[Cross-posted from IT Law in Ireland]
I’m quoted in today’s Irish Times on the threats made by JC Decaux against Fusio resulting in their taking down their Dublin Bikes App.
Leave aside for a moment the PR stupidity of this strategy.
Ignore if you will the dubious legal basis of their claim. (Without going into the finer points of copyright in facts, database rights, clickwrap agreements or possible passing off, the vague nature of their complaint – “Following our conversion, I confirm that you do not have the rights to use the information published on the web site http://www.dublinbikes.ie/. In particular the data concerning the stations is the property of JCDecaux and cannot be used without our prior authorisation” – makes it clear that they have little idea what they are talking about.)
Think instead about the issue of principle. A body which is operating in partnership with Dublin City Council is attempting to stop an Irish company from providing – free of charge – facts to the public about the service which they offer, without giving any justification for doing so, and without offering an alternative of their own. (I’m happy to see that at least some of our politicians understand the absurdity of this.)
I spoke to the press office in Dublin City Council today, who made it clear that they regard this matter as nothing to do with them. But why not? DCC were happy to work with Fusio to develop the app. Is there no provision in their contract with JCD establishing an obligation to provide information to the public about the service? Will they make sure that future contracts address this type of situation? (And – while I’m on the topic of the contract – why does JCD own the domain dublinbikes.ie? Is there any provision in the contract for the domain to revert to DCC on its expiry?)
[Update - since initially posting this I have asked DCC for a copy of any correspondence with JCD over this issue and with any relevant portions of their contract with JCD. This seems to be an issue where JCD would be likely to reverse their stance if pressure were applied (one would hope they understand the risks of bad publicity!) - and where an important point of principle about reuse of data could be established. You may wish to email JCD at email@example.com; you can find contact details for your local councilors here.]
September 25th, 2009
Karlin Lillington has a strong piece in today’s Irish Times about a leaked draft agreement on data retention between state agencies (the Garda Síochána, Revenue and Defence Forces) and the telecoms industry (represented by ALTO, TIF and the ISPAI). Her comments are worth quoting extensively:
A secret memorandum of understanding between State agencies and the communications industry on how to implement the as-yet non-existent Government data retention legislation, confirms longstanding concerns about who is managing the data retention agenda and to what end.
With data retention, it appears that the tail is wagging the dog, in blatant disregard for proper democratic legislative process. The agencies that want access to our call and internet data are bypassing the Oireachtas, which at least theoretically, is the body that draws up and implements legislation.
As one alarmed privacy advocate told me: “This is legislation by decree.” …
No doubt, the argument will be made – and indeed is, within the body of the 13 page memorandum – that the document exists to help streamline the process by which our data are requested and handed over to various bodies that will now be allowed to look at it. Or as the memorandum states: “to promote efficient and effective standards of co-operation between the State and the Communications Industry.”
But it is not the business of the agencies to arrange any such matters privately with the communications industry, especially in the absence of actual legislation, or any public discussion or input, or any significant Oireachtas debate on a Bill that has only recently been published and not yet debated.
A data retention bill has not been passed by the Oireachtas yet, so this extraordinary “agreement” is based on sweeping assumptions, not articles of law.
More startling is the fact that agencies and industry are making such secretive plans for co-operation at all. It is the job of the Oireachtas and, ultimately, the courts to determine how legislation will be interpreted and implemented, not the Garda Commissioner, the Revenue Commissioners or the Defence Forces by private agreement.
This is the equivalent of the Financial Regulator securing a private understanding with Irish companies and banks as to how they will be supervised and how evidence will be obtained from them for investigations.
Another concern is that the memorandum, as it stands, indicates an agreement to obtain data that goes beyond what has been proposed so far in the published data retention bill.
The memorandum arranges for communications companies to hand over ‘‘any available personal details” of an IP address user, e-mail sender or VoIP user, even though the draft Bill (as seen by The Irish Times earlier this year) only requires name and address.
The memorandum also contains an agreement to hand over the MAC address associated with a computer user – the numerical “address” of a physical piece of hardware, such as a laptop, that enables it to connect to a network – though not required by the Bill.
The memorandum concludes with supreme arrogance: a detailed schedule pertaining to what will be handed over and how, matched to the text from the “Act” – again, simply the proposed Bill the Oireachtas has not yet approved. The schedule has a column for the “mutual agreement of retained data” and another for “issues addressed and agreed”.
Excuse me? Since when do agencies and industry get to “mutually agree” how they will privately interpret and comply with publicly mandated legislation (setting aside the glaring absence of any such legislation on which to base their ‘mutual agreement’)?
The memorandum notes in conclusion that it should be disseminated within Government “where necessary” and copies of the signed agreement be filed with legal representatives and stored internally in company files.
So, we have a private deal arranged in advance, in disregard of the role of the democratically elected Oireachtas and with no public input or scrutiny, between State agencies and the communications industry on how they will interpret and act on one of the most controversial pieces of legislation proposed for the State and European Union.
Legislation that has massive privacy and security implications for citizens and for businesses, and which already has been criticised by several leading business figures from indigenous and multinational companies as a threat to Ireland’s business environment.
Such arrangements have no place in a democracy and will surely alarm businesses that have chosen to base themselves in Ireland. Revelations that they exist will not instill confidence that privacy safeguards will be respected for citizens or businesses, nor dispel concerns that other murky off the record arrangements will be made along the way.
To be fair, there are portions of the draft agreement which are highly desirable. It aims to establish a single point of contact principle, which should minimise mistakes and abuse. It seeks to have state authorities digitally sign and encrypt any email requests for information. And it clarifies the appallingly vague technical language in the draft Data Retention Bill in a way which may make it workable.
But these safeguards should be built into the legislation itself, made mandatory and enforceable by judicial supervision. Instead, this agreement leaves them to an ad hoc arrangement between the State and the telecoms industry, and admits that it is merely “a non-binding statement of understanding or agreement [which] creates no legal obligations or commitments on the signing parties”. Moreover, it does so in secret, with no public input into the process. And, as Karlin points out, in some places it goes beyond what the draft legislation would require, and commits ISPs to handing over information without any legal obligation or permission to do so.
Read the full text of the leaked agreement here.
September 25th, 2009