Let's take a look at details of the vulnerability:

An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device.

Recently, the UK brought in some laws aimed at strengthening consumer protection - the Product Security and Telecommunications Infrastructure act (PSTI). There's a readable summary on the National Cyber Security Centre's website.

There are three interesting points to note in that blog post. The first is about passwords:

The law means manufacturers must ensure that all their smart devices meet basic cyber security requirements. Specifically:

1. The manufacturer must not supply devices that use default passwords, which can be easily discovered online, and shared.

Secondly, is a question of jurisdiction:

Most smart devices are manufactured outside the UK, but the PSTI act also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence

Thirdly, what is actually covered:

The law applies to any ‘consumer smart device’ that connects either to the internet, or to a home network (for example by wifi).

Is a WiFi enabled printer a "consumer smart device"? One of the things that techies find confusing is that the law is not code. It usually doesn't enumerate a definitive list of what is and what isn't in scope. It gives a general outline and then allows case-law to develop. This means laws don't need to be updated when someone invents, say, an Internet connected tinfoil dispenser.

Let's move beyond the consumer-friendly summary and go to the actual law. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

2. Passwords must be—

   a. unique per product; or

   b. defined by the user of the product.

3. Passwords which are unique per product must not be—

   a. based on incremental counters;

   b. based on or derived from publicly available information;

   c. based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice;

   d. otherwise guessable in a manner unacceptable as part of good industry practice.

How does this apply to the printers? Rapid7, who discovered the vulnerability, have this to say about how it works:

[The vulnerability] allows an attacker to leak a serial number via the target's HTTP, HTTPS, and IPP services. However, should an attacker not be able to leverage [the vulnerability], a remote unauthenticated attacker can still discover a target device's serial number via either a PJL or SNMP query

So, yes. The default password is unique but it can be automatically derived from the serial number. That serial number is available to anyone with a network connection to the printer.

But, do printers fall under the scope of this act?

The Product Security and Telecommunications Infrastructure Act 2022 says:

4 Relevant connectable products

1. In this Part “relevant connectable product” means a product that meets conditions A and B.

2. Condition A is that the product is—

   A. an internet-connectable product, or

   B. a network-connectable product.

3. Condition B is that the product is not an excepted product (see section 6).

It goes on to define what Internet-connectable means, along with some other clarifying details. But is there a get-out clause here? Are printers an "excepted product"?

In this Part “excepted product” means a product of a description specified in regulations made by the Secretary of State.

OK, let's look at the regulations. I've expanded out the relevant bit:

Schedule 3 Excepted connectable products

5. Computers

   1. Products are excepted under this paragraph if they are computers which are—

      a. desktop computers;

      b. laptop computers;

      c. tablet computers which do not have the capability to connect to cellular networks.

Nope! The Brother printers don't appear to be exempt¹. What's the maximum penalty Brother could be subject to?

The greater of £10 million or 4% of worldwide revenue.

Ouch!

Of course, much like GDPR fines, these are headline grabbing numbers. The prosaic reality is that the enforcement policy is much more likely to suggest remedial steps. Only the most flagrant transgressors are likely to be punished harshly².

So, to recap. The law says an Internet-connected device (including printers) must have a password which is not "based on or derived from publicly available information". As I understand it, having a serial-number based password is OK as long as you don't publicise the serial number. I expect that if it were printed on a sticker that would be fine. But because the serial can be discovered remotely, it fails at this point.

In Brother's (slight) defence, unless the user has specifically connected the printer to the Internet this is only a local vulnerability. Someone on the same network would be able to monkey around with the printer but, similarly, they could plug in a USB cable for some illicit printing or break it with a hammer. Any damage is confined to the LAN.

Should users change default passwords? Yes. But manufacturers have a legal duty to ensure that people who don't are still protected.

The UK is currently prosecuting two men accused of a crime. Part of the prosecution's evidence is a video⁰. In showing it to the jury, the prosecution have said:

the two minute and 41 second-long video is "extremely dark" but the "unmistakeable" noise of a chainsaw can be heard followed by the sound of a tree falling.

Police experts have "enhanced" the video as much as possible but it has "not been interfered with", Mr Wright tells the jury.

BBC News

I think most reasonable people would agree that creating an AI "Deep Fake" by inserting the faces of the pair into the video, would be unacceptable.

What about boosting the brightness on the video? That seems pretty unobjectionable to me and, I suspect, most neutral parties.

Suppose the prosecutors used AI to enhance the image? Perhaps adding a background which wasn't there up maybe upscaling the video resolution and introducing elements which didn't exist before? I think that's a step too far. Algorithmic enhancement strays into manipulation territory.

But what if the police ran a face detection algorithm on the video and only boosted the visibility of those parts, rather than the rest of the video? Now I think we're haggling over price.

The photographer Paul Clarke has a wonderful blog post about enhancing photographs of MPs - take a look at those photos. Are they enhanced or manipulated? Do you feel differently if it is a photo of an MP from "your" side?

But just brightening and colour correcting is fine, right?

This is a well-known problem in legal circles¹. Boosting the colouring of a photo may make an injury seem more severe. Zooming or cropping an image may make someone seem closer to the action than they were.

The Crown Prosecution Service has this to say about video² evidence:

In terms of proving the authenticity of the video recording, the Prosecution must be able to show that the video film produced in evidence is the original video recording or an authentic copy of the original and show that it has not been tampered with.

CPS Legal Guidance - Exhibits

I suppose it's pretty easy to show that the produced evidence can be derived by taking the original and twisting the brightness and contrast knobs. I also guess that the defence could bring in an image manipulation specialist to show that the enhanced version introduces unacceptable changes.

Although that brings with it some problems about whether an expert in manipulation can say they're an expert about the contents of the media. (No, basically.)

I'll leave you with these words from a House of Lords report in 1998:

The existence of a technology that can be used to modify images in this way need in itself be of no great concern; even the widespread availability of the technology at low cost might not cause concern.

But an apparent lack of understanding of the implications of both these facts should cause concern and warrants further study. The public and all those in the legal profession should be made more aware of the technology, what it can do, and what its limitations are.

It was suggested that criminal convictions that were dependent on evidence captured by digital cameras could be at risk if defence lawyers began to realise how vulnerable such images are to manipulation.

Select Committee on Science and Technology Fifth Report

The trial continues.

Update!

The BBC reports:

The initial video was totally dark, with just the sound of wind and a chainsaw leading up to a giant crash.

A second version has now been shown to the jury, which has been enhanced by a Northumbria Police digital media examiner.

The contrast has been changed, a white border has been put around it and the image has been made brighter.

Here's a clip of the enhanced version:

If you were presented evidence of a completely dark video, how could you be sure that subsequent "brighter" version was derived from the original?

But if you read closely, you'll see there are a few instances where an errant question-mark pops up:

From context, it is pretty clear the word should be "flour" but is rendered as "?our" - why is that?

The original PDF judgement can be downloaded from the official Tribunals website (an ancient service which is long overdue for an update).

If you search the PDF the word "flour" and select it, notice what happens:

Looking at the metadata of the PDF, it appears the file was created with Office 365 which has "helpfully" used a typographic ligature - "fl".

Ligatures are handy for displaying characters in a pleasing manner - but they can really confuse some software.

One way to deal with this is to use a process called "Unicode Normalisation". It is rather dull and technical, but there are plenty of libraries which will split these characters.

Here's how it works for the "fi" ligature:

There are a few issues here.

Firstly, Office 365 should not be using Unicode ligatures. The text should have the letters "f" and "l" but it is the font which should display as a ligature.

Secondly, Bailii's processing of the PDF should either cope with normalisation or it should throw loud and explicit warnings when it runs into something it doesn't understand.

Thirdly, as well as Bailii and the Tribunal Service, the PDF is also available at the more modern Case Law service from The National Archive. Their HTML and PDF documents also have the ligatures, but have subtly different layouts because they have been re-rendered with LibreOffice 7.2.

I've reported the issue to Bailii via their contact form. I've also raised a bug with The National Archive.

And now I'm off to enjoy some tasty potato-based snacks which have been assessed at the correct level of tax!

Is that likely? Well, let's take a quick look at the evidence presented.

First up, Meta's LLaMA Paper. It describes how the LLM was trained:

We include two book corpora in our training dataset: the Gutenberg Project, which contains books that are in the public domain, and the Books3 section of ThePile (Gao et al., 2020)

OK, Gutenberg is out-of-copyright books. That seems like fair game. But what about Books3?

Let's look at The Pile Paper. Here's how that describes "Books3":

Books3 is a dataset of books derived from a copy of the contents of the Bibliotik private tracker made available by Shawn Presser (Presser, 2020).

Following that reference takes us to a Tweet by Shawn Presser where he describes Book3 as

Shawn Presser

@theshawwn

Suppose you wanted to train a world-class GPT model, just like OpenAI. How? You have no data.

Now you do. Now everyone does.

Presenting "books3", aka "all of bibliotik"

- 196,640 books
- in plain .txt
- reliable, direct download, for years: the-eye.eu/public/AI/pile…

thread 👇

---

And then he links to a 37GB file.

So, what is "Bibliotik"? The site itself isn't particularly instructive. But various Torrent forums describe it as:

Latest Free Indie Books – As a member of Bibliotik.me, you will not have to wait for a long time to get your hands on the latest free indie book or edition of a particular free indie series. The members of the community upload new free indie books every day to the website’s content library.

"Free indie books"? Mandy Rice-Davis applies, naturally! Taking a look at a sample file listing shows a number of books which appear to be commercially sold rather than being released for free.

There is a file listing available (20MB .txt file) - which appears to list the books written by the complainants.

I don't have the time and space to download the 37GB file. Nor do I want the legal liability if it is full of illicit material. But if those authors' books are in there... isn't this a slam dunk case?

Meta literally published a paper where they said "We trained this AI on Intellectual Property which we knew had been obtained without the owners' consent."

Now, you can argue all day about whether an AI being able to summarise a book is fair use. Or if reading a borrowed book is a crime. I'm even happy to hear arguments about whether it is legally binding to say "No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means without the prior written permission of the publisher".

But... come on! If a regular person published a confession about their piracy and how they're storing thousands of pirated works, the copyright goon squad would be knocking down their doors!

I suspect we're about to hear some arguments from AI-maximalists that LLaMA is sentient and that deleting it would be akin to murder - and wiping out AIs trained on stolen property is literally genocide. I don't believe that for a second.

I want to live in a future where Artificial Intelligences can relieve humans of the drudgery of labour. But I don't want to live in a future which is built by ripping-off people against their will.

How will law, regulation and ethics govern a future of fast-changing technologies?

Focuses on the practical difficulties of applying law, policy and ethical structures to emergent technologies both now and in the future. Covers crucial current issues such as big data ethics, ubiquitous surveillance and the Internet of Things, and disruptive technologies such as autonomous vehicles, DIY genetics and robot agents. Asks where law might go next and how to regulate new-phase technology such as artificial intelligence, 'smart homes' and automated emotion recognition. Uses examples from popular culture such as books, films, TV and Instagram - including Black Mirror, Disney princesses, Star Wars, Doctor Who and Rick and Morty - to bring hypothetical examples to life. Bringing together cutting-edge authors from academia, legal practice and the technology industry, this book explores and leverages the power of human imagination in understanding, critiquing and improving the legal responses to technological change.

This is a brilliant introduction to the way new technology will craft the need for new laws, and how new laws alter the way we craft new technology. It's a mish-mash of law, tech, and pop-culture - as per the Gikii way.

It starts with a barnstorming explanation of how GDPR relates to Disney® Princesses! It sounds daft, but it is an excellent way to discuss how a right to privacy can be beneficial - and the risks associated with automated data processing ("Mirror, mirror on the wall... What is your lawful basis for the processing of personal data in this manner?")

There's an fascinating section on how so-called smart contracts could be used to write a person's Last Will and Testament. Can automated decisions - and possibly AI - be used to represent a human after they die? If so, what are the legal and societal ramifications of that?

The essay on port mortem privacy was particularly thought provoking and troubling in equal measure.

Some of the essays are only tangentially related to geeky concepts. Including one weird essay where Boba Fett discussed how to use software vulnerabilities to catch Hans Solo!

A few of the essays were a little to lawyer-y for me. I had to skip over large chunks about sub-clauses of GDPR and old court cases. But that's the deal with any compilation - not everything will be to your taste, but there is something for everyone.

It's a great read for anyone interested in the intersection of new-tech and modern laws.

*nudge nudge wink wink*

Of course, everyone ignored that directive and used it for web-surfing after-hours.

Was that theft? Our employer paid the same amount whether we used it for a few emails during the day or for all-night Xbox sessions. Our extra-curricular use didn't cost the business any money. There may have been some tax implications for receiving a Benefit-In-Kind, but how do you apportion usage of a service?

Whatever the future brings, I think it's clear that lots of office workers are going to be working from home a few days a week now. So should your employer pay for broadband? If so, are you allowed to use it for non-work purposes?

It got me thinking about all the costs I already have to personally bear when working.

• Commuting. The big one! £3,000ish per year. Most large employers offer a loan to help offset the cost.
• Home office costs. Buying or renting a place with enough space to have an office is a significant expense.
• Clothing. I've worked jobs where I had to buy the uniform. While I wouldn't usually turn up to work naked, I occasionally have to buy smart-looking clothes.
• Lunch. Sure, I could pack sandwiches - but they're yucky after an hour-long commute. So I buy something overpriced from a local shop.
• Beer. No, it isn't mandatory to go to after-work drinks. But you want to be a team player, don't you?

I'm sure you can add your own examples.

In the UK, top price broadband maxes out at about £50 per month. I don't think that's a huge expense for a business - especially if they're saving on office costs.

Or, am I expected to pay for broadband myself in the same way that I'm expected to own a suit, tie, and sensible shoes?

If not, is it OK to use my work-provided broadband for watching Netflix?

A few years ago, someone was arrested for allegedly using someone else's unsecured WiFi. Is that theft?

"It is a bit like reading your book from the light coming out from someone's window"

Julian Baggini, Philosopher BBC News (2007)

My wife has written about this from a philosophical perspective - you should go read her eloquent take on the issue.

I don't want to go into detail about whether or not his punishment is adequate, but I would like to talk about this curious remark made by the Judge during his sentencing:

beginning today and lasting for two years, you are prohibited from using any device capable of accessing the internet unless it has the capacity to retain and display the history of internet use and you make the device available on request for inspection by a police officer. You are also prohibited from deleting such history.

R v Patrick Rock. Sentencing Remarks of HHJ McCreath - Southwark Crown Court - 2nd June 2016

On the face of it, this seems quite sensible - but what exactly is "accessing the Internet" and what do we mean by retaining "the history of Internet use"?

History

By "Internet history", I suspect most people think of a web-browser's "history" function. Silently recording every page that you've visited.

There are two flaws in this thinking.

1. All web browsers have an "incognito" mode which prevents a history being created.
2. History usually covers pages - not embedded media.

I don't know of any way - short of persistent monitoring of a connection - that you could tell if Incognito mode had been used. That's the whole point in it existing. It doesn't delete the history - it never records it in the first place.

Is it enough for the offender to say "just because Firefox has an incognito mode, that doesn't mean I've used it."? Or are they prohibited from using any browser with such a feature?

Secondly, your browser is recording a visit to this specific page in its history. But it is not recording a visit to the page hosting this image:

It would be possible to craft a page full of forbidden content, yet have the browser only record a visit to a seemingly innocuous site.

Similarly, a history may record that you visited a specific page on YouTube - but if the video is subsequently deleted, there's no way to know what its contents were.

The Internet is not the Web

It is a common misconception that the Internet is the same thing as the Web. It isn't.

There are many different ways to access the Internet on a device. For example, switching on your Internet connected lightbulbs doesn't use the Web.

• Suppose this person has an Internet connected thermostat. Does his smarthome have to retain every time he adjusts the temperature?
• What about email? Can he delete unsolicited spam messages? How about discarding drafts of emails?
• A games console can access the Internet. But generally doesn't record its Internet use. So can he play on an Xbox if it isn't connected to his WiFi?
• Most devices will not have access to the encrypted streams that an app requests. So are all apps out of the question unless they also retain a hstory?
• Consider a Skype video call. Is it enough to preserve the metadata (when was the call placed, who were the participants)? Or does the video and audio need to be preserved?

Thoughts

Is it impractical to completely ban someone from using the Internet given how much of modern life relies on it? If it is, how do you adequately craft an unambiguous order which allows an offender to be monitored without overwhelming complexity?

I'm (obviously) not a legal scholar. The spirit of this ruling seems to be "you can access the Internet only if we're allowed to inspect everything you do" - but the wording seems (deliberately?) vague and technologically naïve.

Does that embolden the guilty party to look for loopholes? Does it give the police too much power to arrest on a whim? Given that it is rarely the "device" which records Internet history, is there any way of practically complying with the order?

What are the alternatives?

• Directly monitor the offender's Internet connection? Wouldn't be able to see encrypted traffic. Doesn't stop someone buying a SIM card.
• Install surveillance software on all Internet connected devices? Impossible for Smart TVs, games consoles, eBooks, smart watches, etc.
• Only use approved apps on approved devices, and ensure that the phone/laptop/games console/etc can't install anything else? Complex and expensive.
• Ban the offender from buying a burner phone / SIM or using Incognito Mode? This seems to be what the Judge wants - but it is almost impossible to detect.

At this point, we're back where we started. The offender has to be trusted to comply with an order which is easy to unexpectedly break, and those supervising him have an almost impossible job detecting unauthorised use.

I'd welcome thoughts from people better informed than I am.

You can listen to it on their website - or, if it has expired, I've grabbed an audio clip for your listening pleasure.

I've asked the Direct Marketing Associate to create a "Do Not Text" list - so that people can opt-out of spam SMS. They already operate the Mail Preference Service and the Telephone Preference Service for opting out of junk mail and calls.

The DMA argues that there's no need for such a service because spam SMS are already illegal. That strikes me as odd. It is quite clear that there are networks of personal data brokers who are careless with your personal data. Creating a universal suppression file would allow text marketers to be sure that they are not inadvertently breaking the law.

The DMA know that there's a problem with SMS Spam - they have a whole page dedicated to it!

The DMA offers a service to opt-out of spam faxes! Surely it can't be beyond their wit to create a similar system for text messages, can it?

If you've received a Spam SMS, please complain to the DMA and ask them to add SMS to their list of preference services.

On that cheery note, let's consider Twitter's new image embedding functionality. If your friends post a photo onto Twitter, you will see it in your timeline automatically. No need to click on anything. (As an aside, that's a feature Dabr and other Twitter apps have had for years).

A few years ago, the Twitter account of Britney Spears was compromised. Attackers were able to send an email to her TwitPic account which contained a fake notice of her death.

Imagine, for a moment, if it had contained a pornographic photo. Everyone who followed Britney would automatically be exposed to explicit images. An annoyance for some, an employment disciplinary matter for others - and for some, a legal issue.

Suppose a some hacker takes over the account of a well followed Twitter user. They then upload images which are illegal in the UK - and possibly other countries. Now, everyone who follows them, has that image in their web browser. It's stored in their cache, it may even have been auto downloaded onto their phone.

That's what happened to me last week. A friend posted a photo of the new Beady Eye single.

True, it's not the most explicit image in the world, but it's not the sort of thing you want on your screen at work. Nor do you want it in your browser's cache should someone decide you need investigating.

All of a sudden, all of this user's followers have an (unwanted?) image on their computer. In this case, half a breast is unlikely to cause much offence - but this could easily have been the controversial Virgin Killer album cover.

This thrusting of potentially illegal images can also happen by accident - a Twitpic error caused the BBC's technology correspondent to appear to share a photo of a woman "in a pose that can only be described as extremely post-watershed."

So, what does this mean for Twitter and for strict liability laws? It's almost impossible for a computer to automatically detect whether an image is offensive or illegal. Humans aren't much better - and there's a massive cost for pre-emptive moderation.

A wave of spam on social media could be enough to see you convicted on some very nasty charges.

It's as though they think that people won't be able to use a proxy, circumvent the Cleanfeed block, or simply use a search engine to find another torrent site.

Build Your Own Pirate Bay?

Proxying is a very simple concept.

• Alice is forbidden from speaking to Bob.
• Alice can speak to Eve.
• Eve can speak to Bob.
• Alice, therefore, can use Eve to communicate with Bob.

So, a user who wishes to access The Pirate Bay would have to do something quite complex to use a proxy? No, this is all there is to it:

SELECT * FROM html
WHERE url="https://thepiratebay.se/search/ubuntu/0/7/0"
AND xpath='//tr'

This uses YQL and xpath to extract all the information from a Pirate Bay search (in this case, for Ubuntu - which is legally distributed through Bit Torrent).

Simply, this asks Yahoo (an American site) to contact The Pirate Bay (a Swedish site) to deliver information to a user in Britain.

You can play with the results yourself in the Yahoo Console.

This returns a JSON string which can then be easily parsed (e.g. using jQuery). Simple.

Aha! But What About Downloading A Torrent?

In the olden days (well, last year) there was a fly in the ointment. You had to download a .torrent file from the website. That meant that you needed a way to connect to, in this case, The Pirate Bay or find a proxy which was willing to transfer files.

Nowadays, people use the magnet protocol. Here's what a magnet link looks like:

magnet:?xt=urn:btih:fa692da0488aee23e5eb605a87be934ad7cec106

Short enough to fit into a text message and, handily, can be embedded in an HTML document with no need to download an extra file. Paste those 60 characters into your torrent client, and it will connect to the cloud and start downloading the file you requested.

So, a single web request to Yahoo and a line of JavaScript code is all it takes to circumvent this blockade.

Next Move

So, do the UK courts need to order ISPs to block Yahoo as well? Or play whack-a-mole with all the new torrent sites springing up? Let's not forget, in 2004 the huge Bit Torrent search engine Suprnova was sued out of existence. Just like with the Hyrda, a decapitation lead to multiple sites springing up.

Piracy is a problem of convenience. A pirated copy is

• Faster to download.
• Quicker to watch (no unskipable trailers).
• More convenient to transfer to different devices.
• Global availability (no artificial regional restrictions).
• Immense back-catalogue (Star Wars, for example).
• Cheaper.

The only downsides are that they are often of dubious legality, and occasionally of poor quality.

The entertainment industries have to compete on all these points. I'll admit, that they will almost certainly not be able to compete with "free" - although monthly unlimited subscriptions come close.

The rest are problems of their own making. I described how I downloaded The Phantom Menace back in 1999. 13 long years later and the movie industry still isn't even close to where it needs to be.

Amazon have done pretty well from selling raw MP3s - a simple web interface, pay a small bit of money, instant high-quality download which is DRM free. Where's the equivalent for films? Or for TV? Or radio?

The pernicious restrictions around geography also must end. I want to watch Veep just as much as the Americans do. Why do I have to wait even an hour, let alone a week?

Finally, Star Wars still isn't available to (legally) download. If I have a hankering for Jar Jar Binks at 3AM, I have to order a DVD and wait while it is physically transported from a warehouse. That's such a 19th Century way of thinking that it hurts my brain.

Get all that right and maybe - just maybe - the "piracy problem" will solve itself.

Of course, alternatively, it may be too late. For 13 years people have been used to downloading without paying. That's a long period of learned behaviour. How content providers can convince people to change the habit of a lifetime is beyond my knowledge.

I wasn't expecting a whole CD's worth of information - like Facebook provides users - but what I did get surprised me.

Twitter UK has no control or responsibility over the user information in the Twitter service and cannot respond to these sorts of requests.

So, I was rather surprised to see Privacy International telling people to contact Twitter's UK office.

I'm not sure whether PI are mistaken, or Twitter UK are.

I have reached a settlement with Sky.

Update: 16 March, 2011. They have finally paid up!

tl;dr

Sky News stole my copyrighted work and distributed it without credit or payment.

I asked them to pay £1,500.

They refused.

Full Story

During the recent O2 brouhaha I recorded a video showing how the issue could affect people. I deliberately gave it the standard YouTube licence rather than the Creative Commons licence.

Later that evening, I was alerted to the fact that Sky News had broadcast my video without first seeking permission.

Graham Cluley

@gcluley

Just did Sky News spot about the @O2 controversy. From sound of what came down my earpiece they also used @edent's vid youtube.com/watch?v=67b4GT…None

---

I grumbled a bit on Twitter and was contacted by a representative of Sky News. He was very quick in ascertaining that my video was used without my permission and arranged to prevent it being shown again.

I was not happy about this state of affairs. BSkyB and News International have been very vocal about digital piracy and copyright infringement. They have relentlessly pursued a copyright maximalist agenda which - I believe - is damaging to the creative industries. Not to mention rampantly hypocritical.

Sky News accept user generated videos, with this stern warning:

Copyright protects the interests of the people and companies who create these products. If the content or product or marks in your video are owned by someone else, you are infringing copyright and run the risk being prosecuted.

It is important that you understand that you cannot take other people's creations and use them as you see fit.

Uploading somebody else's video is no different to taking something from a shop without paying. Copyright infringement damages the music, film and television businesses and the future development of music, film and TV programmes.

From Sky News' Frequently Asked Questions about user videos. Emphasis added.

Sky News have a history of ignoring copyright and infringing the moral rights of authors.

Unfortunately, the Digital Economy Act doesn't allow me to sue Sky News for distributing my content for free without my permission. An individual can lose their Internet access for sharing a movie, however there don't seem to be any sanctions against a large company for sharing my copyrighted work without permission.

I don't have the resources to fight a legal battle against Sky. So I decided to settle for cold, hard cash.

Originally, Sky made the following offer:

For a short youtube video like that we would normally pay around £50 & would be more than willing to pay an extra £25 for the fact you weren't asked in the inconvenience it has caused you.

The NUJ publish a freelance rate card. The rate for freelance video should be around £300 per minute.

I farted in Sky's general direction. I wanted £300 for the broadcast of the video, plus £1,200. I calculated that as £400 for them failing to ask permission, another £400 for them infringing my copyright, and then £400 for them violating my moral rights.

Even if they didn't agree with the above reasoning, it is usual to charge four times time standard licence rate when a copyright owner is asked to assign all rights away. Effectively, Sky News had unilaterally assigned all my rights to them - so I felt justified asking for this sum.

Overall, I thought £1,500 was reasonable - especially when you consider that the Daily Mail paid £2,000 for using photographs without permission.

Sky came back with an offer of £300.

I pointed out that s107 of the Copyright, Designs and Patents Act 1988 had provisions for fines of up to £50,000, or a six month prison sentence. In comparison £1,500 seems modest.

Sky replied:

As I indicated, we do not yet agree on a sensible figure for this use.

Bearing in mind you are now invoking the Copyright Designs and Patents Act I have placed this matter in the hands of our lawyers.

This does not represent an unwillingness to come to an agreement between us but, unfortunately, it is likely to slow the progress slightly.

Now I'm waiting to hear back from their lawyers. I wonder what their hourly rate is?

I'll update this post when I know more...

A Settlement🔗

I have accepted an offer of £300. A few minutes ago, I received this email from Sky:

After consulting with our Sky lawyers our position is that we believe a £300 settlement is a fair and appropriate sum. Our position is:

• The £300 is in respect of what you describes as "infringement of copyright" rather than any "union rate";
• Contrary to what you claim, we did not act as if you had assigned us all rights. Specifically, we did not claim ownership nor seek to profit from it by licensing to others;
• Criminal liability will not attach in relation to an inadvertent use of footage;
• English law does not recognise violation of moral rights;
• There is no authority that an infringement in these circumstances attracts four times the usual licence fee. To the contrary, the usual measure is what the reasonable cost of licensing would have been.
• Our offer is generous for the reasons above and we will not increase it.

May I also stress that when you are relating this issue to third parties on whatever platform I would consider it unfair if you did not relay the fact that we immediately acknowledged your copyright and sought to bring redress. I stress, once again, that we take copyright and its infringement very seriously at Sky News.

I'm not a copyright lawyer, so am in no position to argue against their formidable legal might. I have invoiced them for £300. I must point out that - once I contacted them - Sky were very quick to take down the infringing content and have been unfailingly polite in their dealings with me.

I will be donating £100 to both The Open Rights Group and MySociety. And drinking the rest.

Thank you for all your comments, tweets, and messages of support.

Footnote

I'm currently on holiday - so comment moderation and updates may be delayed.

Listen to the call on iPadio. The iPadio service died several years ago. There are no backups.

I'll admit, it's not the most cutting edge piece of investigative journalism.  To create the recording, I placed the rep on hold, dialed iPadio, then conferenced the two calls together.  Hey presto - the call was recorded.

One thing bothered me though, I hadn't told the cold-caller that I was recording them.  At best, it was slightly unethical and rude - at worst it could be illegal.

I was reminded of this when I saw a tweet from Chris Applegate

Chris Applegate

@chrisapplegate

Replying to @edent@edent You can record a call for your own purposes, but not reveal to a 3rd party without consent of other caller http://is.gd/4RFDY

---

The site he mentions is hideously out of date - it talks about Oftel who ceased to exist in 2003.  So, I rang Ofcom who inherited most of Oftel's functions.

Ofcom were very helpful - recording telephone calls came under the ambit of the Information Commissioner's Office.

So, I rang them.  Success! The advisers there pointed me to Section 36 of the Data Protection Act.

Domestic purposes

Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III.

This, according to the ICO, meant individuals are not bound by the DPA. Of course, it may well be prudent to let people know that they're being recorded and inform them if you intend to publish the conversation - but there is no obligation for individuals to do so.

Martin Belam raises some points about the Sun broadcasting a phone conversation with Gordon Brown.  While individuals may make recordings and are under no obligation, the whole thing becomes slightly murkier when a company is involved - even if no money changes hands.   I think Martin is right; this sort of exploitation of privatley recorded material should be investigated by the PCC.