Thursday, November 26, 2009

OK I said I'd stop but..

.. then OUT-Law asked me to comment on the implications of the Digital Economy Bill, especially for organisations and businesses that provide wi fi networks; and this made me think a bit more about how unworkable this whole scheme is.

As I said to OUT-LAW, among the proposed new sections of the Bill is s 124A(1)(b) , which says that action can be taken not just against someone suspected of infringing copyright, but also against "a subscriber to an internet access service [who] has allowed another person to use the service, and that other person has infringed the owner’s copyright by means of the service". This might well be interpreted to mean that anyone who operated unsecured wi fi was "allowing" others to download using it; and be held responsible for it. BIS has indeed so indicated in previous press statements.

One solution to this , as I discussed with OUT-LAW would be an unfortunate one; to effectively prohibit unsecured wi fi networks. But actually, even locking down its network (wi fi or fixed) is not a solution for businesses and the like. A domestic user with a secure wi fi network knows the small number of people who might have infringed using that network, so perhaps responsibility is not so draconian an assumption. But what of corporate networks of thousands of employees, or "public" places like McDonalds Hamburgers , where thousands are currently attracted by the use of free wi fi? Giving a wi fi or network login and password (as McDonalds do, as required by their hotdpot provider, The Cloud) is still, it seems to me, "allowing" that person to access the network.

The network operator might well try to defend itself by proof it was not the person at fault; but the opportunity to put that case would not, in the current skeleton scheme, perhaps come until after disconnection - at which point there is an appeal to a tribunal and thence to the courts. This could take years - after which time evidence of IP addresses, logins, timestamps, and the like might be hard to reconstruct. There is an appeal of kinds available to a "named person" immediately after the "warnings" ; but the detail, grounds and scope of that appeal are vague in the extreme and it is clearly only a very interim process. It might, eg, prove to be an opportunity only to dispute the exact factual details of the IP address collected, or the timestamp.

So are businesses like McDonalds to be held responsible for the copyright infringements of all their customers? Are universities to be held liable for all their students? At the moment it looks like it. Even if the result was only temporary disconnection, this could have a crippling effect on many businesses.

BIS apparently suggest that " the problem be solved by Wi-Fi operators policing their networks. "Many premises that offer public Wi-Fi access already disallow access to unlawful file-sharing sites," said the BIS statement. "Software which limits or prevents access is freely available and easy to install and we would anticipate any responsible organisation offering Wi-Fi access would take action if it appears their connection is being misused." [from OUT-LAW]

Such software solutions do indeed exist, but anyone running a large, fast network will tell you they are far from a complete solution. McDonalds' free wi fi may be far to slow for practical downloading of MP3s (I haven't tried it, but I suspect so) but I bet IBM's or my own university's network isn't - because these networks get used by real employees for serious legitimate purposes. Even in cafes, it takes more to stop P2P than just blocking the URL of the Pirate Bay site. Universities have been trying to stamp out illegal P2P filesharing on their networks for years, if only because they overload the bandwidth(their Acceptable Use Policies nearly always make illegal dowloading a disciplinary offence), and have still generally failed. Blocking the P2P protocol entirely is also counter productive; as is now well known many legal products such as BBC iPLayer now use this protocol. Will I find one day I cannot show a BBC programme to my students because the university has had to block iPlayer?

The only apparent get out for businesses and public bodies may lie in the definitions section of the Digital Economy Bill (cl 16, amending the Communications Act 2003) which says that a "subscriber" (who receives warnings) does *not* include someone who received Internet access as a "communications provider" (CP) themselves. This is intended, I think to protect ISPs who themselves merely retail bandwidth wholesaled by larger ISPs , on the grounds they should be regarded as ISPs giving access to infringers, not infringers themselves. But can it apply further?

The definition of a CP already within the Communications Act 2003 is someone who provides (as per s 32 of that Act) either an "electronic communications network" or an "electronic communications service". Both definitions are quite complex, but without going into more detail. they seem intended to cover those who offer telecommunications services as their main or sole business - ISPs, phone companies, etc - not other kinds of businesses or premises which merely, as a "side order", offer a wi fi or fixed line network.

But even if the definition of a "communications provider" could be stretched to cover the likes of businesses likeMcDonalds, or universities, it would seem likely it could then also be stretched to cover any domestic consumer who offered his household or area wi fi access. This would contradict statements from BIS as above, which have seemed quite clearly to say that domestic wi fi is one of the targets of the legislation.

Also, to make a bad matter worse, if BIS did agree that a business (say) was to be regarded as a "communications provider" not a "subscriber", and thus be free of the risk of disconnection, it would also mean that business was to be subject to all the obligations placed on CPs by OFCOM under the Communications Act 2003; and even worse , if they qualified as a PUBLIC "electronic communications service" or "network" provider (see s 151 of the Comms Act 2003 - also somewhat controversial but very likely to apply at least to any open wi fi network), they would be caught under under the recent Data Retention Directive Regs , and required in principle to retain emails, traffic data and texts sent using their facilities, for later possible police access. I can't see this going down well with small businesses, or even small families.*

Can BIS simply stick in an exception, avoiding the whole CP farrago, that eg, "public and educational institutions providing not for profit wireless networks services to the public, or some section of the public" shall not be regarded as "allowing " access under s 124A(1)(b)? Well not without abandoning the whole point of the Bill. Because then, in essence, the Bill will only cover domestic users and domestic wi fi. Any infringing downloading at work, university, cafes, hotels etc will not be covered. Is there really much point in such legislation?

Alternately, BIS can stick to its guns and declare that businesses etc are covered by the Bill just as much as domestic subscribers , which will mean businesses, to defend themselves from disconnection, will have to (a) lock down all networks and (b) even then, spend their own money when they start to receive warnings, on internally allocating blame, by ascertaining who was using that login at that time etc etc : fiddly, expensive, fun in open plan offices with hot desking :-) and quite likely, sometimes simply impossible.

Tricky, isn't it? I welcome further responses from BIS.

*Reg 8 of the DRD Regs 2009 may be a get out for SMEs and individuals here - since it says these obligations only fall on PECS or PECN providers by notice : but (a) thus leaves room forlots of FUD and (b) the legality of thus rule in respect of the UK's obligations under the original Directive is more than dubious.

EDITED after comments : 27/11/09.

1 comment:

Anonymous Bloger said...

Thanks for all your hard work bringing much needed attention to this terrible piece of legislation. Some of the issues are fairly technical and you do a good job of explaining them.

I've just given my opinion on the bill over on my blog:
and will be doing my best to spread the word and will be lobbying my MP.

If anyone happens to read my blog post and has any comments I'd be very grateful. I care a great deal about these issues, but am very new to bloging so I'm sure make many mistakes.