Amendment 138 falls out into the Grand Place…….

For some time the European Commission and the European Parliament have been in discussion in relation to the development of a new Telecoms Package, a raft of new laws with the intention of revising and updating the regulatory control of the telecoms industry. Included within the package were updates to the Privacy and Electronic Communications Directive that would impact on the receipt of cookies (commonly used by advertisers and others) by a web browser.

But, the passage of the Telecoms Package was held up by the introduction of an amendment, Amendment 138 which aimed to control the move towards the ‘3 strikes and you’re out’ approach to the regulation of peer to peer file sharing.

The rights industry has been pushing hard for national governments to adopt the ‘3 strikes’ approach as a way of trying to contol the use of file sharing and unlawful copying of rights protected materials. The idea is that users identified as engaged in unlawful filesharing will receive a letter from their ISP to advise that the sharing is unlawful and (in pretty much most cases) in contravention of the ISP acceptable use policy. Experience suggests that the first letter had some effect in about 50% of cases. Many of those responded to confirm deletion of infringing materials and that they would not engage in any further file sharing. For those that continue, a second, stronger letter would be sent before a third letter and then disconnection of internet service.

It is the disconnection that is the problem. Many now consider access to broadband as a basic human right - alongside access to water, power etc. There was political support for the view, including from Mdme Reding, European Commissioner for Information Society. The problem was (is) that disconnection would take place without judicial review and potentially without the option for the accused user to defend their position and argue their innocence. When the Telecoms Package came before the European Parliament it was amended by Amendment 138 to require judicial intervention and oversight before disconnection.

The Amendment provided the clear requirement for a judicial role and in so doing acted as a brake on the proposals by certain European governments to press ahead with legislation to enable ‘3 strikes’. Before any disconnection could take place a rights owner would have to go before a judge and plead a case for disconnection of the user. And, of course, the user would have the opportunity to defend his position. In France, President Sarkozy promoted the ‘Hadopi’ legislation and in the UK, the Digital Britain report and the Business Secretary, Peter Mandelson, engaged in discussions to push ahead with a ‘3 strikes’ approach. It is notable that Peter Mandelson appears to have come out strongly in favour of ‘3 strikes’ since a weekend meeting with a leading producer.

For the European bureaucrats and politicians the groundswell of public support for Amendment 138 provided a problem. Whilst the Amendment was debated it held up progress on the whole Telecoms Package and with the imminent arrival of the Lisbon Treaty conference there was a political need for progression.

Now, at the last minute and just before the conference, there has been agreement in Brussels to accept a watered down version of the amendment Pressure from national governments that will allow them to introduce disconnection for persistent file sharers (and who else the Crusher wonders?).

Jérémie Zimmermann, spokesperson for La Quadrature du Net,(quoted on ISPreview) said: “Amendment 138 was in haste dissolved into useless legalese and soft consensus. The Parliament hurried to get rid of the safeguards of citizens’ freedoms because it knew that with the imminent coming into effect of the Lisbon treaty, both institutions will soon share the legislative power in the field of judicial affairs. And the bad excuses we have heard these past few days to justify to abandon amendment 138 will then be totally obsolete. In the end, the Parliament was not brave enough to stand against the Council to defend citizens’ freedoms.

Ministers of Member States, who want to be able to regulate the Net without interference from the judiciary, were rushing to kill amendment 138 and put an end to the negotiations. It is a shame that the Parliament’s delegation, and especially rapporteur Catherine Trautmann, was not determined enough to use the political context to assert its authority in the European lawmaking process in order to protect European citizens. Even though it has been an interesting and constructive discussion, amendment 138 has turned, by the lack of courage of the delegation, into the emblem of the powerlessness of the Parliament.”

So, in the face of political pressure to reach agreement before the meeting of Heads of State/Prime Ministers to conclude ratification of the Lisbon Treaty and the appointment of a new President of Europe, the Council has over-ridden the European Parliament (which had previously voted substantially in favour of Amendement 138) which has now accepted the reduced version limiting the rights of the citizen.

The way is now clear for those member states who wanted to introduce ‘3-strikes’ to do so. In the UK, Lord Mandelson has now announced actions to be taken against repeat piracy offenders and procedures will be included in the Digital Economy Bill expected to be included in the Queen’s Speech (18th November) with passage through Parliament before the end of the current session.

Lord Mandelson met with Internet industry representatives before the announcement was made. Mandelson asked the Internet industry to consider the proposed ‘3-strikes’ process in the context of the wider business economy (in iother words, consider the impact of filesharing on the revenues of the music industry) and to realise the importance of creativity. The Crusher understands that Lord Mandelson was fairly combative in his approach to the Internet industry but that the industry did make him aware of their concerns about proportionality, cost, options for alternative modes of contents delivery, due process etc.

The devil, as they say, will always be in the detail so it remains now to see how the Digital Economy Bill is drafted in order to see exactly how the ‘3-strikes’ approach will work in the UK. It would seem likely that the rights industry will contribute to the costs of the ISP in communicating with users and that there will be a likely lengthy process before any disconnection take place. It is likely that Ofcom will set up a dispute panel procedure to hear appeals from consumers targetted for disconnection and that Ofcom will collate information relating to the issue of notifications.

But - time is now running out for this Government. A full General Election must be held before June 2010 at the latest. As we are now clearly in the run up to the election and campaigning has been going on for some time, The Crusher wonders whether the Govt. will actually be able to progress the Digital Economy Bill to the Statute Book before dissolution.

The other matter, of course, is in Brussels. The actions there point to the ineffectiveness of the European Parliament. The elected representatives of the European citizenry are over-ruled and kicked into touch by member states acting in the European Council. The European Parliament has no ability to initiate legislation and can only comment and amend - it seems now that their ability to amend has been curtailed in the face of opposition from member states.

Emergency, which service ……..?

Most people are familiar with the process for making an emergency call - whether it is to the Police, Fire Service, Ambulance or Coastguard. Pick up a phone and dial 999 - or 112 as the pan-European common emergency call number.

When the call is answered by the emergency service operator at the telco, the operator will ask you which service you require and will ask you to confirm the number you are calling from. No problems there.

The operator will see the calling line number displayed in front of them and can immediately cross-reference with reverse look up to identify the location. OK, no problems there - but hold on a minute, what happens if you are not using a land-line?

Technology has moved on and there can no longer be an assumption that all users are calling from a fixed land-line. Emergency calls can be made from a mobile number and, increasingly, from a Voice over IP phone (VoIP). Now, these latter two present something of a problem. Mobile numbers are not geographic (they do not have a specific regional location exchange code) and can be made from pretty much anywhere (except in my house where the mobile does not work!). Emergency operators can access data from the mobile providers to locate the cell where the call is being made from - and triangulation from a number of base stations can provide a fairly accurate geographic location of the calling phone. That’s what law enforcement do when they want to track a criminal or suspect target - the mobile phone is a very effective piece of electronic tracking gadgetry sitting in your pocket. You don’t have to make a call, the phone will register itself with the local cell whenever it is switched on and will thereby giveaway its position.

OK, again, no real problems there. Problems arise with VoIP. There may be a number associated with a VoIP call but it may be a geographic number and the geographic number assigned to the call may bear no relevance to the actual geographic location of the VoIP handset or software. This may be connecting through any IP link - perhaps a fixed line broadband circuit or perhaps a WiFi connection in a public place (cafe, pub, airport etc.).

The Ofcom General Conditions of Service require providers to make details of callers available to emergency service operators. For fixed line and for mobile calls that is fine - the provider has all the data and can cross-reference databases. For VoIP there is a problem - the VoIP service is likely to be provided by a different service provider to the underlying IP transport. The VoIP provider may have a record of the geographic number associated with the call and may be able to reference that to a customer - but cannot tell whether or not the customer is at the location they have. The IP address used for the call and included within the packet data will be allocated by the ISP providing the transport layer - there may be no quick look-up between the VoIP provider and the ISP to determine the location and user of the IP address. It is quite possible that the VoIP user could log in from a range of IPs during a single day - particularly if they are connecting using WiFi access points.

The problem can have tragic consequences. A Canadian family called the emergency services using a VoIP service - the trackback from their initial service registration indicated a location in Toronto so that was where the medical team was sent. Unfortunately the family were hundreds of miles away in Calgary and had not updated the location information held by the VoIP provider.

To overcome the problem the emergency services want to be able to make a quick look up request to ISPs to determine the telephone line reference (CBUK record) for the line on which the VoIP call originated. That might seem straightforward but the practicalities are much less so. There is no standard format for ISP customer service records and there is no standard interface that will allow an external agency to access and requues information from those databases. Emergency service developers have suggested that ISPs should install systems that will allow real-time look-up requests from the emergency service operator. The operator would identify the call as a VoIP origin, identify the associated IP address, refer that to a central look-up registry to identify the ISP (RIPE?) and then pass the request to the ISP who would be expected to return the CBUK reference for the line. All this in real-time and in no longer than it has taken you to read this last paragraph.

The implementation of the Data Retention Directive at a European level has meant that there have been developments to create a standardised form of data request - ETSI standards. Implementing these may be fine for the larger operators who have teams of developers and can bear the costs. But for the medium and smaller level ISPs there will be a real problem - substantial development costs and quite likely whole changes to back end and Internet facing systems. It is quite likely that the smaller ISPs will simply not have the resources to be able to comply.

The Crusher can see another problem here. Once an interface system is in place then a remote operator will be able to input an IP address and return a telephone line reference which can be used to determine a location. That is exactly the type of information that typical Section 22 notices issued under the Regulation of Investigatory Powers Act (RIPA) often require - law enforcement agencies can issue a notice requiring an ISP to provide details of a user. Requests often cite a date, time and IP address - and require the ISP to identify the user. If that can be done automatically by the emergency operator then it will not be long before other parts of law enforcement agencies (LEAs) identify the route as a rapid way to investigative data. Politicians will trot out the tired old lines about importance for public safety, citizens have nothing to fear etc. And will then introduce legislative changes that permit LEAs to process automatic data requests.

Any development for emergency use will have to be developed with extensive safeguards and strict controls. These must ensure that access can only be made in genuine emergency situations and that it is not possible to investigators to access for alternate purposes. Equally, it must not be possible for other organisations to attempt to access data - for example, for rights owners to try to identify end users flagged up as potential copyright infringers.

The emergency request is fairly self-explanatory. The problem is the likelihood and the inevitability of mission creep.