Legal & Government Affairs Update June 2020
COVID-19 and online privacy
The COVID-19 pandemic has forced companies to adapt and overcome many obstacles, none more pressing than the transition to an entirely remote workforce. With this, companies must become aware of the increased risk of cyber-attacks against a more vulnerable, dispersed workforce.
The increased use of cloud collaboration platforms
Security company McAfee have released a report claiming a 50% growth in the use of cloud services across all industries, which has led to a 630% increase in the number of threats to cloud collaboration platforms. The researcher behind the report claims many of these attacks are opportunistic, essentially a scattergun approach to accessing accounts using stolen credentials, but such a massive increase in attacks is certainly alarming.
Such uncoordinated attacks can be successful in the current environment while people are still getting used to remote working, but the McAfee report suggests these can be easily defended against by implementing a cloud-based secure gateway, which removes the need for employees to route their traffic through a VPN.
Link to the full McAfee Report: https://www.mcafee.com/blogs/enterprise/cloud-security/working-from-home-in-2020-how-cloud-use-changed/
GCHQ take down 2,000 online scams as criminals target public during lockdown
The National Cyber Security Centre (NCSC) have launched a scam reporting service in an attempt to raise awareness of the increased levels of criminal activity during the UK lockdown. An NCSC spokesperson told the Telegraph that ‘the overall number of cyber-attacks targeting people in the UK has not increased during the lockdown, but that criminals have increasingly used the coronavirus crisis as a way to scam the public’. This is evident from the various new scams which have arisen during this period, including many fake online shops attempting to sell ineffective hand sanitisers and face masks. So far the agency has taken down 2,000 different scams, with many more still surfacing.
The fears over the cyber security of the Government’s contact-tracing app
According to the Health Service Journal, it has become apparent that the government’s coronavirus contact tracing app has failed various testing requirements for inclusion in the NHS app library, including cyber security. This has resulted in widespread concern regarding the use of individuals’ data, especially when they have logged that they have coronavirus symptoms.
Security firm Anomali undertook a survey of 1000 customers to gauge public opinion on these concerns. The results indicated that 43% were concerned the app would open the floodgates for cyber criminals to attempt phishing and smishing campaigns, 33% were concerned the government might use the app to track their whereabouts and 36% were worried the app will collect data on them.
In response, an NHS Digital spokesman has stated that apps were not normally assessed for its app store at this ‘beta’ stage and further reviews will be taking place after piloting: ‘We’re at an early stage of this work and expect them to submit the app for full assessment when they reach public beta’.
Case Law Update
The European Court questions the possibility of the exhaustion of rights in copyright for the digital marketplace
The CJEU ruling in UsedSoft (C-128/11) confirmed that under EU law, copyright protection in software downloaded from the internet is “exhausted” on download, provided that the purchase of the software was tantamount to a sale. This permitted the person who purchased and downloaded the software to re-sell it in much the same way as a physical item. This has naturally raised the question of whether a similar interpretation in favour of the second-hand marketplace would be applied in the context of other forms of protected digital content.
The ECJ handed down a decisive judgement on this matter in Nederlands Uitgeversverbond v Tom Kabinet Internet BV (C-263/18), which centred on ‘whether exhaustion of the right of distribution, established in the real world of copies in the form of objects, can be transposed to the virtual world of copies in the form of digital files’. In other words, for the first time the court had to decide whether EU copyright law would facilitate the possibility of a second-hand market for copyright protected works in a digital format, such as E-books.
In this case, Dutch company Tom Kabinet allowed members to pay a subscription fee to read ‘second hand’ E-books purchased by the company or other members of the club. They could also exchange their E-books for a form of club currency which could be spent on other purchases through Tom Kabinet. Publishers owning the rights in these works sought an injunction to prohibit these re-selling practices on the grounds that they infringed copyright: Tom Kabinet was allegedly engaging in unauthorised ‘communication’ of E-books to the public.
A ‘communication’ or a ‘distribution’?
The court had to decide whether the original download of an E-book is a ‘communication’ or a ‘distribution’ for the purposes of the EU Copyright Directive (Directive). Under Article 4 of the Directive, a rightsholder is able to prevent the ‘distribution’ of their works to the public. However, once a distribution of a work is made (either by the rightsholder or with their consent), this right is exhausted after the first sale of the work by the ‘principle of exhaustion’. The rightsholder cannot benefit from or prevent subsequent sales. This means that if you buy a CD or a work of art, the rightsholder cannot stop you from selling it on.
The Directive also establishes a contrasting principle for circumstances where the transmission of a work is a ‘communication to the public’ under Article 3. In these circumstances the right to prevent distribution is not exhausted.
This distinction determines whether Tom Kabinet’s practice of re-selling E-books would require consent from the rightsholders. If the purchase of E-books by Tom Kabinet and its users is a ‘distribution’, then the rightsholders cannot stop Tom Kabinet’s practices because their rights are exhausted. If it is deemed a ‘communication’, no such exhaustion applies and all sales will be subject to the consent of the rightsholder.
Despite the court making remarks that recognised the exhaustion of copyright in digital material, the Grand Chamber ruled that ‘the supply to the public by downloading, for permanent use, of an e-book is covered by the concept of ‘communication to the public’… within the meaning of Article 3(1) of Directive’. This meant that Tom Kabinet would require the rightsholders’ consent for the re-sale of E-books.
EasyJet faces £18 billion class action following mass data breach
Class action law firm PGMBM have filed a lawsuit against easyJet on behalf of 9 million customers who had their data exposed by unauthorised access to easyJet’s systems. They are claiming £2000 per customer for the exposure of this data, resulting in a total potential liability of £18 billion.
Tom Goodhead, managing partner of PGMBM, stated that “This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, easyJet has leaked sensitive personal information of 9m customers from all around the world.”
Whether this will be settled out of court remains to be seen, but the fact remains this is one of the largest data breaches to date, at a time when easyJet will already be feeling financial pressure from Covid-19.
Read more about the data breach here: https://www.theguardian.com/business/2020/may/19/easyjet-cyber-attack-customers-details-credit-card
The Internet in Everything: Freedom and Security in a World with No Off Switch
This latest book by Laura DeNardis, one of the world’s leading Internet governance scholars, explains how the Internet has become so multi-faceted that it has extended itself into the physical world.
She explores the connection between the physical and virtual worlds in an engaging and eye-opening manner, highlighting the impact it will have on policy making, privacy, discrimination and national security amongst many other things. This is a great read if you are interested in the future of our rapidly changing technological world.