Can You Cause Criminal Damage to a Facebook Account?

Yesterday, it was reported that a man from Donegal had been fined €2,000 for criminal damage, having posted offensive material under the name of an ex-girlfriend on her Facebook account. The Independent reports that:

A local garda told prosecuting counsel Sean Gillane SC that in the early hours of April 6th, 2011, the accused went to her house to confront her over a perceived infidelity. When the accused later left the house, the woman noticed that he had taken her phone.

He went through her text messages which confirmed to him that she was in a new relationship. He then logged into her Facebook from her phone and posted a status update in her name stating that she was “a whore” who would take “any offers.”

Complicating the case is the fact that the man was charged but acquitted of rape and false imprisonment of the woman on the same day. Had the rape prosecution resulted in a conviction, it might have been more appropriate to consider the Facebook incident an aggravating matter of that offence rather than an offence in its own right. However, the man pleaded guilty of the Criminal Damage matter, so there was no opportunity for the court to consider the appropriateness of the offence to the actions in question.

In considering the sentance yesterday, Judge Sheehan sought assistance from prosecuting counsel as to what the appropriate punshment might be.  He asked asked how he was to assess the damage if nothing had physically been broken. Counsel replied that the offence had more in common with harassment than criminal damage. This does seem to raise the question – why was he not charged with harassment? The reason for that is that the offence of harassment requires “persistent” abuse, which suggests that a one-off incident won’t be enough to make out the offence.

The Criminal Damage Act 1991 is generally more concerned with broken windows and arson than with Facebook accounts, though it does helpfully include the following within its definition of “damage”

” in relation to data-

to add to, alter, corrupt, erase or move to another storage medium or to a different location in the storage medium in which they are kept”

You would think, with Data Protection such a concern these days, that this offence would have been more often used. The DPP didn’t dwell much on the data aspect of the case though, and instead emphasised that the damage done to the victim had been primarily reputational (though, confusingly, it was also emphasised that the message was quickly taken down).

The traditional remedy for damage to reputation has been civil rather than criminal, via a suit for defamation. However,  until quite recently, the offence of criminal libel existed (it was abolished under the Defamation Act, 2009), which did provide a mechanism for a defamer to be criminally punished without the defamed having to go to the expense and trouble of suing them. In 2001, a Mayo man was prosecuted for listing a business rival on an escort site (disparagement of the sexual behaviour of women is a depressing constant in tales of online abuse) and was ordered to pay in excess of £10,000. The Government of the day abolished that offence though, citing its incompatability with Freedom of Speech.

One has to wonder why, if that offence was worth abolishing only a few years ago, the DPP has effectively reintroduced it through the back door. If the concern is for the privacy of data, and the preservation of the personal domain (online or offline) of the individual, then that is perhaps more appropriately within the remit of the Data Protection Commissioner, who might welcome this criminal law power. Yesterdays’s case, with its emphasis on reputational damage, suggests otherwise. Confusing matters further were references to harassment. And where people frequently mischievously post things online under the names of others (I see it in my timeline all the time), we need to come to some clarity on whether that should be a crime, and if so, why. Perhaps most importantly, we need clarity on which crime it actually is.

Google Spain, What It Means and What It Doesn’t.

Yesterday’s decision of the Court of Justice of the EU in C-131/12, Google Spain v. Agencia Española de Protección de Datos, has generated quite a lot of media commentary, some of it, in my opinion, a bit overheated. I thought it was worth doing a quick overview of what the decision does, and more importantly does not say, and to consider the implications for the future of your information privacy.

 What’s It About?

In 1998, a Spanish newspaper, La Vanguardia  published a report of a court-ordered foreclosure auction to pay social security debt. In 2009, having paid off his debt, the debtor, Mr Costeja González, discovered that Googling his name led to a link to the report.

Relying on the Data Protection principles that data should, inter alia, be kept up to date, be relevant and not excessive to the purposes for which they are processed, and be stored for no longer than is necessary, Mr. González asked the newspaper to take the information down. After all, the information was, in a sense, no longer accurate, and its publication no longer legally required.  The editor refused, as the publication had originally been made by order of the Ministry of Labor and Social Affairs. I should add that, on free speech grounds, no newspaper should ever remove, let alone be required to remove material from its web archive, provided it was legal to publish that material at the time (this includes cartoons). Mr González then asked Google Spain to stop referencing the link in its search results and also complained to Spain’s Data Protection Authority, the Agencia Española de Protección de Datos (AEPD).

The AEPD asked Google to stop indexing the link, but refused to ask the newspaper editor to take the original information down, as the publication was legally justified. Google appealed, and the Spanish court referred a number of questions to the CJEU. Yesterday’s decision was the outcome of that reference.

What Were The Issues?

The Spanish Court referred three questions to the CJEU. The first regarded the question of the Jurisdiction of the relevant Directive, and need not detain us here. The second was a multi-part question that asked:

  • Whether Google’s indexing of pages containing the personal data of individuals, and ranking and publishing of search results, is “processing” under Data Protection rules. The Court answered that it is.
  • Whether Google, in processing this data, is to be considered a “Data Controller” and therefore placed under certain obligations by Data Protection Rules. The Court answered that it is.
  • Whether these obligations are excluded when the the personal data has already been lawfully published by third parties and is kept on the web page from which it originates. The Court answered that they are not.

The final question was whether there is a “Right to be Forgotten” by search engines, even where the articles in question have been (and remain) legally published online? The Court answered that there is.

What Does it Mean?

If an individual wants irrelevant or incorrect personal information about themselves “forgotten”, they may ask a search search engine to remove it. The search engine is not required to automatically comply, but it must examine the merits of the request.

Whether the request should be granted will depend “on the nature of the information and its sensitivity for the data subject’s private life and on the interest of the public in having that information”. For example, where a public figure seeks to remove embarrassing details about him from the public record, the public’s right to know may override his privacy rights.

This is perhaps the most problematic aspect of the decision, that it leaves it to Google to decide who is a public figure, what the public interest is, and whether to release old information back into the search results after a person becomes a public figure. No doubt courts will be addressing these questions for years to come.

What Does it not Mean?

This is not a freedom of speech issue, and attempts to frame it as one are inaccurate if not mischievous. The right to speak, to publish and to be be published is unaffected. Google are not creators of original content, but a company that indexes the content of others for commercial purposes. No piece of writing that was available online before yesterday has been censored because of Google Spain v AEPD. This statement from the Index on Censorship says the judgment “is akin to marching into a library and forcing it to pulp books”. This is arrant, hysterical nonsense. The article that sparked the case is still available on the website of La Vanguardia. Indeed, it is presumably available, unpulped, in its original paper form in some Catalan libraries. Nothing in the decision prevents anything being published online, anywhere. Certainly, it won’t stop Wikipedia from publishing true and accurate information. In this regard, Jimmy Wales’ infringement of Godwin’s Law yesterday looks fairly ridiculous.

Answer to second question: Never

What is at play here is the right to Freedom of Information. This is a different right to Freedom of Expression, although the two are linked. Google provides an amazing service, one some of us can hardly imagine living without it. But we did once live without it, and quite happily too. The idea that we have a right to access to all published information about any other person is a new one. The concept would have seemed absurd a few years ago. The information, remember, is still out there. Whether the relative recent convenience of having it all in one place is the stuff of human rights is debatable. Certainly, we all feel more positive about freedom of information when it’s us googling other people than when they are googling us.

That debate is one we are going to be having a lot in the coming years. For all that we complain about the NSA or the Gardaí knowing our intimate  business, we are very laid-back when it comes to Google or Facebook making their money out of it. Imagine for a moment getting stamps for free in exchange for allowing the postman to read your letters and then try to sell you stuff on the doorstep. Because that is what Google is – an advertising company. We tell them all about ourselves and they use this information sell ads directed, with amazing precision, at us. We get nothing in return, except a free but completely unconfidential email service. There has been a lot if talk in recent years about whether this bargain is an acceptable one.

It is not enough to say that people have the right to keep their own information to themselves. If you want to live in the modern world, that is simply not an option. A straight choice between surrendering your privacy or going to live in a cabin in the woods need not be the only option. We have laws precisely to avoid forcing such choices upon us – nobody now suggests that road traffic should be completely unregulated, because you have a choice of whether to drive or not. For years the tide of this debate ran in favour of the corporations that make their money out of your data. Yesterdays judgement, though imperfect, is a good start in refocusing the debate to take the individual’s rights into account.

The Age of Consent

The Irish Times reported this morning that proposals are before cabinet to lower the age of sexual consent from 17 to 16. The proposals may be a hard sell, as sex and change are two things the Irish public are deeply uncomfortable with. However, any such discussion is welcome news, as the current age causes numerous problems, and not just for teenagers.

The Oireachtas Committee on the Constitutional Amendment on Children’s Rights recommended as far back as 2006 that the age be reduced to 16. The Irish Times reports that on that occasion, Enda Kenny opposed any change on the grounds that it  would send a “wrong signal to our children about values and standards”. One imagines here a young couple in the throes of passion, suddenly stopping as one of them says “No. I love you, but Section 3 of the Criminal Law (Sexual Offences) Act 2006 says we have to wait, and An Taoiseach Enda Kenny agrees”.

16-year-olds have sex. They always have done, and while society may wish otherwise, they probably always will. The question then is not whether to do away with teenage sex (because the law cannot do that), but whether or not to make criminals of those teenagers. As the law currently stands, any male of any age who has sexual intercourse with a girl (or boy) of under the age of 17 is guilty of an offense, irrespective of the other’s consent. A girl, however, cannot be guilty of that offense. This, incidentally, creates an interesting lacuna, whereby there is no age of consent for gay girls.

Aside from the  fundamental question of whether it is humane to make criminals of boys who engage in consensual sex with their girlfriends, there is the fact that the current law acts as a disincentive for teenage fathers to acknowledge their children, because in doing so they confess to a crime.

Where a sexual offense exists, there follows, under the Criminal Justice (Withholding of Information On Offences Against Children and Vulnerable Persons) Act, 2012, an obligation to report it to the appropriate authorities. Accordingly, anyone who becomes aware of a teenage pregnancy is committing an offense by not reporting it. In practice it is rare for young people to be prosecuted for engaging in sexual activity where they are of similar ages and where there is no complaint of coercion. This however is of no relevance to the 2012 Act, which makes no reference, in requiring disclosure of information, of whether a decision to prosecute is likely to be made. This has been a matter of grave concern to organizations and individual professionals working with very young parents.

A reduced age of consent is only one of a number of proposals before the cabinet. Another is  is to allow a defence where a sexual act was consensual and between two people of “proximate age”. This would solve many of the problems mentioned above whilst still dealing with the question of sexual exploitation of teenagers by older adults. It is worth considering. What is not worth considering at all is the third proposal, which involves the DPP using discretion in bringing prosecutions. This effectively amounts to doing nothing and hoping that nothing bad happens. It provides no legal certainty, and doesn’t deal with problems arising from the 2012 Act. However, like any proposal that it involves doing nothing, it will probably find many advocates.

Critics will say that lowering of the age of consent simply moves the goalposts, and it is true that it will not solve every problem in this area. But at present there are too many teenagers who find themselves on the wrong side of the law. A reduction of even one year would remove many of them from criminal liability, and allow our authorities and social services to focus on the harder cases which remain on the other side of that line.

Facebook, the Whistleblower, the Binman and his Surprise Witness

Some months ago I wrote a column for The Journal about the right to anonymity, online and off. By way of an example, I mentioned the then very recent case of Mr. Jim Ferry, a Donegal businessman who had obtained an order requiring Facebook to reveal the identity of an anonymous user who had, Mr. Ferry said, defamed him.

Mr. Ferry runs a waste disposal company, and the Facebook user complained of had set up an account in Mr. Ferry’s name, claiming to have engaged in illegal dumping. Mr. Ferry complained and the page was taken down, but Facebook were unwilling to hand over details of the user without a court order. Mr. Ferry had to go to the High Court to obtain the order. Facebook did not oppose the application, and the anonymous user was not on notice of it, so the order was made without dispute. At the time I wrote

“Mr Ferry is being prosecuted by Donegal County Council for illegal dumping. He may be innocent of all charges, and the law presumes him to be so, until proven guilty. But if he is convicted, then Facebook will have handed over the personal details of someone who has done nothing illegal, and said nothing untrue. Unlike other jurisdictions such as the United States, Irish law fails to ensure that users are notified of attempts to identify them and given an opportunity to oppose the application.

Consequently in most cases Irish users are dependent on the web platform or ISP or to make a case on their behalf. These companies however, have no commercial incentive to do so. Facebook don’t want to get involved in an argument about dumping. That’s why they didn’t oppose the application.”

Last month, Mr. Ferry’s prosecution for illegal dumping came up for hearing. I’ll get to the verdict and its implications for free speech and privacy shortly, but first some entertainment.

A summary trial, the case nonetheless took three days in Letterkenny District Court. Both prosecution and defence briefed Senior Counsel. Mr. Ferry, to the last, maintained his innocence. This became a more difficult task when video evidence was led. The Donegal News describes the video thus:

Judge Kelly was shown covert video recordings showing two of Ferry’s distinctive green and yellow bin lorries dumping waste in holes in the field before it was buried using a track digger at around 5 am on the morning in question.

One of the men was wearing a hi-viz jacket with the name ‘Ferry Refuse’ emblazoned across the back of it.

One might have thought this would be the end of the matter. But at the closing of the first day of the trial, there was a dramatic development:

The hearing ended early after Mr Gillane (for the defence) told Judge Kelly that “a development took place that I have not experienced before.”

He added that his solicitor had received a “communication” and asked that the matter be adjourned for the day.

One can only imagine that what followed was what is commonly described as “uproar in the Court”. The cliffhanger was resolved the following morning. A former employee of Mr. Ferry had walked into court and delivered a letter to Mr. Ferry’s solicitor, admitting that it had been he who was responsible for the dumping all along. This surprise witness, one Marty McDermott, is pictured below, presenting a delighted Mr. Ferry with a “Certificate of Appreciation” awarded “From His Loyal Staff”

Marty McDermott.The Donegal Democrat takes up the story:

The former employee, Marty McDermott told the court yesterday that he had been paid €5,000 to dump illegal waste on the land.

McDermott said he had been set up by a man. “The man that I can’t mention set me up.”

McDermott said the person who wanted him to carry out the dumping was a man who wanted leverage in the Gweedore and Gweebara Bridge area, to keep Jim Ferry out of his area. “He wanted to get him out of that hub,” 
he said.

McDermott said he couldn’t deal with the guilt of what he had done after hearing people speaking about the implications the upcoming court case would have on the yard.

He said he went and spoke to a priest who advised him to see a solicitor who in turn advised him not to go near the court. He later decided to communicate with Ferry’s defence team.

Alas for Mr. Ferry, the Court found Mr. McDermott’s evidence entirely unbelievable. Still, Mr. McDermott has at least got the matter off his chest, and as soon as he donates the €5,000 to a worthy cause, his conscience will be clean. Mr. Ferry was sentenced to six months, suspended and fined €12,000. He was also ordered to pay Donegal County Council €30,750 in costs. The cost of his own legal team (who, given the circumstances, were made to work hard for their money) will be similar. This is without factoring in the cost of his trip to the High Court against Facebook.

Which brings us back to the point I was trying to make before I was side-tracked by Letterkenny’s Trial of the Century. Mr. Ferry knew all along that he was guilty of illegal dumping. His efforts to require Facebook first to remove the (true) allegations against him, and then to unmask their author were entirely without merit. A whistleblower was silenced because a man with a lot of money to splash around on unnecessary legal costs wanted to suppress the truth. He was able to do so because Irish law contains no mechanism for informing internet users that their identity is about to be revealed, or requiring courts to take the right to anonymity into account when hearing this kind of application. Mr. Ferry got his comeuppance, and highly entertaining it was too. Until the law is modified, not every wrongdoer will be so unfortunate.

Another Bad Idea for Legislating Against Cyberbullying

Some months ago, myself and TJ McIntyre presented to the hearings on social media of the Oireachtas Joint Committee on Transport and Communications. When the hearings concluded, the Joint Committee issued a report which agreed with our view that no new laws are needed to deal with cyberbullying.

However, Fianna Fáil’s Robert Troy TD was not a member of the Joint Committee. He is his party’s spokesman for Children, and he recently published the Cyberbullying Bill 2013. As an opposition bill, the Cyberbullying Bill will never make it onto the statute book. Nonetheless, it might prove instructive to look at it, if only as an object lesson in why knee-jerk legislation can do more harm than good.

The reasons that any new laws against cyberbullying are a bad idea are threefold:

  • Bullying is already illegal, irrespective of how it is carried out.
  • Bullying is an institutional problem which new laws do nothing to address.
  • Prosecuting children as criminals will in most cases do far more harm than good.1

In addition to these general points, Deputy Troy’s Bill has a number of flaws specific to itself. It provides for an offence of Cyberbullying where:

any person who

 (a) sends an electronic communication through the use of technology including, without limiting the generality of the foregoing, computers, other electronic devices, social networks, text messaging, instant messaging, websites and electronic mail, that is

(i) intended to, or

(ii) ought reasonably be expected to,

cause fear, intimidation, humiliation, distress or other damage or harm to another person’s health, emotional well-being, self-esteem or reputation

It is worth noting here that the section does not provide that the message has to be directly addressed to its subject. Merely talking about somebody is sufficient to make one guilty of a crime attracting a sentence of up to 2 years and a fine of up to €20,000. So publishing something online that was disparaging about, say, a politician, might land you in jail. At least defamation only applies to untrue statements. Under this bill, it’s a crime to damage a person’s reputation (or even to hurt their feelings or affect their self-esteem), whether the statement is true or not.

Not content with jailing the tellers of inconvenient truths, Deputy Troy goes after all those who would connive in their impertinence. Section 2(1)(b) provides that anyone who “assists or encourages” the sending of such messages is guilty of the same offence. There is nothing in the bill equivalent to the “mere conduit” defense, meaning that phone companies, ISPs and social networks (not to mention anyone who lends someone the use of a computer for a few minutes), are to be held equally as responsible as their users or misusers. Lest that not go far enough, the next section seeks to visit upon the fathers the sins of the sons:

“Where the person who commits the offence of cyberbullying is a child, and the parents of that child

(a) know of the activity,

(b) know or ought reasonably to expect the activity to cause fear, intimidation, humiliation, distress or other damage or harm to another person’s health, emotional well-being, self-esteem or reputation, and

(c) fail to take steps to prevent the activity from continuing,

 the parents commit the offence of cyberbullying engages in cyberbullying (sic)”2

This places a parent on risk of conviction for anything their child might, with their awareness, say which is capable of being construed as cyberbullying. And given that that pretty much includes any negative statement whatsoever, parents are left with two options: prevent their children from saying anything online at all, or turn a blind eye to everything they do, and thus avail of a defence of ignorance. The bill thankfully ends there, before it can do any more damage.

This is a private members bill, and will disappear without trace. Nonetheless, it is worth noting that this is the kind of thing that some politicians have in mind for the internet: a law that makes it a crime to say anything that isn’t nice. It is also worth noting that this is how some opposition politicians conceive of their legislative role – the proposal of typo-ridden, flagrantly unconstitutional bills that have no hope of success, but might gain a bit of easy publicity on a hot button topic.

FOOTNOTES

1 For more on this, and indeed on the whole subject of bullying and how not to deal with it, read Emily Bazelon‘s superb “Sticks and Stones”, which picks apart hysteria and myths and brings valuable facts to bear on the topic.

2 That the bill was published without even a proper proofreading is characteristic of its generally shabby nature.

Banning Online Porn: Can’t Be Done, Won’t Be Done

UK Prime Minister David Cameron recently announced a plan to restrict access to online pornography. The Daily Mail, which has campaigned for such measures, was quick both to laud and take credit for the initiative. Hot on its heels came calls in the Oireachtas and from the ISPCC for similar moves here.

Almost immediately though, it became apparent that Cameron’s proposals were more more a matter of rhetoric than substance. He announced that ISPs would henceforth block pornographic content by default (this is known as “Default-On” filtering) and that it would be up to individual customers to opt out. In fact what will happen is that customers will be offered a choice as to whether they want to filtering or not, something that some ISPs are already doing. This was quite a feat of spin, taking the opt-in status quo and presenting it as a radical change to opt-out.

It is often the way that bans are easy to demand but difficult or impossible to deliver. These proposals run into trouble when specifics are required. That is why Cameron is already backing off on his big announcement, and why the Icelandic plans for a ban have come to nothing (a member of the parliamentary committee studying the proposal says it has a “near zero” chance of making it to into law).

The problems are both technical and legal. Legally, it has never been easy to define pornography. In 1964, Justice Potter Stewart of the US Supreme Court famously said of defining it “perhaps I could never succeed in intelligibly doing so. But I know it when I see it“. Justice Stewart is no longer with us, so we must do without his guidance. If there’s going to be a law on this, someone will have to sit down and define pornography in a few sentences. Will it include all nudity, or merely all sexually explicit content? What about Page 3? Will text be included as well as images? Where does that leave 50 Shades of Gray? And what of the impending film version of 50 Shades, or other, mainstream films with explicit sexual content? A shorthand for pornography has traditionally been that it was something produced exclusively for the purpose of sexual gratification and lacking artistic merit. I am not sure 50 Shades has much artistic merit, but then who am I to judge? And who is to decide, as a matter of law, what is art and what is not?

If a distinction is to be made between hardcore and softcore pornography, we are into even more subjective territory. Are ISPs to view every piece of sexually explicit material and decide whether it crosses the line or not? They have a hard enough time dealing with child pornography, a real and pressing danger. In Iceland, though specific proposals still have not been made, it was suggested that only violent pornography could be targeted. Which brings us back to 50 Shades again.

On the technical side, the same problem remains. If we have failed over generations to come up with a working definition, then automatic filters have no criteria regarding what to block. The best that can be done is to block certain sites. But with adult material so widely available, there will always be sites that escape the net. Facebook doesn’t allow adult content, but other social networks, like Tumblr and Reddit do. Filters are notoriously inexact. Chances are, if you had family-friendly filters switched on, you would not be able to read this post. Worse, sexual education and information material tends to get blocked too, which is surely a matter of concern when calls for a ban are mostly justified on grounds of child welfare. In any case, as the Minister for Communications, Energy & Natural Resources, Pat Rabbitte pointed out, the EU E-commerce Directive explicitly prohibits (see Article 15) member states from requiring ISPs to monitor content. His recent piece in the Independent opposing such measures is a model of clarity and good sense, when he could easily have score political points by pandering and scare-mongering.

Even where filters are in place, they can be avoided, in the same way as blocked torrent sites can still be accessed. When I was young, the joke amongst the middle-aged was that nobody older than 12 knew how to programme a VCR. Now, with the VCR a relic of the past, the same generation gap exists regarding the internet. You may complacently assume that your computer is locked down. Your teenager may know better.

This, finally, is the nub of them problem. A parent may decide to install content filters on his own computer, accepting that certain unobjectionable material will also be caught in the net. Private households are not required to consider collateral damage to freedom of speech, nor should they be. A society though must give these matters due weight. Minister Rabbitte has made it clear that this is not an area in which the Government wants to get involved. Those calling for a ban might therefore spend their energies more profitably by publicising existing solutions to the problem, and encouraging better parental supervision and understanding of children’s internet use.

Submitted Op Ed Column for Irish Times

I mentioned in a recent post that the proposed new EU Data Protection Regulation is, to say the least, problematic. Actually I called it a disgrace, which it is.

I go into slightly more detail in an article co-written with Daragh O’Brien, which we submitted to the Irish Times for consideration as an Op Ed piece. Alas, the Times, who’s coverage of Data issues can range from excellent to terrible in a single day, has declined to publish it. If is available to read at Daragh’s blog, which you should bookmark if you are even slightly interested in Data Protection, security and privacy.