How OFCOM can stop the abusive trolls?

In recent weeks there has been a lot of discussion about how to deal with trolls making repeated threats of violence or rape via social media. In particular, the stream of abuse targeted at Caroline Craido-Perez and Stella Creasy MP on Twitter following the announcement that Jane Austen was to be the next person to be represented on the UK £10 note , thus being the only woman depicted on any bank note other than the Queen, has significantly raised this issue.

Most of the discussion has concentrated upon use of the criminal law to stop trolls, but there are problems with that approach. For example, the 32 year old man arrested in Bristol on 7 August 2013 in connection with tweets to Caroline Craido-Perez and Stella Creasy is reported to have been arrested under the Protection from Harassment Act 1997. This deals with a course of conduct against another person. What if the troll only sends one or two harassing communications to each target, but sends hundreds of communications?

In this post I suggest that the regulatory tools exist to tackle trolls, were the problem of trolling considered to be sufficiently serious for regulatory action.

The one body the has so far not entered the debate or been questioned about its response to trolling is Ofcom, the regulator for electronic communications networks and services in the UK. This is a surprise, given that one of the sections of the Communications Act 2003, for which Ofcom is the proper enforcement body, seems at first glance to be an anti-trolling provision. The section concerned is section 128 of the Communications Act 2003, the first section under the cross-heading ‘Persistent misuse of networks and services ‘. The provision includes:

(5)  For the purposes of this Chapter a person misuses an electronic communications network or electronic communications service if—

(a)  the effect or likely effect of his use of the network or service is to cause another person unnecessarily to suffer annoyance, inconvenience or anxiety; or

(b)  he uses the network or service to engage in conduct the effect or likely effect of which is to cause another person unnecessarily to suffer annoyance, inconvenience or anxiety.

(6)  For the purposes of this Chapter the cases in which a person is to be treated as persistently misusing a network or service include any case in which his misuse is repeated on a sufficient number of occasions for it to be clear that the misuse represents—

(a)  a pattern of behaviour or practice; or

(b)  recklessness as to whether persons suffer annoyance, inconvenience or anxiety.

Given that these statutory clarifications on what is meant by ‘misuse’ and ‘persistent misuse’ in the 2003 Act pre-date the modern social media concept of trolling, they are not a bad description of what trolling is. Section 128 describes a neat regulatory set of powers for Ofcom to give notice to a persistent misuser to stop misusing, with additional sections setting out how the notice can be enforced. This includes Ofcom having the powers to impose penalties of up to £5,000 as well as seeking a court injunction against a person ignoring a notice (so breach of that injunction would be a contempt of court, with penalties including a fine of up to £2,500 and imprisonment for up to 2 years – section 14 Contempt of Court Act 1981).

However, how can Ofcom serve a notice on a troll (who will typically be anonymous)? It would be perfectly possible for Ofcom to use its information gathering powers, rather than go to court to obtain a Norwich Pharmacal Order for each troll. These are set out at sections 135-146 of the Communications Act 2003, under the cross-heading ‘Information Provisions’. Of interest here is that Ofcom can seek information from parties in addition to communications providers. In particular, section 135(2)(f) allows Ofcom to request information from “a person not falling within the preceding paragraphs who appears to OFCOM to have information required by them for the purpose of carrying out their functions under this Chapter.”

There is no reason why this could not include Twitter UK Ltd, even though, as Twitter UK Ltd was at pains to point out in a statement to the Leveson Inquiry, it has technically nothing to do with the Twitter service. Twitter UK’s registered office is 100 New Bridge Street, London EC4V 6JA, the same address as the international law firm Baker & McKenzie. If Baker & McKenzie are Twitter UK’s solicitors, I am sure they could advise Twitter that Ofcom’s information gathering powers are broad and do come with some teeth, so that eventually Ofcom would be able to get the information it required. Even so, given the current interest in addressing trolling via Twitter, it would be a further PR disaster for Twitter UK to be seen to avoid information requests from Ofcom on the grounds that the Twitter services was nothing to do with it, the UK entity, but only a matter for the US Inc.

So, using section 135 information requests, Ofcom could obtain the IP address of trolls via Twitter and UK ISPs, and contact details for that IP address. With that information a section 128 persistent misuse notice could be served, and the troll told to behave or be cut off.

This route could also address the question of trolling via multiple accounts and/or different social media platforms. The notice is not limited to one account on one communications platform; the misuse must be by one person. Section 128(7) states:

For the purpose of determining whether misuse on a number of different occasions constitutes persistent misuse for the purposes of this Chapter, each of the following is immaterial—

(a)  that the misuse was in relation to a network on some occasions and in relation to a service on others;

(b)  that different networks or services were involved on different occasions; and

(c)  that the persons who were or were likely to suffer annoyance inconvenience or anxiety were different on different occasions.

It would therefore catch a person trolling using multiple accounts on Twitter, Facebook etc. to different targets.

However, there is a potential gap in this approach. What if the target of the trolling is, as recent examples have shown, on the receiving end of an avalanche of abuse or is being flamed? The avalanche could be the result of a mass of single communications from individual persons, each of whom may not be persistently misusing.

The radical answer, which may not stand up to regulatory scrutiny, is to suggest that it is possible to serve the persistent misuse notice not on the individual trolls, but on the person providing the platform upon which the trolling occurs. There is no precedent for this extended use of section 128, which to date has been used by Ofcom to shut down the misuse of automatic calling systems generating abandoned or silent calls (eg section 128 notice on HomeServe plc). The Ofcom argument would have to be that the notice recipient, by providing a platform with no effect monitoring or abuse notice and protection systems to protect users from unnecessarily to suffer annoyance, inconvenience or anxiety, is the person upon whom a section 128 notice can be served. The Ofcom notice could demand that a proper anti-trolling and/or abuse notice system be put in place, as in section 129 it states:

(2)  OFCOM may give the notified misuser an enforcement notification if they are satisfied—

(a)  that he has, in one or more of the notified respects, persistently misused an electronic communications network or electronic communications service; and

(b)  that he has not, since the giving of the notification, taken all such steps as OFCOM consider appropriate for—

(i)  securing that his misuse is brought to an end and is not repeated; and

(ii)  remedying the consequences of the notified misuse.

In practice, however, I don’t expect Ofcom to go anywhere near the trolling controversy. Regulation of networks and services is carried out by that part of Ofcom that can trace its roots back to Oftel. From the earliest days of telecommunications regulation, telecommunications (now electronic communications) regulators have sought to distance themselves from any requirement to regulate content.

Twitter, Google and EU Privacy

EU Commission Data Protection Reform logo

At the end of February is was reported that Twitter was selling off old tweets to marketing companies. Google also, with effect from 1 March 2012, changed its privacy policy for all of its services. These include YouTube, Gmail and Blogger as well as the ubiquitous search engine. In neither case were users’ consents obtained for the transaction or changes. This raises a number of privacy and data protection issues. In Google’s case the EU Justice Commissioner, Viviane Reding, has gone on record saying “transparency rules have not been applied”. The French data protection authority, the CNIL, launched a European-wide investigation into the Google policy changes.

I predict that there will be more of these announcements and privacy policy tweaks during the coming months. Companies with large banks of users’ or customers’ data from the European Union have a small window of opportunity to commercialise that data before the implementation of a new European Union data protection regulation. The draft of this regulation was published by the EU Justice Commission on 25 January 2012. In its current draft form, the regulation will begin to apply 2 years from the date it comes into force. No national laws are required to bring an EU regulation into effect in a member state.

Companies will therefore have 2 years in which to rely on the more relaxed rules included in the Data Protection Directive 95/46/EC. In particular, some processing that can be conducted without the consent of individuals, where these are new uses of the individuals’ data which are in the “legitimate interests pursued by [the company] or by the third party or parties to whom the data are disclosed”, will become much more difficult, if not impossible.

The whole nature of consent is properly addressed in the draft regulation. In the Directive, data can be processed where there is unambiguous consent. In the UK implementation of the Directive, the Data Protection Act 1998, is has always been possible to obtain consent indirectly for data that is not “sensitive personal data”. Whilst this has been one of a number of long-standing issues between the European Commission and the UK on data protection, there is a new provision in the draft regulation that will address valid consent. Of particular interest in cases such as Google, which is a dominant operator in the search engine services market, is the draft provision that states “consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the [company]”.

This goes back to another of the significant changes in the draft regulation. In the Directive there is a basic provision that personal data must be “processed fairly and lawfully”. In the regulation, the equivalent provision is “processed lawfully, fairly and in a transparent manner in relation to the data subject”. Expect some interesting arguments about transparency in the coming months – perhaps these have already started, given Viviane Reding’s comments on the Google changes.

To make matters even more interesting, the draft regulation gives consumer bodies the standing to be able to complain to a supervisory authority about data protection breaches on behalf of individuals. Super-complaints, as they are known in competition law, will up the ante for regulators – easy for the Information Commissioner to downplay an individual’s complaint; less easy to ignore a complaint from a body such as Which? or the National Consumer Council?

Lastly, the draft regulation includes new powers for supervisory authorities, including the power to fine enterprises, in the worst cases, up to 2% of their annual worldwide turnover. That ought to grab the attention of companies like Google and Twitter.

DoJ, Wikileaks and Twitter: Stones and Glasshouses

WL Helping HandThere seems to be a degree of outrage on many social media channels about the Department of Justice in the United States obtaining a court order to require the US-based social media platform Twitter, and possible Facebook and Google as well, to reveal account information about certain users who are alleged to be involved with Wikileaks. There should be no doubt amongst UK social media commentators or users that the law in the UK is more generous to government authorities than anything in the US.

US Law

The court order against Twitter was made under 18 USC §2703(d), which is an order made on application to a magistrate judge (and not a subpoena, as is being widely reported). These orders can only be granted where it is shown by the applicant government entity that there are reasonable grounds for believing that the information it will obtain from the respondent communications providers will be relevant and material to an ongoing criminal investigation. Whilst we are not experts in US law, we believe that orders under 18 USC §2703(d) enable the government entity making the application to obtain what we in the UK would call the communications data (see below) for a particular account from a respondent communications provider and details about the subscriber or customer for that account. The contents of any communication can only be demanded if they are over 180 days old, otherwise another criminal evidence procedure is required. As far as we are aware, in the US there is no federal statutory obligation on communications providers to retain communications data, but 18 USC §2703(f) does provide for data preservation orders.

UK Law

This post explains the relevant UK law, which shows that not only can similar communications data to the Twitter account information sought by the Department of Justice be obtained by government entities in the UK from UK communications providers, but that information can be demanded for much broader purposes than in connection with an ongoing criminal investigation. 

In the Regulation of Investigatory Powers Act 2000 (“RIPA”), “communications data” is defined as being (section 21(4) of RIPA):

(a)  any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted;

(b)  any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person—

(i)  of any postal service or telecommunications service; or

(ii)  in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;

(c)  any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service.

Whilst it is unclear to what extent communications data under RIPA includes web page or other internet usage data, the definition of traffic data was carefully drafted to exclude web page information (rider at s.21(6)).

Whilst communications providers had no standing obligation to retain data under RIPA, a designated person (as defined in sections 25(1) and (2)) may require any telecommunications operator of a telecommunications system that is “in possession of, or be capable of obtaining, any communications data” to obtain that data, if not already in the operator’s possession, and disclose it (section 22(4)).  However, the grounds under RIPA upon which communications data can be ordered to be obtained are the most extensive in any UK legislation.  They include, for example, matters such as “for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department” (section 22(2)(f)).  The original purposes have also been extended by the Regulation of Investigatory Powers (Communications Data) (Additional Functions and Amendment) Order 2006 (all these purposes together being the “RIPA Purposes”).

The scope of these RIPA Purposes was addressed in the Home Office Acquisition and Disclosure of Communications Code of Practice, which came into effect on 1 October 2007 (the “RIPA Code”). The RIPA Code seeks to emphasis that any action by a designated person or a person authorised by them is “necessary and proportionate” (see paragraphs 2.1, 3.5, 3.7, 3.31 and 3.48). However, it does not contain much in the way of guidance on how a designated person is to assess what is “necessary and proportionate”.

Any notice given by the delegated person to a communications provider is only valid for a maximum of one month (section 23(4)), but it would appear that under RIPA the acquisition period for the relevant communications data which is the subject of the notice, can be unlimited.  The RIPA Code states that any notice must give the start date and end date for the acquisition of data, but with limits on future end dates, so that where a notice relates to the acquisition of communications data that will or may be generated in the future, the future period is restricted to no more than one month from the notice date (paragraph 3.44).

In practice government entities in the UK do not have to consider seeking an order under section 22 of RIPA to preserve communications data, as the UK has for a number of years implemented a data retention regime.  Communications providers in the UK are required to retain communications data under the Data Retention (EC Directive) Regulations 2009 (the “Data Retention Regulations”), which implement Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 (the “Data Retention Directive”) on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. The Regulations do not set out the purposes for data retention, but it is stated in the Data Retention Directive that the intention is to “ensure that the data is available for the purposes of the investigation, detection and prosecution of serious crime” (Art.1(1))(the “Data Retention Directive Purposes”)(emphasis added).

In the Data Retention Regulations “communications data” is defined as being “traffic data and location data and related data necessary to identify the subscriber or user”.  Traffic data means “data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication”(Regulation 2).  This definition is slightly different from that set out at section 21(4) of RIPA)(see above); the most clear differences are that in RIPA location data is expressly included and defined (at sections 21(6) and (7)), and the more broad definition of traffic data.  In particular, the definition of traffic data in the Data Retention Regulations does not exclude from the definition of traffic data, data to the level of web page information.

Under the Data Retention Regulations public communications providers are required to retain the communications data set out in Regulation 4 and the Schedule.  This is generally data necessary to: (a) to trace and identify the source of a communication; (b) to identify the destination of a communication; (c) to identify the date, time and duration of a communication; (d) to identify the type of communication; or (e) to identify users’ communication equipment (or what purports to be their equipment).  The retention period for all communications data retained under is twelve (12) months (Regulation 5).  The Data Retention Regulations do not include an access regime for any retained communications data, but merely state that access may only be obtained only in specific cases and as permitted or required by law (Regulation 7).

Other Relevant Legislation

Data Protection Act 1998

The Data Protection Act 1998 (“DPA”) fifth data protection principle (at paragraph 5 of Part I of Schedule 1) provides that personal data shall not be retained than is necessary for the specified and lawful purpose(s) of the data controller.  Consequently, communications providers ought to state in any fair processing notice made available to their customers that communications data is being retained as required by the Regulations and may be disclosed to public authorities permitted to access the communications data under RIPA, even though most of this processing will be subject from the subject information provisions (as defined at section 27(2) of the DPA) under an exemption in Part IV of the DPA (section 28 (National security) and section 29 (Crime and taxation) being the most obvious).

Communications providers will be relying, in most cases, on the lawful purpose set out in paragraph 5 of Schedule 2 of the DPA (processing necessary for the administration of justice, to carry out statutory functions or functions of the Crown, a Minister of the Crown or a government department or for “the exercise of any other functions of a public nature exercised in the public interest by any person”), or, where the communications data contains sensitive personal data, on the purposes set out at paragraph 7 of Schedule 3 of the DPA (as paragraph 5 of Schedule 2, except without the ‘functions of a public nature exercised in the public interest’ purpose).

Human Rights Act 1998

Article 8(2) of the European Convention of Human Rights (the “Convention”), incorporated into UK law by the Human Rights Act 1998 (“HRA”), provides that “there shall be no interference by a public authority with the exercise of this [Article 8 privacy] right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” (the “Art 8(2) Purposes”).

The principle of retention of communications data for the Data Retention Directive Purposes, which are narrower than the Art 8(2) Purposes, is therefore lawful under the Convention and the HRA. What is open to question is the lawfulness of any of the Data Retention Regulations’ retention periods and the interference with data subjects’ rights to privacy where retention (and access) is carried out for RIPA Purposes that go beyond those set out at Article 8(2).

[We found the post “Thoughts on the DOJ wikileaks/twitter court order” by Christopher Soghoian on his slight paranoia blog interesting – and useful to confirm our understanding of 18 USC § 2703.]

Twitter: in which we serve

Original film poster

Original film poster

In Which We Serve (1942) is a classic wartime film, winning Noel Coward a Special Academy Award (Oscar) for its production.  It is an evocative propaganda film, following the exploits of a fictional HMS Torrin from its commissioning in 1939 to its sinking in 1941.

Sadly, the first use of Twitter to serve a court document does not appear to have been in such an heroic cause.  A blogger and lawyer well known for being on the right of the Conservative Party, Donal Blaney, took exception to the Twitter account @blaneysblarney purporting to be him.   Donal appears to claim that the person behind this Twitter Account, who uses a photograph of Donal as the account’s avatar, is infringing Donal’s intellectual property rights.  The details of the claim have yet to be published.

As Donal does not know the identity of his Twitter impersonator, he cannot serve upon the impersonator any statement of claim or injunction.  In many cases, a person in Donal’s position could seek to obtain a Norwich Pharmacal Order, but this is not appropriate in these circumstances as the person with the relevant identity information, Twitter, is outside of the jurisdiction.  This left Donal to seek other means.  Fortunately, the Court can use any alternative method for a claim form under Rule 6.15 of the Civil Procedure Rules:

“where it appears to the court that there is a good reason to authorise service by a method or at a place not otherwise permitted in this Part” (Rule 6.15(a))

This rule can be applied to injunctions:

“Rule 6.15 applies to any document in the proceedings as it applies to a claim form” (Rule 6.27)

Where has getting the service of the injunction by Twitter got Donal? It must be immediately obvious that enforcing an injunction served or attempted to be served by Twitter against an unknown party is near impossible. This appears to have been realised by another (or the same) Twitter user, judging by the new Twitter account that appeared on the day after the date of the injunction, 1 October 2009, @blarney_blaney (complete with Swastika avatar), to taunt Donal even further.

However, being the first claimant to obtain service by Twitter has brought Donal Blaney, his law firm Griffin Law and his barrister Matthew Richardson considerable publicity.