Some people have alleged that GCHQ is exploiting a technical loophole in legislation that allows them to intercept external communications - that is, communications either sent or received outside the UK - at will and without authorisation. This is... nonsense.
Notice how she doesn't say that mass state surveillance isn't going on, she is merely saying that it isn't happening without authorisation. Personally I'd be rather shocked if she said that it was going on without authorisation as (if ministerial responsibility meant something) it would be her job on the line. The Government has already made it clear that it believes mass surveillance is perfectly legal, and the authorisation needed for it is simply a piece of paper, signed by May or one of her colleagues once every 6 months.
It doesn't care about technology, it cares about intention and effect.
Technologically there is little difference between downloading to a cache and downloading to another part of a drive for long-term storage.
But in terms of intention and effect it is pretty clear there is; the former has a "transient" quality, the latter has a degree of permanence. The former is incidental to viewing things, the latter is a deliberate act to make a copy for later.
Except The City of London is not part of the sovereign nation of Great Britain.
Technically this is true, but only because Great Britain isn't a country that exists any more. While the City of London's governance is weird and it has some special treatment, it is still bound by the laws of the UK, including issues of due process. The way the police can get around this is by asking DNS providers to hand over the stuff voluntarily. Then if anyone is breaking the rules it is the DNS provider and the police are in the clear.
CoLP's PIPCU people are funded by the UK's Department of Business, Innovation and Skills, not the City of London Corporation. BIS is responsible for many copyright things (including the proposed copyright exceptions) and it is possible they agreed to fund PIPCU for two years (£2.5m in total) in exchange for alphabet-soup not putting up too much of a fight about the copyright exceptions. Of course, that hasn't worked, and the important ones have been delayed for months (possibly indefinitely) due to the record label lobby groups, but that's politics for you...
While I agree with this point, I'm not sure it is even relevant. I skimmed the majority opinion and they don't seem to have said that laches doesn't apply, just that it isn't necessarily an absolute bar on the case. I think they're saying that the court should look at both the statute of limitations and issues around laches before deciding whether or not to throw out the case and, on these facts, the case should go ahead. There was a mention of limiting the availability of equitable remedies, though, due to the delay.
I think the later part of that article is the important bit, where the lawyer suggests that Google could just refer the requests to the ICO to deal with. As the article notes, this is about removing "irrelevant and outdated information". I'm not sure if any of the three examples classifies, or if their right to privacy about that information will outweigh the wider public interest in the information being accessible.
But search engines do go against privacy because they process private information. Search engines play a huge role in helping people find stuff online - a site doesn't exist to the vast majority of people if it isn't indexed by search engines. Search engines make it easy for people to find stuff, and if that stuff is private, the search engines shouldn't be helping to make it easier for people to find it. Which is kind of what the first paragraph I quoted is all about.
EU law works on proportionality. As the ruling notes, search engines have a major role in letting people find stuff online. If search engines stop linking something, that can have a big effect in keeping it from being found, even if the actual sites are still publishing the information. Removing it can be a proportionate response.
For things like criminal convictions, many systems in the EU already have rules whereby convictions become spent or secret after a while - stuff remaining on search engines would go against this.
Interesting to see that many commentators in the UK are quite happy with the idea behind this. I think this is the key section of the ruling:
It must be pointed out at the outset that... processing of personal data... carried out by the operator of a search engine is liable to affect significantly the fundamental rights to privacy and to the protection of personal data when the search by means of that engine is carried out on the basis of an individual’s name, since that processing enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that can be found on the internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him.
People in the EU care about privacy, and search engines go against privacy.
Another key quote which is missing from most summaries is this one:
Whilst it is true that the data subject’s rights protected by those articles also override, as a general rule, that interest of internet users, that balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life.
As with pretty much all EU law, the key concept is proportionality. A search engine is processing personal data, and making personal data available to the public, which may be an interference with a person's right to privacy. If that interference is disproportionate to the end achieved (such as reporting on events, journalism and so on), it is illegal and the person can apply to have the processing stopped.
Of course, while this proportionality idea sounds great in theory, in practice it comes down to having to work out everything on a case-by-case basis, and as we've seen with copyright, that generally means that Internet operators will do whatever they're asked - at least by rich people who can afford to go to court.
As an aside; to those saying that Google isn't the Internet or that the CJEU doesn't understand technology, read the judgment. The CJEU deals with these issues - the ruling covers any processing of data - by Google or any other search engine.
Who is going to cover the millions the UK Government spent working on the statutory scheme?
And who gets to decide what goes into the "educational" letters; at least with the statutory scheme there was some oversight of both the content of the letters and the evidence-gathering process, now we have neither.
So for £75k a year the BPI gets to send propaganda to millions of people. Money which I imagine will come out of the artists' and writers' shares of sales. And ISP subscribers have to cover the other 25%. And the general public gets screwed for the millions already spent setting this up.
All on the back of no evidence.
And to top it all, this week we find out that - due to pressure from the UK music publishers (and friends), we won't be getting some of the key new copyright exceptions any time soon. They were supposed to happen at the beginning of next month, but now it may be October, if ever.
What happens to those laws will depend on how those countries have implemented it. And how the Charter of Fundamental Rights of the EU works.
In some theories, the CFREU applies to any EU law and any domestic law that is implementing EU law. So if the Data Retention Directive breaks the CFREU, any law trying to implement it will also break the CFREU and therefore be illegal. Depending on how that country handles legality of laws.
In the UK things are a bit weird as the Directive was implemented through a "Regulation" - which is a special kind of secondary legislation that the Government has the power to rush through under the original EU-joining Act. But this power can only be used to comply with EU obligations - and if the Directive is invalid, the Government couldn't have used the power to introduce the Regulation - meaning that the Regulation is illegal.
So... over the next few days expect the various national governments and ISPs to come out with their plan for what they're going to do next.
However, the subsection is, imho, ambiguous - something I brought up with the IPO during their technical review of these exceptions, and something I need to chase up with them again given that the Government's response isn't clear either.
The law says:
The following persons have the same rights against B as a copyright owner has in respect of an infringement of copyright—
If that means "these people have" "the rights a copyright owner has when their copyright has been infringed" then those rights are the right to sue for damages, injunctions etc. and so they can sue you if you circumvent DRM - whether or not there is an underlying infringement.
But if it means "these people have" "the rights a copyright owner has" "when there is an infringement of copyright" then they can only sue you when there is an actual copyright infringement. So you can circumvent DRM for personal use once this new exception comes into force.
Interestingly, it may be that the relevant EU law wouldn't allow circumvention even when not infringing copyright, because a couple of key words were missed when the WIPO Copyright Treaty was turned into an EU Directive... funny that.
Regs permit 5% or 1 chapter or 1 article only to be copied. So photographing more than this is a real issue
I'm surprised they're still pushing this given that it is no longer legally true. The Courts have confirmed that there are no quantitative rules as to what can be copied with it being not covered by copyright; the rules are qualitative instead. Plus they seem to conflate the "substantial copying" test with the limitations for research and private study.
It's almost as if the people writing the BL's page on copyright don't really understand copyright law either.
Still, their claim about privacy might work, and if not taking photos is a condition of being allowed in there may be some issue of breach of contract or trespass. Not that those would necessarily be justified...
A minor point to correct; I may be wrong but it is usually the Council of the European Union - not the European Council - which has to sign off on these types of measures.
The European Council is the head of Governments of the Member States and sets the broad policy agenda of the EU. But their involvement in legislating etc. is fairly limited.
The Council of the EU is the other half - along with the Parliament - of the EU's legislature. Like the US Senate used to be, it represents the interests of the Member States rather than the people and is made up of the relevant ministers from the national governments.
It's also not to be confused with the Council of Europe, which is a completely different thing (not part of the EU) and runs the ECHR and so on.
Reading the IPKat's coverage of this story it seems that Italy may have a specific law providing rights in relation to classical art works. So it is a form of special statutory "copyright" (in the sense that it prohibits copying), that seems to be unique to Italy.
Although now I'm wondering if a case could be made that it violates some kind of EU law.
Which raises the question, why aren't these vicious, dangerous, career pedophiles being indicted and prosecuted?
Because they're exempt from normal laws - or wasn't that already clear? Members of GCHQ (and the other intelligence services) have their own special opt-out from the English law on indecent photographs of children. They can download, share or create as much child porn as they want, provided they do so "for the exercise of any of the functions of GCHQ."
I guess these issues haven't been debated enough...
You can either provide the password, and thereby grant access to the encrypted HD/flashdrive, providing evidence of your guilt should there be anything incriminating among the encrypted files, or refuse, and be charged with that.
The court's reasoning for this not being self-incrimination hinged on the difference between the encrypted information and the password. It is the information that is incriminating, but that exists independently of the defendant. The defendant is being compelled to provide the password only, which itself isn't necessarily incriminating. The court did note that there could be circumstances where the defendant's knowledge of the password would be incriminating, but then it would be open for them to argue that that information should not be used as evidence at trial.
It's also worth remembering that this is a pre-trial issue (or even pre-charge). It is part of the initial investigation. So if there are problems with self-incrimination that can be dealt with at a pre-trial hearing.
The Court's position seems to be that this law isn't designed to get around self-incrimination, but get around the fact that it is much harder to crack an encrypted drive than break open a safe.
Lauri has been charged with no crime in Britain, yet their government is still invoking this law to attempt to force him to provide information that could incriminate him or damage his defense should he go to trial.
Just to be really picky, but failure to disclose a password when ordered to by the court using the Part III RIPA procedure is a crime. So failing to disclose it can lead to being charged with a crime. Generally there is some underlying crime being investigated (in this case the hacking), but I'm not sure they have to charge him with that crime.
The issue of whether this s49 power goes against rules on self-incrimination has been quite widely debated, but so far the English courts have decided that it doesn't.
Obvious; which is why it has been posted over 70 times across various subreddits. And that's just the original link, not secondary articles, or the TechDirt analysis, or the follow-up article about it being censored.
For being great at social and technical engineering, the NSA really suck.
Perhaps some subreddit mods are just fed up with the same story being posted again and again.
Or perhaps it is actually GCHQ's JTRIG lot being really sneaky; posting all these extra versions and comments about censorship - causing distrust of the subreddits' mods, reddit in general, and distracting from the real story. It seems to fit well with what was in the leak. But perhaps that is too paranoid of me.
The question is: how did he know there were 58,000 GCHQ documents if the hard drive was encrypted?
From what I remember of the witness statements and the judgment there was an index file on the drives that wasn't encrypted or to which Miranda did have access. Secondly, I think the UK Government had some idea of what documents Snowden had taken (possibly all the set that they had shared with the NSA?), so just needed to match the encrypted documents up with what they thought was copied.
The police had reported that they'd decrypted a few of the documents before the hearings happened, so either they had passwords, or were able to reverse the encryption by knowing what the files were.