Smart document generation

If giving legal advice is one of the two core skills of legal practitioners, the other is drafting legal documents. No matter what area of the law you practice in, you will need to generate a brief, a lease, a will, a contract, a certificate of incorporation—you name it. It is no surprise therefore that ever since PCs were first introduced into law firms, lawyers have been looking for ways of using them to make generating documents faster and easier. Word processors helped, and precedent data banks did too, but the Holy Grail in this field is a system that can generate a complete, airtight first draft of the required legal document at the click of a mouse. The idea of software that can generate standardized legal documents is not new. Software packages that produce documents on the basis of certain specified inputs have been on the market for some time. They range from simple electronic forms or automated cut-and-paste to sophisticated software that can draw on internal definitions and even do a measure of logic checking.[1] Most law firms nowadays have in place systems of varying degrees of sophistication to avoid re-inventing the wheel each time a legal document is needed.

The Semantic Web promises to take the evolution of document generation further—much further. Advanced functionality such as checking the internal consistency of a document, or checking for compliance with a specified body of rules can be achieved by a non-semantic application built for that purpose. But where semantic applications will really break ahead of the pack is in their ability to draw on a web of structured online legal data and in their interoperability. Being able to access pre-existing taxonomies and rules will facilitate the task of developers, as much of the “logic” an application needs to process will already have been formalized and tested by a broad, collaborative community.

Furthermore, because the task of developing those taxonomies and applying them to data is an ongoing process, less effort will be needed by individual developers to keep applications up-to-date. Suppose a semantic application checks for consistency of the document with a certain body of rules. If a relevant statute is amended, or a court decision clarifies the interpretation of a given rule, there is no need for developers to update the code of the application to implement the amendments. Whatever authoritative online source of legal rules the application draws on can be updated, and all applications drawing on that source will stay abreast of the latest law, without needing to download an update. Another advantage of using smart data is that generating documents would involve more than just producing a human-readable document. The end product would not be a simple text file. Rather, as we have seen, the document could include metadata encoded in accordance with open, machine-readable standards, referencing online taxonomies and rules that give meaning to the data. This means that any other application, whether proprietary or otherwise, which uses those open standards, will be able to process that metadata, and understand the structure and content of the document. The Semantic Web guarantees interoperability by default, and avoids the problem of “smart” documents that are only smart to users who own a particular proprietary application.

Executable semantic contracts

If the content of the contract is machine-readable, parts of it may also be machine-executable: if applications can determine the rights and obligations of the parties to such a “semantic contract,” there is no reason why they could not also process payments, notify the parties when notice of renewal is due, renew the contract on specified conditions, etc. In addition to the efficiencies gained in generating the contracts on the lawyer’s side, semantic documents could yield huge gains on the client side. Rather than manually going through each agreement to determine who owes what to whom, when, and on what conditions, semantic contracts could be fed into software that will do this processing automatically.[2] With this technology, therefore, the law firm gets to cut the costs of production (and therefore, eventually, the cost of the service), while the client gets an enhanced product that enables it to cut its costs. Expect demand for semantic contracts and the applications that generate them.

Plain English vs. metadata

As we have seen, there are limits to the extent to which the plain-English meaning of legal propositions can be translated into formal rules. However, the considerations relating to these limitations are somewhat different in the case of contracts, because of their nature as private legislation between the parties. Here, rather than translating pre-existing laws, the parties are free to choose to draft their agreements using formalized terms and rules that lend themselves to automated analysis and processing. This raises the question of the relationship between the plain-English meaning of the contract (along with the plain-English laws that govern it) and the possibly divergent machine-readable meaning encoded in the metadata. Conceptually, a contract is an agreement between the parties, and the written contract is simply a memorandum or record of that agreement. The rules of contractual interpretation are concerned with ascertaining what rights and obligations the parties have consented to undertake. If I consent to be bound by a semantic contract, am I consenting to be bound by the plain-English terms only, or would the metadata, and the taxonomies the metadata refers to, also guide the interpretation of the agreement?

To put it another way, if I enter into a semantic contract, and the execution of the machine-executable parts of that contract is not what I expected on the basis of the plain English-wording of the contract, has the contract been breached? Suppose that there is no problem with the application that does the executing, but rather that the divergence is caused by differences between the logical implications of the semantic concepts used in the metadata on the one hand, and the positive laws as understood by lawyers and applied by judges on the other. The conservative answer is that the execution and the metadata that enables it are entirely distinct from the contract itself, and machine-execution is ultimately no different from a human agent performing the contract, properly or improperly. But the contrary viewpoint is that what semantic metadata does is to incorporate meaning by reference to definitions and rules external to the data itself. Is that so different from incorporation by reference in contract law, for example by referring to terms and conditions on the back of a parking ticket, or including Incoterms in international trade contracts? Why should the metadata not influence our interpretation of the contract?

Meaning vs. meaning

There are deeper questions at issue here, relating to the fundamental differences between machine-executable computer code and legal norms. The kind of “meaning” encoded using Semantic Web standards is deeply different from the kind of “meaning” you and I express when speaking about the law, or the kind expressed by law-makers in creating the law. I will leave these difficult questions hanging for now, but I will hazard to predict that, as machine-executable contracts gain currency and the idea of automated determination and processing of legal obligations becomes commonplace, those fundamental differences between code and law will begin to blur.

[2] See Siegel, p. 190.

What can you do with the Semantic Web that you can’t do without it?

The Semantic Web is a powerful way of structuring data and giving it a precise, machine-readable meaning. The most obvious and immediate benefit of semantic technologies is in organizing large quantities of information in a particular domain to make it easier to retrieve and analyze. This is reflected in the contexts in which these technologies have already been deployed, such as organizing large online databases of content (e.g. bbc.co.uk, see here); or facilitating the exchange and analysis of research data (e.g. drug research, see here). Given the problem of legal information expansion discussed in the first post in this series, using semantic taxonomies and rules to organize the vast universe of legal data is clearly a promising area.[1]

In this post I will go beyond merely identifying the benefits of better structured data. Rather, I want to consider what really distinguishes the Semantic Web from rival technologies by asking: what can you do with the Semantic Web that you can’t do without it? In attempting to answer this question, I will focus on two kinds of application of the Semantic Web which promise to deliver not just enhanced performance, but may even transform the nature of the legal service involved: semantic legal query systems and, in the next part, smart legal documents.

Lawyers as optimum retrieval intermediaries

One of the core tasks performed by lawyers is giving legal advice. Schematically, what lawyers do in carrying out this task is to:

1. identify rules in a vast corpus of laws that are relevant to a given legal query;
2. interpret their legal meaning, often by considering how different rules interact and how they have been interpreted in the past; and
3. consider how those rules apply to the specific query.

What distinguishes lawyers from the man on the street and what justifies both their holding a license to practice and their charging sizable fees for their services, is their (theoretically) superior ability to carry out each of these tasks. To quote the oft-repeated wisdom, the difference between a lawyer and a layman is not that the lawyer knows the law, but that he knows where to find it. I might add that the lawyer also knows whether there are legal rules for a given problem; how different rules interact (which rules preempt or modify other rules); how to check if a law is still in force or a precedent still good law; how to find an authoritative scholarly interpretation; and perhaps most importantly, the lawyer will have a wide experience through of different factual situations and contexts. In this sense, in the delivery of legal advice, a lawyer acts as an intermediary who ensures optimal retrieval of legal knowledge on behalf of his client.[2]

Semantic legal queries

We have seen how lawyers use search engines and commercial databases to deal with step 1 (identify) much more efficiently than was possible in the days of hard-copy statutes and law reports. However, even though researchers started working on expert legal systems as far back the 1970s (see here), in practice, steps 2 (interpretation) and 3 (applying the law to the query) are still largely carried out by the lawyer. This process is aided by technology only to the extent that the identification step 1 is repeated in sourcing secondary materials to guide interpretation and application of the rules. The smarter data generated on the Semantic Web will enable applications to dig deeper into steps 2 and 3.

Leveraging the higher degree of organization of legal data and the possibility of drawing inferences from the data, a semantic legal query system should be able to do more than merely retrieve information based on keywords selected by a human agent. In a world of perfect formalization, an application could carry out the interpretation and the application steps autonomously. But even in the absence of perfection, it is not unrealistic to suggest that within a few years, if enough smart legal data is available on the web, semantic legal query systems will be able to retrieve not just keyword-relevant documents but all or most of the information necessary to carry out steps 2 and 3. The application will know where to find the law (online); it will analyze the structure of the query and scour available data to determine whether there are applicable rules; it will determine what those rules are and suggest how they interact (perhaps retrieving the rules that govern the interaction); it will check whether the rules are up-to-date and retrieve any amendments or qualifications; and it will search for similar fact patterns, precedents and FAQ entries to clarify the application of the rules.

There are at least two major reasons semantic solutions have more potential than rival technologies to achieve these kinds of results. The first relates to the formal structure of Semantic Web standards: because the use of semantic metadata ensures that items of data have a precise meaning, semantic applications can make reliable inferences on the basis of the data. You need certainty to make inferences, because each step amplifies the uncertainty. Take this syllogism: Oracle is a Delaware Corporation; all Delaware Corporations are legal persons; therefore Oracle is a legal person. Now imagine each proposition in the syllogism is the result of a “best guess” data analysis process (e.g. through statistical analysis): There is a 90% percent chance that Oracle is a Delaware Corporation; there is a 90% chance that all Delaware Corporations are legal persons; therefore there is a 81% (90% of 90%) chance that Oracle is a legal person. This uncertainty compounds with each step, so beyond a few steps, any non-marginal uncertainty is fatal.

With the Semantic Web, if your query specifies a defined entity, the application will know precisely what you are referring to. In principle all instances of that object on the Semantic Web will refer to the same (online) definition, which specifies its properties and its relation to other entities. The second reason for the superiority of semantic applications relates to the openness of Semantic Web standards: the widespread adoption of standards for tagging and organizing legal data will ensure that more structured legal information is available than could possibly be achieved by a single provider of proprietary systems.

DIY and FAQs

An application that can deliver a page full of the kind of information described above will go a long way in assisting lawyers in carrying out steps 2 and 3 of legal advice delivery. In fact, if the application is good enough, it may even make the lawyer’s input redundant. How much additional specialist knowledge do you really need if all of the relevant information is right before you? Many consumers of legal services are happy to resort to “DIY” legal advice rather than incurring the costs of professional legal services. Online FAQs and other legal resources have proven popular as means of sourcing legal information without consulting a lawyer directly (often made available by legal professionals as a kind of loss leader to attract potential clients). Individual resources are inevitably limited in content, but in the aggregate the free World Wide Web (i.e. excluding subscription websites) is a fairly comprehensive source of legal information. The problem for the untrained is in finding relevant information and distinguishing the accurate and up-to-date sources from the incorrect and out-of-date. A semantic legal query application that enables laymen to access comprehensive, up-to-date legal information in response to their queries would satisfy much of the demand for simpler legal advice, reducing the demand for competing professional advice—if priced right. Even though these applications may not rival good lawyers in the quality of the service, not all consumers of legal services are concerned with getting the best quality. Good-enough might well do.

More than machines

Of course, many, if not all, lawyers would strongly resist being described as “optimum information retrieval” machines. Most would see their role as going well beyond merely delivering statements of what the law is to their clients. Rather, they are in the business of delivering solutions, offering advice on how to deal with certain situations, how to handle particular disputes, how to structure transactions, etc. Yet it is undeniable that lawyers, especially junior lawyers, spend much of their time searching for relevant information and assimilating it into bespoke legal advice. What the technological possibilities outlined in this post suggest is that simpler legal advice can likely be significantly automated, while for more complex queries, Semantic Web-based applications could considerably enhance fee-earner productivity in producing legal advice.

(Coming soon: Part 5 – Legal Documents.)

[2] See discussion of “optimum retrieval” in Part 1 of this series.

A machine-readable version of the law?

David Siegel, an entrepreneur and early blogger, recently published a book entitled Pull, The Power of the Semantic Web to Transform Your Business, the first “business” book about the Semantic Web. Siegel devotes one chapter to exploring the possible impact of the Semantic Web on the law and lawyers. An enthusiastic backer of the new technology, Siegel sees huge potential for the Semantic Web to transform the work of lawyers. He believes that work on legal taxonomies and formalized rules may result in “a set of semantic rules that can then serve as the machine-readable version of the law.”[1] This is the kind of structured legal data that would make the intelligent legal queries outlined above possible. It raises the question of the future utility of lawyers in a world where much of what they now do can be performed by computer applications. Why go to a lawyer if you can get an authoritative, complete and up-to-date statement of the law online? If the law can be fully specified as a formalized set of machine-readable rules, would we even need lawyers and judges, or could they be replaced with computers and Semantic engineers of the law?

A note of caution

I ought to sound a note of caution at this point. The idea of reformulating all of the rules of law as a formal system, with precise classifications of entities and rules governing their interactions, has been tried before. Most students of the law will, at some point in their studies, come across discussions of the German Civil Code (the BGB), which was drafted over a century ago with precisely that aim in mind. It failed. The law has proven too malleable, too changeable, and too subjective a system to codify with mathematical rigor. There is little reason to believe that the Semantic Web will succeed where others have failed, at least in the foreseeable future. Few fields of human activity are as centrally focused on interpretation of often conflicting texts, and as acutely concerned with the ambiguity of human language, as the law. Though the law may be a body of rules, those rules are not of the clear-cut variety that easily lend themselves to formalization.

How smart does “smart” need to be?

That does not mean, however, that the taxonomies and rules of the Semantic Web are useless when it comes to the law. Difficult exercises of interpretation may be required in deciding “hard cases” and creative thinking may be needed in handling more complex, high-level legal issues, but much of the daily practice of the law is far less complex or ambiguous. Is a high level of legal expertise really required in producing a first draft of simple terms and conditions or a memo setting out routine advice? The parameters of these kinds of tasks should be relatively easy to formalize. And even if the semantic formalization of the law were less than perfect, a system that understands the structure of legal queries and can achieve near-optimum retrieval could vastly increase the efficiency of legal researchers. [Unknown A1]

Again, taxonomies and rules need not be all-encompassing to be useful. The Semantic Web is not the latest incarnation of pie-in-the-sky artificial intelligence. At the heart of the SemanticWeb is the task of developing dictionaries of concepts and rules to make data smarter, and that is a task that can be done piecemeal. Making data smarter does not have to mean encoding all of the subtleties of human language into the data. If an area of legal practice is concerned with a reasonably small set of clearly defined rules, much of the relevant law may be susceptible to being translated into machine-readable standards. Consider an area of regulatory compliance such as food labeling, which involves rules prescribing particular information formats and content, lists of words that must, can, or cannot be used under certain conditions, and similarly well-defined rules. Translating most of these into a “machine readable version of the law” that could serve as the basis for automated compliance-checking systems hardly seems unrealistic. What about other, less straightforward areas of the law? Even where the area evades complete formalization, as will often be the case, semantic applications may significantly enhance the productivity of fee-earners by dealing with routine, low-skill work while leaving the subtler points of law to the flesh-and-blood professional. So, what kinds of application might achieve these efficiency gains?

(Coming soon: Part 4 – Smart documents and semantic contracts)

What is the Semantic Web?

The Semantic Web is a way of making data smart. The idea is, rather than building smart applications that can analyze “dumb” data, you make the data smart in the first place. The problem with dumb data is that the ability of applications to make sense of human language is limited. Currently, the information in most web pages and text documents is “human language,” encoded in data formats that tell computers nothing about their meaning. What the standards that make up the core of the Semantic Web do is to provide data formats that can be used to make the meaning of information explicit.

Dumb data vs. smart data

So how is this done? What differentiates smart data from dumb data? If you view the source code of this web page (try it – it’s in View > Source in Explorer; View > Page Source in Firefox, View > View Source in Safari), you will see some text and a lot of “tags” between angled brackets, such as “<p>” and “<div id=‘header’>.” This is HTML, the mark-up language in which most information currently on the World Wide Web is encoded. It tells your browser how to display the text and images, and where to redirect when you click on a link – but not much else. Information encoded in plain HTML is dumb data. Let’s consider an example. In HTML, you might have the following text:

<p>Sun is a subsidiary of Oracle.</p>

The HTML tells your browser that text enclosed between the opening tag “<p>” and the closing tag “</p>” should be displayed as a single paragraph, and nothing more. A simple search engine might hit on this sentence even if I intended to search for the “sun,” as in the sun in the sky, or an “oracle,” as in the Oracle of Delphi. An application with advanced language-processing abilities might be able to deduce from the absence of an article (“a” or “the”) that “Sun” and “Oracle” are names. It might also deduce from the mention of “subsidiary” that the sentence in fact refers to names of corporations. In the current state of technology, this is likely to be a hit-and-miss process.

Making data smart

The idea behind the Semantic Web is to attach machine-readable metadata (data about data) to information that can be interpreted by any Semantic Web application. To better understand what this involves, imagine a mark-up language that enables you to specify what the things being referred to are. Imagine that this mark-up language enabled you to add tags to your data to specify things like:

<item this is a corporation> Sun </item>

<item this is a legal relationship between two corporations> is a subsidiary of </item>

<item this is a corporation> Oracle </item>

Even better, imagine that, rather than just labeling things, you could refer to a source of information on the web that tells you more about each of these things, e.g.:

<item see http://www.dbpedia.org/resource/Oracle_Corporation> Oracle </item>

The link referred to is a “resource” – a bundle of data available online that describes something. This resource contains data, encoded in a machine-readable format, which might state that Oracle is a Delaware corporation, that it is headquartered in Redwood City, California, that the current CEO is Larry Ellison, etc.

Now let’s take this one step further, and imagine that, when that “Oracle” resource states that Oracle is a “Delaware corporation,” it in turn refers to an online resource that defines the term “Delaware corporation.” That definition might specify that a Delaware corporation is a kind of legal person, that it should have a certificate of incorporation, bylaws, a board of directors, etc. Of course, these statements would also be machine-readable, and could in turn refer to other resources (defining “legal person,” “certificate of incorporation,” “board of directors,” etc.).

Classifications and rules

Where does it all end? It ends with “thing.” That is, a “corporation” is a “legal person,” which is a kind of “person,” which is a kind of “thing.” A “certificate of incorporation” is a “legal document,” which is a kind of “document,” which is a kind of “thing.” Everything is a thing, and so every “resource” is a kind of thing, which fits into a classification of things (a taxonomy). One of the most important aspects of the Semantic Webs is defining taxonomies of different kinds of things using machine-readable formats. There is no need for a single, all-encompassing taxonomy which defines every possible thing: partial taxonomies can define a few terms by referring to other taxonomies, and all of these interlinked taxonomies ultimately refer to the most general standards (remember, this can be done because they are all online).

The Semantic Web also goes beyond mere classifications, allowing you to specify rules for each kind of thing. For example, you could specify that a “director” of a “Delaware corporation” can be a natural person, but cannot be a legal person. You could specify that the property (predicate) of “having a subsidiary” must have a corporation as its subject and another, different corporation as its object.

The foregoing does not purport to be a technical exposition of the Semantic Web, but I hope you get the idea. The core of the Semantic Web is a set of precisely defined standards that can be used to make data smarter by making explicit the underlying structure of the information.[1] Online classifications and rules enable applications to identify and analyze the data in much greater depth and with much greater precision than existing alternative technologies.

The state of the technology

Not all of the pieces of the system outlined above are in place. The basic standards of the Semantic Web, including the Resource Description Framework (RDF) and the Web Ontology Language (OWL), are by now reasonably mature and stable standards. However, there is still a good deal of work to be done and problems to be ironed out before the vision of the Semantic Web is fully made a reality (see here and here). Nevertheless, an increasing number of big names have been adopting Semantic Web standards to structure their data (New York Times, recovery.gov, BBC, Thomson Reuters). Identifying the real-world future implications of the Semantic Web is no longer science fiction, even for the legal industry.

(Next up: Part 3 – A Machine Readable Version of the Law?)

The problem: too much data

There are currently over 25 billion web pages on the World Wide Web. In fact, that figure covers only the indexable web, so those 25 billion pages may be only the tip of the iceberg (see this paper on the “deep web”). Looking beyond the web to total production of information, a study by International Data Corp carried out in 2008 predicts that 1,200 exabytes of data will be generated in 2010 (cited by The Economist here). To put this in perspective, note that one byte of information is a sequence of eight bits – a sequence of eight digits which can be either one or zero. One exabyte is 1,000,000,000,000,000,000 bytes (10¹⁸), or one billion gigabytes. The text of this blog post, in plain text format, takes up about 13,000 bytes. The challenge of identifying and retrieving relevant data in this ever-expanding universe of information is growing in step with the volume of the information itself. Achieving what Richard Susskind calls “information satisfaction” – getting the information you want, and only the information you want – in the face of this exponential expansion is an increasingly daunting task. This is even more true of the challenge of achieving “optimum retrieval” – for a given query, being confident that the single best document has been returned. Google’s “I’m feeling lucky” option may sometimes be surprisingly accurate, but not with any reliable degree of certainty.

Too much legal data

The problem of too much data will be familiar to law students, associates, and anyone else who has carried out legal research. The volume of legislation, case law, commentary on the law, and the like is no exception to the current phenomenon of information expansion. “Googling it” can provide a good first stab at some legal problems, but no lawyer who fears malpractice suits would rely exclusively on results from a general search engine. Commercial legal databases provide more structured and authoritative databanks of legal information, but they are expensive, difficult to use for the untrained, and the search is still conducted mostly by means of citations and keywords. Whether legal sources are identified by a search engine or using a commercial database, the actual task of analyzing and interpreting the texts is conducted by the lawyer – not the machine.

If I want to ascertain, say, what information I must provide in the certificate of incorporation of a Delaware Corporation, I can search “Delaware corporation law,” click through the link that looks most relevant, scan the text (perhaps with the help of the “find” function), identify the relevant section, and read through it to draw up a list of the requirements. If I am especially diligent, I might also check case law in a commercial database to see if judicial decisions have added to or qualified these requirements. Now imagine that, instead of proceeding by keyword searches and “manual” analysis, I could simply enter the query “What information must be provided in the certificate of incorporation of a Delaware Corporation?” and the search engine returned a complete, authoritative list of all of the requirements, along with any qualifications or additions made by the case law. That, in a nutshell, is the promise of the Semantic Web.

(Next up: Part 2 – What is the Semantic Web?)

The issue of international cooperation in the fight against cybercrime will be on the table at the Twelfth United Nations Congress on Crime Prevention and Criminal Justice, due to take place in Salvador, Brazil, from April 12-19, 2010 (see introduction and draft agenda here). The main theme of the Congress will be “comprehensive strategies for global challenges: crime prevention and criminal justice systems and their development in a changing world.” The Secretariat of the United Nations Office on Drugs and Crime (UNODC), in a working paper prepared in anticipation of the Congress, has suggested that “the development of a global convention against cybercrime should be given careful and favourable consideration” (see report by heise.de (in German),  Google translation here). Four regional preparatory meetings were held in advance of the Congress and, as the UNODC’s working paper notes, calls were made at all four for the development of an international convention to tackle cybercrime. The Latin American and Caribbean countries were strongly in favor, noting “the imperative need to develop an international convention on cybercrime” (see Latin American and Caribbean Regional Meeting Report, at para. 41). Will 2010 see the launch of negotiations for a UN Convention on Cybercrime?

A Transnational Problem

In its working paper, the UNODC notes that cybercrime is to a large degree transnational in nature. Issues of national sovereignty can impede criminal investigations in the absence of active cooperation between law enforcement agencies of the jurisdictions involved. The speed at which cybercriminals can inflict harm and move on to evade detection also puts enforcement agencies under heavy time pressures, making the need for international cooperation all the more pressing. The UNODC identifies legislative convergence as crucial to effective cooperation. This is because many countries base mutual legal assistance on the principle of dual criminality, which requires that the offense in question be punishable in both jurisdictions. Divergence in legislation can therefore undermine effective enforcement. Where a particular jurisdiction lacks comprehensive cybercrime legislation or enforces it poorly, it may turn into a safe haven for cybercriminals. This kind of divergence can only be tackled by concerted efforts to harmonize legal standards and enhance cooperation between jurisdictions.

Already On the Job: the Council of Europe’s Convention on Cybercrime

Currently, the leading international convention on cybercrime is the Council of Europe‘s Convention on Cybercrime, which was signed in Budapest in 2001 and entered into force in 2004. The Council of Europe, which is not an organ of the European Union, was founded in 1949 to promote human rights, democracy and the rule of law in Europe (see Wikipedia entry here). It current has forty-seven members, including the twenty-seven members of the European Union and Russia. As at December 2009, the Convention on Cybercrime had been signed by forty-six states and ratified by twenty-six (i.e. approved in accordance with domestic constitutional requirements and thus rendered enforceable). Though the Convention was drafted under the aegis of the Council of Europe, it is open to signature by non-members. Four non-members participated in the negotiations of the treaty and signed it (the United States, Canada, Japan and South Africa), and one non-member has ratified it (the United States). The Convention is not, therefore, strictly a regional agreement. Yet the fact that it has only been ratified by one non-European state suggests that it cannot at present be described as a global convention.

The Convention lists a number of crimes which signatories are required to implement in their domestic law, including hacking, child pornography offenses, and certain offenses related to intellectual property violations. It also sets out a number of procedural mechanisms which signatories must put in place, including granting the power to law enforcement authorities to compel Internet Service Providers to monitor a person’s online activities. Chapter III calls upon signatories to cooperate to the widest extent possible in the investigation and prosecution of cybercrime offenses (see the Electronic Privacy Information Center’s summary of the Convention and other resources here).

The Convention on Cybercrime: Can it Become a Global Standard?

The Council of Europe’s Convention on Cybercrime has now been in force for more than five years and has the widest coverage of any international agreement dealing with cybercrime (estimated to cover one third of current internet users). As we have seen, signature is open to countries which are not members of the Council of Europe, and four non-European countries have signed it already. Could the existing Convention on Cybercrime provide a global standard? If so, should the upcoming conference focus on generating the momentum for wider signature and ratification of the Council of Europe Convention?

In his Contribution to the upcoming Congress, the Secretary General of the Council of Europe, Thorbjørn Jagland, notes that the Convention on Cybercrime provides a “clear and comprehensive solution” and has received strong support from the Asia-Pacific Economic Cooperation, the European Union, Interpol and the Organization of American States, among others. Mr. Jagland concedes that it is understandable that, for political reasons, countries may be reluctant to accede to a treaty which they have not participated in drafting. He notes, however, that accession to the Convention guarantees a signatory membership of the Cybercrime Convention Committee and thus involvement in any further development of the treaty. Another downside of launching negotiations on a new, global convention is that it could have the effect of suspending the implementation of legislative reform already underway. Mr. Jagland further questions whether consensus could be reached within the framework of the UN on the kind of procedural law and cooperation measures which the current Convention provides.

Criticism

The Secretary General of the International Telecommunication Union (a branch of the UN), Hamadoun Touré, is reported to be critical of proposals to adopt the Convention as a global standard. The Convention was drafted mostly by and for European states, and is also now somewhat outdated  (see heise.de report here (in German), and Google translation here). Russia, which is a member of the Council of Europe but has not signed the Convention, reportedly backs Mr. Touré’s position. Brazil considered signing the Convention, but then declined to do so, voicing reservations about certain aspects of the Convention, including the provisions relating to the criminalization of intellectual property infringements (see here).

These reservations about the Convention on Cybercrime suggest that negotiating a new UN Convention could prove difficult: globally, there is clearly a divergence of views regarding the appropriate global standards. Furthermore, the procedural and cooperation commitments under the Convention could be difficult to scale up to a global level. The issues these commitments can give rise to are illustrated by the domestic criticisms directed at the government of the United States when it adopted the Convention. For example, it was alleged that the Convention could have the effect of requiring the United States to enforce foreign laws curbing free speech or to monitor the communications of political dissidents on behalf of foreign governments (see Ars Technica report here). Spurious as some of the criticisms may have been, it can be anticipated that attempting to reach a consensus on these matters in a global forum would be fraught with difficulty. Can crucial players such as the Russian Federation or the People’s Republic of China, which are widely suspected of sponsoring various forms of cyberattack for political purposes, be expected to agree to high standards of international cooperation in investigating and prosecution cybercrime? (See, e.g., the 2007 distributed denial of service attacks on Estonia, or the China-based attacks on Google). The UN has a long history of divisions between developed and developing countries, and the Brazilian reservations regarding intellectual property offenses suggest that these divisions could play out once again in negotiations on cybercrime.

A Global Solution Is Needed

Cybercrime does not only affect developed economies: there are now more internet users in developing countries than in developing countries, and one study suggests that emerging economies may be particularly at risk from cybercrime (see here). It is clear that effectively combating cybercrime will require global cooperation, involving a much broader group of countries than the current signatories of the Council of Europe’s Convention on Cybercrime. This will undoubtedly prove a challenge: going back to the drawing board to draft a global convention from scratch could involve years of diplomatic wrangling that may never bear fruit. Given that the existing Convention has proven reasonably effective and that signatories have gained valuable experience in implementing it, it seems wasteful to ignore it. Yet seeking to make the Council of Europe Convention a global standard in its current form is likely to prove no less controversial, as it would likely be seen as being thrust upon countries which have had no say in drafting it. But the Council of Europe has recognized that the nearly ten-year-old treaty could do with being updated, and it is already open to signature to non-members. Perhaps the upcoming Congress could provide an opportunity to suggest updating the Convention on Cybercrime with a view to extending its membership, building on what it has already achieved while addressing the concerns of non-members.

Ragbag security legislation

The bill is a ragbag of security-related provisions, spanning a diverse range of issues such as online identity theft, video surveillance, stadium violence, and dangerous driving. The law apparently also authorizes the French authorities to use malware to obtain evidence on criminal suspects, for example by covertly uploading software to their PCs to log their keyboard inputs. While the express purpose of the bill is to set out the framework for the operations of law enforcement agencies for the next five years, it focuses particularly on the technical means that can be employed by the police and judges.[2]

The provision that has proven most controversial is draft article 4, which provides for the filtering, on the authority of ministerial orders, of websites hosting child pornography. The 312 to 214 vote in favor by the Assemblée is unlikely to mark the end of the controversy, as the upper house, the Sénat (Senate) has yet to debate and approve the law. This post considers the text of the provision and the debates surrounding it, before comparing the proposal to similar proposals and existing filtering systems around the world.

Filtering by ministerial order

Draft article 4 is explicitly targeted at, and limited to, the “requirements of the fight against images or representations of minors” prohibited by the Code Pénal (Criminal Code), i.e. child pornography. There is no leeway under the current wording of the article for blocking sites other than those which provide access to child pornography. In terms of procedure, as pointed out by the Ministry of the Interior’s press release on the law, “the rule is simple: the Minister for the Interior communicates to ISPs a blacklist of sites and online content to be blocked, and it is the ISPs who prevent access to those sites and content from computers located in France.”

Legislative Debates

Article 4 was one of the main points of contention in the legislative debates over the bill. According to Le Monde, the (right wing) majority accused the left, which opposed the bill, of turning a blind eye to the kind of materials easily available online. The left, on the other hand, protested against the “diabolization” of the internet, a hostility which Green députée (Representative) Martine Billard sees as rooted in the government’s frustration with its inability to control the internet. The opposition further attacked the bill on the grounds that it fails to address either the victims of the crimes at issue or those who create the images, but rather focuses only on the means of transmission.

Procedural Safeguard

One crucial amendment to the bill was introduced during the debates in the Assemblée Nationale by député Lionel Tardy, a member of the majority UMP party. The amendment requires the approval of a judge before the ministerial order to block a given site can be put into effect. According to Le Monde, the bill sponsors expressed their reservations regarding this amendment (and in particular its potential to slow down the enforcement procedure), but in the end chose not to oppose it. This decision may have been based on a recognition of the validity of the opinion of the Commission des Lois (Law Commission), which was of the view that the absence of this procedural safeguard could lead to the law being struck down as unconstitutional (as happened to the HADOPI law last year).

Criticism

None of the critics of LOPPSI argue that child pornography ought not to be fiercely cracked down on. Rather, a leading theme of criticism of the bill is a concern that, by enshrining a ministerial power to order the blocking of internet sites, LOPPSI lays the foundations for a system of internet filtering that could easily outgrow its original purpose. French cybercrime expert Guillaume Lovet (quoted here), notes that the legislation gives the French government a “foot in the door,” and observes that it reflects a growing international trend of “legislate first, address accountability later.”

Blogger Jean-Michel Planche notes that, if the law is passed, the internet will become the first infrastructure network (e.g. roads, electricity, gas, postal services) to come under the control of the Ministry of the Interior, and wonders what implications this may have as the internet’s role as a platform for all kinds of social and economic exchanges grows.

A number of critics have also questioned the effectiveness of the bill, remarking that this type of ISP-level filtering would do little to prevent the determined and tech-savvy from accessing offending websites, for example through virtual private networks (VPNs) (see e.g. this online LOPPSI forum).

International trends

The explanatory notes to LOPPSI mention the fact that “neighboring democracies” such as Denmark, the Netherlands, Norway, Sweden and the United Kingdom have put in place technical measures enabling the blocking of access to specified sites from within their territories (though these have not been formalized in LOPPSI-like legislation; Le Monde provides a useful map which identifies various countries around the world which have adopted targeted filtering of child pornography sites). The experience of filtering in these countries is not encouraging with regard to the accountability of blacklisting systems.

The blacklists maintained by a number of countries, including Denmark, Norway, Australia and Thailand, have been leaked through Wikileaks over the last few years. The Thai government’s blacklist, aimed at child pornography, allegedly included 1,203 political sites which were thought to criticize the Thai king, in breach of Thailand’s strict lèse majesté laws (see ZeroPaid post here). But even in the case of western democracies, blacklists have been accused of being open to abuse: Forbes reported that the blacklist compiled by the Australian Communications and Media Authority, which is meant to target child pornography and terrorist websites, was found to include the websites of a tour operator and a Queensland dentist’s practice. The U.K. filtering system came under fire in 2008 when it was found that six major British ISPs had blocked access to a Wikipedia page which contained an image reproducing a controversial Scorpions album cover (see report from The Register).

An interesting contrast to LOPPSI is the fate of a recent German filtering proposal, the Gesetz zur Erschwerung des Zugangs zu kinderpornographischen Inhalten in Kommunikationsnetzen (Law on the Restriction of Access to Child Pornography Content in Communication Networks), which was initially approved in the summer of last year by the German lower house, the Bundestag (see Deutsche Welle report). Unlike the French bill, the German law would not have blocked access to the offending sites but would have thrown up a warning page displaying a large red stop sign. The stop sign would notify web users of the nature of the content they were seeking to access, but nevertheless allow the users to proceed if they so choose. The proposal met with considerable public opposition, including an online petition signed by more than 130,000 people (the biggest online petition in Germany to date). Elections in September 2009 resulted in changes to the governing coalition, and the liberal FDP made it clear, during the talks that led to it joining the government, that it would not support the filtering provisions. The filtering strategy was formally dropped on Feburary 8, 2010, in favor of a policy targeted at deleting offending websites rather than blocking them (see Opennet report).

Conclusions

Looking at the wording of article 4 of LOPPSI alone, the concerns of some of the bill’s critics may seem overblown. Few dispute the pressing need to fight the dissemination of child pornography online. Even if ISP-level filtering is unlikely to deter the most resourceful seekers of such content, what limiting effect it does have must surely be welcomed. Regarding the criticism that the bill focuses only on intermediaries, it is clear that other legislation targets the creators of child pornography. Furthermore, in many areas of law enforcement, targeting intermediaries often proves to be the most effective means of achieving effective enforcement. Regarding blacklists, there is a valid argument that releasing the blacklist publicly could compromise the aim of suppressing access to the sites concerned, as it would provide potential offenders with an “address book” of prohibited sites, which the more tech-savvy could then easily access. However, the patchy record even of liberal democracies suggests a strong need for accountability mechanisms in the administration of any kind of blacklist system. In this respect, the amendment introduced by Mr. Tardy is a welcome and necessary procedural safeguard. Nevertheless, there is little doubt that its sufficiency, and indeed the legitimacy of any kind of filtering strategy, will be much debated as LOPPSI makes its way through the French legislative process.

[2] Note that French criminal judges can be much more intimately involved in investigation and evidence gathering than their common law counterparts.

Authorizing infringement

In a nearly two hundred-page judgment, Justice Dennis Cowdroy found that the applicant companies had succeeded in proving that users of iiNet’s services had “made available online,” “electronically transmitted,” and “copied” certain films. However, the applicants had failed to show that iiNet had “authorized” those infringements. The case centered around the use by iiNet’s customers of the peer-to-peer BitTorrent protocol to share movie files, in breach of the studios’ copyrights. The critical issue in the case was whether iiNet, by failing to take any steps to stop infringing conduct, authorized the copyright infringement by its users. Under Australian copyright law, authorizing the infringement of copyright by another is itself treated as an infringement.

Three step reasoning

There were three main steps to Justice Cowdroy’s reasoning:

1. He found that, though iiNet had knowledge of the infringements and did not act to stop them, this did not lead to a finding of authorization. Under the Australian law of authorization, there is a distinction between providing the “means” of infringement, and providing a “precondition” for infringement. Justice Cowdroy distinguished the present facts from earlier cases, including a 2005 Federal Court ruling in a case brought against the licensors of the Kazaa file-sharing software. In the Kazaa case, the software provided the “means” for infringement, whereas in the case of internet services, there did “not appear to be any way to infringe the applicants’ copyright from the mere use of the internet.” Here, the means of infringements at issue was the BitTorrent system, which iiNet had no control over.
2. AFACT had pushed for iiNet to implement a system of notification, suspension, and termination of infringing customers, but the judge found that this would not have been a “reasonable step” for the purposes of Section 101(1A)(a) of the Copyright Act 1968. This section provides that, in determining whether a person has authorized infringement, a court must consider, among other things, (a) the extent of the person’s power to prevent the infringement; (b) the nature of any relationship existing between that person and the infringer; and (c) whether the person took “any other resonable to steps to prevent or avoid” the infringement. The judge noted that “[t]he applicants appear to premise their submissions on a somewhat binary view of the world whereby failure to do all that is requested and possible to co-operate with copyright owners to stop infringement occurring, constitutes approval of copyright infringement. Such view is not the law. It is possible to be neutral. It is possible to prefer one’s own interests to those of the copyright owners.” (para. 504). iiNet could therefore not be held to be authorizing the infringements on the basis that they had failed to adopt a system such as the one urged by the applicants.
3. iiNet could not be seen as sanctioning, approving or countenancing copyright infringement, as it had done no more than to provide an internet service to its customers. In the Kazaa case the respondents intended copyright infringements to occur, and the software was deliberately structured to achieve this result. By contrast, in this case there was no evidence that iiNet “favored” infringement in its provision of access to the internet.

A disappointing ruling

The judge noted that the applicants would be disappointed by the ruling, as it was clear that infringement of their copyrights was occuring on a large scale, worldwide (para. 19). Yet this fact did not compel him to find authorization of infringement merely because “something must be done.” Australian law recognizes no positive obligation to protect the copyright of others, and the judge found that iiNet provides a legitimate communication service which is neither intended nor designed to infringe copyright (para.20). Justice Cowdroy is also reported to have remarked that “[i]f the ISPs become responsible for the acts of their customers, essentially they become this giant and very cheap mechanism for anyone with any sort of legal claim.”

The battle may not be over, however, as reports from before the ruling was issued suggest that AFACT may appeal the decision to the High Court of Australia, which could take another two years.

ISP liability in the United States

In the United States, secondary liability for copyright is dealt with as a matter of vicarious or contributory infringement, rather than “authorization” (though the concepts involved are similar). However, ISPs are protected from copyright infringement claims by Section 512(a) of the Copyright Act, which provides that service providers will not be liable for “infringement of copyright by reason of the provider’s transmitting, routing, or providing connections for, material through a system or network controller or operated by or for the service provider.” This section provides strong protection for ISPs, and likely explains why a case such as the one brought against iiNet in Australia has not been brought against a U.S. ISP.

Google’s recent announcement that it is no longer willing to censor content on its China-based search engine, google.cn, has once again highlighted the difficulties U.S.-based online service providers face in the Chinese market. The reason given by Google for the move was a “highly sophisticated and targeted attack on [its] corporate infrastructure originating from China,” which was apparently aimed at accessing the gmail accounts of Chinese human rights activists. Though this has little to do with international trade or the World Trade Organization (WTO), a number of commentators have attributed much of Google’s loss of patience with the Chinese government as stemming from the government’s pattern of using of internet filtering and blocking against foreign service providers. Foreign Policy suggests that the Chinese government is using its “Great Firewall” as an instrument of online protectionism, by systematically excluding foreign providers in favor of domestic services. Thus, Google‘s search engine is being edged out by Baidu, Facebook by Ren Ren Wang and Kai Xin Wang, Youtube by Tudou and Youku, and so on.

Professor Tim Wu of Columbia University first made the case in a 2006 paper that there may be good grounds under WTO law to challenge certain aspects of internet filtering. The argument has since gained currency. In 2007, the California First Amendment Coalition (CFAC) drafted a briefing (pdf), alleging that China “is actively preventing U.S. internet companies from doing business in China while at the same time promoting Chinese internet companies engaged in the same or similar activities,” and setting out the legal basis for a claim. In February 2009, The European Parliament also adopted a resolution regretting “the increasingly abusive recourse to censorship in respect of online services and products which operates as a disguised trade barrier.”

What form would a trade challenge take? There may be a case under the General Agreement on Tariffs and Trade (GATT) (pdf), which covers trade in goods, with respect to digital content products (primarily in relation to audiovisual content), but the arguments most relevant to search engines and social networking services are those that arise under the General Agreement on Trade in Services (GATS) (pdf). While the GATT has been around since 1947 and provides relatively strong protections for free trade in goods, the GATS, which was signed in 1994, is widely perceived as a weaker instrument – and also one which is comparatively untested. One of the crucial structural differences between the GATT and the GATS is that the GATT applies to all categories of goods except those a Member (i.e. a signatory state) specifically excludes, whereas the GATS works on the basis of “positive lists”: Members assume obligations by making specific sectoral commitments (which may be limited and subject to conditions). Thus, for example, a Member might accept GATS obligations in relation to the cross-border supply of data processing services, but make no similar commitments in relation to financial services.

The applicability of GATS to online services such as Google’s search engine or Facebook’s social networking site is not a straightforward matter, as China’s commitments were formulated on the basis of a classification of services which was drafted at a time when the internet was still in its infancy. As Wu shows in his paper, there is a good case to be made that those categories could be interpreted as covering a range of online services. He also notes that paradoxically, despite having some of the most comprehensive internet regulations in the world, China has undertaken very significant commitments in the relevant sectors.

On the assumption that relevant online services, such as search engines and social networking sites, are covered by China’s sectoral commitments, what kind of arguments could be mounted under the GATS?

• Article III imposes on Members obligations of transparency, including a requirement to publish promptly all relevant measures of general application which may affect the operation of the GATS. The administration and technical details of the Chinese internet filtering system are notoriously opaque, and Article III could perhaps be invoked to compel the Chinese authorities to be more open about how the system works, and in particular how decisions to block particular sites are made.

• Article VI requires Members to ensure that, in relation to services for which specific commitments have been made, all measures of general application are administered in a reasonable, objective and impartial manner. There may be reason to doubt that filtering policies are administered on the basis of objective and impartial criteria, and it seems that there is little “due process” in decisions to block particular websites, which Article VI may be interpreted to require.

• Article XVI was invoked, with partial success, by Antigua against the United States in the U.S. – Gambling WTO case, which concerned US laws prohibiting the provision of online gambling services. Article XVI obliges a Member to provide market access to foreign providers in those sectors for which the Member has made sectoral commitments. One of the difficulties in invoking this provision is that the measures which it prohibits are quantitative in nature: Members cannot impose limitations on the number of service providers, on the total value of services, on the total number of operations, etc. In U.S. – Gambling, the WTO Panel, which was subsequently upheld by the WTO Appellate Body on this point, found that the U.S. ban on gambling services amounted to a “zero-quota,” and was effectively a quantitative measure in violation of Art. XVI. In the case of Chinese internet filtering, this argument may prove harder to advance, as filtering, though disruptive, would not appear to impose a total ban on any particular category of online services. Even where specific services are blocked, this affects particular service providers, and would not appear to amount to a quantative restriction.

• Article XVII sets out the national treatment obligation under the GATS. National treatment requires that Members accord services and service suppliers of other Members treatment no less favorable than it affords to domestic like services and service suppliers. It is clear that domestic suppliers of online services in China are also subject to filtering and onerous content monitoring obligations. Yet, for the purposes of the GATS, what matters is the de facto effect of these measures. If foreign websites are affected differently, for example, by being slowed down by filtering at the link between the Chinese internet and the outside world (as suggested by the CFAC’s Peter Scheer here), or being blocked even though similar domestic services are not (as appears to be the case with Facebook), then an argument could be made that China has modified “the conditions of competition” in favor of domestic services suppliers, contrary to Art. XVII.

One of the thorniest issues in a challenge to the Chinese internet filtering would be the applicability of the General Exceptions provided in Article XIV. Unless the measure at issue constitutes a means of unjustifiable discrimination, the GATS cannot be invoked to prevent the adoption of measures which are “necessary to protect public morals or to maintain public order” (among other justifications). Supposing that an argument could be made on the basis of one or more of the articles mentioned above, the Chinese government would undoubtedly seek to rely on Article XIV. This would compel the WTO Panel or Appellate Body to pronounce on whether internet censorship can or cannot be justified on grounds of public morals or public order. By international standards, it would seem clear that some measure of censorship is justified: governments around the world filter certain types of content, such as child pornography or content which incites racial or religious violence. Yet, even where a Member shows justification under an Article XIV general exception, the claimant Member may nevertheless prevail by showing that, though the measure was justified, there exists a reasonably available alternative which is less trade-restrictive. There is no doubt that Chinese internet filtering is a good deal more restrictive than the international norm (though this may be changing). The competence of the WTO is firmly rooted in “trade,” and ruling on this issue would in all likelihood drag it into more controversial territory.

It seems that there is a reasonably good case to be made that the Great Firewall of China is effectively being used as a trade barrier, and susceptible to challenge under the WTO framework. Yet the political fall-out that bringing such a claim would generate should not be under-estimated. Trade tensions between the U.S. and China are already simmering, as evidenced by last year’s U.S. safeguard measures adopted on Chinese-made tires and the Chinese anti-dumping and anti-subsidy investigations into certain “Detroit Three” vehicles launched shortly after. Striking directly at the internet censorship system, which the Chinese government sees as vital to national political stability, would undoubtedly amount to a declaration of trade war. In fact striking at the political heart of another Member’s system would be a move unprecedented in the history of the GATT and the WTO. In the wake of the Google announcement, the English-language Chinese publication, the Global Times (often described as voicing the more stridently nationalistic end of the Chinese official line) has already denounced U.S. attempts at “imposing” a freer flow of information as a form of “information imperialism.” There is a deep historical distrust in China of “Unequal Treaties” imposed by Western powers, and it could be that a WTO claim would compromise China’s future commitment to the WTO system itself, as well as causing deep and lasting resentment. Hilary Clinton’s speech of last week on internet freedom suggests that the U.S. government is still committed to dialogue and a negotiated solution. Yet, merely knowing that WTO law provides grounds for a statable claim could prove a significant bargaining chip in negotiations, which might at least result in the toning down of some of the more discriminatory aspects of Chinese internet filtering policy.

“Most entertaining video”

The case relates to the uploading to Google Video of a mobile-phone video showing an autistic high school student being bullied by his classmates. The video was allegedly uploaded to  the Italian-language Google Video on September 8, 2006, and not removed until November 7. According to the prosecutors, the video appeared in the site’s “most entertaining videos” section, ranked as the twenty-ninth most viewed. The video was only taken down after Down-syndrome advocacy group Vivi Down appealed to the Italian authorities, who in turn demanded that Google take down the video (it would appear that though the victim was in fact autistic and did not have Down Syndrome, Vivi Down’s involvement was prompted by derogatory references to Down Syndrome in the offending video). According to Google, it did everything that was required of it under the applicable laws, and removed the video within hours of being notified. The four Turin youths involved in the bullying were subsequently tracked down (with the help of Google), and sentenced to one year community service with a center for children with Down syndrome.

Google: ISP, content provider, or something else?

The issue of knowledge appears to be precisely what the Milanese prosecutors are focusing on: they argue that Google must have known of the existence of the video well before November 7. According to their submissions, in light of comments posted to Google Video voicing outrage at the video, “[i]t is reasonable to imagine that comments like this were followed by requests by these same people that the video be removed” (quoted in the New York Times article). If it were indeed the case that Google had actual knowledge of the video (which they vigorously deny),  and delayed in taking it down, then a finding of liability would not be particularly inconsistent with web hosting liability laws on either side of the Atlantic.

Calls for filtering?