Copyright other than software

The EU Copyright Directive (2001/29/EC) controls copyright law, except for copyright over software. EUCD is the European equivalent of the infamous Digital Millennium Copyright Act (DMCA) in the US.

Article 6 mandates legal protection against "circumvention of any effective technological measure" which supposedly impedes access to copyright material. "Effective technological measure" is defined as anything which is designed to restrict (by means of encryption, scrambling, or any other access-control process) acts which are not authorised by the copyrightholder. This apparently includes fig-leaves such as rot13.

Member States may compel copyrightholders to make available the means of copying for the purposes of: photography; public libraries and museums; broadcasters' editing and archiving; and "social institutions" such as hospitals or prisons. Copyrightholders may also be compelled to facilitate copying and public performance of their works for the purposes of: teaching and research; adaptation for disability; and public security (including the administration of justice). Copying for private use is permitted, but copyrightholders can facilitate this by charging "fair compensation" and providing only another technological measure to limit the number of copies which can be made (presumably with a minimum of one).

Other users' rights may be granted by member States without compelling copyrightholders to lift a finger to help: news reporting; "fair use" quoting (for reviews etc.); political speeches; official celebrations; public art pieces; parody; library catalogue terminals; and other minor exceptions. In these cases, you may have a right (to use the protected work) without a remedy (of circumventing the protection).

Devices or programs which can help to circumvent any effective technological measure are made illegal, i.e. they cannot be manufactured, imported, sold, rented, advertised, or possessed for commercial purpose (although possession for non-commercial purpose is excepted). Devices which "have only a limited commercially significant purpose or use other than to circumvent" are ALSO outlawed, regardless of whether they are capable of actually circumventing anything, which seems to prohibit GNU Hello. There is no exception for the various users' rights mentioned above.

Copyright holders can sue the State if their rights are not adequately protected in full. Users have no such right (see Francovich vs. Italian Republic).

Copyright for software

The Legal Protection of Computer Programs Directive (91/250/EEC) is implemented by the European Communities (Legal Protection of Computer Programs) Regulations, 1993, and covers copyright as it applies to software.

Programs written by an employee belong to the employer, unless a contractual term (of employment) specifies otherwise. Copyright holders have near-total control over the use of their programs. Copying (including installing, running, transmission on the data bus), adaptation (including disassembly, decompilation) and distribution (including all rentals and the first sale of each copy) are the exclusive right of the copyrightholder.

Regardless of licence terms, users have the right to make backup copies, conduct black-box testing, and decompile for interoperability. Black-box testing means that you can legitimately infer or deduce the (non-copyrightable) "ideas and principles" of the program while using it, and although the licence can restrict how you use the program, the licence cannot prevent you from making use of what you learn while using it. Decompilation is protected so long as (a) you are writing a program; (b) your program needs to interoperate with other programs; (c) you need specific information to write the program; (d) you can't "readily" get the information without decompiling; and (e) you are permitted to make at least some use of the program you want to decompile (i.e. you're a licensed user).

By default, the "lawful acquirer" of a copy of a program may install and run it "in accordance with the intended purpose, including for error correction" without explicit authorization to install, run, transmit between CPU and RAM etc. from the copyrightholder. However, contractual provisions can take this permission away (rendering the software effectively unusable and leaving the user no recourse). The "error correction" provision implies that the user can apply patches to the software without explicit permission from the copyrightholder.

Distribution of "any means" of removing or bypassing copy protection is illegal (a tort). Circumvention must be the sole intended purpose of the "means" (software? written instructions?).

Spam

The Privacy and Electronic Communications Directive (2002/58/EC), which must be implemented by Hallowe'en this year, contains an article which goes a long way to outlawing spam.

Article 13 prohibits unsolicited marketing messages sent via email, fax, or SMS message to natural-person "subscribers" without prior consent. A "subscriber" is defined as "any natural person or legal entity who or which is a party to a contract with the provider of publicly available electronic communications services for the supply of such services" (thanks to Susan McKiernan of Masons for this definition).

This means that subscribers to public ISPs such as IOL are protected, but users are not protected just because their site owner is a subscriber. This loophole will take a few trucks at least, and it wasn't obvious to me until it was explained at the "Spam, the law and on-line marketing" talk given by Masons on the 15th of May.

Unsolicited marketing may be sent to existing customers of a business (but always with an opt-out option) for the purpose of advertising more products or services from the same business, provided that they're similar to the products or services that the customer has already bought. Member states can change this from an opt-out to an opt-in requirement.

All marketing email must contain a valid opt-out address and must disclose the identity of the sender.

Distance Selling

The Distance Selling Directive (97/7/EC) sets out rights for consumers who buy online and responsibilities for online vendors dealing with consumers. A consumer is a natural person acting outside the course of his/her trade or business.

Before concluding any sale, the vendor must present the consumer with a statement containing: the name and address of the vendor; the particulars of the goods being sold; the price including all taxes; any delivery costs; arrangements for delivery/payment/service; any premium-rate service costs; the period for which the offer or price is valid; and the minimum length of the service contract (if more than one year). The vendor must also explain the consumer's right of withdrawal during the 7-day "cool off" period.

After the sale is made, the vendor must supply the consumer with a paper copy of the above information plus: an explanation of how to withdraw; details of any guarantee or warranty; and the "conclusion for cancelling" a service contract (a phrase I haven't decoded).

The consumer may withdraw from almost any sale until 7 working days (not calendar days) after the goods/service are/is delivered. If the consumer does this, the only charge the consumer can be stuck with is the cost of physically returning the goods to the vendor. If the vendor doesn't provide all the required information, the consumer's right of withdrawal is automatically extended to three months.

The consumer has no right of withdrawal if: a service was bought and the vendor has begun rendering the service; the price fluctuates due to financial market conditions outside the vendor's control; the goods have been customized to the consumer's specification; the consumer has broken the seal on software or video/audio recordings; the goods are periodicals or gaming/lottery tickets.

Unlawful Access

The Criminal Damage Act, 1991 and section 9 of the Criminal Justice (Theft and Fraud Offences) Act, 2001 comprise the substantial criminal law on cracking in Ireland.

Section 5 of the CDA says:

    A person who without lawful excuse operates a computer [with intent
    to access any data, when either the data or the computer is within
    the State] shall, whether or not he accesses any data, be guilty
    of an offence...

The terms "operate", "access" and "computer" are not defined, and may be interpreted broadly by a court. The term "data" explicitly includes "programs", so messenger spam and unauthorised relay SMTP seem to count as accessing data.

A lawful excuse is that you either: (1) own the data accessed; (2) have permission from someone who owns the data, or confidence that such an owner would grant permission in the circumstances; (3) need the access to avoid or deter damage to property of your own; or (4) have made a genuine mistake about whether you have any of the above excuses. The usual criminal defences (automatism, duress, etc.) are still available.

The rest of the Criminal Damage Act deals with damage to property, and considers alteration of data to be damage to property.

It should be obvious that any cracker who is caught and charged under s. 5 of the CDA is likely to claim "mistake" as a lawful excuse. The court will decide whether to believe that the mistake was honestly made. Prominent notices (in /etc/issue or the like) summarising authorisation for the benefit of users are probably a good idea.

Section 9 of the Criminal Justice (Theft and Fraud Offences) Act 2001:

    A person who dishonestly, whether within or outside the State,
    operates or causes to be operated a computer within the State with
    the intention of making a gain for himself or herself or another,
    or of causing loss to another, is guilty of an offence.

The word "dishonestly" means "without a claim of right in good faith".

Curiously, this section doesn't cover the situation where a fraudster in Ireland dishonestly operates a computer outside the State to effect the fraud.

Why You Can't Use A Mac Classic For Work

The Safety, Health and Welfare at Work (General Application) Regulations, 1993, in implementing an EU Directive whose citation escapes me, specify minimum criteria for video monitors used in computer workstations. All employers must ensure that their employees are protected by these regulations (self-employed people must protect themselves).

Employers must assess and remedy any safety risks from monitors, must provide safety information, training, and regular eye tests to employees, and must arrange to have employees regularly interrupted throughout the day in order to reduce workload at the display screen.

Monitors may not have flicker, glare, small or fuzzy or close-set font glyphs, or significant nonvisible radiation. They must have a user-accessible brightness or contrast control, must swivel and tilt, and must have either a separate base or an adjustable table.

Keyboards may not have glare or an awkward arrangement of keys. They must have easily-legible key caps, must be tiltable, must be separate from the monitor, must allow use from a comfortable position, and must have space on the desk for a wrist rest.

Work areas must have space to find a comfortable position, just enough light, no disturbing glare or reflections, and no uncomfortable humidity.

Desks must be large enough to allow rearrangement of the screen, keyboard etc.

Chairs must be stable, with adjustable seat height, back height, and back tilt. They must allow easy freedom of movement. A footrest must be available.

Heat or noise from workstations must not be distracting or discomfiting.

    Software shall be easy to use and, where appropriate, adaptable
    to the employee's level of knowledge or experience; no quantitative
    or qualitative checking facility may be used without the knowledge
    of the employees.

Software must display information in a way that suits the employee, and must provide feedback on input (e.g. shell prompts, keyclick, mouse cursor, error messages).

"The principles of software ergonomics shall be applied, in particular to human data processing." A dozen doughnuts to whoever first explains this to me.

Skipped or mentioned in passing

If the police interview you in the course of any criminal investigation, don't let their notes be the only record of the interview: get it recorded and/or have your lawyer (your lawyer, not your employer's) present. Don't do what Randal Schwartz did: he tried to straighten out the misunderstanding, only to find that the police notes simply established the elements of criminal intent.

If someone posts illegal content on your system, and you don't have any control over the content before it gets posted (i.e. posting is unmoderated), you are not automatically liable unless you know it's there (or have good reason to suspect that it's there) and you do nothing to remove it. You are not required to search for such content unless something gives you a reasonable suspicion that there's something to find (e.g. a complaint).

The Data Protection Act, 1988 has now been updated with the Data Protection (Amendment) Act, 2003 (effective July 2003). The major difference is that export of personal data to countries with insufficient data protection law is now prohibited, except for the US. Export to US companies on the US Department of Commerce's Safe Harbor List is permitted. The US government has promised that it will enforce data protection principles on all those companies, honest, and that's cuttin' me own throat.

ISPs are now required to register under section 14 of the Data Protection Act, 1988.

Computer records are considered hearsay and are not normally admissible as evidence. The Criminal Evidence Act, 1992 allows computer records to be introduced if the record was created by a person familiar with the facts being recorded, and it was recorded in the normal course of business. For instance, an email MTA log contains admissible portions (the originator and recipient addresses, because they were personally known by the sender of the message) and inadmissible portions (the message-id and queue ID, which are personally known only to the nerdiest of the nerds). Computer records are rarely admissible in civil cases.