Legal (and Ethical) Comment

Legal (and Ethical) Comment

A lot has been happening. It always does just as I start looking forward to my holidays. I do not know how I will cope with the 500 e-mails I will find when I get back, but I will deal with that later. I cannot delete them because my employer is monitoring me. I hope none of them is defamatory because I cannot afford to sue right now. I will forward a few of them but I will have to watch out for intellectual property ­ it is strict about distribution and dissemination. Of course, I will be careful what I say in response ­ professional negligence and vicarious liability being what they are these days.

The Law is Not Enough

If I am a little preoccupied by rights and responsibilities, it is probably because of an investigation into professional ethics. I started where most people start ­ with a sense of what is right, fair and good. I knew something about duty of care (which is important for issues of negligence) and something about contractual responsibilities, express and implied.

Reading confirmed all this and more. The cross-overs between law and ethics are complex: for instance, on issues of responsibility, duty, and rights. All kinds of people interest themselves in ethics, from philosophers to the most practical of managers. My desk has been covered with works by theologians and epistemologists, computer lawyers and e-commerce gurus, research into knowledge management and database law, human rights experts and cryptographers.

Among all the intellectual twists and turns, I encountered deontology and teleology, as one does, and pondered the deeper mysteries of duty and means-ends, rational choice theory and Rawl's rights-based theory of justice. So what about the law? Professional information people are getting more and more aware of the law. This is not just copyright on the Internet, or consortium licence agreements, or droit de suite, or jurisdictional exhaustion, or database sui generis law, how to protect your domain name, or where to go for a legal audit for your Web site. The awareness I am talking about is to do with professional conduct and personal liability.

In recent years, there appear to have been more cases against information workers. Reasons for this are not hard to see ­ a growing distrust of professionals, greater consumerism about professional services, wider knowledge about tort and contract law, and a culture of blame (where things happen because someone else is at fault). When information (allegedly neutral) turns into advice, and someone acts upon it, and injury occurs (personal, physical, economic loss), then we see a search for damages. There must be a reasonable chain of causation. There should also be reasonable foreseeability, above all for a professional on whom the layperson places reliance. I love the phrase I read last week ­ where such relationships have information asymmetry.

The standard or duty of care for the professional is not merely that of the reasonable man or woman, and what would or might have occurred in similar circumstances. Professional duty of care is higher, more stringent, than that ­ so we are thinking of a lawyer or doctor, financial adviser or systems consultant, and what they did and what other professionals, like them, would or might have done in similar circumstances ­ whether they showed due competence, were up to date with their skills and knowledge, and used appropriate techniques in the circumstances.

This is the territory of tort, where professional negligence lives. Things do go wrong at times ­ incorrect information, unfair exclusion, disclosure of confidential material, breach of contract, criminal damage to a database, piracy and infringement, defamation. So it is not just tort but contract, confidentiality and privacy, libel, and the rest. The law has a lot to say about all this. It demands compliance, ignorance is no defence, and it is costly and damaging to disobey. But I am wondering whether the law, for all its versatility, provides only minimum requirements.

Catching a Code

What about responsibility and duty, professionalism and doing the right thing ? It does seem as if the law is not enough. One thing is clear ­ that, if the law provides a minimum, codes of professional practice provide the aspirational maximum for service standards. The Code of Professional Conduct for the Institute for the Management of Information Systems, for example, highlights independence, confidentiality, the advancement of professional standards, respect for intellectual property rights, and upholding the honour and dignity of the profession. The EIRENE code of practice (drawn up by EIRENE/EIIA/EUSDIC in 1993) highlights integrity, confidentiality, business ethics, objectivity, and respect.

The Code of Professional Practice of the European Directory Publishers (http://www.eadp.org/) speaks about the reliability of products and services, professional business practice (e.g. company and product transparency, direct misrepresentation, use of advertising material, copyright and database protection, solicitation of customers), and professional conduct (e.g. personal data protection and respect for privacy). Many such codes probe through to core competencies which professionals should have, and core values which they should share.

The Guidelines for Professional Ethics of the (UK) Institute for Information Scientists goes to these core values:

1. 1.

   provide service to clients and society, and be responsible for the level and quality of service;

2. 2.

   facilitate wide access to information and ideas;

3. 3.

   acquire, store, manage and present information impartially;

4. 4.

   pursue truth and the advancement of knowledge;

5. 5.

   preserve and enhance society's cultural heritage;

6. 6.

   maintain and develop professional competence, through keeping up to date with new developments and maintaining current awareness; and

7. 7.

   develop their knowledge of the organisation in which they work.

All these examples suggest strongly that any talk of tort and contract, confidentiality and privacy and defamation, need ­ for the professional ­ to be put regularly in the context of this wider ethic. The ASIS (American Society for Information Science) professional guidelines (http://www.asis.org/AboutASIS/professional-guidelines.html) put it well: there are responsibilities to employers, clients, and system users; responsibilities to the profession; and responsibilities to society. Over-arching all these, perhaps, are statements like "We uphold the principles of intellectual freedom and resist all efforts to censor library resources" and "We do not advance private interests at the expense of library users, colleagues, or our employing institutions" (from the American Library Association Code of Ethics, (http://www.csu.edu.au/acadman.o3m.htm) includes "safe, effective, responsible and lawful use..." in order to safeguard "the interests of all users and of the University". There are obligations (e.g. unauthorised use), prohibitions (cracking programs, infringing security, harassing others, defacing notices), breaches, and penalties (e.g. caution or reprimand, fine, suspension, expulsion, and referral to the police in case of criminal behaviour).

That said, that professional codes of conduct extend mere legal compliance into a kind of aspirational zone, when we work them out in practice, the pragmatics of the law usually come into their own. This is perhaps why it is useful to go full circle, out from professional codes into the wider world of ethics. Where we started. If we are talking about privacy and intellectual property, we are also talking about rights. We may also be talking about the rights of access. Having my desk covered with philosophers has really been quite useful. They have reminded me of at least two things. First, that rights have all kinds of complex connections with freedoms and justice, and are in fact highly politically charged. Second, that, because arguments about rights can be special pleading of an ends-means type, and rapidly take us into utilitarianism, it is necessary to look beyond even that to what we actually mean by "good".

Aristotle takes an ends-means (i.e. teleological) approach to the good, or virtue (or arete), speaking about the morally admirable, and defining moral virtue as "a habitual disposition connected with choice, lying in a mean relative to us, a mean which is determined by reason, by which the person of practical reason would determine it". He goes on to talk about responsibility and culpable failure (in his Nicomachean Ethics). I rather like the way he insists that we take full responsibility for our own character. Virtue is in our power, just as viciousness is. I like the way, too, he connects failure ­ for what else have we been talking about, with negligence and liability ­ with reason and belief: "So the moral failure comes about in a way under the influence of reason and belief. The reason is not in itself contrary to right reasoning ... it is the desire, not the belief, which is undesirable".

Which takes us to virtue. MacIntyre's After Virtue (1984) is one of those watershed books which people seem to go back to time and time again. He argued that utilitarian arguments never ultimately held up when talking about rights. Even rights themselves were a social construction which begged lots of questions. Are there, for instance, natural or inherent rights, say, to have holidays with pay? This is an important question, asked by (among others) Wegner (2001) in a recent and stimulating new issue of Library Trends . There is always more, as a visit to the Web site of the International Center for Information Ethics (http://v.hbi-stuttgart.de/~capurro/icie-index.html) will reveal.

Without looking hard at what we mean by virtue, by the good, and not merely the good as defined by performance indicators, due diligence, or the happiness of the greatest number, our view of professional behaviour will always fall short. I am still working on the moral implications of this, but I know it is easy enough to see ethical principles underlying performance in contract, loyalty in confidentiality, respect in privacy, and caring in the duty of care in the tort of negligence. Next week I shall be thinking more of French wine and cheese. This week I've been wondering about obligation, duty, and the scope of the law. As Tony Honoré once said, "people are never legally liable merely because they have caused someone harm".

The Law is Quite Enough

On the other hand, a lot of legal things have really been going on. Apart from Tasini and Napster, which run and run. I have a large file on Napster. I get regular updates from e-sources like Ananova (http://www.ananova.com/news/). In May 2001 they were expected to launch their new copyright-friendly service, and had started recruiting users for a test of the new pay-as-you-go system based on a monthly fee. In June 2001 they were thought to be close to signing a deal with three of the world's "bid five" music labels. Bertelsmann formed an alliance with Napster back in October 2000, saying that its music division would withdraw from suing them and make its music available on the new distribution platform.

Last year 50 million or more people downloaded music from Napster, and the music industry did not get a penny or cent for it. If we are looking for evidence that the law was not enough, surely it was here. Copyright laws seemed to be just a theory. The major labels were nowhere. But maybe the real calculus is that, whatever happens to the law, the partnership of law and economic muscle wins every time. Users of Napster have plummeted according to US digital entertainment analyst Webnoize because Napster was being sued from all sides.

The Recording Industry Association of America was a major player, Metallica a major group, three majors joined with the Internet firm RealNetworks to form a new MusicNet outfit to promote online distribution. Now there is talk in Europe at least of competition law getting busy on the new allegiances (like Sony + Vivendi and their PressPlay). As we said, a story which runs and runs. Conrad Mewton's new book (Mewton, 2001) has useful background to the whole MP3 scene, with good stuff on downloading, streaming, and Webcasting.

Softly Softly Software

It used to be simple. Software was copyright, and the physical disks were patents. The problem began when certain patents claimed to enable the operation of machines. For instance, produce a solution matrix for a plurality of simultaneous linear equations comprising controlling iterative processing on a set of data representations. The end product, then, was data in the form of intellectual information, so was the information a product or not? Computers depended on programs to operate. Since then patent decisions have been an intriguing area to watch, going this way and that ­ a product or not, an application intended to run a computer (i.e. a computer program or a computer programmed to operate in a particular way).

In the guidelines for examiners drawn up by the European Patent Office came the phrase "technical contribution". "If the contribution to the known art resides solely in a computer program then the subject matter is not patentable in whatever form it might be presented in those claims". In the UK a computer program, as such, was not patentable. The situation is not normally changed when the computer program is loaded into a known computer. If however the subject matter made a technical contribution to the known art, patentability should not be denied merely on the ground that a computer program is involved in its implementation. That is, the subject matter could be patentable if it produced a technical effect.

Cases through the 1980s and 1990s reveal how this set of issues has moved along and how software-related inventions have gone this way and that. In 2000 the UK Patent Office started a thorough examination of whether patents should be granted for all computer programs and business methods (like Amazon.com's "one-click" process). The current position (in the UK) is that software is protected under copyright law. The duration of copyright lasts for 20 years, and registration is slow and costly. That said, the economic investment deserves protection.

It is not a bad thing when a software developer can get copyright (for 70 years) and patent protection (for 20 years), and throw in for good measure any associated law (like database law) if it is relevant. Different places have had different practices, and some believe patent awards have been too lax. The Amazon case opened up possibilities of patenting the allegedly unpatentable, and underwriting monopoly abuses. In Europe, however, the UK Patent Office and the EPO have been reviewing a more liberal regime. If patentability did not extend to things like business programs for computers, mathematical methods, and presentations of information, it meant that anything more than a computer program could not be patented.

The technical contribution test proved influential (the technical contribution which the invention makes to the known state of the art considered as a whole). In the case involving an IBM computer program displaying window information, the EPO held that it was possible to obtain a patent for a claimed computer program product which, when loaded into a computer, was able to carry out a technical process. As a result the UK Patent Office said it would accept claims to programs which did the same thing. The EC is seriously considering patents for software (consultation paper at http://europa.eu.int/comm/internal_market/en/intprop/indprop/index.htm dated 19 October 2000).

In November 2000 the Council of the EU reached political agreement on the main features of a proposal for a regulation on Community Design. This would provide a registration system for Community-wide legal protection of designs, and would be run by the office for the Harmonisation in the Internal Market which already dealt with Community Trade Marks. There has been debate in the UK about extending patents to business processes, and the current position is that the UK government opposes it. Patents can be allowed for software which have a technical effect (e.g. compression algorithms) but not software which facilitates business processes. Criticism is based in part on the anti-competitive effect of extending the law this way.

The Law Does Help but ...

Related research into patent protection of computer programmes has emerged from a team at Sheffield and Sussex Universities. It is called Patent Protection of Computer Programs: Final Report (2001) and is accessible at gtp://ftp:ipr-helpdesk.org/softstudy.pdf (100-plus pages). It argues that, in a world of heightened awareness for IPR and links between IPR and innovation and intellectual capital, we need to know more about how businesses, and in particular SMEs, manage IPR.

Most rely on copyright for their digital literary works, find the patent system complex and expensive and regard it as conferring few advantages, argue that their resources are too small to protect patents, do not particularly use patent information for innovation, place trust in protection like encryption, and contend that their main concern is with product rather than IPR. For any information researcher, fresh-faced and high on the rhetoric of Nonaka, Stewart, Davenport, Senge, and Skyrme on knowledge management, and the role of intellectual capital for creativity and competitive edge, the report makes salutary reading. A breath, in fact, of pragmatic air.

Another interesting legal twist has been the decision of the English High Court which rules on the issue of when the use of a trade mark registered in the UK in a Web site operated from outside the UK infringes the UK trade mark right. The case concerned Euromarket Designs, a US company operating a chain of stores in the USA, which sought judgement for infringement of its trade mark against a Ms Peters, who through her Irish company operated a store in Dublin. Both parties sold household goods under the name Crate & Barrel.

However Euromarket had registered Crate & Barrel as a UK and Community trade mark. Ms Peters created a Web site www.crateandbarrel.ie, and as a result Euromarket sued for UK infringement. Neither party operated in the UK. The High Court accepted that the name was derived independently and that Ms Peters did not use her Web site in the course of trade in the UK. Anyone visiting the Web site would see that it advertised only her store. The judgment was that:

...the mere fact that websites can be accessed anywhere in the world does not mean, for trade mark purposes, that the law should regard them as being used everywhere in the world. It all depends upon the circumstances, particularly the intention of the website owner and what the reader will understand if he accesses the site.

The implications for anyone trading anywhere are clear.

The Law is More than Enough

We have more things in the pipeline. There is a copyright and trademarks bill aiming to cover software piracy via the Internet. The inexhaustible Stevan Harnad goes on with his thoughtful analyses of traditional copyright mindsets for electronic journals (e.g. http://www/cogsci.soton.ac.uk/copyright.html and much else). Electronic signatures are now legally admissible in court in the same way as a hand-written signature (as a result of section 7 of the Electronic Communications Act, 2000). JILT continues in its excellent way, picking up on privacy, Internet patents, signatures, and cyber-learning in the 2001 issue.

Security stays in the news ­ worm holes found in Hotmail and Yahoo! mail, a vulnerability allowing attackers to create e-mail with html links that can act as worms and clog mail servers. Disclosure has caused some fuss, since the Consumers Association had to close its financial Web site after a security flaw revealed the credit card details of around 2000 customers, and Motley Fool was asked in court to disclose the identity of a message board user accused of posting defamatory remarks concerning the ISP Totalise. It had to do this on the post-Demon-Godfrey ruling that Motley Fool exercised editorial control over its postings.

The new Copyright Directive (Directive 2001/20/EC on the harmonisation of certain aspects of copyright and related rights in the information society) is a hot topic. It extends copyright protection to the Internet and other new media, and should be transposed into national laws in 18 months. It harmonises across the EU the rights of reproduction, distribution, communication to the public, the legal protection of anti-copying devices and rights management systems. It also includes a mandatory exception for technical copies on the Internet for network operators in certain circumstances (the exemption only applies when reproduction forms an essential part of a technological process, and takes place in the context of a transmission in a network). Other issues include fair compensation for rights-holders and optional exceptions to copyright which include private copying.

A lot more to come on that. Yet my suitcase beckons. You may have been following the UK debate about IT consultants and IR35 (how they pay tax). Individual workers were able to exploit fiscal advantages (e.g. reduced tax and national insurance). IR35 treats a service company as making a payment taxable under Schedule E and subject to Class 1 National Insurance Contributions. It sounds arcane, but, if you're an IT consultant, and there are more and more of them, it matters to you. An employment law envoi for you. Another matter to sort out later. Manana, but not negligently so.

Stuart Hannabuss (MSCSH@mailer.rgu.ac.uk) is a professor at the School of Information & Media, The Robert Gordon University, Aberdeen, Scotland, UK.