason, giving too little weight to the factors mentioned earlier.
12 As Bygrave notes in Lee Bygrave, "The technologisation of copyright: Implications for privacy and related interests" (2002) 24(2) European Intellectual Property Review 51, part of the function of privacy laws is to protect "the incentive to participate in a democratic, pluralist society by securing the privacy, autonomy and integrity of individuals".
13 The summary of these arguments on which this is based are from part 6.1.1 of Stefan Bechtold, "From Copyright to Information Law - Implications of Digital Rights Management", Workshop on Security and Privacy in Digital Rights Management 2001 (Philadelphia, USA, 5 Nov 2001), http://www.star-lab.com/sander/spdrm/papers/bechtold.pdf.
14 Ibid., the conclusion reached by Bechtold.
15 James Boyle, "The Second Enclosure Movement and the Construction of the Public Domain" (2002); draft paper prepared for the Privacy, Property and Personality Conference, University of Edinburgh, Nov 2002, http://www.law.duke.edu/pd/papers/boyle.pdf; see, in abbreviated form, Daedalus, Spring 2002 Intellectual Property Issue.
16 Ibid., Part II.
17 David Lange, "Recognizing the Public Domain" (1981) Law and Contemporary Problems, 5.
18 For a contrary view, that public domain is just the holes left in copyright, see Edward Samuels, "The Public Domain in Copyright Law" (1993) 41 J. Copyright Society 137.
19 Jessica Litman, "The Public Domain" (1990) 39 Emory Law Journal 965.
20 See the papers presented at the Conference on the Public Domain, Duke Law School, Nov 2001, http://www.law.duke.edu/pd/schedule.html.
21 Copyright Law Review Committee (Australia), Copyright and Contract, Attorney-General's Department (Australia), 2002 at 201, http://184.108.40.206/www/clrHome.nsf/AllDocs/RWP092E76FE8AF2501CCA256C44001FFC28.
22 Yochai Benkler, "Free as the air to common use: First Amendment constraints on enclosure of the public domain" (1999) 74 NYU Law Rev. 354, 361-362, as discussed by Boyle (n 15 above), p 30.
23 Boyle (n 15 above), p 30.
24 Lawrence Lessig, "The Architecture of Innovation", Conference on the Public Domain, Duke Law School, Nov 2001, http://www.law.duke.edu/pd/papers/lessig.pdf.
25 Boyle (n 15 above), p 33.
26 Boyle (n 15 above), p 37.
27 Sir Isaac Newton.
28 Kevin Kelly, "New Rules for the New Economy" Wired Archive 5.09, Sept 1997, http://www.wired.com/wired/5.09/newrules.html.
29 Apple's iMusic software and its use of the CDDB database is one example.
30 "A cookie is information that a Web site puts on your hard disk so that it can remember something about you at a later time." (from Whatis?com definition), see http://searchSecurity.techtarget.com/sDefinition/0,,sid14_gci211838,00.html.
31 "A Web bug is a file object, usually a graphic image such as a transparent one-pixel-by-one pixel GIF, that is placed on a Web page or in an e-mail message to monitor user behavior, functioning as a kind of spyware. Unlike a cookie, which can be accepted or declined by a browser user, a Web bug arrives as just another GIF on the Web page. A Web bug is typically invisible to the user because it is transparent (matches the color of the page background) and takes up only a tiny amount of space." (from Whatis?com definition), see http://searchWebManagement.techtarget.com/sDefinition/0,,sid27_gci341290,00.html.
32 The following analysis is influenced most strongly by Bechtold (n 13 above), though many other authors have argued similarly. Bechtold adds the emphasis on technology licensing of hardware manufacturers to previous analyses. The author has generalised the approach he takes at a number of points.
33 A contract entered into by the consumer being required to agree to contractual terms, by clicking an "I agree" button with a mouse, before the consumer can access the digital work; see ProCD, Inc v Zeidenberg, 86 F.3d 1447 (7th Cir. 1996) for the most significant US decision.
34 See Bechtold (n 13 above), part 3 and part 5.1.2 for a summary of this argument.
35 Ibid., part 4.
36 Ibid., part 8.
37 See part 2 of Kamiel Koelman and Natali Helberger, Protection of Technological Measures, Report under the Imprimatur project (Institute for Information Law, University of Amsterdam, 1998), available at http://www.ivir.nl/publications/koelman/technical.pdf.
38 Ian Kerr, Alana Maurushat and Christian S. Tacit, Technical Protection Measures: Tilting at the Copyright Windmill (2002) Part 1, 1-31; Study funded by the Department of Canadian Heritage.
39 This summary draws on discussions from the following articles: Koelman and Helberger (See n 37 above); Roger Clarke and Gillian Dempsey, "Electronic Trading in Copyright Objects and Its Implications for Universities", Australian EDUCAUSE'99 Conference, Sydney, 18-21 Apr 1999, http://www.anu.edu.au/people/Roger.Clarke/EC/ETCU.html; Mark Stefik, "Shifting The Possible: How Trusted Systems And Digital Property Rights Challenge Us To Rethink Digital Publishing" (Spring 1997) 12 Berkeley Technology Law Journal 1, http://www.law.berkeley.edu/journals/btlj/articles/12_1/Stefik/html/reader.html; Julie Cohen, "Some Reflections on Copyright Management Systems and Laws Designed to Protect Them", (1997) 12 Berkeley Tech. L.J. 161, http://www.law.berkeley.edu/journals/btlj/articles/12_1/Cohen/html/reader.html; International Federation of Reproduction Rights Organisations (IFRRO), Committee On New Technologies, Digital Rights Management Technologies, was, but no longer, at http://www.ncri.com/articles/rights_management/.
40 For example, works protected by Softlock are freely copyable and partially readable "demos", but become full-featured once a password is purchased. They automatically revert to demos when copied to another machine. Softlock's advertisement says: "turn pirates into distributors". Was on http://www.softlock.com/, June 1998, now deleted.
41 Brad Cox, "Superdistribution" Wired Archive 2.09, Sept 1994, http://www.wired.com/wired/archive/2.09/superdis.html.
42 See Stefik (n 39 above) and Mark Stefik, The Internet Edge (Boston: MIT Press, 1999).
43 Charles C. Mann, "Who Will Own Your Next Good Idea?" The Atlantic Monthly, Part II, (Sept 1998), http://www.theatlantic.com/issues/98sep/copy2.htm.
44 International Federation of Reproduction Rights Organisations (IFRRO), see http://www.ifrro.org/.
45 Was on Australia's Cultural Network site at http://www.acn.net.au/resources/ip/ecms.htm, now deleted.
46 In Europe, the Imprimatur project, sponsored by the European Commission (EC), developed the Imprimatur Business Model. Bygrave and Koelman (n 10 above) describe the actors and inter-relationships in the model at p 3:
"In brief, the role of the creation provider (CP) is analogous to that
of a publisher; ie, he / she / it packages the original work into a marketable
product. The role of the media distributor (MD) is that of a retailer;
ie, he / she / it vends various kinds of rights with respect to usage of
the product. The role of the unique number issuer (UNI) is analogous to
the role of the issuer of ISBN codes; ie, it provides the CP with a unique
number to insert in the product as microcode so that the product and its
rights-holders can be subsequently identified for the purposes of royalty
payments. The role of the IPR database provider is to store basic data
on the legal status of the products marketed by the MD. These data concern
the identity of each product and its current rights-holder. The main purpose
of the database is to provide verification of a product's legal status
to potential purchasers of a right with respect to usage of the product.
As such, the IPR database is somewhat similar in content and function to
a land title register. The role of the monitoring service provider (MSP)
is to monitor, on behalf of creators / copyright-holders, what purchasers
acquire from MDs. Finally, the certification authority (CA) is intended
to assure any party to an ECMS operation of the authenticity of the other
parties whom he / she / it deals. Thus, the CA fulfils the role of trusted
third party (TTP)."
47 See Bygrave and Koelman (n 10 above), p 7.
48 Daniel J. Gervais, "Electronic Rights Management and Digital Identifier Systems" (1998) 4(2), The Journal of Electronic Publishing, http://www.press.umich.edu/jep/04-03/gervais.html (visited 22 June 1999).
49 "A DOI (digital object identifier) is a permanent identifier given to a Web file or other Internet document so that if its Internet address changes, users will be redirected to its new address. You submit a DOI to a centrally-managed directory and then use the address of that directory plus the DOI instead of a regular Internet address. The DOI system was conceived by the Association of American Publishers in partnership with the Corporation for National Research Initiatives and is now administered by the International DOI Foundation. Essentially, the DOI system is a scheme for Web page redirection by a central manager." (from Whatis?com definition), see http://whatis.techtarget.com/definition/0,,sid9_gci213897,00.html.
50 "Functionally, a PURL is a URL. However, instead of pointing directly to the location of an Internet resource, a PURL points to an intermediate resolution service. The PURL resolution service associates the PURL with the actual URL and returns that URL to the client. The client can then complete the URL transaction in the normal fashion. In Web parlance, this is a standard HTTP redirect." (from PURL homepage), see http://www.purl.org/.
51 Dublin Core, US MARC, INDECS Project, Stanford Digital Library Metadata Architecture, BIBLINK/NEDLIB.
52 Julie Cohen, speaking mainly of the IFRRO's notion of an ideal
DRMS, concludes in Julie Cohen, "A Right to Read Anonymously: A Closer
Look at `copyright management' in Cyberspace", (1996) 28 Conn. L. Rev.
"These capabilities, if realized, threaten individual privacy to an unprecedented degree. Although credit-reporting agencies and credit card providers capture various facets of one's commercial life, CMS raise the possibility that someone might capture a fairly complete picture of one's intellectual life.
Reading, listening, and viewing habits reveal an enormous amount about
individual opinions, beliefs, and tastes, and may also reveal an individual's
association with particular causes and organizations. Equally important,
reading, listening, and viewing contribute to an ongoing process of intellectual
evolution. Individuals do not arrive in the world with their beliefs and
opinions fully-formed; rather, beliefs and opinions are formed and modified
over time, through exposure to information and other external stimuli.
Thus, technologies that monitor reading, listening, and viewing habits
represent a giant leap - whether forward or backward the reader may decide
- toward monitoring human thought. The closest analogue, the library check-out
record, is primitive by comparison. And library check-out records are subject
to stringent privacy laws in most states." (footnotes omitted).
53 Bygrave and Koelman (n 10 above), while not opposed to DRMS, stress
that the surveillance dangers are one of the most significant obstacles
to their acceptable operation:
" ... such systems could facilitate the monitoring of what people privately
read, listen to, or view, in a manner that is both more fine-grained and
automated than previously practised. This surveillance potential may not
only weaken the privacy of information consumers but also function as a
form for thought control, weighing down citizens with "the subtle, imponderable
pressures of the orthodox", and thereby inhibiting the expression of non-conformist
opinions and preferences. In short, an ECMS could function as a kind of
digital Panopticon. The attendant, long-term implications of this for the
vitality of pluralist, democratic society are obvious."
54 Gervais (n 48 above) describes the role of pseudonymity in the proper
operation of DRMS:
"A related issue is how to identify individual digital copies (which
presumably have been sold to a specific user), without creating a risk
to privacy or confidentiality. If indeed individual copies are identified,
using a watermark containing a transaction code for instance, a viable
solution could be to number individual copies, without including data identifying
the user who `ordered' the copy in question. Copy numbers could be linked,
in a secure database, to the individual users. Should there be a good reason
to make the link between the copy number and the user - for instance, under
court order - that link could be made. The role of trusted third parties
acting as aggregators of usage data might be especially important to users.
An aggregator or collective management organization using an electronic
copyright-management system could thus maintain the confidentiality of
the link (if any) between a given copy delivered on-line and a specific
user. The content owner would receive with the payment for use of his works
a report on the number of uses, possibly with an indication of the type
of users concerned, but no information about individual users. Without
this type of confidentiality guarantee, it may be very difficult for electronic
copyright commerce to prosper. In other words, properly tuned electronic
copyright-management systems that aggregate data so as to protect privacy
and confidentiality are probably essential ingredients of the success of
electronic copyright commerce."
55 Gervais (n 48 above), a proponent of DRMS, emphasises the crucial
role that DRMS intermediaries (such as MSPs and CAs in the Imprimatur model)
will have in the protection of privacy:
"An electronic copyright-management system does not in and by itself protect privacy, but it is probably the best tool to do so. If the rules under which the electronic copyright-management system operates are correctly designed, the system would return to rights holders aggregated information on use of his / her works. For example, the system could say that clearance was granted to use `Scientific Article X' to `11 pharmaceutical companies in the last month', or that `2,345 users in this part of Chicago' downloaded a given musical work. The rights holder thus gets market data without violating anyone's confidentiality or privacy. Even now the Copyright Clearance Center in the U.S. does not report to rights holders which articles from medical or scientific journals are used by individual users (eg., pharmaceutical companies). It only tells rights holders how often a work was used by, say, the pharmaceutical industry as a whole. Most collective management organizations aggregate information in this way and this is perhaps a function whose value has thus far been underestimated by users."
56 Lessig (n 5 above). Lessig also notes an extensive argument in the United States as to whether "the fair use exceptions to copyright protection are not affirmative rights against the copyright holder, but instead the consequence of not being able to efficiently meter usage. Once that technical limitation is erased, then so too would the fair use rights be erased."
57 Lessig (n 5 above).
58 They are also an instance of laws facilitating surveillance which we can describe as "data surveillance law".
59 Koelman and Helberger (n 37 above), part 3.1 note a number of US, UK and EU provisions which deal only with some types of circumvention, or specific types of works.
60 WIPO Copyright Treaty, 20 Dec 1996, 36 ILM 65 (1997), http://www.wipo.int/treaties/ip/copyright/wipo-copyright.pdf; in force since 2 Mar 2002; see Kerr, Maurushat and Tacit (n 38 above), Parts 2-3 for a convenient legislative history and analysis.
61 WIPO Performances and Phonograms Treaty, 20 Dec 1996, 36 ILM 76 (1997), http://www.wipo.int/treaties/ip/performances/wipo-performances.pdf; in force since 20 May 2002.
62 See Commonwealth Attorney-General's Discussion Paper The Digital Agenda (1998) "Part 5 - Proposed scheme for new technological measures and rights management information provisions", http://law.gov.au/publications/digital.htm#anchor1565870. See also Speech by Attorney-General D. Williams, "Copyright and the Internet: New Government reforms", para 35, Murdoch University, 30 Apr 1998, http://law.gov.au/articles/copyright_internet.html.
63 Proposed EC Directive on the harmonisation of certain aspects of copyright and related rights in the Information Society - see Arts 6 and 7 - now Directive 2001/29/EC.
64 Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (O.J. L 167, 22 June 2001, p 10 et seq.); for analysis, see Bygrave (n 12 above) and Kamiel Koelman, "A hard nut to crack: The protection of technological measures" (2000) European Intellectual Property Review 227, draft available at http://www.ivir.nl/publications/koelman/hardnut.html.
65 Section 116A(1) sets out the scope of the right:
"s116A(1) Subject to subsections (2), (3) and (4), this section applies if:
(a) a work or other subject-matter is protected by a technological protection measure; and
(b) a person does any of the following acts without the permission of the owner or exclusive licensee of the copyright in the work or other subject-matter:
(i) makes a circumvention device capable of circumventing, or facilitating the circumvention of, the technological protection measure;
(ii) sells, lets for hire, or by way of trade offers or exposes for sale or hire or otherwise promotes, advertises or markets, such a circumvention device;
(iii) distributes such a circumvention device for the purpose of trade, or for any other purpose that will affect prejudicially the owner of the copyright;
(iv) exhibits such a circumvention device in public by way of trade;
(v) imports such a circumvention device into Australia for the purpose of:
(vi) makes such a circumvention device available online to an extent that will affect prejudicially the owner of the copyright;
(vii) provides, or by way of trade promotes, advertises or markets, a circumvention service capable of circumventing, or facilitating the circumvention of, the technological protection measure; and
(c) the person knew, or ought reasonably to have known, that the device or service would be used to circumvent, or facilitate the circumvention of, the technological protection measure."
66 Section 10 defines "circumvention device": "circumvention device means a device (including a computer program) having only a limited commercially significant purpose or use, or no such purpose or use, other than the circumvention, or facilitating the circumvention, of an effective technological protection measure."
67 Section 10 defines "circumvention service": "circumvention service means a service, the performance of which has only a limited commercially significant purpose, or no such purpose or use, other than the circumvention, or facilitating the circumvention, of an effective technological protection measure."
68 References following are to the Copyright Ordinance (Cap 528).
69 Kabushiki Kaisha Sony Computer Entertainment v Stevens  FCA 906 (26 July 2002) (hereinafter "Sony v Stevens")
70 See Kerr, Maurushat and Tacit (n 38 above), part 7, reviewing decisions to 2002.
71 Sony v Stevens (n 69 above) at 46.
72 See details on the website of Lik Sang at http://www.lik-sang.com/news.php?artc=2707.
73 It seems unlikely that an implied licence would still operate under circumstances of attempted circumvention.
74 Section 31(1)(a)(i) describes the exclusive right as "to reproduce the work in a material form".
75 Sony v Stevens (n 69 above) at 148-149.
76 Ibid. at .
77  FCA 1719.
78 (2000) 49 IPR 573.
79 Section 23(6) states: "Copying in relation to any description of work includes the making of copies which are transient or are incidental to some other use of the work".
80 Sections 60-61 Hong Kong and ss 47AB-47H Australia.
81 The scope of the "computer crime" laws of Australia and Hong Kong is not covered in this article.
82 Koelman (n 64 above). "Preparatory activities" means the making of and dealing with circumvention devices, the "upstream" activities.
83 Sony v Stevens (n 69 above) at 104, referring also to Sony Computer Entertainment v Owen  EWHC 45 (ChD).
84 I am indebted to John McPhail on this point: personal communication on file with author.
85 If a device is intended to protect copyright works, but is in fact quite ineffective to do so, is it still a "technological protection measure"? This does not matter because, following the WTO Treaty, there is only a "circumvention device if it has the purpose of circumventing an effective technological protection measure" (s 10 definition of "circumvention device"). Legislation has been introduced which would remove the word "effective" from the definition: Copyright Amendment (Parallel Importation) Bill 2002 (Cth), Schedule 3, cl 1.
86 See s 116A(3)-(4A) and (7)-(9). There is a separate national security exemption in s 116A(2).
87 Compare Cohen (n 52 above), Part V "The First Amendment Case Against the Proposed Anti-Tampering Law".
88 Compare Koelman (n 64 above), "Preparatory activities".
89 Universal Studios, Inc v Corley, 273 F.3d 429 (2d Cir.2001); see Kerr, Maurushat and Tacit (n 38 above), part 7.4.4 for a review of this and other DMCA cases.
90 For a review and current status of all of the "DeCSS cases", see the "OpenLaw: Open DVD" forum at http://eon.law.harvard.edu/openlaw/DVD/ (Berkman Centre, Harvard Law School).
91 Kerr, Maurushat and Tacit (n 38 above), part 6.1 notes unpublished work by Maurushat supporting this conclusion.
92 Art 16(3), s 8 Hong Kong Bill of Rights, Bill of Rights Ordinance (Cap 383).
93 Ross McLean and Anne Flahvin, "The Digital Agenda Act: how the new copyright law (and contract) is redefining the relationship between users and owners of copyright" (2001) CyberLRes 21, http://www.austlii.edu.au/au/other/CyberLRes/2001/21/. See also Ross McLean and Anne Flahvin, "Aspects of the New Right to Communicate", UNSW Continuing Legal Education Conference, Nov 2000.
94 Sony v Stevens (n 69 above) at 162-164.
95 Sony v Stevens (n 69 above) at 111.
96 Sony v Stevens (n 69 above) at 115.
97 Sony v Stevens (n 69 above) at 116.
98 Paraphrasing Sackville J at 117.
99 The Robot Exclusion Protocol is observed voluntarily by most commercial web spiders, see A Standard for Robot Exclusion, http://www.robotstxt.org/wc/norobots.html, and "A Method for Web Robots Control" (an "Internet Draft", a working document of the Internet Engineering Task Force, 1996, expired June 1997), http://www.robotstxt.org/wc/norobots-rfc.html. Site administrators have the technical capacity to exclude specific robots from their site compulsorily if they do not obey the protocol.
100 Bygrave (n 12 above) says the Directive "provides no obvious answer".
101 See US Code Title 17 Sec 1201 (i) Protection of Personally Identifying Information, providing that it is not a breach to circumvent "the capability of collecting or disseminating personally identifying information reflecting the online activities of a natural person" if the following conditions are satisfied:
"(a) the access controls collect or disseminate information about the online activities of a person;
(b) conspicuous notice about this information processing is not given;
(c) the data subject is not provided the ability to prevent the information being gathered and disseminated; and
(d) the disabling of the controls has the sole effect, and is solely for the purpose, of preventing the collection and dissemination."
102 Section 132(5D) provides:
"(5C) A person must not remove or alter any electronic rights management information attached to a copy of a work or other subject-matter in which copyright subsists, except with the permission of the owner or exclusive licensee of the copyright, if the person knows, or is reckless as to whether, the removal or alteration will induce, enable, facilitate or conceal an infringement of the copyright in the work or other subject-matter."
103 Though the Australian provision conjoins (a)(i) and (a)(ii) with "and", not "or".
104 WIPO Performances and Phonograms Treaty.
105 Section 274(3). References in this section to RMI mean:
"(a) information which identifies the work, the author of the work, the owner of any right in the work, the performer, or the performance of the performer;
(b) information about the terms and conditions of use of the work, the person having fixation rights in relation to the performance, or the performance; or
(c) any numbers or codes that represent such information, when any of these items of information is attached to a copy of a work or a fixed performance or appears in connection with the making available of a work or a fixed performance to the public."
106 See Bygrave and Koelman (n 10 above), p 53.
107 Compare Bygrave and Koelman (n 10 above), p 53.
108 See US Code Sec 1202 Integrity of copyright management information, providing that "copyright management information" includes "terms and conditions for use of the work" and "such other information as the Registrar of Copyrights may prescribe by regulation, except that the Registrar of Copyrights may not require the provision of any information concerning the user of a copyright work".
109 See Bygrave and Koelman (n 10 above), p 53; see also Koelman (n 64 above).
110 New Zealand and Canada are the other significant examples.
111 Directive 95/46/EC of the European Parliament and of the Council of 24 Oct 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (O.J. L 281, 23 Nov 1995, p 31 et seq.).
112 See Bygrave and Koelman (n 10 above), particularly Ch 2; Koelman (n 64 above); and Bygrave (n 12 above).
113 Michael Froomkin, "The Death of Privacy?" (May 2000) Stan. L. Rev. 146, draft available at
114 Cohen (n 52 above).
115 In many other countries, there is likely to be less reluctance to interfere in "private orderings" of transactional relationships concerning IP by legislation, for example, by compulsory licensing schemes. Even in the United States, compulsory terms in such contractual relationships are not so unusual. William W. Fisher stresses that compulsory terms in contracts are not at all unusual in the United States, and proposes a set of such compulsory contractual terms for contracts concerning IP rights: see William W. III Fisher, "Property and contracts on the internet" (1998) 73 Chicago-Kent Law Review 1203, draft at http://www.law.harvard.edu/Academic_Affairs/coursepages/tfisher/compuls99.htm.
116 Froomkin (n 113 above).
117 Section 2 defines "personal data":
"'personal data' means any data-
(a) relating directly or indirectly to a living individual;
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
(c) in a form in which access to or processing of the data is
118 Graham Greenleaf, "Privacy principles - irrelevant to cyberspace?" (1996) 3 PLPR 114, http://www.austlii.edu.au//au/other/plpr/vol3No06/v03n06d.html.
119 See Bygrave and Koelman (n 10 above), p 14.
120 See Greenleaf (n 2 above), Part F "Stopping Searching - Robot Exclusion Standards" for discussion.
121 See, for example, Graham Greenleaf, "'IP, phone home' ECMS, (c)-tech, and protecting privacy against surveillance by digital works" Proceedings of the 21st International Conference on Privacy and Personal Data Protection, Hong Kong, 1999, Proceedings text available on-line at http://www.pco.org.hk/english/infocentre/files/greenleaf-paper.doc, HTML version available at http://austlii.edu.au/~graham/publications/ip_privacy/; Jonathan Weinberg, "Hardware-Based ID, Rights Management, and Trusted Systems" (2000) 52 Stan. L. Rev. 125, http://www.law.wayne.edu/weinberg/newstanford.PDF.
122 Its Australian origins lie in Principle 10 of the Australian Privacy Charter (1994): "People should have the option of not identifying themselves when entering transactions" (see Australian Privacy Charter Council (1994) Australian Privacy Charter, http://www.anu.edu.au/people/Roger.Clarke/DV/PrivacyCharter.html). In 1998, the Australian Privacy Commissioner's National Principles for the Fair Handling of Personal Information included Principle 8 as now appears in the Act (with "should" in place of "must").
123 See n 126 below and accompanying text.
124 There is debate within the EC as to whether it is implied by the Directive (personal communication with Lee Bygrave); see Bygrave (n 12 above) for discussion.
125 Schedule 1.
126 "s4(1) The provider shall offer the user anonymous use and payment of teleservices or use and payment under a pseudonym to the extent technically feasible and reasonable. The user shall be informed about these options."
127 Art 29 Committee 1997, The Working Party On The Protection Of Individuals With Regard To The Processing Of Personal Data, Recommendation 3/97 Anonymity on the Internet (3 Dec 1997), http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp6en.htm.
They recommend that, where appropriate, the "minimum necessary collection" principle "should specify that individual users be given the right of anonymity". A surprising limitation of the working party's approach is that it does not adequately distinguish anonymity and pseudonymity, nor pursue the extent to which pseudonymity should be offered where anonymity is not practicable. The following main conclusions are relevant here:
1 The ability to choose to remain anonymous is essential if individuals are to preserve the same protection for their privacy on-line as they currently enjoy off-line.
2 Anonymity is not appropriate in all circumstances. Determining the circumstances in which the "anonymity option" is appropriate and those in which it is not requires the careful balancing of fundamental rights, not only to privacy but also to freedom of expression, with other important public policy objectives such as the prevention of crime.
3 Wherever possible, the balance that has been struck in relation to earlier technologies should be preserved with regard to services provided over the Internet.
4 The ... purchase of most goods and services over the Internet should all be possible anonymously.
5 Anonymous means to access the Internet (eg public Internet kiosks, pre-paid access cards) and anonymous means of payment are two essential elements for true on-line anonymity.
128 International Working Group on Data Protection in Telecommunications Common Position on Privacy and Copyright Management adopted at the 27th Meeting of the Working Group on 4-5 May 2000 in Rethymnon / Crete, http://www.datenschutz-berlin.de/doc/int/iwgdpt/co_en.htm. For the importance of the distinction between anonymity and pseudonymity, see Roger Clarke, "Identified, Anonymous and Pseudonymous Transactions: The Spectrum of Choice", IFIP User Identification & Privacy Protection Conference, Stockholm, June 1999, http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html and Anita Smith and Roger Clarke, "Identification, Authentication and Anonymity in a Legal Context", IFIP User Identification & Privacy Protection Conference, Stockholm, June 1999, http://www.anu.edu.au/people/Roger.Clarke/DV/AnonLegal.html.
129 See Graham Greenleaf, "Key concepts undermining the NPPs - A second opinion" (2001) 8 Privacy Law & Policy Reporter 1 for related discussion.
130 For discussion, see Bygrave and Koelman (n 10 above), p 16, also p 27.
131 Personal Data (Privacy) Ordinance, s 2(3).
132 Feb 1999. They have not yet been implemented. The recommendations are expressed as applying to "internet hardware and software products". It would be better if they also applied expressly to digital works, as the issues are the same, but it is straining language to call a digital artwork "software". "Digital works" have been substituted for "software" in this discussion.
133 Art 29 Committee 1999, The Working Party On The Protection Of Individuals With Regard To The Processing Of Personal Data, Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware (23 Feb 1999), http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp17en.htm/.
134 See Greenleaf (n 2 above).
135 Bygrave and Koelman (n 10 above), p 23.
136 See Lee Bygrave, "Minding the machine: art 15 of the EC Data Protection Directive and automated profiling" (2000) 7 Privacy Law and Policy Reporter 67.
137 Directive 95/46/EC of the European Parliament and of the Council of 24 Oct 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (O.J. L 281, 23 Nov 1995, p 31 et seq.).
138 See Bygrave and Koelman (n 10 above), pp 29-31 for detailed analysis.
139 Hong Kong appears to be waiting until it is clearer how the EU and its member States will interpret and enforce the data export provisions in the Directive.
140 US Department of Commerce, "Welcome to the Safe Harbor" website http://www.export.gov/safeharbor/.
141 Bygrave (n 12 above).
142 See Kerr, Maurushat and Tacit (n 38 above), part 7.4.4 for a summary of US cases to 2002, but they do not report any cases from other jurisdictions prior to 2002.
143 CLRC (n 21 above) at 4.94 and 4.138.
144 Sections 40, 41, 42, 43, 43A, 48A, 49, 50, 51, 51AA, 51A, 52, 103A, 103B, 103C, 104, 110A, 110B, 111A.
145 CLRC (n 21 above), Recommendation at 7.49.
146 CLRC (n 21 above) at 7.25.
147 CLRC (n 21 above), Recommendation at 7.50.
148 "[N]amely, reproducing a computer program for reasons of interoperability (s.47D), error correction (s. 47E) or security testing (s. 47F), copying by parliamentary libraries (s. 48A), inter-library loan (s. 50), reproducing and communicating works for users for research and study (s. 49), reproducing and communicating works in archives or libraries for preservation purposes (s. 51A), government copying (s. 183) and copying by educational or other institutions under Part VB" (CLRC, n 21 above, at 7.28).
149 Lessig, "The Architecture of Innovation" (n 24 above), p 178.