The ISPAs 2010

Thursday night (8th July) was a glittering night for the Internet industry - the annual ISPA Awards bash at the Marriott Hotel in Grosvenor Square. After all the testing and all the submissions it was time to hear the judges verdict.

The awards are the Internet industry’s chance to recognise good practice and good performance. Over the last 12 years they have changed with new categories and new means of assessing performance in the ISP Division. The ISP Division recognises best practice across hosting, customer service, consumer and business broadband etc. The Times noted that the ISPAs were, ‘The awards that could have the most direct bearing on your life’ and the Daily Mirror called it, ‘The Internet event of the year’. Whatever, it is without doubt keenly awaited by those in the industry and keenly commented by customers and others.

Congratulations to all those who won. The Crusher was pleased to see the team at NewNet picking up another piece of acrylic to add to the two previous awards - this year in the class of Best Dedicated Hosting. Well done to the NewNet team and to all those who won in the ISP Division.

But, it is the Special Awards that arise more interest. New categories here for digital inclusion (Bolton Literacy Trust) and for Internet Safety (Childnet), Access Innovation (The Alston, Cumbria, CyberMoor project with a special commendation to SW Internet CIC) and Corporate Social Responsibility (Orange).

At the end of the evening there are two awards that evoke much wider interest - the Internet Hero and the Internet Villain award. Now, in years past The Crusher was pleased to nominate someone who was then awarded the Internet Villain prize so there is always a little more than minor interest here.

What was interesting this year was that both awards recognised different sides of the same thing - the passage through Parliament of the Digital Economy Bill to become the Digital Economy Act. ISPA Council members bestowed the Internet Hero Award upon Tom Watson MP for leading the opposition to the parliamentary fight against the Digital Economy Bill and continuing the campaign to ensure an informed approach to the Act. Well done Tom - your actions in the House of Commons and your speech in the final parts were an inspiration and made it clear that there was not a common cross-party consensus.

The passage of the Digital Economy Bill was fraught and was not helped by changes being made during the consultation period and then by inclusion within the final ‘wash-up’ stages before the end of the parliamentary session and the General Election. There were a number of nominations for the Internet Villain award, all in their own right quite worthy recipients, but in the end, the winner was a shoe-in for the award. It was the Dark Lord himself, Lord Mandelson, formerly Secretary of State for Business and Skills, who had steered the Digital Economy Bill through the various processes. The change that was made during the consultation phase coincided with a weekend meeting with a major rights owner and the final stages were a sham, forcing through legislation that was deeply unpopular and which made fundamental changes to the due process of law.

So, a worthy villain. Sadly, Lord Mandelson was not available to collect his award in person. What a shame - would have been a great appearance and a great acceptance speech!

The new coalition governement has now invited the public to suggest law that should be removed, replaced or amended. Inviting the public to comment is always a risk (a request to introduce a law ‘to allow me to marry my horse’) but sometimes shows popular unrest and resentment. No surprises really to see that some of the largest number of comments and requests related to repeal of the Digital Economy Act. So, it is over to you government, you asked and now you have been told. DEA must go!

Tempus fugit II …..

Time flees as the Latin tag says (perhaps more commonly recognised as ‘Time Flies’) and it certainly seems to be the case with Data Retention.

It seems just a short time ago that we were watching the progress of the Directive through the European parliamentary system, from introduction through discussion (is that really the right word for the actions of the UK Presidency in 2005?) to amendment and then to final acceptance and transposition to national law.

In the UK we were there at the beginning, transposing the first parts to apply to fixed line and mobile telephony. 18 months later came the inclusion of Internet data. The interesting bits were the differences between national transpositions - some elected for retention for as little as 6 months, others for 12 and some for as long as 24 months (but would have liked longer). The UK opted to allow for reimbursement of capital expenditure and the provision in relation to Internet data seems to pay only slight compliance - requiring retention of data only where the national authorities deem that it is necessary.

Some member states have only brought data retention within national law in recent months - Portugal in August 2009, Italy at the end of 2009 and Poland only at the beginning of 2010 (UK, 1st phase Sept 2006, 2nd phase March 2008). There remain a number of member states where data retention has still not been applied - Austria, Belgium, Greece, Ireland, Luxembourg, Romania, Sweden - so much for the idea of ensuring a common approach to law enforcement.

But, time flies. The implementation of the Data Retention Directive provided for an evaluation of the Directive. The time has now come for that evaluation and a number of conferences and meetings have taken place. The results of evaluation will be published later in the year, probably in October 2010. After that, the Commission will begin the processes that will lead to proposals for a revised Directive, probably by the end of 2011 with expected implementation by 2014.

It is too early to say what that new Directive may include, but undoubtedly there will be pressure to expand the range of retained data to include a wider range of Information society services - The Crusher would expect to see pressure for the inclusion of social networking data and web site access. There may be some agreement on a reduction in the range of the approved time scales -although as most members currently retain for 12 months this is unlikely to affect the majority (including the UK).

The evaluation report from the Commission does include some interesting data relating to the number of requests for access to retained data in 2008.

Clearly there are wide variations in the raw number of requests with France and the UK heading the number of actual requests. Of course, both have fairly high populations so it is reasonable that there should be a large number of requests. But, when the figures are compared against the national populations the data requests become more interesting. the right hand column shows the number of data requests per 100,000 of population. Under this order, Lithuania shows a massive 2239 requests per 100K with the UK behind France at a much lower 769. Yet Cyprus only requests data at the rate of 3 per 100,000!

Of course, there will be variations in what is perceived as relevant crime and the use of data to locate rather than to determine specific use. It may well be that the larger number of requests are being used more as a location tool than as a more detailed investigatory procedure. But, the figure for Lithuania is so much greater than others it does rather beg the question what use is being made of retained data in that small state? Perhaps there remains an investigatory throwback to a prevous regime - although the lower (far lower) figures for neighbouring Estonia and Latvia may negate that suggestion.

Interesting data - it will be interesting to watch what comes out of the Commission in late summer/autumn 2010.

Tempus fugit …..

Where does the time go? It seems only just a few weeks ago that we were discussing the ramifications of the proposal for a European Data Retention Directive. The reality is that this was now five years ago and the major discussions took place during the UK Presidency of the European Union in the second half of 2005.

We are now fast approaching the date set within the Directive for the European Commission to report to the European Parliament and the Council on the working of the Directive and its impact on the economic operators and consumers. The date for the submission of the evaluation is 15th September 2010 - just 6 months away now. As a result of the evaluation, the Commission will determine whether it is necessary to amend the provisions, particularly in relation to the nature of the data to be retained and the period of retention. The results of evaluation must be made public.

In the background to the imminent evaluation there are some interesting developments and it is clear that the Directive has not yet been applied across all member states of the European Union.

On March 2nd, the German Constitutional Court ruled that the implementation of the Directive in Germany was in contravention of the German Constitution. Der Spiegel reported on Wednesday 3rd March that the Court had ruled that data collected and retained under the (now unconstitutional) law was to be deleted with immediate effect and that strict controls were to be brought into place before the law could be re-introduced. The case has taken some two years to progress but was brought as a class action on behalf of some 35,000 German citizens who argued that the new law went too far.

The court agreed and said that there was insufficient clarity in the reasons for the retention of data and that there were insufficient safeguards on the data once retained. A key point here is that the Constitutional Court has struck down the German implementation of the Data Retention Directive, not the Directive itself. The German government must now look at the decision of the Court and consider the safeguards that must be put into place before it can draft a new law and introduce that. It is certain that there will now be intense public scrutiny.

Belgium also faces an interesting period, particularly as it is scheduled to take over the rotating Presidency later in the year and will be ‘in the hot seat’ when the evaluation of the Directive is due to be presented. The transposition of the Directive into national (Belgian) law has taken some time and there has been considerable and vocal opposition to the Government proposals. The proposals went much further than provided for within the Directive including banking data and use of the data beyond what may be determined as ’serious crime’. The Belgian proposals also called for the retention of data at the maximum period (24 months) provided for within the Directive. The initial proposals attracted a negative response from the Belgian data protection agency, an almost unheard of situation - although that eventually was turned around to a more positive response when the proposals were watered down time scales pulled back to a more standard 12 months.

The Belgian proposals have not yet completed the parliamentary process. In the last couple of months, Belgian ministers have been trying to reach consensus with stakeholder groups to see if they can bring forward a new law before June. That is an important date - the rotating Presidency comes to Belgium on 1st July and the government wants to prevent the country from critiscism about their failure to implement whilst they are also supposed to be leading discussions on evaluation.

It is clear that some Belgian politicians had been awaiting the outcome of the case before the German constitutional court. That is now clear - it remains to be seen how this may affect the Belgian transposition.

320 years down the line - was this what they meant?

The news that 3 Labour MPs have cited clauses within the 1689 Bill of Rights as part of their reaction to criminal proceedings brought in relation to claims submitted for expenses leaves a feeling that this was not what was intended when the original draft was laid before Parliament.

The Bill of Rights is one of the fundamental pieces of legislation that defines the English system of government and the constitution of the land. It came after a turbulent period in English history - the Civil War had taken place some 40 years earlier and had led to the execution of King Charles I in 1649 and the creation of a republic under the leadership (dictatorship) of Oliver Cromwell. After Cromwell’s death in 1658 the monarchy was restored and King Charles II returned to London in 1660. The death of Charles in 1685 with no legitimate heir raised substantial issues of succession. James, Charles brother, took the throne but was not popular. Charles eldest son, James, Duke of Monmouth raised an army and led a rebellion in the west, culminating in the last battle fought on English soil, at Sedgemoor in 1685. James, Duke of Monmouth escaped the field of battle but was captured at Ringwood, tried and executed for treason (the executioner botched the job and was forced to finish the decapitation with his pocket knife). James II fled in 1688 (The Glorious Revolution) and was replaced by his son-in-law, William of Orange. After the experience of James II (absolute monarchy), Parliament introduced the Bill fo Rights in 1689 in order to define the role of Parliament and the freedom of members.

The Bill of Rights makes clear its importance, ‘An Act declareing the Rights and Liberties of the Subject and Setleing the Succession of the Crowne’. The reason for the Act is then set out, ‘Whereas the late King James the Second by the Assistance of diverse evill Councellors Judges and Ministers imployed by him did endeavour to subvert and extirpate the Protestant Religion and the Lawes and Liberties of this Kingdome.’

The part that has been cited in the recent period comes later in the Heads of Declaration. The Bill makes it clear that the election of Members to Parliament ought to be free and that there should be freedom of speech, ‘That the Freedome of Speech and Debates or Proceedings in Parlyament ought not to be impeached or questioned in any Court or Place out of Parlyament.’

It is this part that has now been brought forward in an attempt to prevent prosecution in the criminal courts. The MPs suggest that their dealings in relation to Parliamentary expenses should be considered as ‘Proceedings in Parlyament’ and should therefore not be questioned in any place other than ‘in Parlyament.’ Proceedings in Parliament are defined on the Parliamentary website, a definition that offers some clarity. Proceedings taking place on the floor of the House, in committee etc. are protected by privilege. If necessary, a Member can name a person within a speech without fear of that person taking action for slander in another place (in the courts). This is an important freedom and one that must be guarded and protected.

Submission of expense claims may take place within the Palace of Westminster and may be seen as part of an MP’s administrative proceedures but should not be seen in the same context as a speech, statement, question etc. before the House. Those actions are recorded in the proceedings of the House (Hansard) and available in print and on line.

To consider the use of the clause within the 1689 Bill there should be consideration of the context and the intent of the Parliamentary draughtsmen at the time. The preface to the Bill makes it clear that the Bill is a repsonse to the abuse of Parliament conducted by James II, ‘Whereas the late King James the Second by the Assistance of diverse evill Councellors Judges and Ministers imployed by him did endeavour to subvert ….. the Lawes and Liberties of this Kingdome.’ Parliament was taking care to enshrine and ensure the freedom of speech, the opportunity for Members to make statements, to raise questions and to name and shame without fear or favour.

The allegations made agains the Members suggest that there was criminal intent (mens rea). The Crown Prosecution Service have now indicated that they consider there is a case to answer and that this should be answered in the Criminal Courts with charges laid under the Theft Act. The intent of the Bill of Rights was clearly to protect Parliamentary freedom but reading the Act with the preliminaries does suggest that the intent was not to provide an escape clause for criiminal proceedings.

The late, great Master of the Rolls, Lord Denning, reiterated Thomas Fuller’s statement of some 300 years ago, “Be you ever so high, the law is above you.” Good advice, as ever. The three MPs who now find themselves facing criminal proceedings should now make it clear that they wil not attempt to distract the investigation by calling upon privilege. It does rather seem that this is the view of the party who have now withdrawn the whip from the accused.

None of the accused will be candidates in the forthcoming election, that had already been decided by the party. Now they should face up to the criminal investigation, prepare their defence and make efforts to persuade a jury that they are indeed innocent.

If they do want to insist on the application of the 1689 Act then they may wish to consider accepting the penalty that would have been applied for theft at that time - if they are found guilty. A couple of public beheadings on Palace Green might concentrate the minds, ‘pour encourager les autres’, as Voltaire noted in Candide after the execution of Admiral Byng. Somehow, The Crusher believes there might be a limitation as to the application of 17th Century legislation.

Whither ‘mere conduit’?

‘Mere conduit’ is a defence - laid down within the European e-Commerce Directive and transposed to UK law within the Electronic Commerce (EC Directive) Regulations 2000 - that allows an intermediary, typically an Internet Service Provider, to limit liability for illegal activity. This follows on from the accepted position that a mail carrier (Royal Mail etc.) is not liable for the contents of mail that it carries - provided that it does not know what is in the package.

Article 12 of the European Directive sets out the position:

‘Mere conduit’

1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:

(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.

2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.

So, that seems reasonably clear. An Internet Service Provider (ISP) is an intermediary - they carry traffic across their network, they do not initiate the traffic, they do not select the recipient and they carry it without selection or modification. Provided they adhere to the conditions then they may claim a defence of mere conduit and cannot be held liable for, say, the transmission of illegal criminal content (child abuse content) or unlawful content (Peer 2 Peer file sharing). The problem for the ISP comes when they are told about the traffic or otherwise become aware. Once an ISP is ‘put on notice’ then they must take action.

OK, so why is there a question mark over ‘mere conduit’, what appears to be a well established point of law. The problem, as so many affecting ISPs today, has derived from the peer 2 peer discussion. We know that pressure from the industry has resulted in the ‘3-strikes and you’re out’ process - shortly to be incorporated within the UK Digital Economy Bill. Now it seems that the rights industry has been able to exert pressure in other areas and the outcome of this could be important for the intermediary.

The problem area is ACTA. AC what you say - ACTA stands for the Anti-Counterfeiting Trade Agreement. OK, what has that got to do with ISPs. Governments have been engaged in a series of discussions, the most recent of which have taken place in Seoul, South Korea, to look at the updating of laws to protect intellectual property. Most readers will be familiar with actions brought against online auction houses (e-Bay) alleging collusion in the sale of counterfeit goods diluting the trademark interests of well known luxury brand names. Other actions have been taken by Customs and Trading Standards officers to confiscate counterfeit goods - sunglasses, handbags, rip-off DVDs etc. That all seems fairly straight forward and expected.

The problem comes with the extension of the counterfeiting argument to copyright infringement in the electronic environment. Hints of the nature of the Seoul discussions appeared in leaked preparatory papers. An European Commission (DG Trade) document in September indicated that the EU and US had engaged in discussion in Washington as part of the Intellectual Property Rights Work Group. Within those discussions, a side meeting had been held to discuss the US preparation of the future Internet Chapter of the ACTA. At that time the US delegation indicated that they had been working for some while on the chapter and had engaged in discussion with other Govt. agencies and with interested private stakeholders (not defined or named as these were bound by NDAs). The US delegation gave an oral presentation to the EU Trade group. It is now clear that discussions in Seoul have followed the inital oral advice and that the US drafted chapter appears to follow the provisions of the US Digital Millennium Copyright Act (DMCA)

ACTA requires that ACTA members (Government/member state signatories) have to provde for third-party liability; Safe-harbours for liability regarding ISPs to be based on Section 512 of the Digital Millennium Copyright Act and to benefit from safe-harbours, ISPs will need to put in place policies to deter unauthorised storage and transmission of IP infringing content (these might include making changes to customer contracts to allow a graduated response - ie, ‘3-strikes and you’re out’).

The European Parliament has now voted against the ‘3-strikes’ approach - there is development within the new Telecoms Package to be agreed between the European Council and the European Parliament. That is likely to reach consensus with provisions to allow a ‘3-strikes’ approach but perhaps subject to appeal or judicial oversight.

There is more amongst the discussion from Seoul. It would appear that rights owners will be able to initiate proceedings against intermediaries alleging that they have allowed their networks to be used for unlawful activities. European ISPs have long known that US based rights owners would like to see the European protection removed and brought into line with the US DMCA practice. In order to claim safe-harbour protection the European intermediaries would need to ensure that they, ‘put in place policies to deter unauthorized storage and transmission of IP infringing content.’ That is a wholly different approach to the current status, transferring the onus to the ISP. The EDRI newsletter notes, “European citizens should be concerned and indignant. As reported, the ACTA Internet provisions would also appear to be inconsistent with the EU eCommerce Directive and existing national law, as Joe McNamee, the European Affairs Coordinator of EDRi notes: “The Commission appears to be opening up ISPs to third party liability, even though the European Parliament has expressly said this mustn’t happen, ACTA looks likely to erode European citizens’ civil liberties.”

There has been real concern about the nature of the discussions - and the secrecy within which they have been conducted. The EU leaked paper noted, ‘As agreed among ACTA participants, the negotiating papers are not public documents’. The Washington Post noted that civil rights organisations had written to President Obama to complain about the lack of transparency.

The Washington Post article noted. ‘The groups, which include Public Knowledge and the Sunlight Foundation, wrote in a letter that the secrecy of the process – and on an issue that could have broad implications for Web users – could unfairly the benefit content providers that are most actively involved in the process.

“We applaud your promise of a more transparent, collaborative and participatory government,” the groups wrote. “However, multiple aspects of ACTA fail to meet these standards.”

The Swedish Presidency has published a note about the 6th round of negotiations. The Swedish note notes, ‘discussions at the meeting were productive and focused on enforcement of rights in the digital environment and criminal enforcement.’ The note continues, ‘Participants also discussed the importance of transparency including the availability of opportunities for stakeholders and the public in general to provide meaningful input into the negotiating process.’

The opportunity for the public to ‘provide meaningful input’ is important. The next stage of the ACTA negotiations will take place in Mexico in January 2010. With the Lisbon Treaty in full force from 1st December, the EU will represent all member states and any decisions accepted will be implemented for all. The current (Swedish) presidency of the European Union notes that ACTA hopes to reach agreement and implementation early in 2010 - there is not much time left before we might see major changes that will affect ISPs and other third parties. Where will be the opportunity for public consultation and input in this timescale?

IMP - an overview

A significant paper from the LSE provides an overview and substantial critique of the Government plans for review of the interception of communications traffic data - currently under consultation.

The paper, which can be downloaded here provides a review of UK intercept law, changes in communications and the technological limitations of the proposals for high levels of deep packet inspection (DPI). This is a paper that is informative and a useful contribution to the debate. It notes that there are significant privacy issues although these are for others to discuss. What it does do is to point out the limitations of the core technology concepts behind the Intercept Modernisation Programme (IMP) and ‘Mastering the Internet’, the GCHQ programme aimed at collecting and analysing data within the UK’s Internet traffic.

Every MP and member of the House of Lords should read this - and should then be made to sit an examination on its contents with passage to permission to debate only granted on being able to demonstrate a satisfactory understanding of the content. Well, pigs might fly!

The Home Office Consultation, ‘Protecting the Public in a Changing Communications Environment’ can be downloaded here.

Hadopi - three strikes and …. it’s out!

The French farce continues.

After passage through a singularly empty French assembly, then return to a more populous house, the Hadopi law (Haute Autorité pour la Diffusion des Oeuvres et la Protection des droits sur Internet - Higher Authority for the Distribution of Works and the Protection of Copyright on the Internet) has now received a further setback.

The superior court in France, the French Consititutional Court, has now ruled that access to Internet services can only be denied on the authority of a judge. The court has recognised the view in the European Parliament that Internet access is a basis human right - as also now recognied by Ofcom in the UK. The introduction of the bill to create the Hadopi in France was contentious - in France and elsewhere. Supported by President Nicolas Sarkozy the bill would have created a new agency with the power to disconnect users on third notification of file sharing infringement. The agency would also place the users on a blocklist to prevent them from simply migrating to another provider. This cannot now happen - any process to remove a user access must now go before a court and a judge - with the user able to defend his position in court.

The UK Government has already indicated that it does not favour the 3 strikes approach - again echoing the view that broadband access is now seen as a basic human right.

It’s back to the drawing board for the rights owners. Perhaps these actions might just focus their minds to consider some new business models. But then ‘les cochons peuvent voler’ as they might say in France.

Article 8 again ….. and the UK loses another case!

A few months ago we heard the outcomes of the case of ‘Marper and S v United Kingdom’ brought before the European Court of Human Rights. Now, you may remember this one - something of a landmark. The court opined that the storage of DNA profiles in England was contrary to the privacy requirements enshrined under Article 8 of the European Convention on Human Rights.

Just in case you had missed the Article, it states:

ARTICLE 8
1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

The problem for the UK, and for England in particular, was that the claimants in the case were innocent persons who had not been charged or convicted of any offence. It was, said the Court, an infringment of their privacy for their DNA records to be retained within a national criminal database. Now, interestingly Scotland applies the law in a different way to England (of course!) and the Scottish model was approved by the European Court. The Conservatives have given a commitment to implementing the Scottish model when (not if!) then win the next election. We’ll hold them to that. The Government in London has now announced a revision of rules to apply in England - rules that have all the sublety of a two fingered salute to Europe - and has indicated that it will change the rules to allow law enforcement to retain data for 6 or 12 years. No intention there to remove the data as required by the Europen court.

But - along comes another case and again the Courts find that the actions of law enforcement in the UK go against the requirements of Article 8. Andrew Wood had his photograph taken by police surveillance units when (perfectly legitimately) he attended the AGM of a company in which he had shares. The police photographs were stored on file and were potentially available for use in investigation of other acts. The Appeal Court has now rules (2 to 1) in the case and has instructed the Metropolitan Police to destroy copies of photographs of Mr Wood.

The implications here are interesting. The police must now destroy Mr Wood’s images - but must also now look to identifying, removing and destroying images of other perfectly law abiding persons who happened to come in front of their surveillance photographers - perhaps at football matches, demonstrations etc. Taking photographs is a legitimate practice the court held - but the police should identify those who were of good character and should destroy the images. The implication of that opinion by Lord Justice Dyson is that images should only be retained of those who are nicked - and they will be photographed at the police station anyway so facial recognition should be able to locate, and identify them in surveillance image databases. Anyone else should then deleted.

Naturally the police were not too happy and may now consider an appeal to the House of Lords (note - there was one dissenting opinion in which Lord Justice Laws argued that the police were ‘operating within the margin of operational discretion in keeping the photos’.

The Crusher senses the wind of change blowing - the surveillance society created under New Labour is unravelling before the courts. With an increasingly lame duck administration and an imminent election (which the PM has tacitly recognised that Labour will lose) we may be seeing a few steps back from the oppressive nature of surveillance. Where next - data retention and the Communications Data Bill?

French farce

A few postings ago we reported on the vote in the French Senate that introduced the ‘Hadopi’ law, providing for the 3-strikes and you’re out principle to be adopted by rights owners seeking the disconnection of persistent file sharers. After the initial vote in a sparsely attended house, the law passed on to the National Assembly where a rather larger house voted it down. Now it seems that the French authorities have adopted the European approach - if at first you don’t get the result you want, ask them to vote again until they give the right result!

The law was returned to the National Assembly for another attempt and this time it seems that there was a rather fuller attendance. Perhaps some ‘persuassion’ by the French equivalent of the Whips? There is clear intention by the French Government to push the law through and in advance of voting in the European Parliament on the Telecom Reform package.

A large number of amendments to the Bill made it impossible to proceed through the voting process by 5th May and the Bill must now return for further debate. It is seen as likely that this will be by mid-May so it is quite possible that President Sarkozy will see the new legislation in force by the end of the month. This will allow the setting up of a new agency (the HADOPI) which will deal with copyright infringement notices submitted by rights owners and will decide whether to warn or to disconnect users and place them on a list of blocked persons.

Quite clearly this will not be a popular piece of legislation. Civil rights campaigners will be campaigning and asserting that the law will be an infringement of the rights of the citizen. But the campaigners will have some powerful allies. MEPs voting in the European Parliament in Brussels and Strasbourg have indicated that they view internet access as a fundamental service and have voted down 3-strikes approaches.

When the Telecom Package came up for 2nd reading in the European Parliament, MEPs voted 407 to 57 for initial amendment 138 rejecting the Trautman report and reverting to the initial text which provided that only judicial authorities would be able to make decisions on cutting off users. The reversion to judicial authorities means that users accused of infringement would be able to submit a defence and to appeal any decision. It would seem that the HADOPI proposed in France would not be accepted as a judicial body and would not be acceptable under the European package.

Going further, it is interesting to read comments by Commissioner Redding responding to questions in Brussels: “The fourth element I would like to underline is the recognition of the right to Internet access. The new rules recognise explicitly that Internet access is a fundamental right such as the freedom of expression and the freedom to access information. The rules therefore provide that any measures taken regarding access to, or use of, services and applications must respect the fundamental rights and freedoms of natural persons, including the right to privacy, freedom of expression and access to information and education as well as due process?”

Now that makes the Commissioners view quite clear. Internet access is a fundamental right and any rules must respect fundamental rights and freedoms. That will make it difficult to impose any 3-strikes approach without their being a judicial process. Even then, there must be compelling reason to act - and, I suspect, copyright infringment will not be there as the most compelling reason. Perhaps use of the internet to download paedophilic content might be there.

So, how will this impact on the UK. There is discussion in Govt. and we are awaiting the final version of Stephen Carter’s ‘Digital Britain’ report. Trails suggest that that may include details of a Digital Rights Agency - amongst other things. The report is now unlikely to arrive before mid-June - it will not be published in the run-up to local and European elections at the beginning of June - and will probably be after voting in the European Parliament. Any agency that is then set up will have to accommodate the European Telecoms Package - so we are unlikely to see any 3-strikes here. Unlikely anyway as Govt. Ministers have now indicated that this is not favoured by Govt.

Not so centralised database ……

So, after all the speculation, the Home Office have now published the consultation paper on ‘Protecting the Public in a Changing Communications Environment’ and it now makes clear that the idea of a single centralised database containing records of all telephone calls, Internet login/logout, email, web access etc. has been kicked into touch. Page 25 of the paper makes clear, ‘The Government has no plans to create a centralised database to store all communications data.’

However, it is also clear that this would be the preferred option, ‘This approach would have several advantages. It would be the option most likely to come close to maintaining the historic capability of public authorities in their use of communications data. It would be the most effective at delivering fast and efficient access in support of the law enforcement and intelligence agencies and emergency services; the least challenging technically to implement; and the cheapest to build and run.’ But, Government is clearly aware of the sensitive politics of any implementation in this manner and has accepted that this wqould be a step too far and a massive intrusion into privacy. Richard Thomas, Information Commissioner, had made it quite clear that a single centralised database would be seen as an infringement of data privacy legislation and this advice seems to have been taken on board, ‘The Government recognises the privacy implications in holding all communications data from the UK from a 12-month period in a single store. The Government therefore does not propose to pursue this approach.’

So, the remaining option is to require communications service providers (CSPs) to retain data themselves and to release to national security and law enforcement authorities on receipt of the appropriate (RIPA) authority. That is similar to the current provision and the requirements of the Data Retention Regulations. However, the proposed plans go further than the requirements of the European Data Retention Directive (DRD) - law enforcement agencies have advised government that they require access to a broader range of data than that required under DRD. “We also need to ensure that UK companies collect and store additional types of communications data about their own services, which are not included under the EU Data Retention Directive. This includes data that communication service providers do not generate or process about their services.”

So what would this additional data retention requirement include. Web access for certain - but again, not the content, only the access to the server (to the domain rather to internal pages), volume of data transferred (download/upload), access to third party services.

Ah, this last is interesting. Acccess to third party services. Government is clearly aware of the limitations of the DRD and is now looking to close loopholes. DRD does not include web access and does not include access to services that are not hosted in the UK. Now, we know that a large number of users use webmail and that the major services (Hotmail, Gmail etc.) are hosted in the US. There is no provision under DRD for retention of any data relating to mail sent via these services - nor for any retention of data sent via other means including social networking sites, game sites, forums etc. Govt. now wants to close this loophole, ‘This would include third party data relating to internet-based services and communications services provided from outside the UK.’

Now that leaves some interesting questions. If CSPs are to be required to retain data relating to access to systems and servers outside of their network (and outside of the UK and EU) then they are going to have to collect the data by analysing the traffic flow on their own network. In practice this means deep packet inspection (DPI) of ALL traffic. DPI imposes some overheads - in order to undertake analysis and extraction of data without impacting on user experience will require real-time inspection with substantial processing demands. That is expensive. Well, at least the Govt. recognise this as the potential costs are estimated in the consultation as £2 Billion (yes, that’s right, 2 BILLION pounds).

The technical limitations are not the only concern. For CSPs to effectively read each and every packet will require substantial changes to current legislation. In effect, what will be required will be the electronic equivalent of opening mail, checking the contents and storing data. It is illegal to intercept the post, it is illegal to intercept traffic in a communications environment. Clearly the intention of the Government is to change the legal position to allow CSPs to analyse traffic and to retain data.

At present, there may be some inspection going on at CSP level in order to identify traffic types and to prioritise traffic flow - packet shaping. This is used to control use of high volume services such as peer to peer transfer. What is currently done is relatively simple compared to what may be required - traffic packets are checked to see what the type of data is and automatically routed or controlled as a result. The plan is for data to be read and then recorded and retained - and for the data to be retained for 12 months.

Now we can see an advantage for the Govt. in making CSPs retain the data. If there is a leak of data then it will be the CSPs at fault and not the Govt. Govt. agencies (national security, law enforcement etc.) will only become involved when they request data to be transferred from the CSP store.

The single centralised database has become a decentralised, distributed store of data. Once you set those up, the next step is to look to see how they could all be linked. We know that the Govt. views the single database as being the best option (and the cheapest). What they are going to do is to plan a distributed store that may circumvent privacy concerns, will be more expensive but will still store the same information. And that is going to be far more than is currently retained.

Privacy watchdogs will just be sharpening their claws - they will need them.