September 2009

This is JANET(UK)’s response to the Department for Business, Innovation and Skills’ consultation on Legislation to Address Illicit P2P File-sharing. JANET(UK) is the operator of JANET, the UK’s national research and education network, which connects universities, colleges and schools to each other and to the Internet. As operator of this large private business-to-business network we have many years’ experience of working with both rights-holders and connected organisations to significantly reduce the level of copyright breach occurring on our network.

On August 25th a ministerial statement from the Department made very significant changes to the proposals in the original consultation. We regret the very short time allowed to respond to these changes; our responses to them have been added to our original response.

1. In responding to this consultation we note that the paper makes two important assumptions about the structure of broadband networking that we believe are not appropriate. First is the assumption, in paragraphs 4.5, 4.23 and elsewhere, that each connection to an ISP is used by a single individual. In fact, each residential broadband connection is likely to be shared by all residents (and possibly guests) at that address. As a result we believe that the consultation underestimates the harmful impact of proposed technical measures, which will affect all of these users, as opposed to written communications where the occupants can determine which one of them is concerned.
2. Second is the definition of Internet Service Provider in paragraph 4.10. This states that the term “ISP” is synonymous with Electronic Communications Service/Network as defined in the Communications Act 2003. However those definitions include every network that connects two computers – in private homes, business, charities and government departments – far more than just the services that are generally referred to as ISPs. Placing a legal duty on all of these would be far more costly that suggested by the consultation’s impact assessment, and affect far more groups than those addressed in this consultation. We have therefore assumed in this response that the intention of the consultation is actually to impose duties on “residential broadband ISPs” – a group that is a subset of Public Electronic Communications Service/Networks defined in the Communications Act 2003. If this assumption is not correct we consider that the consultation is seriously flawed as its impact assessment is incorrect and its list of those consulted represents only a very small part of the affected stakeholders.
3. Our response considers separately the three parts to the proposed obligation: notification, serious infringers and technical measures. Our answers to the specific questions in the original consultation follow this discussion.

Notification

4. As we reported in our response to previous consultations, the experience of the JANET community of Higher and Further Education organisations is that warning those breaching copyright by illicit file-sharing can be very effective in reducing its prevalence. We therefore welcome the original consultation’s focus on an effective system of notification.
5. However we note that the process of identifying the individual responsible for particular Internet traffic may be complex, and in some cases impossible, so that the duty to inform must not assume that ISPs will always be able to do this. Problems may arise from both business models and technology. Some providers of Internet connectivity (for example free wireless networks in pubs, hotels and other premises) have no reason and no means to know the identities of their users. These providers will therefore never be able to notify individual users accused of copyright infringement. Technical issues principally arise from the fact that there are fewer IPv4 addresses than humans, so that ISPs have to allocate the same IPv4 address to more than one user. An address may be shared by users simultaneously using Network Address Technology (NAT) technology, or reused by different users at different times using the Dynamic Host Configuration Protocol (DHCP). Evidence of infringement must therefore include times synchronised to a standard time source and accurate to within a second and the IP addresses used by both the infringer and the service to which they were connected. Even with this information, if two users of a NAT system were accessing the same service at the same time, it may be impossible to distinguish their activities. Any duty that orders an ISP to notify the person responsible for every infringement is likely therefore to be impossible to satisfy.
6. A further problem is that the logging capabilities of NAT and DHCP devices vary greatly. Some may produce very large quantities of information, some very little. To avoid placing a very large burden on those ISPs whose systems produce complete logs we therefore consider that there should be a time limit within which rights-holders must send their complaints and that this limit should be at most a few working days. A short limit is also likely to be required to ensure compliance with the Data Protection Act 1998. Although some ISPs may be retaining related logs under the Data Retention (EC Directive) Regulations 2009 it is not clear in law whether that information can be used other than for criminal and terrorist investigations.
7. We agree that there should be a limit on the number of complaints that ISPs are required to receive subject to the duty, to avoid placing an unlimited burden on ISPs and their systems that may also be required to investigate other, criminal, activities.

Serious Infringer Provisions

8. As in our responses to previous consultations, we believe that the proposals to help target civil action against serious infringers strike a good balance between enforcing intellectual property rights and protecting individual privacy. We welcome the additional detail provided on pages 20 and 21 of the process whereby rights-holders could target serious infringers for civil court action.
9. However the paper does not make clear whether it would be the ISP that kept records of number of complaints against each of their customers (as in 4.19), or whether the intention is that the rights-holder should be given some anonymised tag for the user associated with each complaint (as seems to be implied by 4.20 and 4.21). We believe that the process will be more accurate, less open to abuse, and raise fewer legal issues if it is the ISP that keeps the records. The ISP must, in any case, retain this information to know which level of a graduated sequence of warnings a customer should be sent. Converting the information to an anonymised tag would involve risks of misidentification and might also allow a rights-holder (or someone claiming to be a rights-holder) to discover the identity of a user by, for example, making a complaint about information on a personal page or in an attributed posting. We therefore recommend that the ISP keeps a record of the dates on which warnings were sent to each user and informs the rights-holder only that a complaint has taken the user beyond a final warning. The rights-holder can at this point decide, knowing that they are dealing with a serial infringer, whether to initiate civil action by seeking a Norwich Pharmacal order to discover the infringer’s identity.
10. Whichever of ISP or rights-holder keeps the information, the legislation must define a time limit within which a series of breaches will be considered a serious infringement, and therefore a maximum retention period for records of warnings. Contrary to paragraph 4.34f we consider that this information is personal data within the meaning of the Data Protection Act 1998 (if could not be linked to an individual there would be no point in keeping it); an anonymous tag held by a rights-holder might be personal data, depending on the location of the material that triggered the complaint so, according to the Article 29 Working Party’s Opinion 1/2008, must be treated as if it is.

Technical Measures

11. We welcomed the original consultation document’s proposal that Ofcom should review the effectiveness of the system of warnings before considering whether additional technical measures were required. We are therefore concerned that the ministerial statement appears to have ruled out this evidence-based approach to determining whether additional measures are required on the grounds that evidence gathering will take too long.
12. Ofcom and other surveys have clearly shown that iIlicit file-sharing has become the normal way for a very large number of UK citizens to gain access to music. Changing behaviour that is regarded by many as in no way improper will inevitably take many years and involve a complex interaction of economic, social and regulatory factors. Any attempt to impose change more quickly and without proper data is very likely to have unexpected results. When dealing with the Internet, an infrastructure that has been identified by other Government policies as critical to the nation’s future, such results could well be economically, educationally and socially harmful.
13. We believe that it is essential that any decision on technical measures is based on an assessment of necessity, proportionality and effectiveness of the kind envisaged by the original consultation document. This assessment must include the fact that, despite the suggestion in paragraphs 4.5 and 4.23 that technical sanctions can be imposed on an individual infringer, in fact they will impact all those sharing the same ISP subscription, including innocent family members who may rely on the Internet connection for their business, commercial, educational and social activities.
14. This is particularly important if, as suggested by the ministerial statement, technical measures may include the option of requiring ISPs to remove Internet access from repeat infringers. The Digital Britain Report identified the crucial importance of universal access to broadband for the country’s economic and social prosperity; the Government’s education policy considers universal home access so important that Internet-connected laptops are being given to disadvantaged pupils and their families. Mandatory disconnection for copyright breach represents the reversal of those policies and we have seen no evidence that would justify such a complete change of approach.
15. Depending on how the technologies of legitimate and illicit use develop, all the control measures suggested in paragraph 4.23 have the possibility of restricting or preventing legitimate and beneficial business, commercial, educational and social activities (for example on-line education often uses audio and video streaming that would be affected by bandwidth capping or shaping). We would also expect the impact on ISPs to be taken into account in the assessment, since some of the suggested measures, for example bandwidth management, may require them to invest in new equipment.
16. We also note that many of the proposed technical measures may in any case be easily rendered ineffective by changes in technology, such as the use of tunnelling or encryption.
17. Because of its likely impact on the alleged infringer and innocent family members, we consider that the imposition of technical measures should require a higher standard of evidence than the mere allegation that is required to trigger a written warning. Before the state compels an ISP to restrict Internet access from a particular address – with all the social, educational and financial disadvantage that will involve – the evidence against an alleged infringer should be considered by an independent third party. Neither rights-holders nor ISPs can properly assess the evidence: rights-holders cannot assess the strength of evidence that a particular individual was responsible, ISPs cannot assess the strength of evidence that a copyright infringement has taken place.
18. Finally, we note the finding of the French Constitutional Court that disconnection that was not approved by a judicial authority was a breach of human rights. As in all our previous consultation responses, we must stress that disconnection is a severe educational, social and economic sanction that will be imposed on innocent members of a household where one member is accused of copyright breach. We believe that this would be a disproportionate response to behaviour that has not been found to reach even the minimum threshold for criminal copyright breach as defined in s.107 of the Copyright, Designs and Patents Act 1988.

Responses to specific questions

Q2 As in paragraph 6 above, we agree that there should be a time-limit within which complaints must be made, and consider that this should be no more than a few working days to ensure that excessive logs do not need to be kept.

Q4 If complaints are to result in a duty imposed by legislation we believe that the minimum evidential content of a complaint must also be stated in the legislation. As discussed in paragraph 5 above, evidence that demonstrates that an infringement has taken place may not be sufficient to allow the identification of the individual responsible. We also consider that the duty must recognise that in some circumstances it will be impossible to identify that individual.

Q5/6 As in paragraphs 6 and 7 above, we consider that there should be both a time limit on making a complaint and a volume limit beyond which the duty will not apply, to allow ISPs to provide an appropriate level of resources and to avoid complaints subject to this duty from competing for resources with ISPs’ other legal and social duties that may be more important (e.g. providing evidence for criminal investigations and identifying other types of Internet misuse).

Q7 We are concerned that the chosen allocation of costs should not give an incentive to remove safeguards from the process. The model must also scale fairly for different stakeholders as use increases or decreases – for example postal communications have a fixed, per letter, cost, whereas electronic communications do not – and reflect the expected benefit to each party from a reduction in copyright breach. We do not believe that the simple 50:50 division of costs proposed in the ministerial statement meets any of these requirements. Since costs of detection and enforcement are likely to change as technologies develop, their allocation should be left to the more flexible Code of Practice rather than fixed in legislation.

Q8 As discussed in paragraphs 9 and 10 above, we anticipate both legal and technical difficulties if the collection of information is done by rights-holders owing to the risks of mis-identification and accidental or deliberate privacy breach. We therefore recommend that the collection be done by ISPs and that rights-holders be notified when a complaint exceeds a defined threshold number (within a time period) for that individual.

Q11 As in paragraphs 15 to 17 above, we consider that the test of proportionality of any measure must include consideration of the impact on innocent individuals who share an ISP account with the alleged infringer, of the impact on the infringer’s legitimate and desirable activities, and of the costs for ISPs and effectiveness of the measures. All of these factors are likely to change with the development of new technologies and practices, so proportionality may well need to be re-assessed periodically in the light of these developments. We also consider that evidence of each infringement should be assessed by an independent body before technical measures are imposed. As in paragraph 17 above, if disconnection is a possible technical measure, we consider that this scrutiny must be performed by a judicial body.

Q12 We consider that a review of the effectiveness of the targeted warning process is essential before considering further technical measures. The original consultation suggested that this be done after 12 months, which we considered likely to be too short a period for an assessment to be valid. As the consultation notes, effectiveness is dependent on changing widespread attitudes to copyright file-sharing and this is unlikely to even begin until there is significant media coverage of notices and targeted court action. Both rights-holders and ISPs will require time to establish their processes and systems, and to make available alternative legitimate sources of material; this may well take several months. Since the repeat infringer process is itself likely to require several months for each case, it is quite possible that the targeted information process will not be used at all in the first 12 months, making it impossible to assess its effectiveness in changing behaviour either of repeat infringers or the wider public. We therefore considered that either the review should take place after a longer trial period, or that the criteria for the assessment should be made much more realistic in view of what is likely to be achieved in an initial start-up period. As in paragraph 12 above, we consider that attempting to decide on the effectiveness of measures in an even shorter period, as proposed in the ministerial statement, runs a serious risk of implementing measures that damage the country’s economic, social and educational interest.

Q19-20 As in paragraph 2 above, we consider that the apparent mis-statement in paragraph 4.10 that the duty will apply to all providers of Electronic Communications Networks or Services makes it impossible to determine the intended scope of the duty and therefore whether any additional exemptions may be required.