Posts by Neil Brown

Re: Valid and invalid purposes

SARs are purpose-blind, and the controller has no basis for attempting to "look behind" a SAR, to try to establish the applicant's motive. Similarly, they have no basis for rejecting a SAR as being made "for the wrong reason".

The controller simply needs to get on and deal with it in the same way as any other SAR, and provide the information required by Article 15 (UK) GDPR.

This is one of the areas in which I see controllers make life unnecessarily hard for themselves. Lots of people - both controllers and subjects - still misunderstand what is covered by a SAR. It's common (in my experience, at least) to see people using it to try to get copies of documents, or things which are not their personal data or which is not information related to the processing of their personal data. If that's what they want then, yes, discovery is far more likely to yield those results, if it is available). Similarly, controllers get themselves in a tizz about what they are required to provide, especially in the face of an assertive data subject or a represented data subject, asking for things to which they are not legally entitled.

While there are undoubtedly times when discovery will be the better tool for the job, discovery is only available in limited situations. If someone is merely "under investigation", for example, discovery is unlikely to be available to them at that stage. Whether a SAR then would reveal anything useful might be a different matter, especially given the exemptions available to withhold the provision of information under a SAR, but SARs are available when discovery is not.

Seminars or sales pitches?

> They would not even attend free seminars on basic IT security because it detracted from the time they could bill to clients

I — lawyer — don’t typically attend free seminars on IT stuff, security or otherwise, since they are nearly always, in my experience, a sales pitch disguised as a seminar. Possibly one or two small bits of useful information, but mostly a list of dangers and pitfalls, and an explanation of how the presenter's company's chargeable product / service can solve them. (Perhaps it's exactly the same for non-lawyers going to a lawyer's seminar...?)

I tried to persuade the Law Society to run a "basics of IT security" session for lawyers in small firms, who may not have IT staff, where the content was vetted so it was practical and implementable and not (just) a sales pitch, but I got no-where, which was a shame.

Re: Email?

In this case, there was no dispute that the email was sent, with the content in question, from the person from whom it purported to have been sent. So no issue in terms of whether it was fraudulent.

If the defendant had alleged that they had never sent that email, and it was someone else spoofing their account, then the case would have looked very different, in terms of the points arguedt.

(Very few contracts under English law require a signature, so a trivially-copyable signature is unlikely to make a major different either way.)

Re: We have signed emails

Most commenters on here seem to be fumbling around in the dark, making comments over law they don't understand :)

IMHO, the decision did little more than apply existing law on signatures, looking at the purpose of the bit of text added automatically.

See, for example, the very recent work on this issue, from the Law Commission: https://www.lawcom.gov.uk/electronic-signatures-are-valid-say-governments-legal-experts/

Optional

> merely an offer

So anyone receiving the email can accept the offer?

Would it not make more sense to phrase it as an "invitation to treat", which is not capable of acceptable?

> a properly signed and agreed contract

What is the difference between a "signed" contract and a "properly signed" contract? After all, the court here held that the inclusion of the email signature was "signed", and thus presumably also "properly signed".

What is an "agreed" contract (as that suggests that there are contracts which are not "agreed")?

If — as is the case for most contracts — neither a signature nor even written evidence is required, what impact does this wording have, if any?

etc.

[Bloody lawyers etc.]

Re: Interesting

I'm not sure that's true, as the shielding law treats each transmission in isolation.

A company which offered an Internet access service and its own IPTV service would be shielded from liability in respect of a transmission initiated by a user of its Internet access service, but would not be shielded for something it chose to distribute via its IPTV service.

Re: Trademark - or copyright ?

The ruling stems from the Cartier litigation, which relates to website blocking injunctions issued to make it a little bit harder to access sites which infringe on certain trade marks.

It should apply to blocking orders based on infringement of copyright, but I guess that's a battle for another day.

It will be interesting to see whether it has an impact on blocking orders imposed on ISPs under the Digital Economy Act, in respect of porn sites which do not implement age verification, but there's a completely different framework. While it seems reasonable to me that the same approach should be taken, and that the BBFC should reimburse ISPs for their costs, that seems... unlikely.

It has no direct bearing on the Norwich Pharmacal orders used to obtain subscriber information from ISPs, in my opinion.

From a legal perspective...

The requirement to have age-verification in place applies to any person who "makes pornographic material available on the internet to persons in the United Kingdom on a commercial basis other than in a way that secures that, at any given time, the material is not normally accessible by persons under the age of 18." (s14(1) DEA 2017)

It does not matter whether that person is based in the UK or elsewhere.

An ISP can be compelled by an administrative (non-judicial) blocking order to take the steps either specified in the blocking notice, or else as "appear to the provider to be appropriate", to "prevent persons in the United Kingdom from being able to access the offending material using the service it provides". (s23(1))

The legislation expressly permits overblocking: "The steps that may be specified or arrangements that may be put in place ... include steps or arrangements that will or may also have the effect of preventing persons in the United Kingdom from being able to access material other than the offending material using the service provided by the internet service provider." (s23(3))

"Pornographic material" is defined in s15. It's too long for me to paste here, but it covers quite a lot, with an emphasis on material which was "produced solely or principally for the purposes of sexual arousal". And, since different people like different things, that potentially covers quite a lot.

Re: [an offense of] altering personal data in a way to prevent it being disclosed.

Basically, if someone has made a subject access request, you can't decide to just delete the lot or amend the records.

Re: Lots of other good products....

+1 for VirtualBox.

If you want your VM to start when the host Mac boots, rather than needing manual intervention in the VirtualBox GUI, a simple .plist file in /Library/LaunchDaemons/, run launchctl load, and you are away :)

Re: MSPaint equivalent?

Great tip — thanks.

Re: FileZilla

I think I used to use CyberDuck to do much the same. And with a comparably good name too...

Re: MSPaint equivalent?

Seconded (thirded?) for Pixelmator, although I do still find I use the unfortunatley-named The GIMP now and again, having got used to it in my Linux-only days.

Re: Lots of other good products....

+1 TextWrangler

Re: And some more:

Handbrake reference should have been "potentially requires V*L*C", not V*N*C. Oops.

What can't be done on any opther machine that can be done on macs? Now't!

iOS development?