The ISPAs 2010

Thursday night (8th July) was a glittering night for the Internet industry - the annual ISPA Awards bash at the Marriott Hotel in Grosvenor Square. After all the testing and all the submissions it was time to hear the judges verdict.

The awards are the Internet industry’s chance to recognise good practice and good performance. Over the last 12 years they have changed with new categories and new means of assessing performance in the ISP Division. The ISP Division recognises best practice across hosting, customer service, consumer and business broadband etc. The Times noted that the ISPAs were, ‘The awards that could have the most direct bearing on your life’ and the Daily Mirror called it, ‘The Internet event of the year’. Whatever, it is without doubt keenly awaited by those in the industry and keenly commented by customers and others.

Congratulations to all those who won. The Crusher was pleased to see the team at NewNet picking up another piece of acrylic to add to the two previous awards - this year in the class of Best Dedicated Hosting. Well done to the NewNet team and to all those who won in the ISP Division.

But, it is the Special Awards that arise more interest. New categories here for digital inclusion (Bolton Literacy Trust) and for Internet Safety (Childnet), Access Innovation (The Alston, Cumbria, CyberMoor project with a special commendation to SW Internet CIC) and Corporate Social Responsibility (Orange).

At the end of the evening there are two awards that evoke much wider interest - the Internet Hero and the Internet Villain award. Now, in years past The Crusher was pleased to nominate someone who was then awarded the Internet Villain prize so there is always a little more than minor interest here.

What was interesting this year was that both awards recognised different sides of the same thing - the passage through Parliament of the Digital Economy Bill to become the Digital Economy Act. ISPA Council members bestowed the Internet Hero Award upon Tom Watson MP for leading the opposition to the parliamentary fight against the Digital Economy Bill and continuing the campaign to ensure an informed approach to the Act. Well done Tom - your actions in the House of Commons and your speech in the final parts were an inspiration and made it clear that there was not a common cross-party consensus.

The passage of the Digital Economy Bill was fraught and was not helped by changes being made during the consultation period and then by inclusion within the final ‘wash-up’ stages before the end of the parliamentary session and the General Election. There were a number of nominations for the Internet Villain award, all in their own right quite worthy recipients, but in the end, the winner was a shoe-in for the award. It was the Dark Lord himself, Lord Mandelson, formerly Secretary of State for Business and Skills, who had steered the Digital Economy Bill through the various processes. The change that was made during the consultation phase coincided with a weekend meeting with a major rights owner and the final stages were a sham, forcing through legislation that was deeply unpopular and which made fundamental changes to the due process of law.

So, a worthy villain. Sadly, Lord Mandelson was not available to collect his award in person. What a shame - would have been a great appearance and a great acceptance speech!

The new coalition governement has now invited the public to suggest law that should be removed, replaced or amended. Inviting the public to comment is always a risk (a request to introduce a law ‘to allow me to marry my horse’) but sometimes shows popular unrest and resentment. No surprises really to see that some of the largest number of comments and requests related to repeal of the Digital Economy Act. So, it is over to you government, you asked and now you have been told. DEA must go!

Tempus fugit II …..

Time flees as the Latin tag says (perhaps more commonly recognised as ‘Time Flies’) and it certainly seems to be the case with Data Retention.

It seems just a short time ago that we were watching the progress of the Directive through the European parliamentary system, from introduction through discussion (is that really the right word for the actions of the UK Presidency in 2005?) to amendment and then to final acceptance and transposition to national law.

In the UK we were there at the beginning, transposing the first parts to apply to fixed line and mobile telephony. 18 months later came the inclusion of Internet data. The interesting bits were the differences between national transpositions - some elected for retention for as little as 6 months, others for 12 and some for as long as 24 months (but would have liked longer). The UK opted to allow for reimbursement of capital expenditure and the provision in relation to Internet data seems to pay only slight compliance - requiring retention of data only where the national authorities deem that it is necessary.

Some member states have only brought data retention within national law in recent months - Portugal in August 2009, Italy at the end of 2009 and Poland only at the beginning of 2010 (UK, 1st phase Sept 2006, 2nd phase March 2008). There remain a number of member states where data retention has still not been applied - Austria, Belgium, Greece, Ireland, Luxembourg, Romania, Sweden - so much for the idea of ensuring a common approach to law enforcement.

But, time flies. The implementation of the Data Retention Directive provided for an evaluation of the Directive. The time has now come for that evaluation and a number of conferences and meetings have taken place. The results of evaluation will be published later in the year, probably in October 2010. After that, the Commission will begin the processes that will lead to proposals for a revised Directive, probably by the end of 2011 with expected implementation by 2014.

It is too early to say what that new Directive may include, but undoubtedly there will be pressure to expand the range of retained data to include a wider range of Information society services - The Crusher would expect to see pressure for the inclusion of social networking data and web site access. There may be some agreement on a reduction in the range of the approved time scales -although as most members currently retain for 12 months this is unlikely to affect the majority (including the UK).

The evaluation report from the Commission does include some interesting data relating to the number of requests for access to retained data in 2008.

Clearly there are wide variations in the raw number of requests with France and the UK heading the number of actual requests. Of course, both have fairly high populations so it is reasonable that there should be a large number of requests. But, when the figures are compared against the national populations the data requests become more interesting. the right hand column shows the number of data requests per 100,000 of population. Under this order, Lithuania shows a massive 2239 requests per 100K with the UK behind France at a much lower 769. Yet Cyprus only requests data at the rate of 3 per 100,000!

Of course, there will be variations in what is perceived as relevant crime and the use of data to locate rather than to determine specific use. It may well be that the larger number of requests are being used more as a location tool than as a more detailed investigatory procedure. But, the figure for Lithuania is so much greater than others it does rather beg the question what use is being made of retained data in that small state? Perhaps there remains an investigatory throwback to a prevous regime - although the lower (far lower) figures for neighbouring Estonia and Latvia may negate that suggestion.

Interesting data - it will be interesting to watch what comes out of the Commission in late summer/autumn 2010.

Tempus fugit …..

Where does the time go? It seems only just a few weeks ago that we were discussing the ramifications of the proposal for a European Data Retention Directive. The reality is that this was now five years ago and the major discussions took place during the UK Presidency of the European Union in the second half of 2005.

We are now fast approaching the date set within the Directive for the European Commission to report to the European Parliament and the Council on the working of the Directive and its impact on the economic operators and consumers. The date for the submission of the evaluation is 15th September 2010 - just 6 months away now. As a result of the evaluation, the Commission will determine whether it is necessary to amend the provisions, particularly in relation to the nature of the data to be retained and the period of retention. The results of evaluation must be made public.

In the background to the imminent evaluation there are some interesting developments and it is clear that the Directive has not yet been applied across all member states of the European Union.

On March 2nd, the German Constitutional Court ruled that the implementation of the Directive in Germany was in contravention of the German Constitution. Der Spiegel reported on Wednesday 3rd March that the Court had ruled that data collected and retained under the (now unconstitutional) law was to be deleted with immediate effect and that strict controls were to be brought into place before the law could be re-introduced. The case has taken some two years to progress but was brought as a class action on behalf of some 35,000 German citizens who argued that the new law went too far.

The court agreed and said that there was insufficient clarity in the reasons for the retention of data and that there were insufficient safeguards on the data once retained. A key point here is that the Constitutional Court has struck down the German implementation of the Data Retention Directive, not the Directive itself. The German government must now look at the decision of the Court and consider the safeguards that must be put into place before it can draft a new law and introduce that. It is certain that there will now be intense public scrutiny.

Belgium also faces an interesting period, particularly as it is scheduled to take over the rotating Presidency later in the year and will be ‘in the hot seat’ when the evaluation of the Directive is due to be presented. The transposition of the Directive into national (Belgian) law has taken some time and there has been considerable and vocal opposition to the Government proposals. The proposals went much further than provided for within the Directive including banking data and use of the data beyond what may be determined as ’serious crime’. The Belgian proposals also called for the retention of data at the maximum period (24 months) provided for within the Directive. The initial proposals attracted a negative response from the Belgian data protection agency, an almost unheard of situation - although that eventually was turned around to a more positive response when the proposals were watered down time scales pulled back to a more standard 12 months.

The Belgian proposals have not yet completed the parliamentary process. In the last couple of months, Belgian ministers have been trying to reach consensus with stakeholder groups to see if they can bring forward a new law before June. That is an important date - the rotating Presidency comes to Belgium on 1st July and the government wants to prevent the country from critiscism about their failure to implement whilst they are also supposed to be leading discussions on evaluation.

It is clear that some Belgian politicians had been awaiting the outcome of the case before the German constitutional court. That is now clear - it remains to be seen how this may affect the Belgian transposition.

Whither ‘mere conduit’?

‘Mere conduit’ is a defence - laid down within the European e-Commerce Directive and transposed to UK law within the Electronic Commerce (EC Directive) Regulations 2000 - that allows an intermediary, typically an Internet Service Provider, to limit liability for illegal activity. This follows on from the accepted position that a mail carrier (Royal Mail etc.) is not liable for the contents of mail that it carries - provided that it does not know what is in the package.

Article 12 of the European Directive sets out the position:

‘Mere conduit’

1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:

(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.

2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.

So, that seems reasonably clear. An Internet Service Provider (ISP) is an intermediary - they carry traffic across their network, they do not initiate the traffic, they do not select the recipient and they carry it without selection or modification. Provided they adhere to the conditions then they may claim a defence of mere conduit and cannot be held liable for, say, the transmission of illegal criminal content (child abuse content) or unlawful content (Peer 2 Peer file sharing). The problem for the ISP comes when they are told about the traffic or otherwise become aware. Once an ISP is ‘put on notice’ then they must take action.

OK, so why is there a question mark over ‘mere conduit’, what appears to be a well established point of law. The problem, as so many affecting ISPs today, has derived from the peer 2 peer discussion. We know that pressure from the industry has resulted in the ‘3-strikes and you’re out’ process - shortly to be incorporated within the UK Digital Economy Bill. Now it seems that the rights industry has been able to exert pressure in other areas and the outcome of this could be important for the intermediary.

The problem area is ACTA. AC what you say - ACTA stands for the Anti-Counterfeiting Trade Agreement. OK, what has that got to do with ISPs. Governments have been engaged in a series of discussions, the most recent of which have taken place in Seoul, South Korea, to look at the updating of laws to protect intellectual property. Most readers will be familiar with actions brought against online auction houses (e-Bay) alleging collusion in the sale of counterfeit goods diluting the trademark interests of well known luxury brand names. Other actions have been taken by Customs and Trading Standards officers to confiscate counterfeit goods - sunglasses, handbags, rip-off DVDs etc. That all seems fairly straight forward and expected.

The problem comes with the extension of the counterfeiting argument to copyright infringement in the electronic environment. Hints of the nature of the Seoul discussions appeared in leaked preparatory papers. An European Commission (DG Trade) document in September indicated that the EU and US had engaged in discussion in Washington as part of the Intellectual Property Rights Work Group. Within those discussions, a side meeting had been held to discuss the US preparation of the future Internet Chapter of the ACTA. At that time the US delegation indicated that they had been working for some while on the chapter and had engaged in discussion with other Govt. agencies and with interested private stakeholders (not defined or named as these were bound by NDAs). The US delegation gave an oral presentation to the EU Trade group. It is now clear that discussions in Seoul have followed the inital oral advice and that the US drafted chapter appears to follow the provisions of the US Digital Millennium Copyright Act (DMCA)

ACTA requires that ACTA members (Government/member state signatories) have to provde for third-party liability; Safe-harbours for liability regarding ISPs to be based on Section 512 of the Digital Millennium Copyright Act and to benefit from safe-harbours, ISPs will need to put in place policies to deter unauthorised storage and transmission of IP infringing content (these might include making changes to customer contracts to allow a graduated response - ie, ‘3-strikes and you’re out’).

The European Parliament has now voted against the ‘3-strikes’ approach - there is development within the new Telecoms Package to be agreed between the European Council and the European Parliament. That is likely to reach consensus with provisions to allow a ‘3-strikes’ approach but perhaps subject to appeal or judicial oversight.

There is more amongst the discussion from Seoul. It would appear that rights owners will be able to initiate proceedings against intermediaries alleging that they have allowed their networks to be used for unlawful activities. European ISPs have long known that US based rights owners would like to see the European protection removed and brought into line with the US DMCA practice. In order to claim safe-harbour protection the European intermediaries would need to ensure that they, ‘put in place policies to deter unauthorized storage and transmission of IP infringing content.’ That is a wholly different approach to the current status, transferring the onus to the ISP. The EDRI newsletter notes, “European citizens should be concerned and indignant. As reported, the ACTA Internet provisions would also appear to be inconsistent with the EU eCommerce Directive and existing national law, as Joe McNamee, the European Affairs Coordinator of EDRi notes: “The Commission appears to be opening up ISPs to third party liability, even though the European Parliament has expressly said this mustn’t happen, ACTA looks likely to erode European citizens’ civil liberties.”

There has been real concern about the nature of the discussions - and the secrecy within which they have been conducted. The EU leaked paper noted, ‘As agreed among ACTA participants, the negotiating papers are not public documents’. The Washington Post noted that civil rights organisations had written to President Obama to complain about the lack of transparency.

The Washington Post article noted. ‘The groups, which include Public Knowledge and the Sunlight Foundation, wrote in a letter that the secrecy of the process – and on an issue that could have broad implications for Web users – could unfairly the benefit content providers that are most actively involved in the process.

“We applaud your promise of a more transparent, collaborative and participatory government,” the groups wrote. “However, multiple aspects of ACTA fail to meet these standards.”

The Swedish Presidency has published a note about the 6th round of negotiations. The Swedish note notes, ‘discussions at the meeting were productive and focused on enforcement of rights in the digital environment and criminal enforcement.’ The note continues, ‘Participants also discussed the importance of transparency including the availability of opportunities for stakeholders and the public in general to provide meaningful input into the negotiating process.’

The opportunity for the public to ‘provide meaningful input’ is important. The next stage of the ACTA negotiations will take place in Mexico in January 2010. With the Lisbon Treaty in full force from 1st December, the EU will represent all member states and any decisions accepted will be implemented for all. The current (Swedish) presidency of the European Union notes that ACTA hopes to reach agreement and implementation early in 2010 - there is not much time left before we might see major changes that will affect ISPs and other third parties. Where will be the opportunity for public consultation and input in this timescale?

Data retention - still some unhappy states

The Data Retention Directive was introduced into European law back in 2006 - with a requirement that member states transpose the first phase by September 2007 and the second phase by March 2009 (where the State took advantage of a derogation in rellation to IP based traffic).

Interestingly, both Belgium and The Netherlands advised the European Commission of their intention to take advantage of the derogation in relation to IP. That still meant that they were expected to transpose in relation to fixed line and mobile telephone traffic by September 2007 but that had opted, like the UK, to leave IP based retention until the later date.

A group of Belgian organisations have now raised a petition to protest the local transposition of the Directive. In August, the Belgian Minister of Justice proposed a retention period of 2 years (the maximum within the range of the Directive - 6 months to 2 years) . The UK settled on 12 months - interestingly the Belgian Data Protection Supervisor felt that the 2 year period was too long and disproportionate and should be reduced to 12 months. The Belgian petitioners felt that there was not sufficient evidence to justify the retention of traffic data which they felt was not a solution to security issues.

Just to the north, the Netherlands government is also engaged in discussion. A few wees ago, government agencies held meetings with ISPs to provide some clarification of terms within the new Data Retention Act - EDRI-News reports that after the meeting there was still confusion as to what was required and for how long. As currently implemented, both telcos and ISPs are required to retain data for 12 months but discussion in the upper house of the Netherlands parliament (Senate) has suggested that the Minister may be prepared to reduce the ISP requirement to just 6 months (as was suggested in the UK, bearing in mind the low level of requests of user data in relation to IP based traffic).

A full description of the Netherlands law (2008) can be found at the site for Agentschap Telecom, the Dutch telecoms regulator.

There has also been discussion in the Netherlands about the possibility of centralised retention of traffic data. ‘Bits of Freedom’ in the Netherlands reports that some 3 Million requests for traffic data were served by the Netherlands police in 2008 - on a population of some 16 Million. That is a very high figure when compared against the reported request rate in the UK - Surveillance Commissioner reported 0.5 Million requests in 2007 against a population of some 60 Million. If the UK rate were the same as the Dutch then that figure would be in the order of some 11 Million requests!

Clearly there remains considerable concern and disquiet across Europe.

The Directive provides for review of the retention policies in 2010. Clearly there is likely to be a lot to be discussed.

Amendment 138 falls out into the Grand Place…….

For some time the European Commission and the European Parliament have been in discussion in relation to the development of a new Telecoms Package, a raft of new laws with the intention of revising and updating the regulatory control of the telecoms industry. Included within the package were updates to the Privacy and Electronic Communications Directive that would impact on the receipt of cookies (commonly used by advertisers and others) by a web browser.

But, the passage of the Telecoms Package was held up by the introduction of an amendment, Amendment 138 which aimed to control the move towards the ‘3 strikes and you’re out’ approach to the regulation of peer to peer file sharing.

The rights industry has been pushing hard for national governments to adopt the ‘3 strikes’ approach as a way of trying to contol the use of file sharing and unlawful copying of rights protected materials. The idea is that users identified as engaged in unlawful filesharing will receive a letter from their ISP to advise that the sharing is unlawful and (in pretty much most cases) in contravention of the ISP acceptable use policy. Experience suggests that the first letter had some effect in about 50% of cases. Many of those responded to confirm deletion of infringing materials and that they would not engage in any further file sharing. For those that continue, a second, stronger letter would be sent before a third letter and then disconnection of internet service.

It is the disconnection that is the problem. Many now consider access to broadband as a basic human right - alongside access to water, power etc. There was political support for the view, including from Mdme Reding, European Commissioner for Information Society. The problem was (is) that disconnection would take place without judicial review and potentially without the option for the accused user to defend their position and argue their innocence. When the Telecoms Package came before the European Parliament it was amended by Amendment 138 to require judicial intervention and oversight before disconnection.

The Amendment provided the clear requirement for a judicial role and in so doing acted as a brake on the proposals by certain European governments to press ahead with legislation to enable ‘3 strikes’. Before any disconnection could take place a rights owner would have to go before a judge and plead a case for disconnection of the user. And, of course, the user would have the opportunity to defend his position. In France, President Sarkozy promoted the ‘Hadopi’ legislation and in the UK, the Digital Britain report and the Business Secretary, Peter Mandelson, engaged in discussions to push ahead with a ‘3 strikes’ approach. It is notable that Peter Mandelson appears to have come out strongly in favour of ‘3 strikes’ since a weekend meeting with a leading producer.

For the European bureaucrats and politicians the groundswell of public support for Amendment 138 provided a problem. Whilst the Amendment was debated it held up progress on the whole Telecoms Package and with the imminent arrival of the Lisbon Treaty conference there was a political need for progression.

Now, at the last minute and just before the conference, there has been agreement in Brussels to accept a watered down version of the amendment Pressure from national governments that will allow them to introduce disconnection for persistent file sharers (and who else the Crusher wonders?).

Jérémie Zimmermann, spokesperson for La Quadrature du Net,(quoted on ISPreview) said: “Amendment 138 was in haste dissolved into useless legalese and soft consensus. The Parliament hurried to get rid of the safeguards of citizens’ freedoms because it knew that with the imminent coming into effect of the Lisbon treaty, both institutions will soon share the legislative power in the field of judicial affairs. And the bad excuses we have heard these past few days to justify to abandon amendment 138 will then be totally obsolete. In the end, the Parliament was not brave enough to stand against the Council to defend citizens’ freedoms.

Ministers of Member States, who want to be able to regulate the Net without interference from the judiciary, were rushing to kill amendment 138 and put an end to the negotiations. It is a shame that the Parliament’s delegation, and especially rapporteur Catherine Trautmann, was not determined enough to use the political context to assert its authority in the European lawmaking process in order to protect European citizens. Even though it has been an interesting and constructive discussion, amendment 138 has turned, by the lack of courage of the delegation, into the emblem of the powerlessness of the Parliament.”

So, in the face of political pressure to reach agreement before the meeting of Heads of State/Prime Ministers to conclude ratification of the Lisbon Treaty and the appointment of a new President of Europe, the Council has over-ridden the European Parliament (which had previously voted substantially in favour of Amendement 138) which has now accepted the reduced version limiting the rights of the citizen.

The way is now clear for those member states who wanted to introduce ‘3-strikes’ to do so. In the UK, Lord Mandelson has now announced actions to be taken against repeat piracy offenders and procedures will be included in the Digital Economy Bill expected to be included in the Queen’s Speech (18th November) with passage through Parliament before the end of the current session.

Lord Mandelson met with Internet industry representatives before the announcement was made. Mandelson asked the Internet industry to consider the proposed ‘3-strikes’ process in the context of the wider business economy (in iother words, consider the impact of filesharing on the revenues of the music industry) and to realise the importance of creativity. The Crusher understands that Lord Mandelson was fairly combative in his approach to the Internet industry but that the industry did make him aware of their concerns about proportionality, cost, options for alternative modes of contents delivery, due process etc.

The devil, as they say, will always be in the detail so it remains now to see how the Digital Economy Bill is drafted in order to see exactly how the ‘3-strikes’ approach will work in the UK. It would seem likely that the rights industry will contribute to the costs of the ISP in communicating with users and that there will be a likely lengthy process before any disconnection take place. It is likely that Ofcom will set up a dispute panel procedure to hear appeals from consumers targetted for disconnection and that Ofcom will collate information relating to the issue of notifications.

But - time is now running out for this Government. A full General Election must be held before June 2010 at the latest. As we are now clearly in the run up to the election and campaigning has been going on for some time, The Crusher wonders whether the Govt. will actually be able to progress the Digital Economy Bill to the Statute Book before dissolution.

The other matter, of course, is in Brussels. The actions there point to the ineffectiveness of the European Parliament. The elected representatives of the European citizenry are over-ruled and kicked into touch by member states acting in the European Council. The European Parliament has no ability to initiate legislation and can only comment and amend - it seems now that their ability to amend has been curtailed in the face of opposition from member states.

Emergency, which service ……..?

Most people are familiar with the process for making an emergency call - whether it is to the Police, Fire Service, Ambulance or Coastguard. Pick up a phone and dial 999 - or 112 as the pan-European common emergency call number.

When the call is answered by the emergency service operator at the telco, the operator will ask you which service you require and will ask you to confirm the number you are calling from. No problems there.

The operator will see the calling line number displayed in front of them and can immediately cross-reference with reverse look up to identify the location. OK, no problems there - but hold on a minute, what happens if you are not using a land-line?

Technology has moved on and there can no longer be an assumption that all users are calling from a fixed land-line. Emergency calls can be made from a mobile number and, increasingly, from a Voice over IP phone (VoIP). Now, these latter two present something of a problem. Mobile numbers are not geographic (they do not have a specific regional location exchange code) and can be made from pretty much anywhere (except in my house where the mobile does not work!). Emergency operators can access data from the mobile providers to locate the cell where the call is being made from - and triangulation from a number of base stations can provide a fairly accurate geographic location of the calling phone. That’s what law enforcement do when they want to track a criminal or suspect target - the mobile phone is a very effective piece of electronic tracking gadgetry sitting in your pocket. You don’t have to make a call, the phone will register itself with the local cell whenever it is switched on and will thereby giveaway its position.

OK, again, no real problems there. Problems arise with VoIP. There may be a number associated with a VoIP call but it may be a geographic number and the geographic number assigned to the call may bear no relevance to the actual geographic location of the VoIP handset or software. This may be connecting through any IP link - perhaps a fixed line broadband circuit or perhaps a WiFi connection in a public place (cafe, pub, airport etc.).

The Ofcom General Conditions of Service require providers to make details of callers available to emergency service operators. For fixed line and for mobile calls that is fine - the provider has all the data and can cross-reference databases. For VoIP there is a problem - the VoIP service is likely to be provided by a different service provider to the underlying IP transport. The VoIP provider may have a record of the geographic number associated with the call and may be able to reference that to a customer - but cannot tell whether or not the customer is at the location they have. The IP address used for the call and included within the packet data will be allocated by the ISP providing the transport layer - there may be no quick look-up between the VoIP provider and the ISP to determine the location and user of the IP address. It is quite possible that the VoIP user could log in from a range of IPs during a single day - particularly if they are connecting using WiFi access points.

The problem can have tragic consequences. A Canadian family called the emergency services using a VoIP service - the trackback from their initial service registration indicated a location in Toronto so that was where the medical team was sent. Unfortunately the family were hundreds of miles away in Calgary and had not updated the location information held by the VoIP provider.

To overcome the problem the emergency services want to be able to make a quick look up request to ISPs to determine the telephone line reference (CBUK record) for the line on which the VoIP call originated. That might seem straightforward but the practicalities are much less so. There is no standard format for ISP customer service records and there is no standard interface that will allow an external agency to access and requues information from those databases. Emergency service developers have suggested that ISPs should install systems that will allow real-time look-up requests from the emergency service operator. The operator would identify the call as a VoIP origin, identify the associated IP address, refer that to a central look-up registry to identify the ISP (RIPE?) and then pass the request to the ISP who would be expected to return the CBUK reference for the line. All this in real-time and in no longer than it has taken you to read this last paragraph.

The implementation of the Data Retention Directive at a European level has meant that there have been developments to create a standardised form of data request - ETSI standards. Implementing these may be fine for the larger operators who have teams of developers and can bear the costs. But for the medium and smaller level ISPs there will be a real problem - substantial development costs and quite likely whole changes to back end and Internet facing systems. It is quite likely that the smaller ISPs will simply not have the resources to be able to comply.

The Crusher can see another problem here. Once an interface system is in place then a remote operator will be able to input an IP address and return a telephone line reference which can be used to determine a location. That is exactly the type of information that typical Section 22 notices issued under the Regulation of Investigatory Powers Act (RIPA) often require - law enforcement agencies can issue a notice requiring an ISP to provide details of a user. Requests often cite a date, time and IP address - and require the ISP to identify the user. If that can be done automatically by the emergency operator then it will not be long before other parts of law enforcement agencies (LEAs) identify the route as a rapid way to investigative data. Politicians will trot out the tired old lines about importance for public safety, citizens have nothing to fear etc. And will then introduce legislative changes that permit LEAs to process automatic data requests.

Any development for emergency use will have to be developed with extensive safeguards and strict controls. These must ensure that access can only be made in genuine emergency situations and that it is not possible to investigators to access for alternate purposes. Equally, it must not be possible for other organisations to attempt to access data - for example, for rights owners to try to identify end users flagged up as potential copyright infringers.

The emergency request is fairly self-explanatory. The problem is the likelihood and the inevitability of mission creep.

Digital Britain - awaiting the outcome ….

Just another week to go before Lord Stephen Carter publishes his Digital Britain report. And with a week to go the various interest groups are positioning themselves ahead of the launch.

There have been numerous ‘trails’ which may turn out to be more positioning than actualities. We won’t really know until the document is in the public domain.

But things that are likely……

There is a recognition that broadband services are an essential part of modern life (recognised in a survey commissioned by Ofcom), as essential as water, gas and electricity. So broadband becomes the 4th service (do I recall the AA advertising themselves as the 4th emergency service?).

Broadband service providers (essentially that means BT) are to be encouraged to ensure a minimum level of service at 2Mbit. Easier said than done and will require some changes to the means of provision. Ofcom has today (11th June) removed the restrictions that prevented Openreach from operating electronic equipment within the network. This removal will pave the way for Openreach to operate fibre to the cabinet and direct ethernet to end users.

Ofcom recognise that there remains a significant group of internet Not users - typically older generation. They estimate that 20% of this group will sign up to broadband services if the cost and service is right. That might have to include some form of top-up education. Of course, 20% takeup leaves a remaining 80% of the group who do not see the need or do not want Internet access. Increasing takeup amongst this group will be difficult.

There have been moves from rights owners to suggest the introduction of a ‘three strikes and you’re out’ policy. With the recognition that broadband is now an essential service this is unlikely to be approved by Lord Carter - indeed, other Government Ministers have made it clear that the Government will not force ISPs to block access. There will have to be other ways found. Those might include some form of packet shaping to reduce the performance of the sharers - but not all ISPs will be in a position to do this. Certainly the smaller ISPs will find this difficult and will not have the flexibility of multiple central pipes to transfer heavy users to a specific ‘bad boys’ pipe.

So we wait. 16th June will be an interesting day.

May we live in interesting times ……!

The next week (week beginning 27th April 2009) appears to have the makings of a rather interesting time. Perhaps the ancient Chinese proverb was indeed close to the truth.

Later this week we expect the Home Office to publish details of the Intercept Modernisation Programme and the Communications Data Bill. Readers will remember that the Bill was originally trailed in the Government’s Draft Legislative Programme published in summer 2008 but was quietly dropped from the Queen’s Speech later in the year for ‘ additional public consultation.’

Well, it seems that time for consultation is here and we now expect the Home Office to publish the consultation document and details of the Intercept Modernisation Programme (IMP). The Daily Telegraph today (Saturday 25th April) printed a front page story to indicate that the consultation will resurrect the ideas of a single centralised database to hold details of all telephone calls, emails, web access etc. The Telegraph reports (in print - it does not appear on their web site - why not?) that the Information Commissioner has reiterated his opposition to the database, indicating that he considers this to be a major intrusion into privacy.

The Government, of course, appear to be trotting out the same old story - we need to monitor web access, email etc. in order to track terrorists and serious organised crime. And, if recent performance is anything to go by, also those sending their children to school and those ‘allowing’ their dogs to foul the pavement.

There are fundamental issues of privacy and rights of the individual at stake here. The current authoritarian and nanny obsessed government simply cannot be allowed to rail-road this legislation through. Remember the sentient words of Benjamin Franlink in 1775, ‘Those who give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.’

What we need is a little real risk assessment and some real truths - not the one-sided ‘business case’ that we have seen with other consultations. This is a fundamental issue of rights and the ability of the Government to spy on its own citizens. Levels of control as are being suggested have only existed in the most heinous totalitarian regimes - we cannot sleep walk into allowing a British government to overturn centuries of hard won reforms for a short term gain. As Franklin suggests, the cost to the people is just too great.