Secrecy law gutted
OUT-LAW Radio, 11/10/2007
We investigate how a recent ruling could undermine Freedom of
Information laws, and look into how BT is finally making Wi-Fi
sharing safe.
A text transcription follows.
This transcript is for anyone with a hearing impairment or who
for any other reason cannot listen to the MP3 audio file.
The following is the text spoken by OUT-LAW journalist Matthew
Magee.
Hello and welcome to out-law radio, the weekly podcast that
keeps you up to date on all the twists and turns in the world of
technology law.
Every week we bring you the latest news and in depth features
that help you to make sense of the ever changing laws that govern
technology today.
My name is Matthew Magee, and this week we investigate a ruling
that could neuter freedom of information law, and look into how
BT's wireless sharing technology keeps the police from your
door.
But first, the news:
- Risk of Bluetooth spam grows
and
- Mechanics sued for copyright infringement over alleged radio
volume
The Information Commissioner will no longer regulate the use of
Bluetooth mobile technology, prompting fears of a wave of
'Bluetooth spam'. The commissioner no longer considers the wireless
connection technology to be covered by the UK's privacy laws.
The Information Commissioner upholds the privacy and electronic
communications regulations which control the sending of unsolicited
marketing messages. That prohibition will now not extend to
Bluetooth technology, the ICO has said.
The Commissioner's guidelines have until now insisted that users
opt in to receive Bluetooth marketing in the same way that they
have to with other forms of communication. That will no longer be
the case, prompting fears of a surge in unwanted
communications.
"It is going to be a complete free for all," said Troy Norcross,
a mobile marketing consultant with New Media Edge. "I call it blue
spam for a reason."
The Kwik-fit garage chain is being taken to court accused of
violating musical copyright. Royalties agency the Performing
Rights Society (PRS) is suing the company because of the volume at
which it says mechanics play the radio while working.
The PRS says that because mechanics play their music loudly
enough to be heard by colleagues and customers, it constitutes a
performance of the music which triggers royalty payments to artists
through it.
The case came before the Court of Session in Edinburgh last
week, where a judge said he would not dismiss it. The PRS is
claiming £200,000 in damages.
"Kwik-fit has been given every opportunity to take out the
appropriate licences but they have refused," said a PRS statement.
"Court action is regrettable but Kwik-fit’s actions have left us
with no choice."
That was this week's OUT-LAW news.
There is an aphorism in the legal world that hard cases make for
bad law. It could have been written for the case of Karen Davies
and her mother's attempt to find out how she died.
Davies died in 1998 at Epsom General Hospital aged 33. In 2003
it emerged that the hospital had admitted liability in her death
and paid compensation to her widower Richard Davies for him and his
two children.
Karen Davies's mother Pauline Bluck sought more details about
her daughter's death, but Richard Davies, who was Karen's next of
kin, refused access to her medical records.
Bluck began a freedom of information campaign for access to the
records that was to take her unsuccessfully as far as the
Information Tribunal. It agreed with the Information Commissioner's
earlier ruling that she should not have access to the records
because those records were provided by a third party.
The tribunal said that there is an exemption in the Act for
confidential information provided by third parties. Sue Cullen is
an expert in freedom of information for Pinsent Masons, the law
firm behind Out-Law. She says that the reasoning given could
undermine the whole FOI Act and put almost any government record
out of reach of freedom of information legislation. She explained
the exemption.
Sue Cullen: What has been tried and followed
through is the section 41 exemption for confidential information.
What he actually says is that if information was obtained by the
public authority from a third party which to most of us means from
outside the authority and it is truly confidential in nature such
that if they disclosed it then there would be an actionable breach
of confidence then again it is absolutely exempt.
Magee: There is a problem though, says Cullen:
can a medical record really be deemed to have come from a third
party, or is it actually something that the hospital creates
itself?
Cullen: The finding that I thought was
extraordinary was that medical records made by the hospital about
its patients - namely the deceased woman - counted as information
obtained from a third party. What they said was well they got them
from the deceased person so that is a third party so that is fine.
That does not seem to make any practical sense.
I think the hospital surely generates its own records through
its own agents, the doctors and nurses, and they make the records
from their observations and they might get some of it from the
patient herself. But I mean if you go into hospital in a coma you
are not exactly imparting the information to the hospital they are
making their own observations and records about you that has got to
be an internally generated record. So I do not see how it can be
used. How the Section 41 exemption can be used in relation to
records the hospital makes about its patients because it will not
be information that it got from a third party that is my problem
with the decision.
Magee: The implications of the Information
Tribunal's judgement are staggering. Bureaucracies gather data from
people and put them into files and records - it is what
bureaucracies do. If the same rule were applied across the world of
government almost every record would be exempt because it contained
information from a third party even though the record had been
created and processed by the bureaucracy itself.
Cullen: If you are going to say that any
information which was somehow gathered by the organisation with the
assistance of people outside or from people outside, if you are
going to say that the confidentiality exemption is not limited if
you like to information supplied to you by an outside person which
is the wording of the section 41 exemption, then I think there is
an argument that as most information held by most organisations is
something that they would regard as confidential. If it genuinely
is confidential then most of the internal information arguably
would be absolutely exempt.
Magee: The precedent could threaten the very
purpose of the FOI Act by closing a door of secrecy on all
officialdom and it may even be that there was another route opened
to the tribunal that would not have such drastic potential
consequences. Cullen said that it might have been possible to rely
on the Human Rights Act.
Cullen: Maybe there is a legal prohibition
about giving this out because you have got article 8 of the Human
Rights Act the European Convention on Human Rights which says that
everyone has got a right to a private and family life, and if the
surviving family members if their privacy would be adversely
affected by disclosure of a deceased family member's medical
records that could breach article 8 which could be a breach of the
Human Rights Act, and that can be hooked into the Freedom of
Information Act via section 44 which says if there is a statutory
prohibition on disclosing the information then it is absolutely
exempt. So that might be another route to try.
Magee: The legal contortions involved here need
not have been attempted had the case turned up in Scotland.
Scotland's FOI Act has a very simple insertion that says that the
health records of the dead are exempt from the Act. It was the lack
of such a line that leads to this judgement which could send a
warning bell for the usefulness of all of the Freedom of
Information Act.
When OUT-LAW conducted an investigation last year into how
internet service providers felt about sharing WIFI connections we
found that they did not like it one bit – seven out of ten of the
top ten banned it altogether.
There is an even bigger risk with sharing than just breaching
your ISP's terms and conditions, though. The indiscriminate sharing
of a connection can land you in extremely hot water. If you
generously share your internet access with the world by opening up
a local WIFI network you are inviting people to do whatever they
like online while masquerading as you.
If someone sitting in a car outside your house with a laptop
trades images of child abuse or conducts a smash and grab raid on
someone's online bank account, the police will come to your door,
not theirs, and you will have a pretty sticky time of it trying to
prove that the activity which came from your IP address was carried
out by a stranger.
One company has been working to change that. FON, a Spanish
company, has been selling routers which automatically share WIFI
with other FON subscribers, and they could be about to hit the big
time in the UK, having persuaded one of the big boys to change its
tune.
BT has signed up to FON and now encourages its subscribers to
share WIFI. Peter Smyth is Vice President of converged services at
BT's chief technology office. He explains the idea.
Peter Smyth: What we decided to do is actually
have what we call traffic separation so that the home user actually
has their own IPsec tunnel and when they actually authenticate
themselves to the network then basically their traffic is in their
own separate tunnel. From the network point of view it looks like
two different broadband connections, and they are going to
different places so that there is clear separation between the
activity of what the home user does and what the actual visitor
does.
Magee: So the big question is: how safe is it?
If I share my BT connection through the new system will I be on the
hook for some stranger's transgressions? Smyth is confident that I
will not.
Smyth: In terms of the actual transmission of
the information they are in separate tunnels which are separately
encrypted so that way you can show clear differentiation between
what actually happens on the home user's side and what actually
happens on the visitor's side.
Magee: A security scare this week, though,
could not have been more poorly timed for BT's plans. Security
researchers have published information that they believe exposes a
vulnerability in the BT home hub that runs its home internet
access. They say that code on a malicious website could open a back
door into a person's home internet access.
A BT spokesman told OUT-LAW that a new security upgrade being
pushed out to routers should solve the problem, but it may make
some potential users think twice because of any potential future
vulnerabilities.
Smyth, though, says that he is confident in the WIFI sharing
system, and that he believes it is good enough that it will stand
up in court.
Smyth: We believe absolutely that there is
clear separation between the activities and identity and we believe
therefore that it would stand up in court if it ever came to
that.
That's all we have time for this week, thanks for listening.
Why not get in touch with Out-Law radio? Do you know of a
technology law story? We'd love to hear from you on radio@out-law.com.
Make sure you tune in next week; for now, goodbye.
Out-Law radio was produced and presented by Matthew Magee for
international law firm Pinsent Masons.