Sunday, December 28, 2014

Non disclosure agreements (NDAs) for IT Projects.

An NDA can be defined as a contract in which two parties agree to share information for a certain purpose while restricting access to that information by third parties. It acts as a means of ensuring that the intellectual property rights (IPR) of a firm are protected.


This allows a client to secure any IPR and also prevents too much exposure, which could affect any future patent applications. It also serves to clarify who owns the copyright. Instances where NDAs should be considered are:
- where there is outsourcing for new blue-skies project work
- transfer of data into the cloud
- acting within an existing system to add additional services.
In the latter case, all aspects of the ETL cycle would be under investigation, which involves the non-client party gaining considerable insight into the client's business. Hence some form of agreement is required.

What does the NDA cover? This should be both the code itself and the sources of the data, as well as the transformed information. However, one area which can be negotiated is the re-use of meta-material, the processes and scripts which were used during the project: i.e. whether this devolves entirely to the client or can be freely implemented in other projects.

Audits provide a means to ensure that NDA procedures are being adhered to. Elements of an audit might include investigation of specific documentation or visits by vetted client personnel to observe procedures. However, if the terms of the audit are too broad, with the client overseeing all elements of the other party's work, this would act as a delay on the project. Hence some measure of balance is required.

The issue of penalties should also be considered. These would come into effect if the terms were breached. It is not uncommon (as mentioned in Cloud Computing by Millard) for clients to seek unlimited liability for such breaches, which for the other party is very much a show-stopper. In passing, while there are elements of similarity, the NDA is not a non-compete agreement; the latter has to engage with elements of employment law.

Thus NDAs are at best a means to provide a support framework, so long as they do not devolve into a strait-jacket that sabotages the work of the parties.


Sunday, December 21, 2014

The Sony cyberattack and the Legal options, in war and peace.

A series of recent news reports indicate that the Sony corporation in the US has been subject to a cyberattack. The result was the compromise of the corporation's internal systems, with the disclosure of both intellectual property material and private personal data relating to employees, in the form of movie scripts and emails. As one motive of the attack was a Sony film which denigrated the North Korean regime, "The Interview", that regime is currently thought to be the prime suspect.

From a legal perspective, what actions can the various stakeholders pursue, in the context of how such international cyberattacks should be dealt with? These can be placed in the context of earlier such attacks and the framework subsequently created to pursue legal or other socio-political actions.

In 2007 the Baltic state of Estonia was targeted by a series of cyberattacks, mostly on public sites. As it was believed to be related to moves by the Estonian government purported to be anti-Russian, that neighbouring country was thought to be the main culprit. While this was never proved to be linked to the Russian government, traces of the cyberattack were connected to known pro-Russian sites. The actual damage was done by the targeting of infrastructure websites, incorporating defacement and DDoS, which essentially made these unusable. This had a major impact, as Estonia had pursued a digitization of essential services: the result was the seizing up of state utilities.

In the wake of this the Tallinn Manual was crafted as a rule book to meet future attacks. In parallel, as Estonia was a member of NATO, it was declared that any such cyberattack on a member state would be regarded as an attack on all. The response was to be proportionate, but kinetic weaponry was not specifically ruled out.


Thus the differences between this and the Sony attack are that a private company was the subject of the attack, and that the incident, while seemingly well planned, did not extend over the same length of time. So in light of this, what are the US government's options as per Tallinn Manual rule 11: ‘[a]‌ cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force’?


First, was this an act of armed conflict/war? While Sony is a private company, the militarization of North Korean society would imply that any such attack would have the backing of their armed forces. Given the economic damage caused by the attack (loss of confidence in Sony and its cancellation of the film "The Interview"), this breaches the prohibition on the use of force in Article 2(4) of the United Nations Charter.
Second, even if it were so, then unlike physical-world attacks, the identity of the perpetrators in cyberattacks might be cloaked and difficult to trace. For instance, the authors of the Stuxnet attack have not been definitively identified, only suggested.

So, to sum up the author Roscini's position, the response has to be proportionate to the damage. While the private nature of this incident precludes an armed state response, in different circumstances with different actors such a response can never be ruled out.





Further Reading
- Who Controls the Internet by Tim Wu
- Cyber Operations and the Use of Force in International Law by Marco Roscini

Sunday, December 14, 2014

DDoS and the law.

A distributed denial of service (DDoS) is where a computer cannot correctly function due to an intentional act which incapacitates the channels (ports, in IT parlance) on which a computer depends to communicate with the outside world. The mens rea and the actus reus are thus summed up. The DDoS usually comprises a number of infected computers (a botnet) acting in concert against the target, thereby overwhelming any attempt to block individual IP addresses. A physical-world analogy would be being unable to leave one's house because someone is using a tennis ball machine to throw items at the doors and windows, trapping the occupant and not allowing anyone else to enter. This would be illegal in the analogue world, so how is it dealt with in the digital one, and why does it occur?


The good news is that a DDoS is unlikely to be targeted at single users. There are other, easier ways to target individuals, and the real IT issues are more likely to be the problem (mis-blocked ports, firewall settings etc.). However, to paraphrase the Sutton rule on illicit money, commercial enterprises are vulnerable to this type of attack. Not only is there a need under normal circumstances to be in operation 24/7; in seasonal sales periods such as Christmas there is additional pressure to respond to any outage. If a business is unable to respond to user requests, then that sales opportunity is likely gone. Thus even if there is no associated damage or corruption, which could occur in a virus- or Trojan-based attack, the loss of goodwill and customers would cripple a business. So what are the means to deal with this under law and enforcement?

The Police have some measure of discretion in the enforcement of legal matters. There would be a difference between a minor matter affecting only one person and, at the other extreme, a serious issue affecting a group. However, while the Police have become more tech-savvy, with an increasing online presence (Anderson's "The Internet Police"), due to the potentially global nature of any DDoS attack they are unlikely to be of immediate assistance during an attack. Thus an IT department which has planned and drilled for this outage is a key requirement for handling such attacks.

Once the immediate DDoS is over, what are the legal avenues to explore? In statute, due to the evolving nature of IT, the various acts which deal with computer crime are written as broadly as possible so as not to become obsolete, with the common law filling any lacunae. Thus, as the key effect of a DDoS is to deny the user proper use of his computer, a Criminal Damage Act which covers actually impairing, threatening to impair, or controlling items which damage property would be relevant. There might be more specific provisions in the UK's Computer Misuse Act, under sections mentioning degradation of the target's PC functionality. All of these come under the remit of the steps required to be taken under the Council of Europe's Cybercrime Convention. Thus, as per section 5, this provides a push to enact relevant laws which can deal with DDoS:
"Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offenses under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data."


An example of a court case involving DDoS would be the UK's DPP v Lennon. Here the defendant was convicted for email-bombing (a type of DDoS attack) his former employees, blocking their IT system. Finally, the extortion element of such attacks could be followed up in any civil or criminal actions.



Sunday, December 7, 2014

A Saga of Copyright : Authors Guild, et al.v. Google.

A saga can commonly be held to be a long tale involving many parties interacting within a complex environment, seeking to overcome both their own flaws and outside forces. A classic example would be the Eddas of Iceland. While not as long-running or (as yet) as bloody, there is a similarity between the Icelandic sagas and the multitude of legal pleadings of the parties before a judge, and the search for justice and fairness, in the dispute which has embroiled Google Books; this continues as per the latest in Authors Guild, et al. v. Google.

The background to this is that Google has positioned itself as the premier search engine company in the global economy (see "How Google Tests Software" by Whittaker for an interesting insight into how this is achieved). The mission of this company can be captured in a desire to make the world's information searchable. As a large part of this heritage of information exists outside the digital format, in paper-based books, in 2004 Google began to convert the physical to the binary by scanning in books. This, however, was done without the permission of the copyright owners (leaving aside books which were in the public domain or without known authors), and in 2005 the US-based Authors Guild brought a copyright infringement suit, with Google's defence being that of "fair use".

This term originates from the US case of Folsom v Marsh (1841), whose facts revolved around a book about one of the American rebel leaders, George Washington, and the correctness of being able to quote sections of that book. Four main elements for allowing such quotes were enumerated as being:
1- the purpose of such quotes and whether they were of a commercial nature
2- the original work and whether it was copyrighted
3- the percentage of the work quoted
4- how this might affect the commercial aspect of the work

The saga initially looked to have a fairly benign ending with an agreement between the parties, but this was rejected on the grounds of unfairness. The excellent IPKitten site has commented that whichever side is the victor, it will mark a key ruling on how "fair use" is to be viewed in terms of transformative (from physical to digital) use of copyrighted material.

In the European context, how the moral rights of the author might be affected, given the less than perfect technology that underlies scanning, could also be an issue. Either way, the Google Books saga, like any good saga, will likely continue to provide years more topics of interest.



Sunday, November 30, 2014

Online freedom of expression : human rights and exceptions.


There are numerous human rights conventions, both global and regional: for example the UN's Declaration and the European Convention on Human Rights (UDHR & ECHR). The signatory parties are obliged to respect certain restrictions on the State's power to regulate certain aspects of their citizens' behaviour. The theorist Prof. Eric Posner suggested in his book "Twilight of Human Rights" that authoritarian states do so because it establishes a patina of respectability in the international community, while the more liberal states believe their own constitutional freedoms are equivalent to their convention obligations and regard it as a pro-forma exercise. As with any of the convention articles, there are very few absolute rights contained within. The signatory documents also contain numerous exceptions. For instance, the ECHR places express limitations in Articles 8-11.


Thus, concentrating on one of these rights: freedom of expression. This has been held to be a right that "constitutes one of the essential freedoms foundations of a democratic society" (Handyside v UK 1976). One question, though, is how freedom of expression is regulated in an online environment from the perspective of authoritarian and liberal jurisdictions. In each case, other rights have been put forward as a reason to restrict it. For instance, according to Prof. Tim Wu in "Who Controls the Internet", China justifies speech restrictions with a mixture of justifications drawn from the needs of state security and the argument that the social good requires a stable society, which is the basis of a functional economy. Whilst liberal nations may not stress the security aspect, they also base restrictions on the need for the greater social good. As Wu mentioned, France expended considerable resources against Yahoo to prevent Nazi-related material (illegal under French law) being sold in that country in the early days of the Internet. At a Convention level, the main case on imposing limitations on expression is Gunduz, where a limitation on freedom of expression (for instance in incitement to hatred) was upheld, as the expression was deemed to be contrary to the societal good.

However, as authors such as Jacobs (author of the text "European Convention on Human Rights") mentioned, there are qualifiers. One is context, as per Jersild (if it were part of a media discussion), and another is whether it were part of a political speech, as per Surek (albeit this was a split decision). These seem to suggest that limitation is possible in both circumstances, but the authorities would need to reach a fairly high bar to prove that this was the case.


Also, for ECHR rights in general, the restrictions must be ones authorised by the convention and "shall not be applied from any other purpose other than those for which they have been prescribed". The conclusion from Jacobs seems to be that the court would frown on all but the narrowest restrictions on rights, but this is very fact-specific, depending on the case. Hence there is a difficulty in establishing hard and fast rules.

Sunday, November 23, 2014

How to protect Medical Data

Medical information and Database Systems


How does one model a data system? This was a question posed in a recent discussion. Normally this should be implemented based on the best practice of database analysis and requirements engineering.

This therefore involves a number of stages.

1- Talk to the clients
2- Create various use cases
3- Model the data using Entity-Relationship Diagrams
4- Normalise the Data from above.
5- Create the database

None of these directly impinges on legal matters, beyond the normal contractual obligations a designer owes the employer and the standard data protection rules that are now present in nearly all jurisdictions.

However, there is one aspect of data modelling where special emphasis is needed: sensitive data, specifically data which has its origins in medical patients. Sensitive data is of the kind mentioned in the EU's Data Privacy Directive Article 8 as "racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health". Given the confidential nature of the Doctor/Patient relationship, there must be a reasonable expectation of privacy.


Therefore the best practices which can be designed to secure this are:
- Ensure that there is adequate physical security. For instance, where the data is being processed on site, simple steps such as requiring secure IDs to enter a lockable room should be standard.
- Ensure that there is adequate electronic security. Access to computers must depend on at least one stage of security; such as fingerprints or passwords unique to each user.
- The Sysadmin ensures that virus protection is functional and has a process for updating and patching the underlying operating system to combat zero-day exploits.
- Use the database system itself as a tool to provide security. Instead of allowing a normal user to view the underlying table, create views which expose only the data the user needs to fulfil their role, and no more. In addition, enable auditing of who viewed, updated or deleted records; this provides an excellent tool for investigators overseeing any potential issues.
- Finally, if the data were encrypted, this would potentially foil any large-scale data breach.
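As an added illustration of the fourth point (views instead of base-table access, plus an audit trail of who viewed, updated or deleted records), the following PostgreSQL script is an example written for this post; it is not code from the original article. The table, column, role and function names (patient, patient_audit, ward_clerk, clinician, read_patient_clinical) are assumptions made up for the illustration, as are the two sample rows.

```sql
-- Added example: role-based views and an audit trail for a hypothetical
-- patient table, written for PostgreSQL. All names are assumptions.

CREATE TABLE patient (
    patient_id    serial PRIMARY KEY,
    full_name     text NOT NULL,
    date_of_birth date NOT NULL,
    diagnosis     text,                 -- sensitive: health data
    ward          text NOT NULL
);

-- Constructed sample rows, not real patients.
INSERT INTO patient (full_name, date_of_birth, diagnosis, ward) VALUES
    ('Sample Patient A', '1970-01-01', 'sample diagnosis', 'Ward 1'),
    ('Sample Patient B', '1985-06-15', NULL,               'Ward 2');

-- Audit trail: who did what, to which row, and when.
-- session_user (not current_user) is recorded because the logging functions
-- below run as SECURITY DEFINER, where current_user is the function owner.
CREATE TABLE patient_audit (
    audit_id   bigserial PRIMARY KEY,
    patient_id integer,
    action     text NOT NULL,                          -- SELECT/INSERT/UPDATE/DELETE
    changed_by text NOT NULL DEFAULT session_user,
    changed_at timestamptz NOT NULL DEFAULT now(),
    old_row    jsonb,
    new_row    jsonb
);

-- Row-level changes to the base table are logged by a trigger, whatever
-- view or statement caused them.
CREATE OR REPLACE FUNCTION patient_audit_trigger() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        INSERT INTO patient_audit (patient_id, action, old_row)
        VALUES (OLD.patient_id, TG_OP, to_jsonb(OLD));
        RETURN OLD;
    ELSIF TG_OP = 'UPDATE' THEN
        INSERT INTO patient_audit (patient_id, action, old_row, new_row)
        VALUES (NEW.patient_id, TG_OP, to_jsonb(OLD), to_jsonb(NEW));
        RETURN NEW;
    ELSE
        INSERT INTO patient_audit (patient_id, action, new_row)
        VALUES (NEW.patient_id, TG_OP, to_jsonb(NEW));
        RETURN NEW;
    END IF;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER SET search_path = public;

CREATE TRIGGER patient_audit_trg
AFTER INSERT OR UPDATE OR DELETE ON patient
FOR EACH ROW EXECUTE FUNCTION patient_audit_trigger();

-- Two roles with different needs: a ward clerk manages beds and never needs
-- a diagnosis; a clinician does.
CREATE ROLE ward_clerk NOLOGIN;
CREATE ROLE clinician  NOLOGIN;

-- Nobody except the table owner touches the base table directly.
REVOKE ALL ON patient FROM PUBLIC;

-- Each view exposes only the columns that role needs to do its job.
CREATE VIEW patient_admin_v AS
    SELECT patient_id, full_name, ward FROM patient;

CREATE VIEW patient_clinical_v AS
    SELECT patient_id, full_name, date_of_birth, diagnosis, ward FROM patient;

GRANT SELECT ON patient_admin_v TO ward_clerk;
-- A simple single-table view is updatable, so updates through it still
-- fire the audit trigger on the base table.
GRANT UPDATE ON patient_clinical_v TO clinician;

-- Triggers do not fire on SELECT, so reads of the sensitive view go through
-- a function that records the reader before returning the rows.
CREATE OR REPLACE FUNCTION read_patient_clinical(p_patient_id integer)
RETURNS SETOF patient_clinical_v AS $$
BEGIN
    INSERT INTO patient_audit (patient_id, action) VALUES (p_patient_id, 'SELECT');
    RETURN QUERY SELECT * FROM patient_clinical_v WHERE patient_id = p_patient_id;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER SET search_path = public;

REVOKE ALL ON FUNCTION read_patient_clinical(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION read_patient_clinical(integer) TO clinician;

-- Usage (as a superuser, switching roles to check the effect):
SET ROLE clinician;
SELECT * FROM read_patient_clinical(1);          -- allowed, and logged
UPDATE patient_clinical_v SET ward = 'Ward 3' WHERE patient_id = 1;  -- logged
RESET ROLE;
SET ROLE ward_clerk;
SELECT * FROM patient_admin_v;                   -- allowed: no diagnosis column
-- SELECT * FROM patient;                        -- fails: permission denied
RESET ROLE;
SELECT action, changed_by, changed_at FROM patient_audit ORDER BY audit_id;
```

The design point is that the base table is reachable only through objects the owner controls, so the audit table cannot be bypassed by a role that was never granted the table. Encryption of the diagnosis column (the fifth point above) would sit on top of this, for instance with the pgcrypto extension, and is not shown here.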

Medical data is valuable. The UK's NHS has advanced plans in place to sell such data to companies - link. This data will undergo anonymization so as to purge the personal details of patients, thus removing the data from the remit of the EU Data Directive. That this process can sometimes be undone is known from such well-documented cases as Netflix.

Thus this implies a need to design security considerations into the DNA of any database system which processes medical records. This should be done both to protect a valued economic resource and to remain within a statutory duty.

Sunday, November 16, 2014

TLD and the US domestic law

ICANN still do it.

TLD stands for Top Level Domain. This is part of the protocol schema that allows the Internet to function. Within the TCP/IP stack, the former can be conceptualised as the envelope (holding a data packet) while the latter is the address. This address can be either numeric or in the more human-friendly format: e.g. bitter-crank.blogspot.com. The TLD ".com" is an example of an address used by a commercial entity, while an address such as news.bbc.co.uk uses the TLD ".uk" to denote a site connected to the United Kingdom.

The background to this is that at the dawn of the Internet era, such addresses, like the technology itself, were under the de facto control of the US, due to the ARPA funding of the research that laid the foundation of the Internet (see the book "Where Wizards Stay Up Late"). However, in the 90s, as the US moved to divest itself of full control of Internet policy, a body known as ICANN was contracted by the US Dept. of Commerce to handle such matters. This would allow a diverse, multi-stakeholder international model of Internet governance to emerge.

Following this, the collection of state TLDs also includes those of countries such as Iran, Syria and North Korea: nations unfriendly to the US. According to the ICANN website, https://www.icann.org/resources/press-material/release-2014-11-12-en, a trial judge in the District of Columbia Circuit court dismissed an attempt to seize their TLDs as assets (due to an alleged connection to state terrorism, in a series of conjoined cases). The ruling's reasoning was that, as per the initial action of the Dept. of Commerce noted above, the TLDs were held under a type of contractual right and hence were outside the remit of the remedy sought by the plaintiffs.

If the case had been decided another way, what would this have resulted in? Not the destruction of the Internet in those countries. Due to the hierarchical yet diffuse nature of web addressing, it should have been possible for those countries to retain the addressing but base it on a new root system within their own country. However, this would be a fragmentation which would both have decreased the open nature of the web and could have laid the foundation for other authoritarian countries to opt out of the ICANN framework. This could have had a crippling effect on the innovation potential of the web.

Sunday, November 9, 2014

Data Privacy at Work and Anton Piller Orders

Privacy is a right. But, like the majority of such rights, it is not absolute. There are usually a slew of other rights (several hundred, according to Eric Posner's "Twilight of Human Rights") which need to be balanced. Thus at work the employer also has a measured right to monitor employees, within a reasonable limit.

The cases of Halford v UK (1997) 24 EHRR 523 and Copland v UK (2007) 45 EHRR 37 suggest there also has to be a reasonable expectation of privacy at work to balance this. So if there were a credible threat of larceny involved, it would seem correct to monitor, provided the employees were informed clearly and in good time. This type of data is also a resource and so has a measure of value: for instance, if companies are being merged, then up to a certain point it would be sensible not to swap employee personal data, or at least to make real efforts to anonymise the records in a commercial context.

Thus, from an IT perspective, how does this relate to company-supplied mobile devices such as smartphones? The data found within these, in both internal and external storage, is always expanding thanks to Moore's law. Even if no personal data or apps were permitted, the fact that geo-location data is captured during non-core office hours means that not only is personal data being stored, but the protected class known as sensitive data could be viewed by employers. For instance, that an employee is going to a specialist doctor or is at a rival's place of business would not be facts that the employee would wish to share.

Employers are not the only non-state actors that could view the personal data. There is the civil search warrant present in common law countries known as the Anton Piller order. This is basically a search and seize order, and has been called the "Stealthbomber" of litigation. However, given that data protection is of EU Directive origin, it would seem that such orders need to be modified to respect the personal information of the employee.
If procedural problems with the safety of this data were shown to exist, this would call into question the proportionality of any such order and would likely result in the designated Data Protection office becoming involved. Adverse publicity and possible fines could then apply, as core individual EU rights are not lightly breached.


Sunday, November 2, 2014

Book Review: The Master Switch

The Master Switch: The Rise and Fall of Information Empires by Tim Wu



This was published in 2011 and I finally got around to reading it. The key idea behind this work echoes the concept of the “Creative Destruction” cycle in innovation. This was first posited by the Austrian economist Joseph Schumpeter: "process of industrial mutation that incessantly revolutionizes the economic structure from within, incessantly destroying the old one, incessantly creating a new one." - link.

In this book, Mr. Wu provides a legal/historical/technological context so as to show how this has affected both the development of innovation in the IT sector (e.g. telegraph vs telephones) and how this cycle is still in play in the modern digital era. Small companies challenge a traditional service provider, with one emerging to take the elder's place (the Kronos effect), and in turn it has to defend its new position against the innovations of fresh, newer challengers.

What seems to be missing is the grand sense of public service that motivated the early monopolists such as Bell's Vail; instead, the action to regulate the modern web is driven by an attempt to lock in the industrial power of past gains, such as is present in the Copyright lobby.

Overall a well-constructed, well-crafted read which places current innovations in context.


Embedded Videos and copyright

Embedded Videos




The Court of Justice of the European Union (CJEU) has recently ruled on a matter of copyright in YouTube videos: the BestWater International case (C-348/13). A German court, relying on the EU power to seek CJEU guidance on EU legal matters, referred it. The material facts were that the applicant objected that two rival contractors had linked to and embedded YouTube material from the applicant, without permission, on the rivals' website.

The legal question was:
“Does the embedding, within one’s own website, of another person’s work made available to the public on a third-party website, in circumstances such as those in the main proceedings, constitute communication to the public within the meaning of Article 3(1) of Directive 2001/29/EC, even where that other person’s work is not thereby communicated to a new public and the communication of the work does not use a specific technical means which differs from that of the original communication?”


Result: embedding a YouTube video on a third-party site is not an infringement of copyright.


Context:
Taking a definition of copyright as “that it is an identifier placed on works to inform the world of ownership” - “Fashion Law” by Ursula Furi-Perry.

My own understanding of embedding would be to hyperlink to another web-location and allow content, in this case a video, to be played.

Of interest: EU Copyright directive can be found here: http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32001L0029

Currently the judgement is only available in German.
I cannot speak German well: http://www.scribd.com/doc/244360017/EuGH-C-348-13-Framing (in German). So my understanding is sparse, to say the least.

Comment:
So, to peek beneath the surface of this ruling, there are always a number of factors which influence the outcome: the explicit ones, being both the public policy reasons for the “social good” and the founding impetus of the EU to boost trade, as well as factors, borrowed from Posner's law and economics, concerning how well the embedded stakeholders have managed to lobby so as to have their world view taken as the normative scenario. However, based on the outcome, it seems common sense has prevailed.


Long term, what will be the fallout? I.e. does the rather overused term "landmark" belong to this?

Overall, a cautious welcome. While it is rather trite at this stage to state that “information wants to be free”, it can hardly be said that material on YouTube is out of the way. The material was in no way illegally uploaded onto the site or illegally kept there by the site's owners.

In fact, the ability to disable embedding was present. If you've uploaded a video and do not want to allow others to embed your video on external sites, here's how to disable the option:
- Visit your Video Manager.
- Find the video you'd like to change and click Edit.
- Click Advanced Settings under the video.
- Uncheck the Allow Embedding checkbox under the "Distribution Options" section.
- Click Save changes at the bottom of the page.


Hence the action was overkill. De minimis non curat lex, and this is an excellent reason for that maxim to be followed. Thus the speed with which the court dealt with this can be commended.

Another interesting view on this:
“The CJEU Continues to be the Court of Common Sense: The BestWater Case Ruling or Another Good Day for the Internet” - link.


Sunday, October 26, 2014

Has Data Protection gone a step too far in Europe?


Data protection is very much part and parcel of the human-rights-driven approach that the EU has taken to personal data. Leaving aside the rather broad exceptions that are present for the state when it comes to gathering information on people for revenue and tax purposes (under section 8 of the Data Directive 1995), this is broadly a positive step. However, as the saying goes, too much of a good intention can lead, inter alia, to a poor outcome: in this case, the use of data to better serve customer needs being waylaid.

This has in part been prompted by reading the book What Stays in Vegas: The World of Personal Data by Adam Tanner. Here there are numerous negative examples of how Big Data and the prevalence of digitization have led to personal data being used for morally questionable outcomes. For instance, the use of criminal mugshots on websites for the titillation of the general populace would likely give a typical Data Protection commissioner fits. This is very much in keeping with the commercially driven agenda, where the worth of the data is key to understanding how the US crafts its rather minimalist data protection laws.

On the other hand, where commercial interests are present, so too is the technological innovation that goes hand in hand with them. Key to this was the paper, written in part by the CEO of a Vegas corporation, Gary Loveman, "Putting the Service-Profit Chain to Work", which traces the importance of the regular customer. Whilst he or she might not spend much in an average transaction, a satisfied customer's lifetime value would be the sum total of their entire spending, and as such would be equivalent to the occasional bigger spender. This insight led to more emphasis on gathering data on these heretofore unremarked segments of the marketplace, and the use of Big Data to better craft personalised products to keep them as regular spenders. As Tanner mentions in his book, in the context of gathering this data there is a market imperative to keep much of it open and voluntary, as even the suggestion of "creepiness" would lose the client and perhaps draw the ire of the legislators. In parallel, this drives the technological innovation of Big Data.

Thus, while not saying there should be a wholesale rollback of EU data protection, given that the current directive is being overhauled to make it fit for the Cloud/Big Data purpose, it would be relevant to note that the societal good can also be served by for-profit motivations.