21 January 2012

Losses

The UK Information Commissioner (ICO) has highlighted responses to three data breaches.

In the first former health worker Juliah Kechil has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers. She had been a Health Care Assistant in the Royal Liverpool University Hospital's outpatients department. She was fined £500 and ordered to pay £1,000 towards prosecution costs, along with a £15 victim surcharge following conviction under s 55 of the Data Protection Act at Liverpool City Magistrates Court. The Commissioner notes that -
Royal Liverpool University Hospital began an investigation in November 2009 when the defendant’s father-in-law contacted the hospital after receiving nuisance calls which he suspected had been made by his former daughter-in-law. Having changed his phone number in July 2009 following unwanted calls from Ms Kechil, he was immediately concerned that there had been a breach of patient confidentially.

Checks by the hospital revealed that all of the patients whose details had been compromised were not at any time under the medical care of Ms Kechil and she had no work-related reasons to access their records. She accessed the information for her own personal gain without the consent of her employer. The accesses were traced through audit trails which were linked to the defendant’s smartcard ID.
The Commissioner noted that the ICO - somewhat more positive than the Australian OAIC - "continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information".

In the second response Praxis Care Limited, a care provider with offices in the Isle of Man and Northern Ireland, has "taken action to improve its data protection practices" following a joint ruling by the ICO and the Office of the Data Protection Supervisor (ODPS) for the Isle of Man.

Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep peoples’ data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man in August last year. Some of the data was sensitive and related to individuals’ care and mental health. The stick has not been recovered.

Praxis has "now committed to making sure that all portable devices used to store personal data are encrypted", with personal information that is no longer needed being disposed of securely in line with the company’s updated data security guidance. The Commissioner commented that -
Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable. The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning.

The ICO will continue to work closely with other data protection regulators where it is clear that a data breach extends across national boundaries.
A separate undertaking has been signed by the Chartered Institute of Public Relations (CIPR), the organisation whose practitioners tend to advise on the thing to say when clients let personal information go feral.

The CIPR has made a formal undertaking with the ICO over the loss of up to 30 membership forms on a train in May last year. The Institute - nothing like looking ahead, given the frequency of data breaches - did not have a policy in place for handling personal data outside of the office. It has agreed to review its data protection policy and "make sure that it is communicated to staff" by the end of February.

Blundr

Another day, another data breach.

This time it's a warning from the Australian Securities & Investment Commission (ASIC) and exposure of a weakness in the Grindr and Blendr social network services, with claims in the SMH that -
A popular "meat-market" smartphone app that spawned a sexual revolution in Australia's gay community has been compromised by a Sydney hacker, potentially exposing intimate personal chats, explicit photos and private information of users.
Grindr, with a reported 100,000 Australian users in mid 2011, and the straight Blendr, combine geospatial awareness with personal profiles. In essence participants can use a mobile phone or other wireless device to view the profiles of other participants within a particular proximity and exchange information. It's discussed in studies such as 'There’s an App for that: The Uses and Gratifications of Online Social Networks for Gay Men' by David Gudelunas in 16 Sexuality & Culture (2012), Gaydar culture: gay men, technology and embodiment in the digital age (Ashgate 2010) by Sharif Mowlabocus and 'Queer theory, cyber-ethnographies and researching online sex environments' by Chris Ashford in 18(3) Information & Communications Technology Law (2009).

The SMH reports that -
The hacker discovered a way to log in as another user, impersonate that user, chat and send photos on their behalf.

The vulnerabilities are also present in Blendr, the straight version of the app, according to a security expert who said both apps had "no real security" and were "poorly designed". Fairfax Media is not aware that Blendr has been hacked but the potential was there, according to the security expert.

The founder of the apps, Joel Simkhai, conceded both were vulnerable and he was rushing to release a patch to address the issues. He said he had originally been waiting until new architecture was built "within weeks" but was now releasing an update to both apps "over the next few days".

In a telephone interview about the vulnerabilities last Friday he said it was news to him about the potential for text chats to be monitored and claimed the company had never experienced a "major breach" in which a large portion of users were affected.
"We [do] get people trying to hack into our servers," he said. "That's something that I am aware of and we certainly have a team in place that are working to prevent that."

But by Tuesday Mr Simkhai admitted that he was "aware of some vulnerabilities" but he would not talk about them in detail to avoid a hacker exploiting them.

"We are certainly aware of a lot of these vulnerabilities and ... they will be fixed as fast as humanly possible," he said.

He could not say how many people had attempted to take advantage of the vulnerabilities but said a website created by the hacker had exploited some of the flaws in Grindr. That website was shut down after Friday's interview with Fairfax Media after he sought legal action.

The website, registered on July 14 last year, allowed the hacker to search for any Grindr user regardless of their location, and capitalised on the vulnerabilities to offer other services not designed by the apps. ...

At one point, according to sources who saw the website before it was taken down, it listed users' Grindr pseudonyms, passwords, their personal favourites (bookmarked friends) and allowed them to be impersonated, and thus have messages sent and received without their knowledge. At one point, the website also allowed users' profile pictures to be replaced.

It is understood the hacker changed the profile picture of numerous Sydney Grindr users to explicit images. One user who was targeted confirmed they had been banned due to a perceived terms of service violation.

It is understood the hacker took advantage of the fact the apps used a personalised string of numbers known as a hash, instead of a user name and password, to log in. The hash is exchanged between users' smartphones so they can communicate with each other but the hacker discovered it could be replaced with another users' hash to enable the hacker to:
• Log in as any user
• See the user's favourites
• Change their profile information and profile picture
• Talk to others as the user
• Access pictures sent to the user
• Impersonate a user's "favourite" and talk to them as a friend
A security expert - who did not wish to be named because he didn't have Mr Simkhai's permission to analyse his systems - said that the Grindr and Blendr apps "had no real security".

They are "very poorly designed ... [with] poor session security and authentication", the expert said. "It wouldn't be too hard to secure this."

The security expert demonstrated with permission of a user how he could log in as them and take over the app.

In a statement Mr Simkhai said keeping his platform secure from hackers was a "number one priority".
What are consumer expectations about privacy and data protection in such services? What are service operator responsibilities? I'm reminded of the iBill data breach several years ago.

In 2006 it was revealed that personal information for over 17 million customers of the online payment service iBill (the dominant payment intermediary in the online adult content industry) was available on the net, being used by spammers and identity theft criminals. The data included consumer names, phone numbers, addresses, email addresses, IP addresses, credit-card types and purchase amounts. It appears to have been taken by an iBill employee. I've noted elsewhere that the iBill data breach was not disclosed by the company. Given that the data did not include Social Security, credit-card or driver's-license numbers, no US laws required iBill (or the adult content companies for which they provided payment services) to warn people. A year after the FBI first learned of the loss they had also failed to issue any public warnings.

ASIC has meanwhile "advised clients of online stockbroking firms to urgently review their account security". Its media release states that -
During regular surveillance of the Australian financial markets, ASIC has become aware of several stockbroking account intrusions involving unauthorised access and trading.

ASIC recommends that as soon as possible users of online stockbroking accounts:
• ensure their computer virus software is up-to-date;
• change their passwords; and
• check their transaction history.
ASIC also recommends users do this regularly, as with bank accounts.

If you become aware of any unauthorised trading on your account, you should contact your stockbroker immediately. This will help to ensure that any further unauthorised activity can be prevented.

ASIC is working with online stockbroking firms to help those clients who have been impacted.

ASIC is also working with other authorities to identify the source of the intrusions and pursuing a line of enquiry consistent with similar incidents in overseas markets.

Seduction

'Marriage as Punishment' by Melissa E. Murray in 100(2) Columbia Law Review ( 2012) 101-168 comments that -
Popular discourse portrays marriage as a source of innumerable public and private benefits, happiness, companionship, financial security, and even good health. Complementing this view, our legal discourse frames the right to marry as a right of access, the exercise of which is an act of autonomy and free will. However, a closer look at marriage’s past reveals a more complicated portrait. Marriage has been used - and importantly, continues to be used - as state-imposed sexual discipline.

Until the mid-twentieth century, marriage played an important role in the crime of seduction. Enacted in a majority of U.S. jurisdictions in the nineteenth century, seduction statutes punished those who 'seduced and had sexual intercourse with an unmarried female of previously chaste character' under a 'promise of marriage.' Seduction statutes routinely prescribed a bar to prosecution for the offense: marriage. The defendant could simply marry the victim and avoid liability for the crime. However, marriage did more than serve as a bar to prosecution. It also was understood as a punishment for the crime. Just as incarceration promoted the internalization of discipline and reform of the inmate, marriage’s attendant legal and social obligations imposed upon defendant and victim a new disciplined identity, transforming them from sexual outlaws into in-laws.

The history of marriage as punishment offers important insights for contemporary discussions of marriage. It reveals the way in which our current discourses of marriage are na├»ve and incomplete, emphasizing marriage’s many attributes while downplaying its role as a vehicle of state-imposed sexual discipline. In view of this history, our contemporary jurisprudence on the right to marry can be reread to reveal the disciplinary strains that continue to undergird marriage and the right to marry. Most importantly, this history reveals that state regulation of sex and sexuality has been a totalizing endeavor, relying on marriage and criminal law as two essential domains for disciplining and regulating sexuality.

With this in mind, the recent struggle for marriage equality seems unduly narrow. While achieving marriage equality is important, this history underscores an equally important interest in defining and preserving spaces for sexual liberty that exist beyond the disciplining domains of the state.
Murray concludes that -
In January 2010, Theodore Olson, one of the lawyers litigating Perry v. Schwarzenegger, outlined “The Conservative Case for Gay Marriage.” Speaking to social conservatives who have resisted efforts to expand civil marriage to LGBT individuals and those who are undecided about marriage equality, Olson argued that “same-sex unions promote the values conservatives prize,” including accountability, social stability, and economic partnership. For Olson, the allure of marriage equality is obvious: Marriage is a disciplinary institution and its expansion to include same-sex couples would necessarily include more people within the ambit of the state’s disciplinary reach.

Olson’s account of marriage’s disciplinary possibilities accords with marriage’s history. As this Article recounts, from the mid- nineteenth century to the mid-twentieth century, marriage played an integral role in the enforcement and administration of criminal seduction statutes. Recovering this history of marriage and seduction not only reveals the complicated relationship between criminal law and family law, it also makes clear that family law, through the institution of marriage, was, no less than criminal law, an important disciplinary force in the lives of men and women.

The history of criminal seduction offers useful lessons for the contemporary practice of marriage. Though the popular discourse of marriage focuses on the institution’s many salutary benefits, it elides more substantive discussion of its disciplinary content and punitive history. As this Article argues, marriage, like the criminal law, continues to be one of the technologies of discipline that is deployed by the state in the project of constructing and replicating a disciplined citizenry.

Recognizing and acknowledging marriage’s disciplinary qualities complicates the extant jurisprudence of rights that, most recently, has focused on the right to marry. As this Article has argued, marriage’s role as a technology of discipline requires us to reconsider the marriage right as more than simply a right of access, but rather a right of access to the disciplinary force of the state.

Reframing the right to marry and the institution of marriage along these lines would allow a more accurate depiction of marriage—one that is transparent and forthright about marriage’s disciplinary character. Greater transparency and accuracy in our discourses of marriage is important for those who seek marriage, and for those who would avoid it. Transparency not only helps illuminate what marriage is — it prompts us to think seriously about alternatives for those who would prefer to live their lives outside of the state’s disciplinary domains. Accordingly, this Article strives not only toward a more accurate understanding of marriage, but toward the possibility of sexual liberty untethered to marriage.

Upstairs

Posts in this blog over the past two years have noted the misadventures of self-described "eerily accurate, profound clairvoyant" and witch Eilish De Avalon, a person whose supposed ability to see the future didn't save her from a traffic dispute with the police and whose claim that a Victorian court had no jurisdiction over witches was - quelle horreur - not accepted by that court.

The Northern Star reports that -
A mother and daughter told a court only God had the authority to order them to pull down an illegal extension to their South Golden Beach property, but the magistrate took a different view.
So far God apparently hasn't endorsed the statement by afflicting the magistrate with boils, a plague of toads and scorpions, or other indications of His displeasure.

The item indicates that
In a hearing at Mullumbimby Local Court on Thursday, Byron Shire Council argued the downstairs area of the property was not approved to live in as part of the original development consent and it should be demolished.

The council's governance manager, Ralph James, said despite several requests over the past two years, the property owner had not taken any reasonable steps to get the downstairs development approved or cease use of the area.

"Of concern was the fact that the house was located in an area that is subject to flooding," he said.
It's unclear whether the property owners are unfussed about inundation, welcoming floods as a God working in the same mysterious ways that include affliction with cancer, freckles, a taste for Elvis or ability to make cheap gibes in a blog.

The NS goes on to note that -
The council was originally notified of the illegal extensions by a community member and the matter was listed for December 1, 2011 but the defendants failed to attend.

When the matter was heard, the women submitted a written argument stating they did not have to submit to the jurisdiction of the court, or the council

God was only jurisdiction they recognised, she told the court.
No sign, alas, of whether non-recognition of Australian jurisdictions purportedly obviates the need to pay tax, observe the road rules, refrain from the keeping of slaves or burning witches, and other niceties.

Ms De Avalon's meanwhile out of custody, after two months in prison, and delighting the mass media with headlines such as "Witch ritual in church incites Father's fury". The Herald Sun - where would we be without it - reports that -
A witch who went to jail for dragging a policeman 190m with her car has hijacked a wedding ceremony being performed by the reverend Father Bob Maguire.

Father Maguire said he felt like the "devil took over me" when Eilish De Avalon conducted a Pagan Handfasting Ceremony at a Brighton Catholic church.

Father Maguire said he had warned the woman to tone back her scripts for the January 7 wedding but was "taken for a ride" on the day.

Ms Avalon, who was jailed for two months last June after pleading guilty to recklessly causing serious injury, dangerous driving, driving while suspended and using a mobile phone while driving, yesterday confirmed to the Herald Sun it was the first time she had performed the ceremony in a church, but declined to speak further.

Handfasting ceremonies are performed for same-sex couples, opposite gender couples and for multiple partners.

The bride and groom's hands are tied during the ceremony and vows are usually taken for a year and a day.

At the end of some services, the couple jump over a broomstick. ...

Fr Maguire said: "She is using me as an endorsement to blow her own trumpet. She took an opportunistic advantage of the parish.

"I was taken for a ride and blindsided. Once in the saddle she took over the place. It was like the devil got a hold of me.

20 January 2012

Cybertravel

'The Future of Cybertravel: Legal Implications of the Evasion of Geolocation' by Marketa Trimble in 22 Fordham Intellectual Property, Media & Entertainment Law Journal (2012) considers geolocation questions.

Marketa comments that -
Although the Internet is valued by many of its supporters particularly because it both defies and defeats physical borders, these important attributes are now being exposed to attempts by both governments and private entities to impose territorial limits through blocking or permitting access to content by Internet users based on their geographical location – a territorial partitioning of the Internet. This article, as opposed to earlier literature on the topic discussing the possible virtues and methods of raising borders in cyberspace, focuses on an Internet activity that is designed to bypass the territorial partitioning of cyberspace and render any partitioning attempts ineffective. The activity – cybertravel – permits users to access content on the Internet that is normally not available when they connect to the Internet from their geographical location. By utilizing an Internet protocol address that does not correspond to their physical location, but to a location from which access to the content is permitted, users can view or use content that is otherwise unavailable to them. Although cybertravel is not novel (some cybertravel tools have been available for a number of years), recently the tools allowing it have proliferated and become sufficiently user-friendly to allow even average Internet users to utilize them. Indeed, there is an increasing interest in cybertravel among the general Internet public as more and more website operators employ geolocation tools to limit access to content on their websites from certain countries or regions.

This paper analyzes the current legal status of cybertravel and explores how the law may treat cybertravel in the future. The analysis of the current legal framework covers copyright as well as other legal doctrines and the laws of multiple countries, with a special emphasis on U.S. law. The future of the legal status of cybertravel will be strongly affected by the desire of countries and many Internet actors to erect borders on the Internet to facilitate compliance with territorially defined regulation and enjoy the advantages of a territorially partitioned cyberspace. This paper makes an attempt to identify arguments for making or keeping certain types of cybertravel legal, and suggests legal, technical, and business solutions for any cybertravel that may be permitted.
She suggests that -
If we accept the premise that cybertravel, or the capability of a user to use the Internet as if he were located in a location other than where he is physically located, is socially valuable and worth permitting in some form, the question turns to the conditions under which cybertravel could be legal. ... the existence of this capability does not depend on permitting anonymity on the Internet; anonymization and cybertravel need not go hand in hand.

Thinking about the possible future of cybertravel requires a consideration of all the various policies and business motives that lead website operators to limit access to their content on the Internet. First, website operators design content limitations to enhance user convenience by localizing accessible content, for example by showing advertisements for local businesses. Second, website operators may have contractual obligations with content providers, for example to limit access to video programs that a provider has licensed only for certain countries or regions. Third, the operators may limit access to content to comply with laws that prohibit certain types of content in certain countries, for example by blocking gambling when it is outlawed by some countries; prohibitions may also apply, however, for less-maligned content that may be made inaccessible because of countries’ legal requirements – for instance, countries’ consumer protection laws may require certain products to be offered only if they have been certified for use in the country. Fourth, website operators may decide voluntarily to limit access to content to avoid being exposed to personal jurisdiction and liability in certain countries where they wish to avoid litigation, taxes, regulation or some other type of obligation. Finally, website operators may implement access limitations for security reasons; for example, a bank will not allow a user from outside the account holder’s country of residence to log into the account holder’s account because the bank assumes that such a login is a fraudulent attempt to access the account.

The first type of restriction – content localized for advertising or for user convenience – should cause the least difficulty. There should be no reason for prohibiting users from viewing this type of content as if they were sitting in another country. In fact, website operators such as Google and Lufthansa offer links to allow users to switch easily among different country versions. This switching may not be completely without cost to the website operator, however; if users regularly escape the “convenience” of localized content and use other country versions in lieu of their own local versions, it may diminish website operators’ advertising revenues because they lose some of the advantage that a partitioned cyberspace provides in allowing them to charge premium advertising rates for advertisements that target local consumers.

Cybertravel that is used to evade the other types of access limitations listed above is problematic. It is unrealistic to expect countries to allow users connecting to the Internet from their territory to bypass any prohibitions against certain content or activities by cybertraveling to another country where such content or activities are expressly or implicitly permitted. Allowing cybertravel for these purposes would defeat the public policies behind the prohibitions and undermine national sovereignty. Similarly, it is difficult to defend cybertravel that is used for the purpose of bypassing geolocation tools employed by website operators who are complying with contractual obligations, seeking to avoid personal jurisdiction and liability, or protecting themselves and others against criminal activities. The question is whether there is a way to permit cybertravel when it is conducted to avoid these types of limitations but the conduct has a legitimate goal, such as accessing one’s own bank account from a foreign country. The method of cybertravel is not important, because the tools for its implementation will change; what is important is that travel to another portion of cyberspace be possible.

There are three perspectives from which possible solutions for the future of cybertravel will arise: legal, technical and business. As has been shown by other examples in the Internet environment, a combination of solutions from all three perspectives seems most likely to succeed. For example, laws that prohibit copyright infringement have not stopped online music piracy, and neither have filters that have been imposed by Internet service providers or automatic warnings that are generated by college campus service providers. Although these measures and laws addressing piracy have probably slowed online music and film piracy, the solutions had to be assisted by business solutions, such as iTunes and Netflix, to offer a legal and viable alternative to piracy.

As discussed earlier ... a number of legal doctrines cover issues potentially associated with cybertravel; however, because these doctrines were neither created for nor shaped with cybertravel in mind, court interpretation will be required to determine to what extent the doctrines may make illegal all or some instances of cybertravel. Whatever the status of cybertravel will be, it will be beneficial to clarify the applicability of existing laws to cybertravel and possibly draft specific regulations to govern cybertravel further. If IPv6 makes IPv4 obsolete and a transition actually occurs to permanently assigned or embedded IP addresses, the transition could provide momentum for the creation of cybertravel-specific legislation, and perhaps even for an agreement on a legislative solution at the international level.

Within some permitted extent, cybertravel, as an equivalent to physical international travel, could be subject to reasonable limitations; traditionally, the obligation to carry a passport is considered one such limitation, and a digital passport could serve this purpose for cybertravel. The passport could either be a virtual equivalent to a physical passport and carry the same personally identifiable data of the holder/Internet user, or be a document with only limited information, such as the user’s location. The location identified in either type of passport could be either the current physical location of the user or the place of residence or domicile of the user, depending on the criterion that was set as the factor determining the accessibility of the Internet content.

Although intuition seems to dictate the selection of the user’s current physical location as the determining factor, the other option – place of residence or domicile – should not be excluded summarily. The prevailing principle of territoriality of law suggests that current physical location be the correct solution; under the principle, laws apply territorially, or alternatively stated, the prescriptive jurisdiction of a country extends only to the country’s borders – and outside its borders only to the extent that the country’s jurisdiction covers acts that have effects within its borders. Another principle, the principle of personality of law, exists as well, but with less applicability because the principle of territoriality of law applies to the vast majority of the legislative activities of a country. The use of residence or domicile as the determinative factor for access to Internet content would present a remarkable opportunity to introduce the principle of personality of law for activity on the Internet. Under this principle countries legislate for their own nationals and permanent residents and the laws follow those persons wherever they travel. An analysis of the issues surrounding personality of law on the Internet is beyond the scope of this paper and deserves a separate study, but is worth mentioning.

A law for digital passports cannot exist without a technical implementation. It is not difficult to imagine such a system if the IPv6-related vision of permanently assigned or embedded IP addresses that would identify specific devices (or even persons if the devices were embedded in human bodies) becomes a reality; the law could make it illegal to change or reroute an IP address because that act would be equivalent to forging a physical passport. The digital passport would inform each website operator about the location of the user, or the user’s residence or domicile, depending on the information in the passport.

Knowing exactly how many cybertravelers are connecting to a website and from what locations could assist intellectual property owners, for example, in the creation of tailored licensing schemes; if information about cybertravelers were to include personal identifiers, the system could become what Paul Goldstein described in 1994 as the “celestial jukebox” – a service that would allow on-demand access to copyrighted works from anywhere in the world for a fee. The digital environment is perfectly equipped to implement this system; in such a world, each user could access copyrighted works from anywhere in the world and be charged only for works that the user accessed. This is where a technical solution would prompt the need for a business solution.

What hampers progress towards a celestial jukebox are the significant transaction costs associated with the identification and location of right holders and the negotiation of licenses with multiple right holders. The magnitude of these costs must be addressed in order for global licensing to be feasible, and there are initiatives being developed in this area to pave the way for this type of solution; for example, experts have proposed that the World Intellectual Property Organization create and administer an international repertoire database, and other experts are exploring possibilities for cross-border collective management of rights in the digital environment.

Even without a celestial jukebox solution that would cover all works globally, and even without digital passports, there is clearly space for smaller-scale business solutions to meet the challenges of cybertravel. If content is limited because of the contractual obligations of website operators, cybertravel could be enabled by global or regional licensing schemes that would allow operators to offer selected content either worldwide or in selected countries. Instead of paying cybertravel providers to facilitate cybertravel, users would pay for access directly to website operators, who would then bear any licensing costs and any other costs associated with the content, such as a public television licensing fee.

Of course, these solutions are directed only towards access to content that is restricted because of contractual limitations; any content that is illegal in a country will continue to be inaccessible to users accessing the Internet from that country, and potentially to nationals or permanent residents of that country even when they are temporarily present in another country, if digital passports are used. For certain types of content – and the instances of these types of content are likely to be limited – countries may reconsider the legal status of content in light of the possibilities afforded by digital passports. For example, some countries might reconsider their stance on online gambling if they have the ability to tax users located in their country who use foreign online gambling sites.

The solutions also fail to address cases in which access to content is limited by a website operator’s or content provider’s choice; these cases arise because of issues of jurisdiction, taxation or online security. When website operators or content providers decide sua sponte to restrict their content to certain viewers, users have minimal recourse; only in rare circumstances will a government direct private entities to make content more widely available than it already is. Here a system of digital passports could prove useful; for example, if access to content were based on a user’s permanent residence, content could be made available to a qualified user while he was temporarily located in another country, without exposing the website operator to jurisdiction or taxation in that country.

Finally, knowledge of the numbers and physical locations of cybertravelers could make possible not only sophisticated licensing arrangements but also agreements – either private (meaning between individual content providers and website operators) or international (meaning among countries) on an acceptable level of free spillover. In the physical world, it is accepted that due to international travel, some content limited to a certain country will be available to those who travel to that country. For example, when distribution rights under copyright are licensed for one country, it is understood that some of the copyrighted works will land in the hands of persons who are present in the country only temporarily and those persons may carry the work with them to other countries; laws provide exceptions for individual users to do this because it is considered natural spillover. Exceptions for a similar reasonable spillover could be permitted for cybertravel. However, without information about the extent of cybertravel, it is impossible to find arguments to support the exceptions for the spillover; a passport system would allow the collection of such information.

Abuse

The Australian Institute of Health & Welfare has released its 150 page Child Protection Australia 2010-11 report [PDF], indicating that the number of notifications of child abuse or neglect to state/territory child welfare departments continued to fall in 2010–11, although the number and rate of children in substantiated cases remained stable.

There was a 13% fall in the number of children subject to notifications of possible child abuse or neglect compared with the previous year. During the same period, the number of children in substantiated cases (ie where a govt agency "concluded that the child has been, is being, or is likely to be abused, neglected, or otherwise harmed") was stable - rising by less than 1%.

In 2010–11, there were 237,273 notifications of potential child abuse or neglect involving 163,767 children. Of these notifications, over half were investigated and just over a third were substantiated.

There were 31,527 children involved in substantiated cases during 2010–11, ie 6.1 for every 1,000 Australian children aged 0–17. The report notes that -
Children aged under 12 months were most likely to be the subject of a substantiation of child abuse or neglect. However, over the past five years we have seen a large fall in reported rates of abuse and neglect for those under 12 months of age, from 17 to 12 per 1,000 children
The number of children on care and protection orders at 30 June 2011 rose by 4% from the previous year. The number of children in out-of-home care at 30 June 2011 rose by 5%. Although the total number of children on care and protection orders and in out-of-home care has increased, the number of new admissions into out-of-home care per year has fallen, suggesting that children on existing orders may be staying longer in out-of-home care.

As in previous years, the vast majority of children in out-of-home care lived in home-based care, primarily in foster care (45%) or with relative/kinship carers (46%).

The report states that -
Aboriginal and Torres Strait Islander children continue to be over-represented within the child protection system. Aboriginal and Torres Strait Islander children were 7.6 times as likely as non-Indigenous children to be the subject of a child protection substantiation, and 10 times as likely to be in out-of-home care.

The most common type of substantiated abuse for Indigenous children was neglect, which made up 38% of all substantiated cases, compared with 23% for non-Indigenous children.

Reality

Early year law and justice studies students would benefit from reading the short 'Uses and abuses of crime statistics' (NSW Bureau of Crime Statistics and Research) [PDF] by Don Weatherburn

Weatherburn, with understandable exasperation, comments that "Large sections of the media habitually distort, misrepresent and exaggerate the facts on crime". He goes on to note that -
Between 2000 and 2009, the Australian national murder rate fell by 39 per cent, the national robbery rate fell by 43 per cent, the national burglary rate fell by 55 per cent, the national motor vehicle theft rate fell by 62 per cent and all forms of other theft fell by 39 per cent. Australia is now into its 11th straight year of falling or stable crime rates. Property crime rates in some States are lower than they’ve been in more than 20 years. You might think this a cause for celebration but the vast majority of Australians still think crime is going up. The reason for this is fairly clear. Most people get their information about crime from the media—and large sections of the media habitually distort, misrepresent and exaggerate the facts on crime.

The abuse of crime statistics is so common it has in some quarters engendered great skepticism about them. The saying there are ‘lies, damned lies and statistics’ is probably nowhere more frequently uttered than in the context of crime statistics. Yet whether we like them or not, crime statistics are here to stay. We have to make judgments about the prevalence of crime, about trends in crime, about the distribution of crime and about the impact of Government efforts to prevent and control crime. We cannot base these judgments on personal experience and anecdote. They have to be based on statistical information. The challenge facing those who produce and use crime statistics is how to do so in a way which is not misleading and which helps rather than hinders our understanding of crime. This bulletin is designed to help those unfamiliar with crime statistics to understand their uses and abuses.

19 January 2012

Crunching Breaches

'Empirical Analysis of Data Breach Litigation', a paper by Sasha Romanosky, David A. Hoffman & Alessandro Acquisti for the 39th Telecommunications Policy Research Conference (TPRC) 2011, comments that -
Legal privacy scholarship typically emphasizes the various ways that plaintiffs fail when bringing legal actions against entities when their personal information is lost or stolen. However this scholarship often considers only a small set of published judicial opinions from large-scale data breaches. And so, little is actually known about the characteristics and disposition of a representative set of data breach lawsuits.

Using a unique sample of anually-collected data from Westlaw and PACER, we analyze the court dockets of over 200 federal data breach lawsuits from 1998 to 2011, making this, to our knowledge, the first empirical examination of data breach litigation. We use discrete outcome regression models to estimate the probability that a data breach will result in a lawsuit, and the probability that, once filed, the case will reach settlement. We find that breaches resulting from the unauthorized disclosure or disposal of personal information are 6.9% more likely to result in lawsuit, relative to breaches caused by lost or stolen hardware, whereas breaches caused by cyber-attack are only 2.9% more likely to result in lawsuit.

These results suggest that plaintiffs respond more to the careless or negligent handling by a firm of their personal information, than to the firm’s inability to withstand a cyber-attack or misfortune of losing a laptop. However, while these properties may explain the probability of lawsuit, we find that breach characteristics (size, cause and types of information lost) do not significantly predict the outcome of a data breach lawsuit. Instead, the probability of settlement appears to be driven by the presence of actual financial loss, and class certification.
The authors conclude that -
The proliferation of data breach disclosure laws has heightened awareness of data breaches and catalyzed a flurry of lawsuits by alleged victims of identity theft. These disputes have arisen from the vigorous debate surrounding the use, and dissemination of personally identifiable consumer information. On one hand, collection of both public and private consumer information spawns innovation and reduces consumer costs. For example, data aggregators such as Choicepoint provide valuable services both to retail consumers (facilitating low-cost insurance premiums and lending rates) and corporate or government entities (employee background checks, assisting law enforcement, etc.). On the other hand, consumer advocates argue that the aggregation and storage of this personal information pose great risk to consumers, and its inadvertent or negligent disclosure can lead to many forms of identity theft, fraud, and abuse.

While most legal scholarship has highlighted the difficulties that plaintiffs face when bringing lawsuits because of these data breaches, to our knowledge, there has been no empirical research that has systematically and rigorously examined these suits. Using a hand-collected dataset of over 200 lawsuits, we provide a first-ever empirical analysis of federal data breach litigation in the United States. Our results suggest that individuals are more likely to file suit when the breached is caused by careless or negligent disclosure of personal information, relative to lost or stolen hardware. We also find that disclosure of financial information, though not social security numbers, also significantly increases the probability of suit. Moreover, while these characteristics of the breach (size, cause, types of information lost) were found to be strong predictors of the probability of lawsuit, they were not found to be significantly correlated with the outcome of the suit. Instead, specific instances of identity theft or fraud, class certification and multi-suit litigation were each found to significantly increase the probability that a data breach lawsuit would result in settlement.

The unconditional probability that any given data breach will result in a lawsuit is very small, 5.5%. Nevertheless, conditional on being filed, lawsuits settle almost twice as often as they are dismissed (51% versus 27%, respectively). While this result is still somewhat lower than current literature would predict (Eisenberg and Lanvers; 2009, table 4), it represents a novel insight because legal scholarship typically only emphasizes the failures of data breach claims. However, despite the large proportion of settled cases, the overall probability that any given data breach will settle is still only around 3%. Defendants, however, are surely not immune to the threat and expense of litigation: public actions brought by government entities are very successful, and legal fees can reach millions of dollars.

But is litigation the proper solution? Recall how we identified 86 unique causes of action alleged by plaintiffs for essentially the same event: the unauthorized disclosure of personal information. Does this huge diversity suggest that the current legal system is ill-equipped to efficiently resolve modern data breach harms? Does it expose the limitations of common law and statutory claims brought by individuals seeking redress from data breaches and resulting harms, be they actual, emotional, or anticipated harm?

In an attempt to address these questions, the US Department of Commerce (Department of Commerce, 2010) the Federal Trade Commission (FTC, 2010) have each crafted guidelines for a comprehensive privacy framework identifying best practices for the collection, use and protection of personal information. In particular, the Department of Commerce specifically asks, “should baseline commercial data privacy legislation include a private right of action?” (Department of Commerce, 2010, 30). That is, what role should a private right of action have in redressing harms from privacy intrusions? The outcome of such a proposal, presumably, would allow private individuals to bring legal actions, and obtain redress, for a firm’s mere violation of new data protection or consumer privacy statute. However, the tensions generated by such a proposal are grueling: on one hand, the threat of private class-action litigation may be necessary in order to induce firms to protect personal information, especially in light of the limited resources of public enforcement agencies such as the FTC, SEC, state attorneys general. On the other hand, such a liability regime could impose socially excessive costs on firms as a result of potentially massive damage awards and legal fees.

First Peoples

The Panel on Constitutional Recognition of Aboriginal and Torres Strait Islander peoples has presented its 303 page final report [PDF] to the Australian Government.

The Panel was appointed by the Government in December 2010. It was tasked with "leading a broad national consultation program to seek views from across the Australian community about ideas for recognising Indigenous people in our nation's Constitution". In formulating its recommendations it adopted four principles to guide its assessment of proposals for constitutional recognition of Aboriginal and Torres Strait Islander peoples, namely that each proposal must:
• contribute to a more unified and reconciled nation;
• be of benefit to and accord with the wishes of Aboriginal and Torres Strait Islander peoples;
• be capable of being supported by an overwhelming majority of Australians from across the political and social spectrums; and
• be technically and legally sound.
The report states that -
Current multiparty support has created a historic opportunity to recognise Aboriginal and Torres Strait Islander peoples as the first peoples of Australia, to affirm their full and equal citizenship, and to remove the last vestiges of racial discrimination from the Constitution.
The Panel accordingly makes several recommendations for changes to the Constitution, which would be achieved through a constitutional referendum.

The Panel recommends that section 25 of the Constitution, be repealed. That section, dealing with the House of Representatives, states that -
... if by the law of any State all persons of any race are disqualified from voting at elections for the more numerous House of the Parliament of the State, then, in reckoning the number of the people of the State or of the Commonwealth, persons of the race resident in that State shall not be counted.
The Panel also recommends that section 51(xxvi) be repealed. That section deals with the powers of the Parliament. It reads -
The Parliament shall, subject to this Constitution, have power to make laws for the peace, order, and good government of the Commonwealth with respect to ... The people of any race, for whom it is deemed necessary to make special laws
Alongside those repeals a new ‘section 51A’ should be inserted. The Panel recommends that the section be along the following lines:
Section 51A Recognition of Aboriginal and Torres Strait Islander peoples

Recognising that the continent and its islands now known as Australia were first occupied by Aboriginal and Torres Strait Islander peoples;

Acknowledging the continuing relationship of Aboriginal and Torres Strait Islander peoples with their traditional lands and waters;

Respecting the continuing cultures, languages and heritage of Aboriginal and Torres Strait Islander peoples;

Acknowledging the need to secure the advancement of Aboriginal and Torres Strait Islander peoples;

the Parliament shall, subject to this Constitution, have power to make laws for the peace, order and good government of the Commonwealth with respect to Aboriginal and Torres Strait Islander peoples.
The Panel further recommends that the repeal of section 51(xxvi) and the insertion of the new ‘section 51A’ be proposed together.

A new ‘section 116A’ should be inserted, along the following lines:
Section 116A Prohibition of racial discrimination

(1) The Commonwealth, a State or a Territory shall not discriminate on the grounds of race, colour or ethnic or national origin.

(2) Subsection (1) does not preclude the making of laws or measures for the purpose of overcoming disadvantage, ameliorating the effects of past discrimination, or protecting the cultures, languages or heritage of any group.
Additionally, a new ‘section 127A’ be inserted, along the following lines:
Section 127A Recognition of languages

(1) The national language of the Commonwealth of Australia is English.

(2) The Aboriginal and Torres Strait Islander languages are the original Australian languages, a part of our national heritage.
The Panel makes recommendations on the process for the referendum
a. In the interests of simplicity, there should be a single referendum question in relation to the package of proposals on constitutional recognition of Aboriginal and Torres Strait Islander peoples set out in the draft Bill (Chapter 11).

b. Before making a decision to proceed to a referendum, the Government should consult with the Opposition, the Greens and the independent members of Parliament, and with State and Territory governments and oppositions, in relation to the timing of the referendum and the content of the proposals.

c. The referendum should only proceed when it is likely to be supported by all major political parties, and a majority of State governments.

d. The referendum should not be held at the same time as a referendum on constitutional recognition of local government.

e. Before the referendum is held, there should be a properly resourced public education and awareness program. If necessary, legislative change should occur to allow adequate funding of such a program.

f. The Government should take steps, including through commitment of adequate financial resources, to maintain the momentum for recognition, including the widespread public support established through the YouMeUnity website, and to educate Australians about the Constitution and the importance of constitutional recognition of Aboriginal and Torres Strait Islander peoples. Reconciliation Australia could be involved in this process.

g. If the Government decides to put to referendum a proposal for constitutional recognition of Aboriginal and Torres Strait Islander peoples other than the proposals recommended by the Panel, it should consult further with Aboriginal and Torres Strait Islander peoples and their representative organisations to ascertain their views in relation to any such alternative proposal.

h. Immediately after the Panel’s report is presented to the Prime Minister, copies should be made available to the leader of the Opposition, the leader of the Greens, and the independent members of Parliament. The report should be released publicly as soon as practicable after it is presented to the Prime Minister.
In discussing the contentious issue of sovereignty the report comments that -
The four principles agreed to by the Panel for its assessment of proposals for constitutional recognition include that a proposal 'must be of benefit to and accord with the wishes of Aboriginal and Torres Strait Islander peoples'. For this reason, the Panel has recorded the voices of those who have raised questions about the continuing sovereign status of Aboriginal and Torres Strait Islander peoples.

As the National Indigenous Lawyers Corporation of Australia noted in its submission, recognition or attribution of sovereign status is unlikely to be given any serious consideration in this round of reform. It counselled, however, that it would 'be remiss of the Panel not to state clearly in its report that recognition of our sovereign status is an aspiration of Aboriginal people and Torres Strait Islanders and an issue that will need to be confronted at some stage in the not too distant future'.

Advice received by the Panel is that the sovereignty of the Commonwealth of Australia and its constituent and subordinate polities, the States and Territories, like that of their predecessors, the Imperial British Crown and its Australian colonies, does not depend on any act of original or confirmatory acquiescence by or on behalf of Aboriginal and Torres Strait Islander peoples. It derives from the majority view of the High Court in Mabo v Queensland (No 2) that the basis of settlement of Australia is and always has been, ultimately, the exertion of force by and on behalf of the British arrivals. Advice to the Panel is that recognition of Aboriginal and Torres Strait Islander peoples in the Constitution as equal citizens could not foreclose on the question of how Australia was settled. Nor should constitutional recognition in general have any detrimental effect, beyond what may already have been suffered, on future projects aimed at a greater place for customary law in the governance of Australia.

Any proposal relating to constitutional recognition of the sovereign status of Aboriginal and Torres Strait Islander peoples would be highly contested by many Australians, and likely to jeopardise broad public support for the Panel's recommendations. Such a proposal would not therefore satisfy at least two of the Panel's principles for assessment of proposals, namely 'contribute to a more unified and reconciled nation', and 'be capable of being supported by an overwhelming majority of Australians from across the political and social spectrums'.

While questions relating to sovereignty are likely to continue to be the subject of debate in the community, including among Aboriginal and Torres Strait Islander Australians, the Panel does not consider that these questions can be resolved or advanced at this time by inclusion in a constitutional referendum proposal.

Qualitative research undertaken for the Panel in August 2011 found that 'sovereignty' and 'self-determination' were poorly understood concepts. Given the apparent diversity of current understanding in relation to the meaning of sovereignty and its significance, any such proposal is also unlikely to satisfy the fourth of the Panel's principles, namely the requirement that it be 'technically and legally sound'.

16 January 2012

Rich and strange

One of my more affluent friends quips that you can tell what God thinks about money by the people he gives it to.

I'm reminded of that aphorism in reading Ashton v Pratt (No 2) [2012] NSWSC 3, a dispute over the wealth of colourful entrepreneur Richard Pratt.

The ABC reports that -
A former Penthouse Pet and mistress to the late cardboard mogul Richard Pratt has lost her multi-million-dollar claim on his estate.

The New South Wales Supreme Court ruled that Madison Ashton and her billionaire lover did not intend to enter into a legally binding relationship.

It also found a $100,000 payment she accepted from Mr Pratt finalised any deal made between the pair.
The judgment is more interesting, bother for its affirmation of a range of legal principles and for reported conversations that on occasion read as bad soap opera. Do people really speak that way?

The Court indicates that -
Between about 1995 and 1997, the plaintiff Madison Ashton provided what are euphemistically called escort services to the late Richard Pratt, a married man of exceptional wealth, from time to time, for reward. This came to an end when Ms Ashton married a third party in April 1997. Following the breakdown of her marriage, and of a subsequent de facto relationship, contact between Ms Ashton and Mr Pratt resumed in October 2003. Ms Ashton contends that in a conversation between them in November 2003, Mr Pratt promised her that, in consideration of her not returning to the escort industry but providing services (non-exclusively) to him as his mistress on occasions when he was in Sydney (which was typically one and sometimes two nights per week), he would settle $2.5 million upon trust for each of her two children, pay her an allowance of $500,000 per annum, and in addition pay her $36,000 per annum for her rental accommodation and $30,000 per annum for travel expenses in connection with her proposed business. Ms Ashton now sues Mr Pratt's widow, as the executor of his estate, on those promises, in contract and alternatively equitable estoppel. The main issues are:
1) Whether (as a matter of fact) Mr Pratt made the alleged promises;

2) If so:

(a) whether the promises were sufficiently certain to amount to a contract;

(b) whether they were intended to create legal relations; and

(c) whether they are unenforceable for public policy reasons;

3) If not enforceable in contract, whether the promises are enforceable by way of equitable estoppel; and

4) Whether Ms Ashton's claims are not maintainable by reason of having been previously compromised and released, in February 2005 or November 2005.
Fans of 'lives of the rich & famous' will presumably enjoy passages such as
Ms Ashton was adamant that her obligations to Mr Pratt did not require that her relationship with him be exclusive, so that she was at liberty to bestow her favours on others also. In about February 2004, Ms Ashton commenced - she says with Mr Pratt's concurrence - a sexual relationship with one Mr Sean Bowman, a bodyguard of Mr Pratt who had apparently intimidating qualities, which relationship continued, at varying degrees of intensity, until mid to late 2005.
I am more enthused by the restatement of law, such as -
Save for tendering some documents, the defendant called no evidence. Mr Gray had sworn an affidavit which had been filed and served, but ultimately was not read. Ms Ashton's evidence therefore was, although strongly challenged, uncontradicted. In these circumstances, it is worth recording the approach of the court to the finding of facts.

The plaintiff bears the onus of proof. In a civil case such as this, the standard to which she must prove her case is the balance of probabilities, but this nonetheless involves "actual persuasion" [Watson v Foxman (1995) 49 NSWLR 315, 319].

18In the case of a claim against a deceased estate founded on the oral utterances of the deceased, which only the deceased could have denied, the Court scrutinises the claimant's evidence closely [Plunkett v Ball (1915) 19 CLR 544, 548-549 (Isaacs J); Bovaird v Frost [2009] NSWSC 337, [45]; Varma v Varma [2010] NSWSC 786, [418]-[422]], and although there is no absolute legal requirement for it, ordinarily looks for some corroboration [Re Hodgson (1886) 31 Ch D 177; Weeks v Hrubala [2008] NSWSC 162, [20] (Young CJ in Eq)].

19In certain circumstances, a court may infer from a party's failure to call a relevant witness that the evidence such a witness would have given would not have assisted the party's case, so as to enable the more ready drawing of adverse inferences otherwise available on the evidence [Jones v Dunkel (1959) 101 CLR 298]. This does not arise unless it is established that the relevant witness has relevant knowledge to put before the Court, and is under the control of the party who might be expected to have called that witness, or at least is not practically available to the other party [Payne v Parker [1976] 1 NSWLR 191, 196, 197].

There are many reasons for doubting the reliability of Ms Ashton's version. These include that she (orally) denied having had a drug habit in late 2004 and 2005, when her affidavit evidence referred to "my habit at that time" - which she incredibly explained as a reference to her not having a drug habit at the time; that she denied any knowledge of Mr Bowman seeing a woman by the name Michelle, when in a statement to police in early 2006 she had asserted that he was doing so; and that she was unable to explain why her claim included $500,000 per annum allowance for some years after Mr Pratt's death. Further, for reasons that will appear, I have found myself quite unable to accept Ms Ashton's claims to have had a telephone conversation as she claims with Mr Pratt on 11 February 2005.

More fundamentally, while Ms Ashton's Statement of Claim pleaded that the relationship came to an end in 2004, and her affidavit evidence was to the same general effect, her oral evidence was that their relationship continued, albeit much more sporadically, until late 2005. However, the telephone records of the parties provides strong evidence that their "relationship", such as it was, had concluded by about April 2004, which corresponds with when Mr Pratt resumed his relationship with Ms Hitchcock, and Ms Ashton commenced a relationship with Mr Pratt's bodyguard, Mr Bowman. Between 7 May and 19 July 2004, there was telephone contact between them on only three days. Thereafter, the next telephone contact was on 17 January 2005. The tenor of Ms Ashton's 19 January 2005 letter is against there being an on-going "mistress" relationship at that time. The records evidence one short (1 minute) telephone call by Ms Ashton to Mr Pratt on 19 January 2005, another (2 minutes) on 25 January, and several on 7 February 2005, but none thereafter. As well as the telephone records being devoid of any evidence of later contact between them, Ms Ashton was unable to name any person who saw them together after mid 2004 - which was not assisted by her unconvincing resort to Mr Pratt's driver and concierge, when she was later to say that they did not in any event meet at his apartment at that time. I therefore do not accept her assertion of an on-going relationship with Mr Pratt after mid-2004.

Moreover, as was pointed out on behalf of the defendant, there were some differences between the version in Ms Ashton's affidavit, and the version in her verified pleading. The pleaded version was that Mr Pratt promised to establish a trust fund of $2.5 million for each of her two children "to be managed by the plaintiff for the benefit of the said children who are presently minors" - not that he would make the arrangements for setting up of the trust, as her affidavit version describes. Secondly, it was pleaded that Mr Pratt would pay the rent on her rented apartment, when the affidavit version was that he would pay rent for her if she moved out of that apartment. But I do not find those discrepancies particularly telling. Reference was also made to the circumstance that the pleading referred to a "retainer of $500,000 nett of taxation", while the affidavit referred to it being "tax free"; I see no significance at all in this supposed discrepancy.

On the other hand, in the context of the extraordinary wealth involved and the extraordinary circumstances of this extraordinary case, including the evidence bearing on Mr Pratts' relationship with Ms Hitchcock, I do not accept that Ms Ashton's account is inherently incredible. Some corroboration, albeit not independent, of Ms Ashton's version of the critical November 2003 conversation is provided by her letter of 19 January 2005. About it, the following observations must be made. First, it does not refer to the alleged allowance of $500,000 per annum, which - at least on one view - was the most significant of the alleged promises. Ms Ashton says that she raised this in her subsequent telephone conversation with Mr Pratt, and described its omission from the letter as a "huge mistake". Secondly, the letter does not assert an entitlement to be paid in accordance with the promises, but seeks a "payment figure" by way of "financial help"; it asks for a payment in the light of damage to Ms Ashton's reputation said to have been inflicted by Ms Hitchcock. This tends against a view that the promises were intended to be legally binding and enforceable.

Similarly, some further corroboration is afforded by the circumstance that Ms Ashton consulted solicitors with a view to initiating the present claim in January 2009, while Mr Pratt was alive, at a time when she could not have known that he would soon die, although it was not formally asserted until December 2009, after his death. Nonetheless the claim had been raised by Ms Ashton against Mr Pratt during his lifetime, in the 19 January 2005 letter, at a time when he was able to answer it, and in circumstances in which, even after his death, Mr Gray became sufficiently appraised of it to be able to answer it. At least to an extent, this distinguishes her claim from those which typically attract the rigours of Plunkett v Ball and Re Hodgson. ...

I therefore find, on balance, that Ms Ashton and Mr Pratt had a conversation in or about November 2003 substantially to the effect deposed to by Ms Ashton, in which he told her that he would establish trusts of $2.5 million for each of her two children, pay her an allowance of $500,000 per year, pay up to $36,000 per annum for rental accommodation for her (or buy her a house in the eastern suburbs), and pay $30,000 per annum for her business expenses, particularly travel.
In considering claims regarding a contract between the cardboard czar and Ms Ashton the Court comments that -
I do not accept that the terms of the arrangements discussed in the November 2003 conversation are too uncertain and incomplete to make a contract. Nonetheless, I am unpersuaded that Mr Pratt and Ms Ashton intended to make a contract. In the absence of express statement that their arrangements were or were not intended to be legally binding, intention to create legal relations is an inference of fact, determined objectively; accordingly, Ms Ashton's subjective intentions in that respect are not relevant [Ermogenous v Greek Orthodox Community of SA Inc (2002) 209 CLR 95, 105-7, [24]-[28]; Darmanin v Cowan [2010] NSWSC 1118, [204]-[215]].

Family, social, and domestic arrangements do not normally give rise to binding contracts, because the parties lack the necessary intention [Teen Ranch Pty Ltd v Brown (1995) 87 IR 308, 310 (Handley JA, referring to Balfour v Balfour [1919] 2 KB 571)]. In Balfour, a husband's promise to pay his wife an allowance of 30 per month until she could rejoin him in Ceylon was held not binding for lack of intent that it be legally enforceable. In Cohen v Cohen (1929) 42 CLR 91, Dixon J (as he then was) held an arrangement between intending husband and wife as to a dress allowance to be not a contract (at 96):
The parties did no more, in my view, than discuss and concur in a proposal for the regular allowance to the wife of a sum which they considered appropriate to their circumstances at the time of marriage.
In Jones v Padavatton [1969] 2 All ER 616, a mother's promise to maintain her daughter at a specified rate if she would go to England and read for the Bar with a view to later practising in Trinidad was held not legally binding, notwithstanding that performance would necessitate the daughter abandoning secure accommodation and employment in Washington and her teenage son's education there. The court found that the arrangement between the mother and daughter was a family arrangement depending on the good faith of the parties in keeping the promises made and was not intended to be a binding agreement. The daughter's claim thus failed. Salmon LJ said (at 621):
Did the parties intend the arrangement to be legally binding? This question has to be solved by applying what is sometimes (although perhaps unfortunately) called an objective test. The court has to consider what the parties said and wrote in light of all the surrounding circumstances, and then decide whether the true inference is that the ordinary man and woman, speaking or writing thus in such circumstances, would have intended to create a legally binding agreement.
As Ward J has recently explained in Darmanin (at [206]), there is a rebuttable presumption of fact that arrangements or agreements made in a family are not intended to have legal force, the rationale being that, at the time of making the alleged promise, the parties would not have regarded their arrangements in terms of legal consequences. As her Honour also explained (at [207]), this presumption has been applied beyond the family context to other social and domestic arrangements [citing, as examples, Coward v Motor Insurer's Bureau [1963] 1 QB 259; Buckpitt v Oates [1968] 1 All ER 1145; and Parker v Clark [1960] 1 All ER 93].

As I observed in Bovaird v Frost (at [52]), there are of course many examples of cases involving promises to confer benefits on a friend or relative, in consideration of the latter taking up residence with the former or rendering household or personal services, in which the requisite intention to create legal rights and obligations has been found - particularly where implementation of the arrangement involved the promisee leaving existing advantages or selling an existing residence [Wakeling v Ripley (1951) 51 SR (NSW) 183; Todd v Nicol [1957] SASR 72; Parker v Clark; Schaefer v Schumann [1972] AC 572; Tanner v Tanner [1975] 1 WLR 1346; Raffaele v Raffaele [1962] WAR 29; Re Gonin (deceased) [1979] Ch 16]. In Wakeling v Ripely, the act of the plaintiff in leaving a salaried position in Cambridge on the faith of a promise to take up accommodation in Bowral, was considered so serious that it would have been obvious to the defendants that the plaintiffs were relying upon what was considered a definite assurance and a definite agreement, such that it could be inferred that there was an intention to create legal relations; this may be contrasted with Jones v Padavatton, supra. But in this context it is also recognised that a sacrifice might be made in reliance upon a promise on the basis simply of trust in the promisor to honour the promise of support, not because of an intention to create legally binding relations [see Jones v Padavatton, 625 (Fenton Atkinson LJ); Darmanin, [209]].

In the present case, the intent of the arrangements was to establish the basis of the relationship of "mistress". The context was social. Although Ms Ashton agreed not to return to the escort industry, she had already left it and was already embarked on establishing an alternative business, so it was not as if it was obvious that she was relying on an enforceable promise. The parties neither sought legal advice, nor recorded their agreement in writing. Ordinary people in their position would not have intended that in the event that either did not fulfil their respective promises, the other could enforce the promise in a court. There is considerable force in the defendant's submission that it would not have been envisaged that, if Ms Ashton returned to the escort industry, Mr Pratt could obtain an injunction to restrain her; nor that if she did not fully perform the role of "mistress", he could claim damages for disappointment. ...

While in my view this is a case in which the presumption applies and is not rebutted, I am in any event satisfied that the parties did not in November 2003 intend to make a contract. The conclusion which I have reached below on the public policy issue also favours the view that the parties did not intend to create legal relations.
What about public policy?
The defendant did not plead a defence that any such contract as was asserted by the plaintiff was void, illegal or unenforceable on grounds of public policy. However, in my opinion, where a court forms the view that a contract may be void, illegal or unenforceable on public policy grounds, it is bound to address the issue, even if the parties prefer to ignore it [cf Hyde Park Residence Ltd v Yelland [2001] Ch 143, 160 [44]]. In this case, the attention of the parties was drawn to the matter and submissions on it invited; and although not adopted by the defendant, senior counsel for the plaintiff in response made oral and written submissions and referred to some relevant authorities on the issue ...

One of the heads of public policy under which contracts have traditionally and conventionally been held void and illegal is that they are sexually immoral and/or prejudicial to the status of marriage. In Girardy v Richardson (1793) 1 Esp Cas 13, 170 ER 275, Lord Kenyon CJ held that where the wife of the plaintiff - who managed the business of his house in letting the lodgings - let rooms to the defendant who was a "woman of the town", knowing of the defendant's mode of life, the contract for use and occupation of the rooms upon which the plaintiff sued was " contra bonos mores " and could not found an action. The classic case is Pearce v Brooks (1866) LR 1 Exch 213, in which the plaintiffs let on hire to the defendant, a prostitute, a new horse-drawn vehicle, with knowledge that it was to be used in the course of her trade. The contract was held illegal on the ground of sexual immorality. In Upfill v Wright [1911] 1 KB 506, the plaintiff by his agent let a flat to the defendant for a term of three years, the agent knowing that the defendant was the mistress of a certain man, and assuming that the rent would be provided by that man on account of her being a "kept woman". The court held that as the flat was let for an immoral purpose, the plaintiff was not entitled to recover the rent.

In more modern times, the House of Lords in Fender v St. John-Mildmay [1938] AC 1 held that a promise made by a spouse, after a decree nisi for the dissolution of the marriage had been pronounced, to marry a third person after the decree became absolute, was not void as being against public policy. But Lord Wright explained (at 42) (emphasis added):
The law will not enforce an immoral promise, such as a promise between a man and woman to live together without being married, or to pay a sum of money or to give some other consideration in return for immoral association . But nothing of the sort was suggested in this case. On the contrary, the promise, if carried out, would have regularized an immoral association. English law recognises the right of divorced people to marry though their former consorts are alive. The law has furthermore sacrificed a rigid idea of morality to the idea of making reparation by enforcing obligations under seal by a man to pay money to a woman in respect of past immoral cohabitation, though it might have been said that to enforce such obligations tended to encourage immorality.
... Changes in social mores have resulted in a more liberal attitude to contracts providing for or relating to extramarital cohabitation, such that a contract is no longer to be regarded as contrary to public policy merely because the parties are living together in a de facto relationship [Carter Peden and Tolhurst, Contract Law in Australia, 5th ed, [25-32]]. But the old rule has not been completely obliterated. The question is, what is its remaining content?

In Queensland, in Andrews v Parker [1973] Qd R 93, the parties lived together in a de facto relationship. Subsequently, the man agreed to transfer title in his house to the woman subject to terms including that she reconvey the title if she returned to her husband. In due course she did, and asked the plaintiff to leave the house, offering to pay $4,000. The man left but the woman failed to pay. Stable J held that the original agreement to transfer the house was not contrary to public policy as it did not bring about a state of extramarital cohabitation , because one already existed. His Honour said that the court was not to judge the actions of the parties in the light of the 19th century cases, and was bound to apply the public policy of the day and to consider contemporary moral standards. An important point, however, is that the contract did not bring about a state of extramarital cohabitation: it already existed.

In England, in Horrocks v Forray [1976] 1 WLR 230, the defendant - the mistress of a man - bore him a daughter, whom the man thereafter wholly maintained and supported providing living accommodation, clothing, holidays and day-to-day expenses. He subsequently bought a house and told the solicitor that it was for the defendant and her daughter, whom he installed in it, though not conveying it to her. Upon his death in a motor vehicle accident, by his will all his estate devolved on his wife; neither she nor his executors had known of his association with the defendant nor of the purchase of the house. The executors brought an action for possession of the premises on the ground that the defendant's licence terminated on the man's death. She contended that she had a contractual licence to live there for life or while her daughter was of school age. The Court of Appeal upheld the County Court judge's decision that the circumstance that the man intended to provide some security for the defendant was insufficient to bring into existence a binding contract in the nature of a licence, and in all the circumstances there was no evidence justifying the inference that she had a contractual licence. This result was reached without reliance on public policy considerations, but Scarman LJ said (at 239):
When an illegitimate child has been born, there is certainly nothing contrary to public policy in the parents coming to an agreement, which they intend to be binding in law, for the maintenance of the child and the mother. Parents of an illegitimate child have obligations towards the child. So far from its being contrary to public policy that those obligations should be regulated by contract, I would have thought it was in the public interest that they should be so.
... The New South Wales Court of Appeal held, in Seidler v Schallhofer [1982] 2 NSWLR 80, that an agreement which provided for the continuation of a de facto relationship for a specified period and thereafter for marriage or separation was not void as being contrary to public policy, because the "immorality" of the relationship was already in existence when the agreement was executed, so that the agreement merely formalised what was to happen to the financial aspects of the relationship once the cohabitation came to an end. Further, it was said that the concept of public policy had changed - as appeared from, amongst other factors, Commonwealth and State legislation which ameliorated the consequences of extramarital associations - at least to the extent of allowing such an agreement to be enforced. ...

In Nichols v Nichols (Supreme Court of New South Wales, Needham J, 12 December 1986, unreported) the plaintiff who lived principally with his wife and family had a sexual relationship with the defendant, whom he supported including by paying her rent; they had children, whom he also supported. He purchased a flat and installed the defendant and their sons in it, where he spent at least one night per week. ...

It is now provided by statute that notwithstanding any rule of public policy to the contrary, two persons who are not married may enter into a domestic relationship agreement or termination agreement which is enforceable in accordance with the law of contract [(NSW) Property (Relationships) Act 1984, s 45, s 46]. But as the relationship between Mr Pratt and Ms Ashton did not contemplate cohabitation, it was not a domestic relationship within the Act.

In the more recent cases to which reference has been made, there are two notable features that have saved the relevant contract from illegality on the grounds of immorality: the first is that the contract did not bring about a state of extramarital cohabitation, but made provision in respect of one that already existed; and the second is that it did not involve meretricious sexual services, but a sexual relationship as part only of a wider relationship that included cohabitation and aspects of mutual support. As Hope JA pointed out in Seidler v Schallhofer (at 87), the effect of what Lord Wright said in Fender was that the agreement was not illegal as tending to encourage sexual immorality because the immorality already existed, and although the effect of the promise would be to continue it, the purpose of the promise was to bring it to an end after the divorce decree became absolute.

So far as I can tell, no case stands contrary to the proposition that it is still the law that a contract to provide meretricious sexual services is contrary to public policy and illegal. Seidler v Schallhofer said as much in 1982, as did Marvin v Marvin in 1976 in California. While social mores have no doubt continued to change, as authority stands such a contract remains contrary to public policy and illegal. This view of the law is confirmed by Markulin v Drew (New South Wales Supreme Court, Young J, 12 August 1993, unreported), which bears considerable similarity to the present case. The plaintiff (woman) alleged a contract whereby she was "to see the deceased every three months as well as telephoning him occasionally, and the deceased would pay her $40,000 clear per year, purchase her a 'top' car and a beautiful home anywhere in Sydney she'd like to live, as well as providing a large sum of money which would be sufficient for the plaintiff to live on for the rest of her life without working for a living". Illegality (for promoting sexual immorality) was pleaded as a defence. Young J (as his Honour then was) reviewed the authorities, and, adopting the statement in Treitel on Contracts, 8 th ed, 390-392, that "a distinction is now drawn between contracts with purely meretricious purposes and those which are intended to regulate stable extra marital relationships", accepted that neither in England nor Australia did the law now refuse to enforce as illegal contracts which involved cohabitation between people who are not married to each other - even if one or both of them is married to someone else - but also observed that the former rule had not been completely deprived of content. His Honour explained:
Accordingly the distinction that Treitel is making is between a man and a woman who are sharing a life together though not married including sexual relations on the one hand and a man and a woman who are living independent lives but the man is rewarding the woman for sexual services which she provides from time to time. Indeed, in this modern age it may be that it is the woman who is rewarding the man for sexual services he provides from time to time.

It should be remembered, however, that traditionally there were in fact three classes of cases: (i) a contract of cohabitation; (ii) a contract by a man with a woman to provide occasional sexual services; and (iii) an agreement with a common prostitute. Cases such as Bainham v Manning (1691) 23 ER 756 suggest that while relief would not be given to a man against a bond he had given to a common strumpet or prostitute, equity would not countenance a transaction whereby a man had given a bond to a housekeeper to secure a sum of money to her if she provided "secret services", presuming attending on her master for sex if required. Accordingly, "meretricious" probably means not a contract with a prostitute, but a contract treating a woman as if she were a prostitute.
The arrangements between Ms Ashton and Mr Pratt involved none of the saving graces which enabled a different result to be reached in the cases to which I have referred. Those arrangements were not made to facilitate continuation of an existing cohabitation, but to establish the "mistress relationship". The evidence does not reveal a relationship, or consideration, beyond "meretricious sexual services". In my view, on the current state of the authorities, the arrangements were contrary to public policy and illegal in the relevant sense. Had they otherwise constituted a contract, it would have been void as contrary to public policy.
The Court's conclusion is that -
Ms Ashton and Mr Pratt had a conversation in or about November 2003 substantially to the effect deposed to by Ms Ashton, in which he told her that he would establish trusts of $2.5 million for each of her two children, pay her an allowance of $500,000 per year, pay up to $36,000 per annum for rental accommodation for her (or buy her a house in the eastern suburbs), and pay $30,000 per annum for her business expenses, particularly travel.

However, Ms Ashton's case in contract fails - although the terms of those arrangements were not too uncertain and incomplete to amount to a contract - first because Mr Pratt and Ms Ashton did not intend to enter into binding and enforceable legal relations, and secondly because public policy denies enforceability to any such contract as alleged.

Ms Ashton's estoppel claim also fails, first because she incurred no relevant detriment, and secondly because of the same public policy, the operation of which is not limited to contractual claims.

Moreover, Ms Ashton's claims are not maintainable, because they were the subject of an accord and satisfaction in February 2005, when she accepted $100,000 in full and final satisfaction of all her claims against Mr Pratt; and they were again released in November 2005.