The ISPAs 2010

Thursday night (8th July) was a glittering night for the Internet industry - the annual ISPA Awards bash at the Marriott Hotel in Grosvenor Square. After all the testing and all the submissions it was time to hear the judges verdict.

The awards are the Internet industry’s chance to recognise good practice and good performance. Over the last 12 years they have changed with new categories and new means of assessing performance in the ISP Division. The ISP Division recognises best practice across hosting, customer service, consumer and business broadband etc. The Times noted that the ISPAs were, ‘The awards that could have the most direct bearing on your life’ and the Daily Mirror called it, ‘The Internet event of the year’. Whatever, it is without doubt keenly awaited by those in the industry and keenly commented by customers and others.

Congratulations to all those who won. The Crusher was pleased to see the team at NewNet picking up another piece of acrylic to add to the two previous awards - this year in the class of Best Dedicated Hosting. Well done to the NewNet team and to all those who won in the ISP Division.

But, it is the Special Awards that arise more interest. New categories here for digital inclusion (Bolton Literacy Trust) and for Internet Safety (Childnet), Access Innovation (The Alston, Cumbria, CyberMoor project with a special commendation to SW Internet CIC) and Corporate Social Responsibility (Orange).

At the end of the evening there are two awards that evoke much wider interest - the Internet Hero and the Internet Villain award. Now, in years past The Crusher was pleased to nominate someone who was then awarded the Internet Villain prize so there is always a little more than minor interest here.

What was interesting this year was that both awards recognised different sides of the same thing - the passage through Parliament of the Digital Economy Bill to become the Digital Economy Act. ISPA Council members bestowed the Internet Hero Award upon Tom Watson MP for leading the opposition to the parliamentary fight against the Digital Economy Bill and continuing the campaign to ensure an informed approach to the Act. Well done Tom - your actions in the House of Commons and your speech in the final parts were an inspiration and made it clear that there was not a common cross-party consensus.

The passage of the Digital Economy Bill was fraught and was not helped by changes being made during the consultation period and then by inclusion within the final ‘wash-up’ stages before the end of the parliamentary session and the General Election. There were a number of nominations for the Internet Villain award, all in their own right quite worthy recipients, but in the end, the winner was a shoe-in for the award. It was the Dark Lord himself, Lord Mandelson, formerly Secretary of State for Business and Skills, who had steered the Digital Economy Bill through the various processes. The change that was made during the consultation phase coincided with a weekend meeting with a major rights owner and the final stages were a sham, forcing through legislation that was deeply unpopular and which made fundamental changes to the due process of law.

So, a worthy villain. Sadly, Lord Mandelson was not available to collect his award in person. What a shame - would have been a great appearance and a great acceptance speech!

The new coalition governement has now invited the public to suggest law that should be removed, replaced or amended. Inviting the public to comment is always a risk (a request to introduce a law ‘to allow me to marry my horse’) but sometimes shows popular unrest and resentment. No surprises really to see that some of the largest number of comments and requests related to repeal of the Digital Economy Act. So, it is over to you government, you asked and now you have been told. DEA must go!

Tempus fugit II …..

Time flees as the Latin tag says (perhaps more commonly recognised as ‘Time Flies’) and it certainly seems to be the case with Data Retention.

It seems just a short time ago that we were watching the progress of the Directive through the European parliamentary system, from introduction through discussion (is that really the right word for the actions of the UK Presidency in 2005?) to amendment and then to final acceptance and transposition to national law.

In the UK we were there at the beginning, transposing the first parts to apply to fixed line and mobile telephony. 18 months later came the inclusion of Internet data. The interesting bits were the differences between national transpositions - some elected for retention for as little as 6 months, others for 12 and some for as long as 24 months (but would have liked longer). The UK opted to allow for reimbursement of capital expenditure and the provision in relation to Internet data seems to pay only slight compliance - requiring retention of data only where the national authorities deem that it is necessary.

Some member states have only brought data retention within national law in recent months - Portugal in August 2009, Italy at the end of 2009 and Poland only at the beginning of 2010 (UK, 1st phase Sept 2006, 2nd phase March 2008). There remain a number of member states where data retention has still not been applied - Austria, Belgium, Greece, Ireland, Luxembourg, Romania, Sweden - so much for the idea of ensuring a common approach to law enforcement.

But, time flies. The implementation of the Data Retention Directive provided for an evaluation of the Directive. The time has now come for that evaluation and a number of conferences and meetings have taken place. The results of evaluation will be published later in the year, probably in October 2010. After that, the Commission will begin the processes that will lead to proposals for a revised Directive, probably by the end of 2011 with expected implementation by 2014.

It is too early to say what that new Directive may include, but undoubtedly there will be pressure to expand the range of retained data to include a wider range of Information society services - The Crusher would expect to see pressure for the inclusion of social networking data and web site access. There may be some agreement on a reduction in the range of the approved time scales -although as most members currently retain for 12 months this is unlikely to affect the majority (including the UK).

The evaluation report from the Commission does include some interesting data relating to the number of requests for access to retained data in 2008.

Clearly there are wide variations in the raw number of requests with France and the UK heading the number of actual requests. Of course, both have fairly high populations so it is reasonable that there should be a large number of requests. But, when the figures are compared against the national populations the data requests become more interesting. the right hand column shows the number of data requests per 100,000 of population. Under this order, Lithuania shows a massive 2239 requests per 100K with the UK behind France at a much lower 769. Yet Cyprus only requests data at the rate of 3 per 100,000!

Of course, there will be variations in what is perceived as relevant crime and the use of data to locate rather than to determine specific use. It may well be that the larger number of requests are being used more as a location tool than as a more detailed investigatory procedure. But, the figure for Lithuania is so much greater than others it does rather beg the question what use is being made of retained data in that small state? Perhaps there remains an investigatory throwback to a prevous regime - although the lower (far lower) figures for neighbouring Estonia and Latvia may negate that suggestion.

Interesting data - it will be interesting to watch what comes out of the Commission in late summer/autumn 2010.

Tempus fugit …..

Where does the time go? It seems only just a few weeks ago that we were discussing the ramifications of the proposal for a European Data Retention Directive. The reality is that this was now five years ago and the major discussions took place during the UK Presidency of the European Union in the second half of 2005.

We are now fast approaching the date set within the Directive for the European Commission to report to the European Parliament and the Council on the working of the Directive and its impact on the economic operators and consumers. The date for the submission of the evaluation is 15th September 2010 - just 6 months away now. As a result of the evaluation, the Commission will determine whether it is necessary to amend the provisions, particularly in relation to the nature of the data to be retained and the period of retention. The results of evaluation must be made public.

In the background to the imminent evaluation there are some interesting developments and it is clear that the Directive has not yet been applied across all member states of the European Union.

On March 2nd, the German Constitutional Court ruled that the implementation of the Directive in Germany was in contravention of the German Constitution. Der Spiegel reported on Wednesday 3rd March that the Court had ruled that data collected and retained under the (now unconstitutional) law was to be deleted with immediate effect and that strict controls were to be brought into place before the law could be re-introduced. The case has taken some two years to progress but was brought as a class action on behalf of some 35,000 German citizens who argued that the new law went too far.

The court agreed and said that there was insufficient clarity in the reasons for the retention of data and that there were insufficient safeguards on the data once retained. A key point here is that the Constitutional Court has struck down the German implementation of the Data Retention Directive, not the Directive itself. The German government must now look at the decision of the Court and consider the safeguards that must be put into place before it can draft a new law and introduce that. It is certain that there will now be intense public scrutiny.

Belgium also faces an interesting period, particularly as it is scheduled to take over the rotating Presidency later in the year and will be ‘in the hot seat’ when the evaluation of the Directive is due to be presented. The transposition of the Directive into national (Belgian) law has taken some time and there has been considerable and vocal opposition to the Government proposals. The proposals went much further than provided for within the Directive including banking data and use of the data beyond what may be determined as ’serious crime’. The Belgian proposals also called for the retention of data at the maximum period (24 months) provided for within the Directive. The initial proposals attracted a negative response from the Belgian data protection agency, an almost unheard of situation - although that eventually was turned around to a more positive response when the proposals were watered down time scales pulled back to a more standard 12 months.

The Belgian proposals have not yet completed the parliamentary process. In the last couple of months, Belgian ministers have been trying to reach consensus with stakeholder groups to see if they can bring forward a new law before June. That is an important date - the rotating Presidency comes to Belgium on 1st July and the government wants to prevent the country from critiscism about their failure to implement whilst they are also supposed to be leading discussions on evaluation.

It is clear that some Belgian politicians had been awaiting the outcome of the case before the German constitutional court. That is now clear - it remains to be seen how this may affect the Belgian transposition.

Disconnection or Suspension?

What’s in a word? Is there really a difference between ‘disconnection’ and ’suspension’? Are we now approaching an end game in which the Government will want to make small changes to the Digital Economy Bill in order to ensure that it passes through the Parliamentary process with the minimum of problems before the Prime Minister calls the General Election?

Well, the PM is the only one who knows the date of the election - or so we are led to believe. Smart suggestions have tagged the 6th May as the day, coinciding with the district council elections, but there have been suggestions in mid-February that the PM may decide to call the election earlier, particularly if there appears to be a double dip within the recession.

The Digital Economy Bill has been progressing through discussion in the House of Lords with a succession of amendments being laid before the House, withdrawn or incorporated. The Bill has now been through the Committee stage and will move on to the Report stage with further line by line examination on 1st March. After completion of the Lords stage, the Bill will move on to the Commons for further stages - 1st and 2nd readings, Report stage, 3rd reading and consideration of amendments. The Crusher continues to think that these stages have the possibility of taking more Parliamentary time than will be available.

However, it is noticeable that there have been changes to the Bill. Much trumpeted at the beginning of the process was the inclusion of powers to allow the disconnection of internet service for those found to have been engaged in file-sharing. There had been some suggestion, maybe incorrect but widely publicised at the time, that changes were introduced by the Secretary of State following a weekend meeting with a Hollywood producer, changes that would have hardened up the response to potential file-sharing.

Now, it seems that the Government is back-tracking. A response to a No 10 Petition sets out the Government’s position and that it considers there should be economic recompense for those engaged in creative production. No problem there, and the response goes on to indicate, “that [the Bill] require[s] ISPs to write to their customers whose accounts had been identified by a rights holder as having been used for illegal down loading of their material. In the cases of the most serious infringers, if a rights holder obtains a court order, the ISP would have to provide information so that the rights holder can take targeted court action.” Little difference there to the current procedures where most ISPs pass on notifications of potential abuse and discuss with their customers and where some (ISPs) have been the subject of court action to release details of customers to rights owners.

The interesting line comes later, “We will not terminate the accounts of infringers - it is very hard to see how this could be deemed proportionate except in the most extreme – and therefore probably criminal – cases.” This appears to be a step back from the previous position and may have more than a passing nod to the discussions emanating from Brussels - where it is clear that access to broadband internet is seen as a basic right.

“We will not terminate” - that is the interesting bit and really comes back to ‘disconnection.’ What’s in a word? If you terminate or disconnect an ADSL circuit then the ISP puts an order to the wholesale provider to physically disconnect the circuit at the exchange, to remove the inter-connect on the frame between the PSTN and the ADSL mux. BT raise a charge for this, a charge that is now passed on by most ISPs to end-users. Terminate and you will be charged - ISPs will not want to bear the costs of this and will probably find it difficult to recoup costs from either end user or from rights owner. When the end user wants to re-connect there will be a standard connection charge applied by the wholesale provider. Now, suspend and the link to the internet is removed at the ISP (block the authentication request) but the physical link remains in place. To the end user there is still no access but there is no charge for disconnection and no charge for re-connection (add those two together and you are talking about quite a susbtantial penalty) and the ISP only needs to permit the authentication again when the suspension is served. Depending on the terms of the service agreement, the end user could find themselves liable for on-going circuit charges during the suspension (the wholesale provider will continue to levy these).

In terms that the end user will understand there may be little effective difference (until the charges roll in), they will still be unable to access the internet. French legislation (the ‘Hadopi’ law) suggests that suspension may be applied for up to 12 months - that will pretty much seem like termination to the user - there does now need to be some indication within the UK process as to what the terms of suspension may be.

There do appear to be movements in other areas. An end user may wish to appeal against a decision to apply ‘technical measures’. There does now seem to be some change to the appeal process and to the way in whcih the measures will be applied by Ofcom. This may be particularly important where an end user has a wireless network and someone unknown accesses the network and uses it for file-sharing. If the subscriber can show that they took reasonable measures to prevent access (although the exact nature of ‘reasonable measures’ is not explained) then they may well have a good case for appeal.

There is now no option for the introduction of immediate suspension - technical measures will not be able to be introduced for at least 12 months after the coming into force of the initial obligations code. No suspensions until April 2011 at the earliest (and then likely to be another Government that will take the hit!).

It may well be that the politicians are playing with words before an election - but there are differences between termination and suspension. What we now need is some clarity as to what the intention is in relation to length of suspension - 1 week for first offence, 1 month for second etc.

Whither ‘mere conduit’?

‘Mere conduit’ is a defence - laid down within the European e-Commerce Directive and transposed to UK law within the Electronic Commerce (EC Directive) Regulations 2000 - that allows an intermediary, typically an Internet Service Provider, to limit liability for illegal activity. This follows on from the accepted position that a mail carrier (Royal Mail etc.) is not liable for the contents of mail that it carries - provided that it does not know what is in the package.

Article 12 of the European Directive sets out the position:

‘Mere conduit’

1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:

(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.

2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.

So, that seems reasonably clear. An Internet Service Provider (ISP) is an intermediary - they carry traffic across their network, they do not initiate the traffic, they do not select the recipient and they carry it without selection or modification. Provided they adhere to the conditions then they may claim a defence of mere conduit and cannot be held liable for, say, the transmission of illegal criminal content (child abuse content) or unlawful content (Peer 2 Peer file sharing). The problem for the ISP comes when they are told about the traffic or otherwise become aware. Once an ISP is ‘put on notice’ then they must take action.

OK, so why is there a question mark over ‘mere conduit’, what appears to be a well established point of law. The problem, as so many affecting ISPs today, has derived from the peer 2 peer discussion. We know that pressure from the industry has resulted in the ‘3-strikes and you’re out’ process - shortly to be incorporated within the UK Digital Economy Bill. Now it seems that the rights industry has been able to exert pressure in other areas and the outcome of this could be important for the intermediary.

The problem area is ACTA. AC what you say - ACTA stands for the Anti-Counterfeiting Trade Agreement. OK, what has that got to do with ISPs. Governments have been engaged in a series of discussions, the most recent of which have taken place in Seoul, South Korea, to look at the updating of laws to protect intellectual property. Most readers will be familiar with actions brought against online auction houses (e-Bay) alleging collusion in the sale of counterfeit goods diluting the trademark interests of well known luxury brand names. Other actions have been taken by Customs and Trading Standards officers to confiscate counterfeit goods - sunglasses, handbags, rip-off DVDs etc. That all seems fairly straight forward and expected.

The problem comes with the extension of the counterfeiting argument to copyright infringement in the electronic environment. Hints of the nature of the Seoul discussions appeared in leaked preparatory papers. An European Commission (DG Trade) document in September indicated that the EU and US had engaged in discussion in Washington as part of the Intellectual Property Rights Work Group. Within those discussions, a side meeting had been held to discuss the US preparation of the future Internet Chapter of the ACTA. At that time the US delegation indicated that they had been working for some while on the chapter and had engaged in discussion with other Govt. agencies and with interested private stakeholders (not defined or named as these were bound by NDAs). The US delegation gave an oral presentation to the EU Trade group. It is now clear that discussions in Seoul have followed the inital oral advice and that the US drafted chapter appears to follow the provisions of the US Digital Millennium Copyright Act (DMCA)

ACTA requires that ACTA members (Government/member state signatories) have to provde for third-party liability; Safe-harbours for liability regarding ISPs to be based on Section 512 of the Digital Millennium Copyright Act and to benefit from safe-harbours, ISPs will need to put in place policies to deter unauthorised storage and transmission of IP infringing content (these might include making changes to customer contracts to allow a graduated response - ie, ‘3-strikes and you’re out’).

The European Parliament has now voted against the ‘3-strikes’ approach - there is development within the new Telecoms Package to be agreed between the European Council and the European Parliament. That is likely to reach consensus with provisions to allow a ‘3-strikes’ approach but perhaps subject to appeal or judicial oversight.

There is more amongst the discussion from Seoul. It would appear that rights owners will be able to initiate proceedings against intermediaries alleging that they have allowed their networks to be used for unlawful activities. European ISPs have long known that US based rights owners would like to see the European protection removed and brought into line with the US DMCA practice. In order to claim safe-harbour protection the European intermediaries would need to ensure that they, ‘put in place policies to deter unauthorized storage and transmission of IP infringing content.’ That is a wholly different approach to the current status, transferring the onus to the ISP. The EDRI newsletter notes, “European citizens should be concerned and indignant. As reported, the ACTA Internet provisions would also appear to be inconsistent with the EU eCommerce Directive and existing national law, as Joe McNamee, the European Affairs Coordinator of EDRi notes: “The Commission appears to be opening up ISPs to third party liability, even though the European Parliament has expressly said this mustn’t happen, ACTA looks likely to erode European citizens’ civil liberties.”

There has been real concern about the nature of the discussions - and the secrecy within which they have been conducted. The EU leaked paper noted, ‘As agreed among ACTA participants, the negotiating papers are not public documents’. The Washington Post noted that civil rights organisations had written to President Obama to complain about the lack of transparency.

The Washington Post article noted. ‘The groups, which include Public Knowledge and the Sunlight Foundation, wrote in a letter that the secrecy of the process – and on an issue that could have broad implications for Web users – could unfairly the benefit content providers that are most actively involved in the process.

“We applaud your promise of a more transparent, collaborative and participatory government,” the groups wrote. “However, multiple aspects of ACTA fail to meet these standards.”

The Swedish Presidency has published a note about the 6th round of negotiations. The Swedish note notes, ‘discussions at the meeting were productive and focused on enforcement of rights in the digital environment and criminal enforcement.’ The note continues, ‘Participants also discussed the importance of transparency including the availability of opportunities for stakeholders and the public in general to provide meaningful input into the negotiating process.’

The opportunity for the public to ‘provide meaningful input’ is important. The next stage of the ACTA negotiations will take place in Mexico in January 2010. With the Lisbon Treaty in full force from 1st December, the EU will represent all member states and any decisions accepted will be implemented for all. The current (Swedish) presidency of the European Union notes that ACTA hopes to reach agreement and implementation early in 2010 - there is not much time left before we might see major changes that will affect ISPs and other third parties. Where will be the opportunity for public consultation and input in this timescale?

Amendment 138 falls out into the Grand Place…….

For some time the European Commission and the European Parliament have been in discussion in relation to the development of a new Telecoms Package, a raft of new laws with the intention of revising and updating the regulatory control of the telecoms industry. Included within the package were updates to the Privacy and Electronic Communications Directive that would impact on the receipt of cookies (commonly used by advertisers and others) by a web browser.

But, the passage of the Telecoms Package was held up by the introduction of an amendment, Amendment 138 which aimed to control the move towards the ‘3 strikes and you’re out’ approach to the regulation of peer to peer file sharing.

The rights industry has been pushing hard for national governments to adopt the ‘3 strikes’ approach as a way of trying to contol the use of file sharing and unlawful copying of rights protected materials. The idea is that users identified as engaged in unlawful filesharing will receive a letter from their ISP to advise that the sharing is unlawful and (in pretty much most cases) in contravention of the ISP acceptable use policy. Experience suggests that the first letter had some effect in about 50% of cases. Many of those responded to confirm deletion of infringing materials and that they would not engage in any further file sharing. For those that continue, a second, stronger letter would be sent before a third letter and then disconnection of internet service.

It is the disconnection that is the problem. Many now consider access to broadband as a basic human right - alongside access to water, power etc. There was political support for the view, including from Mdme Reding, European Commissioner for Information Society. The problem was (is) that disconnection would take place without judicial review and potentially without the option for the accused user to defend their position and argue their innocence. When the Telecoms Package came before the European Parliament it was amended by Amendment 138 to require judicial intervention and oversight before disconnection.

The Amendment provided the clear requirement for a judicial role and in so doing acted as a brake on the proposals by certain European governments to press ahead with legislation to enable ‘3 strikes’. Before any disconnection could take place a rights owner would have to go before a judge and plead a case for disconnection of the user. And, of course, the user would have the opportunity to defend his position. In France, President Sarkozy promoted the ‘Hadopi’ legislation and in the UK, the Digital Britain report and the Business Secretary, Peter Mandelson, engaged in discussions to push ahead with a ‘3 strikes’ approach. It is notable that Peter Mandelson appears to have come out strongly in favour of ‘3 strikes’ since a weekend meeting with a leading producer.

For the European bureaucrats and politicians the groundswell of public support for Amendment 138 provided a problem. Whilst the Amendment was debated it held up progress on the whole Telecoms Package and with the imminent arrival of the Lisbon Treaty conference there was a political need for progression.

Now, at the last minute and just before the conference, there has been agreement in Brussels to accept a watered down version of the amendment Pressure from national governments that will allow them to introduce disconnection for persistent file sharers (and who else the Crusher wonders?).

Jérémie Zimmermann, spokesperson for La Quadrature du Net,(quoted on ISPreview) said: “Amendment 138 was in haste dissolved into useless legalese and soft consensus. The Parliament hurried to get rid of the safeguards of citizens’ freedoms because it knew that with the imminent coming into effect of the Lisbon treaty, both institutions will soon share the legislative power in the field of judicial affairs. And the bad excuses we have heard these past few days to justify to abandon amendment 138 will then be totally obsolete. In the end, the Parliament was not brave enough to stand against the Council to defend citizens’ freedoms.

Ministers of Member States, who want to be able to regulate the Net without interference from the judiciary, were rushing to kill amendment 138 and put an end to the negotiations. It is a shame that the Parliament’s delegation, and especially rapporteur Catherine Trautmann, was not determined enough to use the political context to assert its authority in the European lawmaking process in order to protect European citizens. Even though it has been an interesting and constructive discussion, amendment 138 has turned, by the lack of courage of the delegation, into the emblem of the powerlessness of the Parliament.”

So, in the face of political pressure to reach agreement before the meeting of Heads of State/Prime Ministers to conclude ratification of the Lisbon Treaty and the appointment of a new President of Europe, the Council has over-ridden the European Parliament (which had previously voted substantially in favour of Amendement 138) which has now accepted the reduced version limiting the rights of the citizen.

The way is now clear for those member states who wanted to introduce ‘3-strikes’ to do so. In the UK, Lord Mandelson has now announced actions to be taken against repeat piracy offenders and procedures will be included in the Digital Economy Bill expected to be included in the Queen’s Speech (18th November) with passage through Parliament before the end of the current session.

Lord Mandelson met with Internet industry representatives before the announcement was made. Mandelson asked the Internet industry to consider the proposed ‘3-strikes’ process in the context of the wider business economy (in iother words, consider the impact of filesharing on the revenues of the music industry) and to realise the importance of creativity. The Crusher understands that Lord Mandelson was fairly combative in his approach to the Internet industry but that the industry did make him aware of their concerns about proportionality, cost, options for alternative modes of contents delivery, due process etc.

The devil, as they say, will always be in the detail so it remains now to see how the Digital Economy Bill is drafted in order to see exactly how the ‘3-strikes’ approach will work in the UK. It would seem likely that the rights industry will contribute to the costs of the ISP in communicating with users and that there will be a likely lengthy process before any disconnection take place. It is likely that Ofcom will set up a dispute panel procedure to hear appeals from consumers targetted for disconnection and that Ofcom will collate information relating to the issue of notifications.

But - time is now running out for this Government. A full General Election must be held before June 2010 at the latest. As we are now clearly in the run up to the election and campaigning has been going on for some time, The Crusher wonders whether the Govt. will actually be able to progress the Digital Economy Bill to the Statute Book before dissolution.

The other matter, of course, is in Brussels. The actions there point to the ineffectiveness of the European Parliament. The elected representatives of the European citizenry are over-ruled and kicked into touch by member states acting in the European Council. The European Parliament has no ability to initiate legislation and can only comment and amend - it seems now that their ability to amend has been curtailed in the face of opposition from member states.

Joined up thinking?

The Parliamentary Internet Conference held at Portcullis House, House of Commons, on 15th October was an interesting day - not just an opportunity to hear Ed. Richards (CEO Ofcom), Martha Lane Fox, Stephen Timms and others but also the opportunity for the All Party Communications Group (apComms) to release its report into its inquiry, ‘Can we keep our hands off the net?’

apComms called for evidence and submissions over the summer (during the Parliamentary recess - a period that most people link with lack of work and extra long foreign holidays for our elected servants) and has now put together a report and a series of key recommendations. There are 11 recommendations on a wide range of topics, from Privacy to dealing with illegal (or ‘unlawful’ as the noble Lord, the Earl of Erroll corrected) file sharing, from behavioural advertising to eSafety tuition in schools.

But, The Crusher was rather taken with two recommendations that appear to be at opposite ends of an argument.

There has been much discussion about the likelihood of Government mandating the filtering of child abuse sexual imagery at the network level by ISPs. In 2007, Ministers set a target of 100% consumer broadband circuits to be filtered - so far that target has not been reached although there is suggestion that the proportion of consumer circuits that are now subject to filtering is in the mid to high 90s% range.

Recommendation 7 is that the Government does not legislate to enforce the deployment of blocking systems based on the IWF lists. This has the potential to damage future attempts to fix problems through self-regulation and will thus, in the long term be counterproductive.

The thinking here is that all major ISPs already block access to child abuse images and that any action to force others to take action will be counterproductive as it militates against attempts to find self-regulatory solutions to other problems.

OK, that is fairly clear although there may be some issue with the perception of the extent of current filtering practice. Whilst the number of consumer circuits with filtering in place may be in the mid to high 90% range, these may well be as a result of the actions of fewer than 10 large ISPs. The Crusher understands that the number of ISPs currently implementing child abuse filtering may well only be in the order of 20 to 30 - with some 270 plus mainly medium to small ISPs not currently implementing any form of network level filtering.

The report then goes on to consider the problem of malware infected machines. Now machines that are infected with malware makes them likely to become part of a large scale ‘botnet’ and potential distributed sources of junk email and denial of service attacks. The problem is that the infected machines are not on the ISP network and are machines owned and used by end users who may have greater or lesser understanding of the security implications or needs of always on broadband Internet connectivity.

Recommendation 10 is that there should be a voluntary code for ISPs relating to the detection of and effective dealing with, malware infected machines in the UK. If this voluntary approach fails to yield results in a timely manner, then Ofcom should unilaterally create and impose sich a code on the UK ISP industry.

The report notes that ISPs have systems in place to proactively filter incoming junk mail but do not take actions to filter outgoing junk. The report continues, ‘a reduction in compromised end user machines is essential to make the Internet a dafer place, so the ISPs need to act voluntarily as a group to improve the situation ….. if the ISPs cannot voluntarily agree to act, the report sees Ofcom as the appropriate regulator to impose a compulsory regime.

Interesting stuff. Filtering out material from infected machines will not be easy and will not be cheap - so additional development and application costs for the ISP (and, ultimately the end user). But, note the sting in the tail here - if self-regulation does not work then a compulsory regime should be imposed.

The Crusher sees some lack of joined up thinking here. On the one hand the report suggests that mandatory child sexual abuse imagery filtering should not be applied as it militates against self-regulation in other areas - and then recommends a compulsory regime for filtering the output of malware infected machines, albeit in the event of a failure of self-regulatory approaches.

The Crusher is intrigued: a self regulatory approach has seen pretty well all ISPs implement filtering to identify and remove incoming junk mail and virus infected items. For most that has been a commercial decision but there is undoubtedly a cost for the ISP. Self regulation is now being proposed to require ISPs to filter and remove outgoing junk and infected items. There may also be actions in relation to unlawful (thank you Merlin!) file sharing. But, the one thing that is illegal is to view child sexual abuse imagery (it is a Criminal offence under the Sexual Offences Act to view obscene images of children) - there is self-regulation but mandatory filtering is not recommended. Yet it is for dealing with malware - and as far as I am aware it is not yet a criminal offence to leave one’s Internet connected computer unsecured, without anti-virus or firewall protection.

The apComms group seems to have have worked on elements individually and with application of specific evidence - but the linkage of items from one part to another seems to have failed. Joined up thinking in the final output would have been helpful.

The full copy of the apComms report can be found here

Third strike?

The French ‘3 strikes and you’re out’ approach to Peer to Peer regulation is back in the news again. After the previous version was ruled unconstitutional by the French Constitutional Court the law passed back for further discussion and amendment.

Now, the amended version of the ‘Hadopi’ law has been passed by a vote in the French National Assembly - voting was 285 for, 225 against. However, that is not the end of the process. Although the law has now been cleared in the National Assemby it must still be approved by a commission drawn from both senators and deputies. The majority UMP voted in favour of the law which has the strong backing of President Sarkozy but the opposition Socialist Party has already indicated that it will make a further referral to the Constitutional Court.

The major problem, and the basis for referral, is the provision for withdrawal of Internet access on the order of a ‘‘Haut Autorité’ rather than by order of a judge in court. Opponents argue that a person charged with file sharing and subject to a third notice should be able to defend themselves in court and to challenge evidence presented by rights owners.

This is important as Internet access is now becoming regarded as a human rights issue. The European Parliament is investigating whether or not a withdrawal of Internet access is a breach of human rights - if that is upheld and, particularly, by the ECHR, then proposals such as the French ‘Hadopi’ law willl be ruled out. But the issue is much more fundamental than human rights - if a person is accused of carrying out an activity with a potential penalty then they must be given the right to defend their position and to challenge any evidence brought against them. That is a fundamental position for the courts and it should not (must not) be diluted through the creation of specialist agencies that may not provide the same level of protection for the accused.

Now, the French position is being carefully watched by others. Perhaps no more so than here in the UK where the Secretary of State for Business (Lord Mandelson) has made it clear that he favours a ‘three strikes’ and you’re out approach. Now this was initially rejected by the Digital Britain report and in previous Ministerial pronouncements but it is now back on the agenda. Sad to see that the re-launch of ‘3 strikes’ was as part of an amendment to documents under consultation - there really should be no option of moving the goalposts during consultation.

The outcome of the commission discussion and of the next referral to the Constitutional Court will be interesting and key to future progress of the ‘Hadopi’ law. 3 strikes may have risen again but may yet be pushed back down.

The word of a Minister should not be taken as binding ……

It is clear that the word of a Minister should not be regarded as binding, perhaps merely an expression of the state of policy at the time that he (or she) opened their mouth but nothing more than that.

Back in April, the then Minister with responsibility for Intellectual Property, David Lammy, made it clear that the option to implement a ‘three strikes and you’re out’ policy for peer to peer filesharers had been dropped from Government plans incluyding the Digital Britain report. The Minister said that ‘cutting off users was not “the right road” for UK law makers’. David Lammy told ‘The Observer’ that, ‘”It is for the French to determine what is right for them, (referring to the Hadopi law) but for us here we do not believe that would be the right road to go down.”

Then, in June, came the publication of Stephen Carter’s Digital Britain report. This discussed the issue of perceived piracy and the problems of file sharing and suggested that Ofcom should be tasked with the setting up of technical measures to combat persistent filesharers including restricting access etc. At this time, Stephen Carter’s report reflected the thinking espoused by the Minister.

It is now a couple of months later and it would appear that Government policy has taken something of a ‘U’ turn. It would seem that this Government is for turning with the announcement of policy changes that would see Ministers given the power to order the cutting off of Internet access for identified file sharers.

Now this is a major step in a different direction and completely at odds with previous announced policy. Clearly a Minister’s word counts for little (did we really think that it did anyway?). An announcement by the Department for Business Innovation and Skills (Tuesday 25th August) suggests that thinking in relation to policy has now changed and there is a requirement for a faster process than previously discussed together with the addition of the option to cut off Internet access as part of the technical measures. The announcement says, ‘Accordingly a thorough examination of the proportionality and effectiveness of the measure (as with any of the other measures) would have to be undertaken before ISPs would be required to implement it, even if the decision to move to technical measures is taken. As ever we would need to ensure any such measure fully complied with both UK and EU legislation.’

Now this is where we get interesting. Any decision to cut off Internet access could remove access for entirely innocent parties - such as other members of a family using a circuit. The European Parliament and the Commission have made it clear that they view Internet access as an essential human right. Commissioner Redding responding to questions in Brussels said, “The fourth element I would like to underline is the recognition of the right to Internet access. The new rules recognise explicitly that Internet access is a fundamental right such as the freedom of expression and the freedom to access information. The rules therefore provide that any measures taken regarding access to, or use of, services and applications must respect the fundamental rights and freedoms of natural persons, including the right to privacy, freedom of expression and access to information and education as well as due process?”

Now that seems to have made the Commissioner’s view quite clear. Internet access is a fundamental right and any rules must respect fundamental rights and freedoms. Any action to restrict Internet access must be taken by a judge in a court procedure - at which the end user will be the defendant with the right to defend his position and any proposed actions. It cannot be that removal of access is the result of an order by a Secretary of State or by Ofcom without the right of the affected user to challenge the decision. At present, any evidence to suggest illegal activity seems to be based on the detection of an IP address by automated systems operated by or on behalf of rights owners. There are well publicised indications that systems may be open to abuse and that not all IP addresses may be users engaged in illegal activity. There may well be circumstances where the person carrying out infringing activity is doing so using an unsecured wireless connection without the knowledge or permission of the actual circuit owner. Yet, if evidence based on the detected IP address were to be used it would be the innocent user subject to cut-off rather than the actual perpetrator.

So, it appears to be European policy that Internet access is a fundamental right. That cannot be removed without due process - and the process suggested in the revised consultation would not appear to give sufficient safeguards for those not involved in the infringing activity. Any actions taken would seem to face the immediate possibility of a challenge under UK Human Rights legislation and then action in the European Courts.

There is another interesting facet to this new disclosure. A few weeks ago BIS announced consultation on the proposals of the Digital Britain report. The consultation paper was produced and a deadline set for responses. Now, the Dept. has announced that it wishes to change the consultation during the period set for stakeholders and others to respond and has suggested that an extended response period should now be allowed. To change the nature of the consultation after publication would seem to fly in direct contravention of the Government advice and code of practice for consultation.

‘The Crusher’ has to ask why this change has come about. The Government will deny that there is any relation between this announcement and a private dinner at which the Secretary of State, Lord Mandelson, met with US film mogul David Geffen. Geffen is known to have views on piracy and the effects of file sharing on the creative industries. It remains somewhat disconcerting that such a major policy change announcement comes just a few days after such a meeting. Coincidence or just bad planning?

Whatever the real reason this is a real policy blunder by the Government. It is almost certain that any actions to remove Internet access for alleged file-sharing, and by order of the Secretary of State or by Ofcom, would be seen to be highly disproportionate and likely to impact on he human rights of the end user and others. It would appear that the Government has now decided to announce policy changes in the midst of a consultation exercice - contrary to its own guidelines.

This is guaranteed to annoy large swathes of voters - and in the last few months running up to a general election that really is a rather silly thing to do. Perhaps this demonstrates the arrogance of the politicians responding to the views of a rich business interest over those of the electorate. That will be determined no later than June 2010.

However, all of this may be irrelevant - except for the verdict of the electorate on the conduct of this Government - with the imminent decision at the European Court of Justice in a case referred from the UK involving L’Oreal and eBay. The legal news site ‘Outlaw.com’ reports that this case may make any proposed actions by Ofcom irrelevant if it orders that a rights owner can bring an action to injunct an innocent party. The case centres around a possible injunction brought by L’Oreal against eBay to require that party to remove access to infringing materials. If the ECJ is in favour of L’Oreal then it is likely that a music rights owner would simply apply to the UK courts for an injunction against the ISP providing service to an end user. Any costs in defending their position would then fall on the ISP - I suspect that many would simply accept the injunction without the end user having any involvement.

IMP - an overview

A significant paper from the LSE provides an overview and substantial critique of the Government plans for review of the interception of communications traffic data - currently under consultation.

The paper, which can be downloaded here provides a review of UK intercept law, changes in communications and the technological limitations of the proposals for high levels of deep packet inspection (DPI). This is a paper that is informative and a useful contribution to the debate. It notes that there are significant privacy issues although these are for others to discuss. What it does do is to point out the limitations of the core technology concepts behind the Intercept Modernisation Programme (IMP) and ‘Mastering the Internet’, the GCHQ programme aimed at collecting and analysing data within the UK’s Internet traffic.

Every MP and member of the House of Lords should read this - and should then be made to sit an examination on its contents with passage to permission to debate only granted on being able to demonstrate a satisfactory understanding of the content. Well, pigs might fly!

The Home Office Consultation, ‘Protecting the Public in a Changing Communications Environment’ can be downloaded here.