Online infringement of copyright: detail regarding clauses 4-16
(Download Online infringement of copyright: detail as a PDF)
Introduction
This factsheet sets out to explain in more details the Government’s thinking on:
- Who the subscriber is in terms of the Bill • The meaning of “allowed” in the Bill
- The position of community sites, libraries and educational establishments and home hubs
- Defences against an allegation of copyright infringement
- What protective measures are available for individuals and other subscribers
This fact sheet is in response to questions raised in Committee in the House of Lords on 12th of January 2009. For further background information about the Bill, and its clauses pertaining to Online Infringement of Copyright, please visit the Bill’s website
Who is the subscriber?
“Subscriber” is defined within clause 16 of the Bill in the following terms:
“subscriber”, in relation to an internet access service, means a person who-
a) receives the service under an agreement between the person and the provider of the service; and
b) does not receive it as a communications provider ( s.405 of the Communications Act 2003 provides : ‘communications provider’ means a person who (within the meaning of section 32(4)) provides an electronic communications service);
Hopefully (a) is clear enough, and could at its essence be regarded as being the person who pays the money to the internet service provider (“ISP”) for access to the internet. In many cases, the subscriber will not be the only person who is using the internet service. However, the subscriber will be the person who has entered into a contract with the ISP and usually one of the conditions of that contract will be that the service should not be used for any unlawful purpose. It is therefore not unreasonable to assume that the subscriber is the person properly responsible for what happens over that internet service. On a more practical note, the subscriber is the only person who can be identified from an IP address at a point in time – which is the information that a Copyright Infringement Report (“CIR”) will contain.
The reason for part (b) is to avoid the situation where an ISP becomes treated as a subscriber because they take a wholesale service from another ISP. The clear intention is that the notifications should reach the person or people who are using the internet service where apparent infringement is taking place.
This raises some interesting questions about those who provide a wi-fi network, whether free for anyone to use or restricted in some way. Organisations running this sort of service may be classed as a ‘communications provider’ within the meaning of the Communications Act 2003 or as a subscriber depending on the terms and conditions on which they both take and provide the service.
Where access is provided on the internet café model, typically with a time-based pricing structure and a service open to anyone, the provider of wi-fi access will be providing a 1 s.405 of the Communications Act 2003 provides : ‘communications provider’ means a person who (within the meaning of section 32(4)) provides an electronic communications service public electronic communication service. However, there are other circumstances in which wi-fi access is provided in a way which does not make it available to members of the public; where, for example, access is restricted to members of an academic community or to the customers of a particular hotel. The providers of this wi-fi access will not fall within the definition of subscriber if they receive the internet access service as a ‘communications provider’. For wi-fi providers who are providing a public electronic communication service, existing telecommunications regulation means that there will be an obligation to offer contracts and providers may be directed to publish information on the quality of their service.
We can be clear that a subscriber with a personal account, who allows others to use it by means of not securing it, is a subscriber for the purposes of the Bill.
The Earl of Erroll asked whether a user on the Parliament account would be a subscriber or not. The simple answer to that is no. The subscriber would be the organisation that has an account with an ISP. However, as the subscriber the account holder might well expect to set rules and standards of behaviour that they expect from those using their internet access. And it is reasonable to expect that subscriber to take steps to ensure that the account is not being used for unlawful purposes. In most companies, for example, misuse of the internet service is likely to be a disciplinary offence.
Implications for Community sites, libraries and educational establishments, internet cafes and home hubs
There is no doubt that Libraries, other wi-fi operators and other open-access providers serve a very important function, not least in helping the less advantaged in getting access on-line. It is difficult at this stage to say with certainty what the effect these measures will have on them. As described above, these sorts of providers might be classified as subscribers, or they might be classified as communications providers, depending on the terms and conditions on which the take and provide the service.
If the library or other provider is a subscriber in the terms of the Bill then they may receive notifications if their internet service IP address is identified as the source of apparent infringements. In this case there is obviously a chance that the library or other subscriber might in due course be subject to either a civil action by copyright owners or technical measures, should they be introduced.
We think this is right. Whilst clearly the Government has no desire to see libraries, community sites, or indeed, anyone else, suffer degradation to, or the temporary suspension of, their internet service we do think that it is important that these provisions should apply across the board so as not to create substantial loop holes allowing anyone who wants to continue infringing copyright to do so simply by going to an internet café or a library.
Those who provide this kind of service will be able to, and should, take steps to prevent infringement occurring on their accounts. There are many ways they can do this. Detailed information on technical approaches to securing home and local wi-fi networks is contained in the section of this paper on ‘reasonable steps’ below.
Briefly, the most significant factor will be the type of service that their customers can use. A library, internet café etc which offers access via PCs provided in situ can install the types of simple and inexpensive measures listed below to stop anyone using that machine from accessing particular sites or downloading P2P software.
Offering access via wireless connection poses a more complex challenge. A service which offers consumers a basic level of wireless internet access with limited amounts of broadband is unlikely to be used for copyright infringement. A library for example offering a wi-fi service which allows users to access e-mail, undertake web browsing but not to undertake more bandwidth hungry applications (on-line gaming, file-sharing, large data transfers, video streaming) is not likely to find that its service is being misused for copyright infringement. Of course, with the higher speeds that we hope will be available in the future that will not be the case – but the protections suggested below will certainly apply.
We would also expect that an establishment offering such a service would not want any such bandwidth-hungry applications to be run. One user file-sharing (legal or otherwise) could easily take up all the available bandwidth with the result that no other user could use the service at the same time.
For wi-fi providers where consumers have to pay for access, we would not expect in many cases that using this service to infringe copyright would prove cost-effective for the infringer. Almost all content can be obtained from (paid) legal sources, be it film, music, whatever. It would usually be cheaper to simply use a home broadband connection and pay to obtain the content from legal sources.
However, if they do find themselves receiving notification letters in connection with an alleged infringement, they can take easy steps to prevent infringers from using their connection in future, and I go into this in more detail below. Once again, the Government believes that it is reasonable to expect libraries and others offering these kinds of services to take steps to ensure this service does not facilitate unlawful activity. This is not new – libraries are already responsible if their users download criminal material.
The meaning of “allowed”
There was some debate on 12 January about what we meant, within the Bill, by the word “allowed”, which is used in clause 4 in subsection (1)(b). This sets out that the section applies if it appears to a copyright owner that –
(a) a subscriber has infringed his copyright by means of an internet access service or
(b) has allowed another person to use the service and that person has infringed his copyright.
The reason for underlining “appears” (rather than “allowed”) is that it is the first precondition for the copyright owner being able to send a CIR to the internet service provider. The owner is not going to know whether or not the subscriber has done anything to secure his system or whether the system is hijacked; he can only complete the infringement report on the basis of how it appears to him. The whole idea behind the notification system is to reduce the level of online infringement by warnings/education and to facilitate legal action being taken against serious persistent infringers. It is worth reiterating what we said in Committee – nothing is going to happen under the initial obligations until or unless the copyright owner takes civil action against those infringers having obtained their details through a court order. Under the Bill provisions we expect that copyright owners would focus their attention in respect of legal action on those who have been the subject of the most copyright infringement notices. These will be the subscribers who have had multiple letters informing them that infringement is apparently occurring on their connection and providing advice as to how to prevent it if the subscriber themselves is not responsible.
We hope and expect that the initial obligations included within the Bill (the notification letters) should reduce the level on online copyright infringement. But if these are to be effective they need to be backed up by the prospect of further action. That is why we consider it important for the Bill to include reserve powers to limit internet access (clauses 10 and 11). These tougher technical measures will be exceptional and a last resort.
We hope that it will not be necessary to introduce technical measures. But should technical obligations be introduced they will be likely to apply automatically to a subscriber once they pass a certain threshold of notifications. That threshold will clearly be a matter of substantial concern to Peers, but it is something that we envisage would need to be addressed in the Secretary of State’s order under clause 11 imposing the technical obligation. We have recently laid an amendment in response to concerns by the House of Lords Delegated Powers and Regulatory Reform Committee that would require these orders to be made by affirmative procedure, meaning that the House will have an opportunity to debate any order and take a view on it before it comes into effect. We do not think, therefore, that this is something on which we can or should be prescriptive about now. Apart from anything else, it might be sensible to apply one level of threshold to a relatively unintrusive measure (such as a download cap) but a much higher one to something as significant as temporary suspension of the internet account.
Once again, these measures would only be applied to those subscribers in respect of whose accounts the most CIRs had been lodged and who had consequently been sent multiple notifications ensuring that the subscribers understand the situation and have the advice they need to put a stop to infringement on their account.
However, once a technical measure is liable to be imposed on a subscriber they will have the opportunity to appeal against it and it is in this context that we agree that it is important to be clear on what defences could be relied upon. While it is important that we are clear that “allowed” has its normal meaning (and that it actually applies to what it appears to the copyright owner has happened, not to what has actually happened), and therefore there is no need of a definition in the Bill, we do need to address the points made by a number of noble Lords about what constitutes a defence in those circumstances. In view of its importance I address that separately and at some length below.
Defences against an allegation of copyright infringement
Understandable concern was expressed by a number of noble Lords that if subscribers were to receive notifications alleging copyright infringement then they should be able to defend themselves against those allegations if it was somebody using their connection without their knowledge. This will not be a particularly pressing concern, perhaps, for the initial notification, which we would expect to be couched in terms of friendly advice rather than stern reprimand, but we accept that for subsequent notifications, and particularly if technical obligations are applied, subscribers, whether they be individuals or community networks, may well be anxious to demonstrate that it was not them who had infringed copyright, or allowed it to happen, or that it was not their fault.
Of course, if this is part of a civil action by copyright owners, the details will be considered within that process and we could not and should not interfere, but that was not the focus of the concern. The question is what might a subscriber say in response to receiving a notification from their internet service provider, perhaps to appeal against being put on the copyright infringement list or against a technical measure being imposed?
Here, Lord Lucas suggested that “…we should not attach a liability to someone who has done all that could be reasonably be expected of them to behave correctly” (Hansard: Col 458). We really must be careful not to pre-empt the way that the independent appeals body, or indeed the First-tier Tribunal, wishes to operate. However, with that clear qualification, I do think that in practice the scenario put forward by Lord Lucas is an entirely sensible one – if a subscriber has taken all reasonable steps to prevent infringement on their network, and if necessary can show that they have done so, then that should be regarded as a good defence.
What might such reasonable steps be in practice?
It is worth remembering that advice about securing their internet connection is one of the things that the notifications to subscribers will include, and that advice will be written by industry experts not by Government. However, almost certainly reasonable steps would include protecting internet service wireless hubs through a password, making it much more difficult for the casual outside user to piggyback on a subscriber’s connection. Within a household the information and options to impose controls over what can be accessed are built into the routers and the browsers. This means that it is possible to impose those controls in relation to a number of different computers using the connection without having to install software or change settings on the individual computers. This is an important point in respect of households where those sharing the internet connection are not necessarily in a parent/child relationship that allows for putting controls on to a particular computer or other device.
It is also very easy to install free parental control software. Subscribers can also opt to only allow access at particular times of the day or only allow PCs or laptops that are registered to use a wireless connection. These are all standard and easy to use features open to wireless routers serving a household or indeed a small business. Community wi-fi providers can use a password to only allow particular individuals to use the service (although of course we accept that this is not necessarily what such wi-fi is installed for).
The main operating systems – such as Windows – also come with parental controls. These allow websites to be blocked by genre (e.g.) porn, gambling, chat rooms, shopping etc and can filter access to websites by other criteria, such as language. This is simple and usually done via a “tick-box” set of options on a menu. Specific websites can be added to a bespoke list by “cut and pasting” from the history of websites visited. There are a number of well-known sites where file-sharing software is obtainable, for example, and there are a number of well-know sites connected with unlawful file-sharing – the best known perhaps being Pirate Bay. This can be equally applied to households, community wi-fi or SMEs.
Although we acknowledge that peer-to-peer technology has many legitimate applications, should subscribers wish to do so, blocking peer-to-peer traffic specifically is more difficult. It is possible to block use of peer-to-peer (P2P) protocols but this does require some technical knowledge – for example the Windows Firewall can be configured to block P2P traffic but this is not a straightforward procedure. However, there are a number of freeware or inexpensive products which will block most P2P traffic, usually through a Firewall or by blocking access to ports that P2P protocols typically use. Again this is an option open to households and SMEs alike.
For community and other wi-fi operators, should they wish to do so, blocking P2P traffic will depend on the nature and configuration of the broadband connection. There are, though, a number of free or inexpensive products available.
The “Get Safe Online” website (http://www.getsafeonline.org/) – supported by the Government and Ofcom – lists three companies which provide filters and software which can block or filter content and who can also block the use of P2P programmes: Cybersitter, Net Nanny, and Cyberpatrol.
It also provides a link through to other sites such as GetNetWise.org which lists and evaluates a wider range of products including BSafe, Safe Eyes, ChildSafe and Cybersentinel.
These products typically cost in the region of US$40 (about £30) and allow the user to block the most popular peer-to-peer file-sharing applications such as Bit Torrent, eMule, Gnutella, Kazaa, Morpheus and Limewire.
For entities such as libraries, internet cafes etc a solution could be to address this issue when entering into the contract with the ISP. It is possible to ask them to block access to certain traffic (pornography, gambling etc) or specific website addresses or lists of addresses such as Pirate Bay. This may be a charged for service but the cost is not likely to be prohibitive. This facility is also open to individual private subscribers. However, there may be network performance issues that could arise if this were the norm.
Proxy servers are another common method of controlling access to the Internet. Users are not allowed direct access to the Internet from the network they are on. They are only allowed access to the proxy server. This proxy server is then allowed to access the Internet in accordance with a set of instructions, e.g. blocked sites etc. It is the proxy server that accesses the Internet and then passes the traffic to and from the user. The use of the server, over which the individual user has no control, means that it is very difficult for them to circumvent the imposed controls.
We would suggest that being able to demonstrate, as an individual or a community network, that these sensible and inexpensive precautions have been taken could go a long way towards persuading any appeals body that reasonable steps had been taken to prevent infringement.
It is readily acknowledged that nothing is 100% effective. It is possible to crack a the security on a wireless connection with the right software, time and technical know-how. But it is simple to make connections more secure and to block websites at the household, SME and community wi-fi level so as to make such circumvention much more difficult, and doing so would show that the subscriber had taken allegations of infringement seriously, and taken steps to prevent it.
The position in universities, raised by a number of noble Lords, is a little different – internet services at UK universities are provided by JANET (UK) – a private business-to-business network. They have the advantage of operating networks which are relatively small and to which the consequences for the individual of misusing a connection are relatively severe. For example, any loss of access by an individual following misuse would have a significant impact on course-work and the student’s studies. We would assume in this situation that JANET will be defined as the internet service provider under the legislation, and the universities will be the subscribers – but it is not possible to be 100% sure of the relationship without looking at the details of the contractual relationship. Of course there will be a threshold of numbers of copyright infringement notices received before JANET, if it is an internet service provider, would be subject to the obligations, and it is open to it (and/or the universities) to apply restrictions along the lines suggested above should it consider them appropriate in order to ensure that it does not cross that threshold.
Internet domain registries: further facts
(Download Internet domain registries: further facts as a PDF)
This factsheet explains the detail of the Government’s policy on domain registries. For an introductory factsheet please see Internet Domain Names: Factsheet.
Why we think the powers are necessary
The Internet is an integral part of the UK’s economy. The domain name system is a crucial element of the Internet economy and in the UK the .uk domain is a key part of that. However, Nominet, the registry that runs the .uk domain, is like many other domain name registries, a private company over which the Government has no control should the need arise. We have been particularly concerned about some past problems at Board level at Nominet. Whilst the Government has strong confidence in the way Nominet is currently run, the possible implications for the interests of wider stakeholders should operations at the registry be disrupted in future has helped to persuade the Government that it should seek these reserve powers on a precautionary basis.
The domain name industry in the UK is self-regulated and has been so for many years. This has largely worked well and the Government’s intention is that self-regulation by domain name registries should continue. Some registries and their registrars are ‘regulated’ through specific agreements with ICANN, for example .tel and .com. Country code domain registries (such as Nominet) are not.
There are no current Government plans to intervene in any domain registry and it is intended that the powers in the Digital Economy Bill will only be exercised where self- regulation fails to the detriment of consumers, businesses or the UK’s wider Internet economy. However, as mentioned above, as things stand at present, the Government has no powers to act to protect these interests if self-regulation was to fail.
It should be made clear that the new powers will not permit the Government or OFCOM to nationalise any domain name registry or any registrars.
Amending the scope of the powers
Since the Bill was drafted, the Government has realised that the provisions on domain names could have unintended consequences. For example, they would catch any organisation, such as BT, that runs its own name server, and the registries for some other country code domains that are situated in the UK. The Government has, therefore, proposed an amendment that restricts the scope of the powers to cover Top Level Domain registries where the domain is UK-related.
What will happen in practice before deciding to exercise the powers?
We do not expect a registry to act beyond its powers to correct any failure that it could not reasonably address, for example where that failure results from the actions of a third party over which it has no control. However, if a deficiency in self regulation resulted in continuing failure, then the Government would expect the registry concerned to take corrective action, or at least explain why corrective action was neither appropriate nor possible. Use of the powers in the Bill would be a last resort. In practice, the Government would expect to enter into a dialogue with the registry concerned to explore ways of dealing with the issue that had arisen.
What is a serious failure of a domain name registry?
The Impact Assessment (Word doc) and Explanatory Notes published at the same time as the Bill highlight some of the instances of domain name abuse that might be considered a failure of a registry. These include domain names being used for phishing (a form of internet fraud) or for distributing computer viruses, for setting up websites selling fake tickets to events, and, in some circumstances, cyber-squatting (registering domain names which are of economic value to other people and then charging those people high prices to buy or use them for their own purposes.) and drop-catching (waiting until the expiry date for an existing registered domain name, snatching it and then charging the previous owner to buy it back).
Similarly, a registry which lacked any adequate dispute resolution system, leaving complainants forced to resort to court action to gain redress, would be considered a failure.
A failure, or combination of failures, which affected the reputation or functioning of UK networks or services, or the interests of UK consumers or the public generally, would be a “serious failure” and would trigger the Secretary of State’s powers.
What is self-regulation?
Some examples of where the Government considers existing self regulation to be working well (both involving Nominet):
- In December, Nominet worked with the Metropolitan Police’s Central e-Crime Unit to take down around 1200 .co.uk domain names that had been used by criminals to set up websites selling counterfeit goods. Although Nominet was under instruction by the police to comply, Nominet worked closely with the police to ensure rapid response to their instructions as part of the registry’s stated aim always to take fast, effective and responsible action to protect consumers and end users.
- Nominet implemented a phishing lock to allow a registrar, when presented with credible evidence e.g. by the police, to lock a domain name that has been used for phishing. This suspends and locks all the information linked to that domain name such as access to website, and also prevents the domain name being re-registered so that it cannot be used. Nominet is also currently working on a phishing clearing house to provide information and a notification service tool of verified phishing sites.
- Nominet has a Dispute Resolution Service (DRS) that offers an efficient and transparent method of resolving disputes in the .uk Top Level Domain. Through the DRS, Nominet seeks to settle .uk domain name disputes through mediation (free of charge) and, where this is not possible, through an independent expert decision that costs from £200. This is the usual mechanism to deal with complaints about cyber- squatting and drop-catching.
When the powers might be exercised
In practice, the Secretary of State would be alerted by a significant number of complaints of domain name abuse from the public or businesses, or a steady increase in complaints over a period of time. These complaints might be about consumers being duped or misled, or bona fide companies (especially small firms) being defrauded or losing customers, as a result of the activities of a registry, its registrars or end users. We are aware however, of the potential for malicious lobbying by organisations with vested interests calling for action against a registry: that is one of the reasons we would expect to have a dialogue with the registry concerned before exercising the powers.
The following are examples of actions which could amount to a failure of a registry:
- The registry was not utilising existing mechanisms in place to deal with those complaints;
- The registry would not consider/make modifications to those mechanisms to make them more effective;
- The registry was altering those mechanisms or reversing its policy to the detriment of members of the public and business (perhaps by making it more difficult to pursue a complaint).
If the level of failure were to sufficient adversely affect the reputation or, the functioning of the UK’s Internet economy or the interests of consumers or the public, that would tend to indicate that self-regulation was failing and would amount to a serious failure for the purposes of the legislation. Ultimately though, it would be the Secretary of State’s decision whether the situation was sufficiently serious to warrant the use of his powers.
Draft Statutory Instrument on Costs
Draft Statutory Instrument on Costs (PDF) (NB Please note that this is a draft, designed to give an idea of how the cost issues could be approached. The proportional split included in the draft is a working assumption. Before laying the SI, we will conduct a full consultation.)
