apComms enquiry into Internet Traffic (May 2009)
- The JNT Association Ltd. (trading as JANET(UK)) is the non-profit company limited by guarantee that operates the JANET network on behalf of the Higher Education Funding Council for England and other UK education funding councils. JANET is a transit network connecting the networks of all UK universities, colleges and research organisations to each other and to the Internet, and also inter-connecting regional schools networks. As a provider of high-speed networking services to research and education organisations we have daily experience of the extent to which a transit network provider is, and is not, able to police content flowing across the network; as a funding member of the Internet Watch Foundation (IWF) we also understand the strengths and weaknesses of the IWF’s approaches to reducing the availability of illegal on-line content in the UK. Our response therefore addresses questions 1 and 4 of the enquiry.
#1 Can we distinguish circumstances when ISPs should be forced to act to deal with some type of bad traffic? When should we insist that ISPs should not be forced into dealing with a problem, and that the solution must be found elsewhere?
- We would first observe that the concept of “bad” Internet traffic is far from simple, that the distinction between “bad” and “good” is rarely clear, and often not even consistent. “Badness” is very rarely a technical matter; more often it is a legal construct (for example copyright versus fair use), or a perception of an individual user (spam versus unexpected purchasing opportunity). Indeed a significant number of recipients appear to consider that advance fee fraud mails are “good” though society as a whole considers them “bad”. Any attempt by governments, ISPs, or anyone else, to impose their definitions of “bad” and “good” is therefore certain to differ on occasion from the perceptions of individual users. Furthermore, any attempt to implement that definition by technical means is likely to suffer from a significant proportion of mis-classifications and therefore reduce the extent to which Internet communications can be relied upon. Any proposal to encourage greater control of traffic must provide benefits greater than these disadvantages.
- Many Internet users now obtain different services from different organisations: for example a typical user may connect to the Internet through a mobile phone company, use (invisibly) an international transit network to access their e-mail account on a webmail service provider, and to post their holiday snaps on a social networking site. The providers of these different services have inherently different capabilities to control the content viewed and published by the user. Rather than applying a single model of “ISP”, therefore, regulation needs to consider these different roles and consider whether the current regulatory regime provides the right incentives to exercise that control in ways appropriate in a democratic society. The Electronic Commerce (EC Directive) Regulations 2002 (S.I. 2002 No. 2013) recognise three roles: connectivity provider (“mere conduit” in Reg.17), caching service (Reg.18) and hosting provider (Reg.19). We consider that the connectivity provider role may have separated into two forms: transit providers that connect organisations or networks to each other and access providers that connect individual users and their computers to the Internet. An access provider will generally have a user account for each of its customers: a transit provider will not. The potential for each of these roles to distinguish “bad” from “good” traffic, and the current incentives on them to do so, will be considered in turn.
- Contrary to the assertion in the consultation paper, technology has greatly reduced the ability of transit providers to classify or control Internet traffic. The volume of traffic has grown exponentially and even hardware-based routers often have very little spare capacity available to support classification or control measures. Determining even which application is being used is difficult or impossible as modern applications rarely use fixed port numbers or other identifiers of the kind that could formerly be used to identify traffic as ‘web’ or ‘e-mail’, and an increasing volume of traffic is encrypted so that its content is completely opaque to the transit network. The impact of any control measure that may be taken by a transit provider is similarly much harder to predict: the common technique of Network Address Translation (NAT) means that a single Internet Protocol (IP) address seen by a transit provider may refer to a single computer or an entire company. As was seen in the recent incident where a page on Wikipedia was listed by the Internet Watch Foundation, control measures implemented by hosting providers and access providers may interact in unexpected ways with those implemented by transit providers resulting in unpredictable and undesirable results. We therefore conclude that any encouragement of transit providers to control content would be far more likely to damage the stability and reliability of the Internet than to have any benefit for users. The current regulatory regime, which treats transit providers as “mere conduits” with no liability for the traffic they carry, is far more likely to deliver UK and EU objectives for the reliability and resilience of information infrastructures.
- Caching is a technical process that can be used to speed up delivery of content by storing copies of it closer to its users. The current liability regime, which treats caches as part of the transit network, and therefore exempt from liability, provided they promptly follow instructions sent by the original source of any material they store, ensures that removing content at source also removes it from all caches. Without this provision, enforcement would have to involve every location (potentially thousands) where material might be stored. We therefore consider that the current regulations allow the use of an effective technology to improve Internet performance while ensuring that implementations support effective policing of material at source.
- UK legislation distinguishes hosting providers, who provide the technical platforms through which others can publish, from editors, who act as gatekeepers by selecting the material that they publish. This important distinction gives the Internet much of its value, since most of the vast amount of information available on-line is provided by individuals and organisations, not by editors. To permit some control of what is published, the E-Commerce Regulations and other legislation (covering, for example, defamation, copyright and terrorism) establish ‘notice-and-takedown’ regimes, whereby hosting providers (but not editors) are excluded from liability until they are notified of specific allegedly-infringing material that they host, but may share any liability if they do not act promptly to remove the material thereafter. The Law Commission noted in 2002 that such regimes give the hosting provider no incentive to examine the accuracy of any allegation before removing the material complained of, and that “the pressure to remove material” may conflict with “the emphasis placed upon freedom of expression under the European Convention of Human Rights” (Defamation and the Internet: A Preliminary Investigation, Scoping Study No 2, para 1.12). However a more serious concern is the lack of clarity over the legal position if a hosting provider makes its own attempts to identify infringing material. Ideally such a provider should be in the same position as one that receives notice from someone else: liable in respect of that material only if they fail to act promptly when they discover it. Instead it has been suggested that a hosting provider that attempts to detect infringing material of any kind immediately acquires liability for all infringing material that may be on their service, on the grounds that they have demonstrated some intent and ability to edit and select content and are therefore no longer merely a hosting provider but an editor. 
For providers that wish to remove inappropriate material from their own services, but are aware that checking can never guarantee to detect all problems, this potential liability can be a significant deterrent. We therefore consider that the law needs to be clarified to ensure that a hosting service that detects problems on its own service is in the same position as (or at least no worse than) a service that waits to receive notice of the problems from others. Such a change would encourage quicker removal of some types of inappropriate content.
- The Regulations do not distinguish between connectivity providers and transit providers, giving them both the same “mere conduit” status. However connectivity providers that can distinguish individual users and computers may be more able to identify some types of inappropriate use and to apply controls with more predictable results. For example a connectivity provider might be able to determine that a user’s computer was sending an unusually large number of e-mails and limit the rate at which these were processed to reduce the impact of a potential spammer. However such a pattern might also indicate that the user was inviting friends to a birthday party, so interpretation and controls need to be used very carefully. As discussed above, there are many Internet activities where “bad” and “good” use are identical in technical terms, and it is unlikely that these could be identified or controlled by any connectivity provider. However current regulation does not encourage, and may actually discourage, the use of such capabilities as do exist. Two situations need to be considered separately: measures to protect customers from the Internet, and measures to protect the Internet from customers.
- We consider that the UK’s competitive market in connectivity provision provides the appropriate incentive for measures by connectivity providers to protect their customers from “bad” Internet traffic: customers can choose providers based on the protection they offer, and should also be able to configure such protection to suit their individual requirements for Internet access. Regulation could help in this by ensuring that networks that offer such protection to their customers do not risk losing their mere conduit status in respect of other injured parties.
- As discussed above there may be limited measures that connectivity providers could take to protect other Internet users from their customers. Competition does not appear to provide appropriate incentives to implement such measures; indeed, since they will occasionally mis-classify a customer’s behaviour and incorrectly curtail the customer’s Internet access, competition may well act to discourage such measures. However we consider that making connectivity providers liable for damage caused by their users, as has been suggested by some authors, is not an appropriate approach. Since such liability could extend to every user of the Internet it would encourage connectivity providers to severely restrict Internet access and use to an extent that would prevent the achievement of national objectives for an information-based society and a reduction in the digital divide. A notice-and-takedown regime for customer connectivity would suffer from the same problems as identified by the Law Commission for hosting, but to a much greater extent because of the greater incentive to providers to disconnect users and much greater impact for users when they did. We therefore believe that other incentives for access providers need to be examined and great care taken to ensure that they do not harm the national interest in a dependable and widely available Internet.
- We therefore conclude that the current regulatory incentives for transit providers and caches are right and that the status of hosting providers who self-police should be clarified and, if necessary, corrected. An examination of possible incentives for the use of out-bound controls by access providers should be conducted, while recognising that it may be impossible to achieve an acceptable balance. A certain level of “badness” of traffic may be an inevitable consequence of obtaining the benefits of the Internet as a communications medium.
#4 Is the current global approach to dealing with child sexual abuse images working effectively? If not, then how should it be improved?
- The current global approach involves two methods of reducing the availability of indecent images of children: removing the material at source from the services that host it and deploying technical measures to make it harder for Internet users to access the material. The effectiveness of these approaches is markedly different.
- The first approach, removing material at source, is already highly effective for images hosted in the UK. According to the Internet Watch Foundation (IWF), since 2003 less than 1% of domains hosting such material have been in the UK. Dealing with images at source also removes them entirely from the Internet, thus benefiting all users. We consider that removal at source, whether by self-regulation as in the UK or otherwise, should be the preferred option. However it appears that there are still problems in having material removed from hosting services in other countries, despite widespread international agreement on its illegality. Recent studies by Cambridge University have shown that illegal banking websites are closed down much more quickly than those containing illegal images of children. The first priority should therefore be to improve the speed of removal of illegal images on international services to the standard already achieved by the banking industry, and then further improve both. We welcome recent announcements by the IWF and the Child Exploitation and On-line Protection Centre (CEOP) of action in this area.
- The second approach, of using technical measures to make it harder for users to access illegal material, can mitigate the problem to a limited extent, but is much less effective. The basic technology of the Internet means that it will always be possible for a determined user to circumvent any technical measures, so these should be regarded, at most, as only protecting against accidental access. Filtering such material in the network backbone, as is done by the majority of UK broadband ISPs, is particularly easy to evade. Unfortunately the encryption technologies that Internet users should use to protect their personal data flowing over the Internet also significantly reduce the effectiveness of backbone filtering, so as more customers adopt good privacy practice, the degree to which they are protected against even accidentally accessing filtered material is likely to decrease. Filters implemented on Personal Computers can be somewhat more effective in preventing accidental access, and can also protect individual users against unsuitable, as well as illegal, material. However it appears that many users are tempted to disable such filters to improve the performance of their computer, thereby leaving themselves, and probably other users of the same computer, unprotected. Although it is possible to prevent PC filters being disabled, this requires more discipline in the use of privileged accounts than most users, and many operating systems, currently demonstrate.
- We therefore consider that the first priority should be to improve the removal of internationally-hosted material at source, and second that tools and advice to PC owners on using content filters should be improved. Filtering in the core network is likely to be less effective than either of these.