Adsense HTML

How should damages be assessed for privacy and cybersecurity breaches

Listen to this podcast where I discuss how damages should be assessed in privacy and cybersecurity lawsuits.

The Lawyers Weekly Show host Jerome Doraisamy speaks with Professor John Swinson, who teaches  cyber security law and privacy law at The University of Queensland, about growing awareness of data and cyber security issues and subsequent legal claims.


Amended Privacy Law in Australia

AUSTRALIAN PRIVACY AMENDMENT BILL. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 has now passed both houses of Parliament, and will be presented to the Governor General for assent.  The amendment adds substantial penalties  for serious or repeated breaches of the Australian Privacy Act.

Domain Name Disputes

With the recent introduction of "direct registration" in the Australian domain name space (e.g. anyone with a connection to Australia can register domain names such as lawprofessor.au or telstra.au), I predict that there will be a sudden uptick of auDRP disputes.  Even though .au did not launch until October 2022, as at today, three auDRP complaints have already been lodged: cointre.au, rockypoint.au and magnaflow.au.  

Some law firms are specialising in this area, such as Cooper Mills.

Google not a publisher of newspaper article that is indexed in search engine results

Google LLC v Defteros [2022] HCA 27, decided 17 August 2022 by High Court of Australia.

 

The High Court decided that for the purposes of defamation law, Google is not a publisher of a newspaper article when providing a link to the article in search engine results and a short summary of the article.

 

"The question which arises here is whether providing search results which, in response to an enquiry, direct the attention of a person to the webpage of another and assist them in accessing it amounts to an act of participation in the communication of defamatory matter. ...

 

It is not suggested that [Google] itself communicated the defamatory matter in the Underworld article, which appeared on The Age's website. Unlike the defendants in the innocent dissemination cases, [Google] did not do so by selling, distributing or otherwise disseminating the matter complained of. ...

 

The question of whether the appellant could be said to participate comes down to the assistance provided by the hyperlink to move to another webpage. This is not a strong basis for liability and it finds no support in existing authority in Australia or recent cases elsewhere." 



Facebook Data Leak

An interesting detailed article about the Facebook data leak:

https://www.digitalshadows.com/blog-and-research/the-facebook-data-leak-explained/

The leak took place in 2019.

"Initially, attackers offered the data at quite a steep price. As the data began circulating in open and gated cybercriminal forums in 2020, a listing on Russian-speaking cybercriminal forum XSS in August 2020 advertised the sale of this data for “only” USD 25,000 (see Figure 2). Listings were identified across several other forums, such as Raidforums. The sheer size of the data leakage and the wide geography it covered (106 countries) made the data a gold mine for cybercriminals. Therefore, these listings often caught the interest of multiple threat actors."

NY NFT Trademark Lawsuit by Hemmes regarding Birkin bag NFT art

A decision from Judge Rakoff from the SDNY regarding a motion to dismiss in a case involving NFTs.  See https://images.law.com/contrib/content/uploads/documents/389/164932/Hermes-v.-Rotschild.Rakoff-order-on-MTD-1.pdf

 The court denied the motion to dismiss.

Mr Rotschild, the defendant, created a digital image of the Hermes Birkin bag, with a baby fetus inside the bag.  It sold for $23,500.  He also created images of faux fur Birkin bags, and 100 numbered NFTs that sold for about the price of a real world Birkin bag.

Hemmes sued Rotschild for trademark infringement.  Rotschild says the NFTs are art that have First Amendment protection.  He also said that his use of MetaBirkin for the title of his art had First Amendment protection.

The court said that there were too many factual issues to determine (e.g. is the NFT art?) to dismiss the case against Rotschild without having a trial.

The Top Ten Developments in US Patent Law over the past 50 years

Professor Don Chisum is a leader in U.S. patent law.  He has recently written this excellent article:

Fifty Years of Patent Law: The Top Ten Developments

https://chisum-patent-academy.com/wp-content/uploads/ChisumTop10in50Article6July2022.pdf

Well worth reading if you are interested in patent law and the business of patents.

Lawsuit in Victoria against Google over false reviews for artifical plant company

The Age newspaper has this story regarding false reviews of an artificial patents business, that alleged were posted when the business had a dispute with a moving company.

See https://amp.theage.com.au/national/victoria/david-and-georgina-had-a-dispute-with-their-removalists-four-years-later-they-ve-taken-google-to-court-20220707-p5azub.html

Interestingly, they are suing Google.

Similar story to the Titan Sheds dispute that ended up in the Federal Court in Brisbane a few years back.  There are about 3 court decisions.  One involved trying to get evidence from Google, but because Google was offshore, this was difficult.  See Note

OSC enforcement against crypto asset trading platforms

The Ontario Securities Commission (OSC) announced this month the outcome of two successful enforcement actions against non-compliant crypto asset trading platforms.

ACCC to Review Facebook, Google and other large digital platforms

The ACCC is seeking views from consumers, businesses and other parties on options for legislative reform to address concerns about the dominance of digital platforms.

A discussion paper, released today, outlines options for addressing harms to competition, consumers, and business users in a range of areas dominated by large digital platforms, including social media, search, app marketplaces, general online retail marketplaces and ad tech.

Read more

Facebook Sued for $150 billion by Rohingya refugees

Rohingya refugees are suing Facebook over its own admitted failure to stop the spread of hate speech that contributed to violence in Myanmar.

A case has been filed in the USA.  Because of s230 of the Communications Decency Act, the plaintiffs are asserting that Myanmar law should apply, not U.S. law.

Commentators have stated it is a difficult case for the refugees.

Chinese cyberattacks

As experts say the number of cyber attacks being directed at Australia have reached a disturbing level, it can now be revealed that Chinese hackers came within minutes of shutting down two Queensland power stations . Had the attack been successful it could have been lights out for some 3 million homes.

Australian Social Media Law proposed

The Australian Government has just released a proposed law to deal with defamation and social media comments.

See Social Media (Anti-Trolling) Bill.

https://www.ag.gov.au/legal-system/social-media-anti-trolling-bill

The AG's office provides the following information:

"The challenges of responding to anonymous online trolling became clear after the High Court's decision in Fairfax Media Publications v Voller [2021] HCA 27, handed down in September 2021. The Voller decision shows that Australians who maintain a social media page may be exposed to defamation liability for defamatory comments posted on the page by others – even if they are not aware of those defamatory comments.

To urgently address this situation the Australian Government has developed the Social Media (Anti-Trolling) Bill 2021. To address the implications of the Voller decision, the Bill will protect Australians from defamation liability that could arise if they allow users to comment on their social media page."

 See my comments in The Australian blog:  "Law professor supports anti-trolling proposals"

Crypto Regulation

In an interesting article about Crypto Exchange regulation in the WSJ.

"The world’s fastest-growing major financial exchange has no head office or formal address, lacks licenses in countries where it operates and has a chief executive who until recently wouldn’t answer questions about his location."

The biggest exchange is Binance, which has no fixed address it seems.  Creates interesting internet jurisdiction issues.

UK Cookies Case

An interesting case today from the UK:  Lloyd v Google

See note here:  https://www.mishcon.com/news/the-developing-law-on-data-protection-group-claims

"This is of course a landmark judgment for data protection claims, but also more generally for consumer actions brought on an "opt-out" basis. The claimant, Mr Lloyd, represented a group of more than 4 million iPhone users, and alleged, on their behalf, that Google's historic deployment of cookies on the Safari browser had been not just unlawful, but that it meant that Google should pay compensation to everyone who had received cookies on that basis."

The court found for Google.

 

How the FBI obtains access to telephone information

This is a good article.  It provides insights on what exactly each carrier collects, a more recent run-down of how long each United States telecom retains certain types of data for, and images of the tool the FBI makes available to law enforcement agencies across the country to analyze cell phone tower data.

https://www.vice.com/en/article/m7vqkv/how-fbi-gets-phone-data-att-tmobile-verizon


Is cybersecurity insurance worth the risk?

A good source of information about cybersecurity risks is the Information Security Forum (ISF).

For example, ISF recently published an interesting report regarding cybersecurity insurance.  Is cybersecurity insurance worth the risk?  See Report.

Reverse Domain Name Hijacking Lawsuit Dismissed in USA

An interesting legal decision regarding the domain name pocketbook.com was handed down by a United States district judge this month.  The case arose out of this NAF UDRP decision from 2019 that decided for the domain name owner:  https://www.adrforum.com/DomainDecisions/1857174.htm

The court reviewed the Anticybersquatting Consumer Protection Act (ACPA) prohibits reverse
domain name hijacking, which occurs when “overreaching trademark owners” interfere with a
domain name registrant’s lawful use of a domain name. 

The court decided that the requirement that the domain name “has been suspended, disabled, or transferred” does not include temporary suspension during the pendency of a UDRP case.

See decision here https://domainnamewire.com/wp-content/pocketbook.pdf  and case note here.


Privacy Act Review in Australia

The Australian Attorney-General's Office has released the Privacy Act Review Discussion Paper and seeks comments before 10 January 2022. The discussion paper considers these matters:

  • Scope, application & effectiveness of the Privacy Act
  • Direct rights of action by individuals
  • Statutory tort for invasion of privacy
  • Notifiable data breach scheme effectiveness
  • Enforcement power effectiveness
  • Aspects of a certification scheme

https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/

Concurrently, the AG's Office is holding this consultation at the same time as a consultation on the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill).

The Online Privacy Bill addresses the pressing privacy challenges posed by social media and certain other online platforms.

The Privacy Act Review seeks to build on the outcomes of the Online Privacy Bill to ensure that Australia's privacy law framework empowers consumers, protects their data and supports the Australian economy.

Non Specialist Lawyers Doing Domain Name Disputes - A big risk!

In my opinion, there is a big risk using a non-specialist lawyer to run a domain name dispute under the UDRP or auDRP.  A recent example is the Brisbane law firm Dowd & Co running a domain name dispute under the UDRP for a complainant.  Not only were they unsuccessful, there was a finding of Reverse Domain Name Hijacking (RDNH) against the Complainant, and resulting bad publicity.

The Panel stated:

"It is evident from the Complaint in this case that the Complainant has not fully appreciated the requirement to prove both registration and use in bad faith.... This Complaint was therefore doomed to fail at the outset as the Complainant could not prove registration in bad faith. The Complainant and/or its legal counsel should have appreciated this. A passing familiarity with Policy precedent on this issue (for example, as described in section 3.8 of the WIPO Overview 3.0) is something that the Panel is entitled to expect from parties represented by legal counsel, and it is lacking here. Such familiarity would have caused the Complainant to be aware of its difficulties in pursuing the Complaint. A modicum of additional research would also have indicated to the Complainant that the Respondent itself had created and run a business by the name of “Streamline Servers”, well before 2009, and it therefore had a bona fide basis for registration of the disputed domain name."

Not something good to have on the public record against you.

See GSL Networks Pty Ltd. v. Domains By Proxy, LLC / Alex Alvanos, Bobservers, WIPO Case No. D2021-2255

See Domain Wire

Cyber Insurance

An excellent paper on Cyber Insurance in Australia:  "Underwritten or Oversold".  Well worth reading.

From the CSCRC (the Cyber Security Cooperative Research Centre).


Affiliate Program Advertisers Must Take Care Not to be Misleading

Many businesses run affiliate programs.  That is, a publisher or blogger will receive a commission for referring people to the website of the business.

For example, The Circle is a good novel that considers the future of social media, and I will receive a small commission if you buy The Circle from Amazon via this link:  https://amzn.to/3pawSJK  Or better still, buy my book!  https://amzn.to/3vl85Dy

There are even affiliate programs for bitcoin purchases https://app.bitcoinlatinum.com/invite?ref=UD03527

Amazon recently emailed the following to their affiliate program members (which they call an Associates Program), to ensure that the affiliate is not acting in a misleading way (which is not uncommon):

This is a recurring reminder that any time you share an associate link, it’s important to disclose that to your audience. They will trust you more if you are transparent about where you are directing them and why. To meet the Associate Program’s requirements, you must (1) include a legally compliant disclosure with your links and (2) identify yourself on your Site as an Amazon Associate with the language required by the Operating Agreement. 

To comply with Federal Trade Commission (FTC) regulations, your link-level disclosure must be: 

1. Clear. A clear disclosure could be as simple as “(paid link)”, “#ad” or “#CommissionsEarned”. 

2. Conspicuous. It should be placed near any associate link or product review in a location that customers will notice easily. They shouldn’t have to hunt for it. 

In addition, the Operating Agreement requires that the following statement clearly and conspicuously appears on your Site: “As an Amazon Associate I earn from qualifying purchases.” For social media user-generated content, this statement must be associated with your account. 

To read more about the FTC Endorsement Guides, visit: https://www.ftc.gov/tips-advice/business-center/guidance/ftcs-endorsement-guides-what-people-are-asking#affiliate. 

Visit this page on AC to bookmark this information about disclosures.

LinkedIn to Pull Out of China

LinkedIn said it would end service in China after the platform censored posts to keep operating but still came under government scrutiny.

"The operating environment in China has also become more difficult. Since President Xi Jinping took the reins of the Communist Party in 2012, he has repeatedly cracked down on what can be said online. Presiding over the rising power of the Cyberspace Administration of China, the country’s internet regulator, Mr. Xi turned China’s internet from a place where some sensitive topics were censored to one where critics face arrests for a constantly shifting set of infractions, like jokes at Mr. Xi’s expense.

See NYTimes  and South China Morning Post

7-Eleven Stores in Australia breached privacy through facial recognition software

A recent decision of the Privacy Commission found that 7-Eleven Stores breached the privacy of Australians by photographing customers who completed in store surveys, and then used facial recognition software to determine characteristics of the customers.

See Decision

The store was in breach because it

  • collected individuals’ sensitive information without consent, and where that
    information was not reasonably necessary for the store’s functions and
    activities, and

  • failed to take reasonable steps to notify individuals about the fact and circumstances
    of collection and the purposes of collection of that information.
     
     

    See story in The Guardian 

Ring Doorbell and Privacy

Amazon's Ring Doorbell collects data that can be used for other purposes, such as sold to law enforcement.  In light of the recent 7-Eleven case, if Amazon does this, it would be problematic.

See Washington Post article:

“I think about what the effect is of law enforcement having easy access to cameras from everyone’s porch,” Gilliard said. “It makes nuisance crimes” — from stolen Amazon packages to an egged car — “available for escalation in a way that they weren’t previously.”

Free Speech on Campus

A recent storm at Yale Law School regarding a party invitation.

"Every first-year law student learns in torts class about the plaintiff with the “eggshell skull” — someone who suffers a greater injury than normal and must be compensated accordingly. But in the modern world, it seems, everyone’s skulls are susceptible to cracking at the slightest provocation. “Taking the worst possible reading and then twisting it to make it worse is a practice that is all too common,” Colbert told me."

See Washington Post

Laws to regulate Facebook's algorithm?

From the Washington Post:

On Facebook, you decide whom to befriend, which pages to follow, which groups to join. But once you’ve done that, it’s Facebook that decides which of their posts you see each time you open your feed — and which you don’t.

The software that makes those decisions for each user, based on a secret ranking formula devised by Facebook that includes more than 10,000 factors, is commonly referred to as “the news feed algorithm,” or sometimes just “the algorithm.”  ...

Amid a broader backlash against Big Tech, Haugen’s testimony and disclosures have brought fresh urgency to debates over how to rein in social media and Facebook in particular. And as lawmakers and advocates cast about for solutions, there’s growing interest in an approach that’s relatively new on the policy scene: regulating algorithms themselves, or at least making companies more responsible for their effects. The big question is whether that can be accomplished without ruining what people still like about social media — or running afoul of the First Amendment. ...

One way to regulate algorithms without directly regulating online speech would be to amend Section 230 of the Communications Decency Act, which shields websites and apps from being sued for hosting or moderating content posted by users. Several bills propose removing that protection for certain categories of harmful content that platforms promote via their algorithms, while keeping it in place for content they merely host without amplifying.

See also Opinion in NY Times from former Facebooker

 

Facebook post leads to claim for defamation


From the NY Times:  The case of the (potentially costly) missing apostrophe.

In a Facebook post last year, Anthony Zadravic of Australia seemed to accuse his former employer of not paying “his employees” pensions. Court documents suggest that he meant to add an apostrophe; writing “his employee’s” would have implied that it was only his own pension that was missing.

In deciding to proceed with the employer’s defamation case against Zadravic, the NSW judge in the case wrote: “To fail to pay one employee’s superannuation entitlement might be seen as unfortunate; to fail to pay some or all of them looks deliberate.”

Facebook a Threat to Democracy, says Nobel Peace Prize winner from Manila

Nobel Peace Prize winner Maria Ressa used her new prominence to criticise Facebook as a threat to democracy, saying the social media giant fails to protect against the spread of hate and disinformation and is "biased against facts".

https://www.reuters.com/world/philippine-nobel-winner-ressa-calls-facebook-biased-against-facts-2021-10-09/

I guess we should realize that social media is not really media, just like oat milk is not milk. 

From the Washington Post:

"The first time I heard Ressa speak, she told how she had once tried to explain to Mark Zuckerberg that the company’s dominance in her country brought with it a huge social responsibility. Ressa told Zuckerberg that 97 percent of Filipinos used Facebook, and she invited him to the Philippines to get a better understanding of the problems that result. Zuckerberg seemed to ignore the invitation, concentrating instead on how Facebook could increase its domination in the country. “What are the other 3 percent doing, Maria?” he allegedly asked."

 

Vermont Law School sued as it wants to cover up slave mural

Vermont Law School is being sued to prevent it covering up a painting, depicting the Underground Railway and slaves.  The Law School commissioned with work in 1994.  The artist is fighting for the integrity of the art work.  The case concerns moral rights.

The centre of the case is the Visual Artists Rights Act.  Or is the case really about changing community standards? 

A local paper has this story about the case.  An earlier newspaper article.  It is hard to determine who is morally right.

Internet Law cases - top 10?

A United States digital contracting company (Ironclad) has listed what it considers to be the top 10 major internet law cases since 2000.   Being U.S. centric, they have only listed U.S. decisions.  Strange, as one key feature of the Internet is that it is global, and is helping break down borders.  My guess is that Ironclad is not interested in expanding its business outside of the U.S.

In any event, here is their U.S. centric list.

Privacy and Opt-Out

Many people are aware of the use of cookies for tracking purposes.  But that is old technology.  Many advertisers use more sophisticated techniques for targeting advertisements, such as tracking pixels or audience matching or audience matched advertising.

In Australia, some advertising systems allow consumers to opt-out of audience matching targeting.  This is not well-known or promoted.  To opt-out, go here.

Responsibility for User Comments Posted on Facebook

The High Court of Australia decided today that a newspaper with a Facebook page is responsible for defamatory comments posted by Facebook users on the newspaper's Facebook page.

"The appellants' attempt to portray themselves as passive and unwitting victims of Facebook's functionality has an air of unreality. Having taken action to secure the commercial benefit of the Facebook functionality, the appellants bear the legal consequences."

None of this is surprising.  There are many prior cases in different areas that reach the same result.  There was an Advertising Standards Board decision against VB that came to a similar conclusion in a different area of law, and also the ACCC v. Allergy Pathways case from about 10 years ago.

The next question is whether Facebook could be liable for defamation for user content.

Fairfax Media Publications v Voller [2021] HCA 27 

And see Social Media Best Practice Guide from the ACA and the Diageo case from ASB.

What is interesting about the High Court decision is that it focuses on cases and texts from over 100 years ago, and looks at very few cases concerning the Internet or social media.


Privacy and Streaming Services

A recent report from the USA found that most of America’s popular streaming services and TV streaming gadgets such as Netflix, Roku and Disney+ failed to meet minimum requirements for privacy and security practices. The lone exception was Apple.

See Common Sense Media report

US Court says AI machine cannot be inventor

Reaching a different conclusion to an Australian Federal Court decision, a US District Court looking at the same facts decided that an AI machine cannot be an inventor on a patent.

See Bloomberg story: “The unequivocal statements from the Federal Circuit that ‘inventors much be natural persons’ and ‘only natural persons can be inventors’ supports the plain meaning of ‘individual’ in the Patent Act,” the judge ruled.

Real Estate Photographs Online

A recent Federal Court appeal considered the scope of the right to use photographs taken when marketing a house for sale.  This decision is relevant to anyone who wishes to commercialise data that they obtain for one purpose for a different purpose.

The real estate agent engages a photographer to photograph a house that is for sale, with the intent to upload the photographs onto a real estate sales portal such a RealEstate.com.au or Domain.com.au to advertise the property for sale.  The REA portal has terms that bind the real estate agent.  These terms include the right to sublicense the photographs and the listing information to CoreLogic RP Data for their property information database. 

The court found, in a 2-1 split judgment, that merely because the photographer allowed the photos to be uploaded to REA did not mean that the photographer agreed to REA's terms or agreed to allow the photographs to be sublicensed to CoreLogic RP Data.

In effect, the real estate agent is in breach of the REA contract by uploading the photos in these circumstances.  The license from the photographer to the real estate agent to allow the upload to REA is, in effect, useless unless the agent also obtains terms from the photographer that match the REA license.

CoreLogic RP Data is now in breach of the photographer's copyright.

A strange result. 

Hardingham v RP Data Pty Limited [2021] FCAFC 148

Direct Registration of Domain Names in Australia

Finally, what is called direct registration of domain names is coming to Australia.

See https://www.auda.org.au/statement/australias-internet-domain-growing-get-ready-getyourau

This will allow registrations such as swinson.au and telstra.au, without the .com part of the domain name.

This arose out of the work of the 2017 Policy Review Panel, of which I chaired.  See Paper and website.

Tweets not Journalism

The Federal Court of Australia has decided that a person who published allegedly defamatory tweets on Twitter does not receive the benefit of the journalists' privilege under the Evidence Act.

See Kumova v Davison [2021] FCA 753

This does not mean that a person who tweets can never be considered to be a journalist.  In this case, looking at the Twitter feed as a whole, the defendant was not considered to be a journalist.

See this helpful note from Clayton Utz.  Also Bennett & Co.  Story in the AFR and The Age.

 

Automonous Vechicles

 “The real problem is going to be, at what point is it still ethical to let the human drive,” Lunn said. “But before that, AI has to continue to learn from human drivers. Autonomy will have to make sure that we never have a trolley problem.”

Washington Post, 6 August 2021

Liability for anonymous online reviews

The Federal Court handed down a judgment yesterday regarding defamation for anonymous online reviews of a dentist.

Nettle v Cruse [2021] FCA 935

https://www.judgments.fedcourt.gov.au/judgments/Judgments/fca/single/2021/2021fca0935

"The publications in question here were excessive, scandalous and totally unjustified and unjustifiable. I have no hesitation in finding that they were malicious and calculated to cause maximum damage to Dr Nettle. The fact that Ms Cruse chose to publish such baseless and scandalous material about Dr Nettle either anonymously or in false names supports the inference that she well knew that it was false and misleading. That is perhaps confirmed by the fact that, when Dr Nettle eventually commenced this proceeding, Ms Cruse chose to disappear rather than front-up and defend her indefensible actions. Ms Cruse’s conduct towards Dr Nettle was, in all the circumstances, contumelious and disgraceful."

Ransomware and class action lawsuits

A good article on class action lawsuits in the United States that come after a ransomware attack:

Washington Post article

 "“Companies with good security sometimes have lapses,” Solove said. There isn’t a unified legal standard laying out what sort of security a company needs to have to protect it from liability if it loses its customers’ information or suffers a ransomware attack.

“It really isn’t clear what the standard of care is,” he said. “It’s tricky. All you have to do is fail on one thing.”

That means the potential for lawsuits will keep growing as ransomware attacks do. And if lawyers can reasonably show that a company made some kind of mistake in protecting its system, victims will have an avenue to sue."

 I wrote a short article on the topic of cybersecurity lawsuits at the beginning of this year.  See

AI machine can be an inventor, says Australian judge

A single judge of the Federal Court of Australia, Justice Beech, has overruled the Commissioner of Patents and decided that a computer program (an artificial intelligence system) can be an "inventor" for the purposes of the Australian Patents Act in respect of a PCT patent application.

In summary, the judge found:

  • An AI system is not a legal person.
  • An AI system cannot own a patent.
  • An AI system cannot assign a patent.
  • But an AI system can be an inventor of an invention that is the subject of a patent application.
  • Ownership of the invention goes to a legal person -- in this case, the person who owned the copyright in the AI system and operated the AI system.

Justice Beech said:

"167    Dr Thaler is the owner, programmer and operator of DABUS, the artificial intelligence system that made the invention; in that sense the invention was made for him. On established principles of property law, he is the owner of the invention. In that respect, the ownership of the work of the artificial intelligence system is analogous to ownership of the progeny of animals or the treatment of fruit or crops produced by the labour and expense of the occupier of the land (fructus industrialis), which are treated as chattels with separate existence to the land. ...

189    In my view, Dr Thaler, as the owner and controller of DABUS, would own any inventions made by DABUS, when they came into his possession. In this case, Dr Thaler apparently obtained possession of the invention through and from DABUS. And as a consequence of his possession of the invention, combined with his ownership and control of DABUS, he prima facie obtained title to the invention. By deriving possession of the invention from DABUS, Dr Thaler prima facie derived title. In this respect, title can be derived from the inventor notwithstanding that it vests ab initio other than in the inventor. That is, there is no need for the inventor ever to have owned the invention, and there is no need for title to be derived by an assignment. ...
 

194    Now more generally there are various possibilities for patent ownership of the output of an artificial intelligence system. First, one might have the software programmer or developer of the artificial intelligence system, who no doubt may directly or via an employer own copyright in the program in any event. Second, one might have the person who selected and provided the input data or training data for and trained the artificial intelligence system. Indeed, the person who provided the input data may be different from the trainer. Third, one might have the owner of the artificial intelligence system who invested, and potentially may have lost, their capital to produce the output. Fourth, one might have the operator of the artificial intelligence system. But in the present case it would seem that Dr Thaler is the owner."

 In short, title to the invention derives from an inventor who does not own the invention.

This case is not particularly helpful in determining who is the owner of the invention if there is more than one person involved -- for example, if Microsoft owns the copyright in the AI program running in the cloud, 20 people collect the training and input data over many years, I design the problem, and you and a team of people operate the AI system.

Does this case also mean that a corporation or a monkey could be an inventor?

The Patents Act requires that the inventor's name and address be provided to the Patents Office.  Does an AI system have a legal name or an address?  The case did not consider this.  Dr Thaler named his AI system as DABUS, so I guess that is the name of the inventor.  It is not really a name in the legal sense.

The judge spent little time considering the basis of the patent system - to incentivize people to make inventions.  A computer does not need an incentive.  The judgment briefly mentions this, and appears to suggest that creating an incentive to create an AI machine that invents is sufficient.  On that basis, patent patent system should reward parents for having sex to create a child and teaching the child to invent.

The judgment is artificial and shows little real intelligence.

And see about this South African patent: https://www.cyberspac.com/2021/08/ai-machine-can-be-inventor-says.html  Did it go through a full examination?

How reliable is AI in criminal evidence

A good article about how an AI system produces evidence used by police.  But humans changed the output of the AI algorithm, calling the evidence into question.

Vice Article about gunshot detection

Uber Interfered With Privacy of Australians

The Australian Privacy Commissioner has determined that Uber interfered with the privacy of an estimated 1.2 million Australians.

The Uber companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack starting in October 2016.

Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability. Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017. 

See Press Release from OAIC

See Decision

 

The Impact of Amazon

Amazon has a special website that sets out its impact.  The focus is on the impact of Amazon in the U.S.  It is hard to find out what positive impact Amazon is having in Australia. 

See https://www.aboutamazon.com/impact

If you contract with AWS on their standard terms, unless you are located in one of a few listed countries, you are agreeing to U.S. law for the contract, and having to go to the U.S. for any disputes.

"Governing Laws" and “Governing Courts” mean, for each AWS Contracting Party, the laws and courts set forth in the following table:  see https://aws.amazon.com/agreement/. I guess that provides jobs for U.S. lawyers!


Giving the Government Power to Disrupt

The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 has been subject to criticism   It allows the government to hack into computers of people they think are bad people.  Could innocent bystanders be impacted, just like when Microsoft did protective hacking about 8 years ago?  See  https://www.csoonline.com/article/2449572/microsoft-hammers-no-ip-collateral-damage-includes-hacking-teams-legal-malware.html

Details of the Bill are here:

https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/surveillance-legislation-amendment-identify-and-disrupt-bill-2020

The Law Council has released a 150 page criticism of the Bill.


Section 230

Has Section 230 of the Communications Decency Act gone too far?  Some think it does:

Judge Robert Katzmann in a recent case wrote a 35-page dissent to part of the ruling, arguing that Facebook’s algorithmic recommendations shouldn’t be covered by the legal protections of Section 230.

Late last year, the U.S. Supreme Court rejected a call to hear a different case that would have tested the Section 230 shield. In a statement attached to the court’s decision, Justice Clarence Thomas called for the court to consider whether Section 230’s protections had been expanded too far, citing Judge Katzmann’s opinion.

Justice Thomas said the court didn’t need to decide in the moment whether to rein in the legal protections. “But in an appropriate case, it behooves us to do so,” he said.

See NY Times article.

Many U.S. Internet businesses think that Section 230 has international application.  It does not.  It may provide protection in respect of U.S. lawsuits, but not lawsuits in other countries.

Blocking Bad Websites at the ISP

It is hard to have a bad website taken down.  In Australia, if the bad website is involved in copyright infringement, it is possible to have all Australian ISPs block the bad website, in effect making it disappear from the Internet as far as Australians are concerned.

That happened in recent Federal Court case, brought against Telstra and every other ISP in Australia, by a company that appears to operate a website for escort services.  Someone hacked their website and made copies of it.  The Federal Court blocked the copycat websites, using Section 115A of the Copyright Act.

See Gardner Industries Pty Ltd as trustee for the S M Gardner Family Trust v Telstra Corporation Limited [2021] FCA 294 (25 March 2021) (Greenwood J)

Who should police Internet content?

Who really runs the Internet? A lot of companies you rarely hear about.  A good article about the Internet and hate speech in the Washington Post.

https://www.washingtonpost.com/technology/2021/03/24/online-moderation-tech-stack/

Suing Google for online review

A lawyer who is trying to track down the person who posted a bad review of her lost an application against Google, seemingly on the basis that she did not follow court proper procedures.

"However, if such a proceeding is to be brought it must be brought on proper material, on notice to Google, and it must be conducted efficiently and expeditiously. That is not how this proceeding has been conducted. One thing that must be avoided is the provision of a flurry of materials making inchoate arguments shortly before a hearing."

Garde-Wilson v Google LLC [2021] FCA 243

From The Age:  Gangland lawyer Zarah Garde-Wilson says she will take a court fight directly to Google after the Federal Court dismissed her bid to force the search engine giant to reveal who was behind negative online reviews.

Ms Garde-Wilson, who rose to prominence representing the who’s who of Melbourne’s gangland war, suspects a rival lawyer is behind a negative Google review left under the name “Mohamed Ahmed”.

https://www.theage.com.au/national/victoria/zarah-garde-wilson-loses-bid-to-find-who-was-behind-bad-google-reviews-20210318-p57byd.html


Privacy Commissioner hands down award compensating for non-economic loss

The Australian Privacy Commission made an award compensating individuals for non-economic loss for a privacy law breach.  This was a first in Australia.

See https://www.oaic.gov.au/assets/privacy/privacy-decisions/privacy-determinations/WP-and-Secretary-to-the-Department-of-Home-Affairs-Privacy-2021-AICmr-2-11-January-2021.pdf and  https://www.kwm.com/en/au/knowledge/insights/privacy-commissioner-hands-down-first-representative-award-20210203

The decision requires the Department of Home Affairs to compensate over 1,200 asylum seekers for inadvertently publishing their personal information online in 2014.  

It is somewhat amazing that this case took seven years to reach this stage.

Take care if you pay the ransom

In response to the proliferation of ransomware attacks over the last five years, a series of United States Executive Orders and statutes have come to include cyberterrorists amongst the list of banned individuals with whom U.S. persons cannot conduct financial transactions.  This impacts payments to cybercriminals for ransomware attacks.

There is a detailed article from a U.S. law firm here, that sets out when payment of a ransom could lead to breach of U.S. law.  See https://www.friedfrank.com/siteFiles/Publications/NYLJ_03.05.21_Kleinman.pdf


Privacy Rights Expanding in Australia?

Justice Keane of the High Court of Australia gave a speech at the end of 2020 that discussed privacy.

It was titled; "Too Much Information: civilisation and the problems of privacy" and argued that relying upon judicial development of the law to solve the problem of privacy "has been, at best, a hit and miss affair".

Justice Keane said it "would not be surprising were the High Court now to accept a tort of invasion of privacy" along U.S. lines.

"But such a cause of action would probably be confined to cases of intentional intrusion, physically or otherwise, upon the solitude or seclusion of an individual or his or her private affairs.

"In the case of the publicising of a matter concerning the private life of an individual, the conduct would be actionable if the matter publicised is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public."

He noted that in the recent High Court case involving the Australian Federal Police raid on the home of journalist Annika Smethurst the media "carefully eschewed any attempt to press forward . . . towards a broader protection of privacy".  (I suspect that the media did not want to expand the right of privacy in Australia even though it may have been helpful in this case - because the media since at least 1890 has been the subject of negative criticism regarding the media's lack of respect of privacy rights.)

AFR Article: https://www.afr.com/companies/media-and-marketing/high-court-judge-takes-swipe-at-media-on-privacy-20200927-p55zo0

Text of Keene J's Speech: https://cdn.hcourt.gov.au/assets/publications/speeches/current-justices/keanej/keanej27Aug2020.pdf

Critical Infrastructure Reforms in Australia

The Australian Government is implementing "Critical Infrastructure reforms".  The consultation process for the new laws is being managed by the Critical Infrastructure Centre which is part of the Department of Home Affairs.

The CIC is currently assessing implementation of the governance rules to accompany the to-be-amended Security of Critical Infrastructure Act 2018 (Cth) at a broad, industry-neutral level. The CIC is intending these rules to provide an overview of the role industry will play in self-assessment and self-reporting, with the specific rules and obligations around assessment standards to come from later consultations.


At a high-level, materials made available by CIC set out CIC’s intention for the governance rules including a breakdown of the intention behind specific provisions in the draft Bill.

 

Key points

 

  • The Bill is not anticipated to pass until mid-2021 – while not all industry-specific rules may be finalised at that stage, consultation should be almost complete by then.
  • Consultation with industry is happening on sequential basis – Electricity and Gas sectors are to start consultation in late March/early April 2021, and then other industries will each have a consultation period one after another.
  • The consultation timeline will be quite aggressive – the governance rules are in consultation this week for publication in late March.
  • The obligations will not activate immediately on enactment of the Bill, and are instead taking a ‘switch on’ approach. The CIC is vague on what the triggers for ‘switching on’ will be and it is not clear if it was an industry-wide event, whether it was incident-based or whether it would occur from a certain point.

How should damages be assessed for privacy and cybersecurity breaches

Listen to this podcast where I discuss how damages should be assessed in privacy and cybersecurity lawsuits. The Lawyers Weekly Show host J...