The Digital Economy Act 2010 places a number of requirements on internet service providers.
This document defines a number of suggestions for aspects of the code about initial obligations as specified in the Digital Economy Act 2010. OFCOM shall create a code, or approve a code written by someone else. I would like to see these ideas considered by anyone drafting a code to meet the requirements of the Act. They are my ideas, and will be modified in light of debate and discussion.
I would like to thank those that have commented on this web page so far.
What this code has to achieve...
- A code OFCOM will adopt - so we can't require all copyright owners to stand on one leg whilst singing twinkle tinkle little star and writing the complaint on a whiteboard outside our office with their left hand. It has to be reasonable.
- A code ISPs can live with - so it has to be practical. We need copyright notices (on the whole) to be processable in an automated way, otherwise we would need copyright owners to pay for our time and effort providing them with a communications service. If we can automate it, then it is cheaper and maybe even free.
- A process that is not open to abuse - as with anything on the internet, especially rules tied in to law, we have to be sure it cannot be abused. We need to avoid anyone spamming copyright notices, or using them as a means to spam our customers. The copyright notices are a means to communicate with our customers. So some accountability for sending notices is needed (digital signing, registration, etc).
- A code that is fair - notices like this can cause distress and ultimately technical measures can cause real inconvenience and cost. We need a reasonable standard of evidence. Is there a reason the standard of evidence should be any less than would be required in a court?
Single and bulk infringement allegations
The code needs to address the small rights holder sending one notice, and the large rights holder's agent sending thousands of notices every month. Somehow we need to make it cheap and efficient for large scale reports whilst not making it impractical for small rights holders. To this end we propose two distinct mechanisms of reporting allegations to a service provider.
Small scale reports
Small scale reports can be sent by post to the service provider and enclose a fee for the processing of that report. The service provider would manually process the report and pass on to the subscriber. This would probably be passed on in writing with a copy of the original report, however the Act allows the service provider to send the notice by email. The fee would reflect the level of work involved and the costs involved. Small scale reports would only be applicable where the level of reports is below that for reporting severe infringers or taking technical measures so that the only action by the service provider that is ever needed is the sending of the report on to the subscriber.
The report would have to meet the requirements of the law for the content of the report and the requirements of the code for the standards of evidence. The report has to include the processing fee, or the rights holder has to arrange a pre-payment of the fee to the service provider or an account of some sort in advance. Service providers can insist on payment in advance before processing the report.
This arrangement will inherently minimise any abuse
Large scale reports
Large scale reports will allow rights holders to send reports for a substantially lower fee, possibly even free of charge. The reports can be sent by email to the service provider. However, in exchange for this lower fee and lower cost of reporting, the report has to meet a number of technical requirements allowing the service provider to fully automate the processing and forwarding of the report to the subscriber.
To avoid abuse this only makes sense if the reports are required to be digitally signed. This only works if there is a process for the registration of copyright owners and their agents with digital signatures. The registration process can be run by OFCOM or some agency who counter sign the digital signature. This allows the checking of reports without the need to reference any central database making the process cheap to run. A registration agency can operate on a cost recovery basis charging the rights holders for registration on an annual basis.
Reports, as sent to the service provider
- Each report shall relate to one incident and one stated subscriber IP address
- Reports will be in English
- Large scale reports will include an XML attachment to a defined schema
- Large scale reports will be sent to the email address published for the purpose by the service provider
- Reports will not include unsolicited marketing material
- Emailed reports will have a defined subject line to make it easy to identify, e.g. Copyright infringement allegation relating to IP address XXXX
- Emailed reports shall be by email complying strictly to current internet standards for email. Non compliant email may be rejected by the service provider.
- Emailed reports shall be encoded (where applicable) in UTF-8 character encoding
- To allow for smaller service providers that are not able to process XML, the report will include a plain text part as well as an XML attachment. The two parts will be consistent in their content and meaning.
- The report shall include a valid email address for the reply
- The report shall include a unique reference number to be quoted in the reply
- The report shall meet the requirements listed in the Act
- The report shall identify the full legal identity of the copyright owner, and, if applicable, the reporting agent
- The report shall clearly state the name of the copyright material concerned
- Emailed reports shall be digitally signed by the correct signature for the copyright owner quoted in the report
- The report shall not contain text exaggerating the possible or likely consequences of continued infringement or make any untrue statement
Obviously one concern with any automated forwarding of reports is that a report could be made that fails to meet the requirements stipulated and the service provider may be unaware of this. Some redress is needed where this is the case. It may be that we consider the existing redress that exists under under section 22 of the The Privacy and Electronic Communications (EC Directive) Regulations 2003 and The Protection from Harassment Act 1997 and section 127 of the Communications Act 2003 are satisfactory for this purpose as any report not meeting the code would not meet the exceptions listed in such legislation and could result in civil and criminal proceedings against the originator. The code should perhaps make clear that the service provider is acting as a mere conduit in passing on the report and not a party with any editorial control over the content.
Standards of evidence
One of the things the code can stipulate is the standard of evidence that is required. It is important to consider that the standard of evidence has to be high as this whole process provides a means to punish someone without a normal legal process and court hearing.
One consideration to ensure high levels of evidence would be for the code to stipulate somehow (and this may be beyond its remit) that only the details provided in the allegation can be used in any subsequent civil case. i.e. that the allegation has to contain evidence to a sufficient standard that it could be used in a court case on its own merits.
Copyright owners must be very careful to ensure that they only send allegations where they are very sure of the evidence as failing to do so could constitute defamation whereby they are incorrectly telling a third party (the service provider) that the subscriber is carrying out unlawful acts, and that would affect the reputation of the subscriber and could result in civil action against the copyright owner.
Evidence has to be of two way communications with the stated subscriber IP address
One of the ways that file sharing is carried out is by use of a tracker. This is an application that reports for a specific file the list of IP addresses that may be able to provide some or all of the content of the file. The tracker is software written by, and for, the people that share files and as such cannot be trusted. Trackers routinely provide invalid (random) IP addresses within the list as this causes little or no impact on the file sharing process. However, it means that you cannot rely on a tracker to tell you if an IP address really is providing some of the file in question. You have to connect to the IP and transfer some data.
It is also important to understand that IP addresses can easily be spoofed. I.e. it is possible to send an IP packet with a fake source address. It is therefore necessary to ensure proper two way communications has been established so as to confirm the IP involved in the data transfer is not being spoofed.
Evidence has to be related to content that is confirmed as being that owned by the copyright owner
It is very common for files to exist that purport to contain some specific material and in fact the do not. It is not acceptable to make an allegation based on the file-name alone. The file has to be downloaded and checked to see if it actually contains the material that is owned by the copyright owner. It may be that only part of the file need be loaded and checked to confirm this. It is also possible a file is downloaded and checked and all files claiming the same name and hash could be assumed to be the same file. A hash is a code derived from the file and so no two files that are different would be expected to have the same hash. This means copyright holders can search and find IPs that are serving a file automatically once they have manually confirmed the file is their material, but they could not work just on file-name alone.
Format of allegations (to ISPs)
A formal XML standard needs to be defined
More work needed
Format of allegations (to subscribers)
As per the Act the notice to the subscriber can be by email. It should be made concise and clear with references to external links (web sites) that contain more of the detail.
More work needed
Costs for allegation notices
The service provider has not committed any civil or criminal wrong in this situation and is being asked to act as a messenger between two parties in a civil dispute. It is only reasonable that the service provider is compensated for their provision of such a service. It may be that in the case of fully automated report processing this can be considered to be a very low cost per report or possibly free of charge.
More work needed
Other costs (OFCOM, appeals body)
The service provider has not committed any civil or criminal wrong in this situation and is being asked to act as a messenger and possibly enforcer in a civil dispute between two parties. It is only reasonable that the service provider is compensated for their work in this matter and that the rights holders fund OFCOM and any appeals process.
It is not unreasonable that a person making an appeal and losing the appeal should have to pay for making such an appeal and this could be a way to help fund the appeals process.
More work needed
It is hard to see any situation where any person would consider lodging an appeal in the case of any broadband internet access service. In the case that someone has had technical measures taken or threatened against them they simply have to request a free migration code from their service provider and migrate to another provider. This will have a guaranteed outcome with a known cost (usually zero) and time scale thanks to a lot of hard work by OFCOM ensuring migrations are mandatory and free. Someone trying the appeals route could find they are paying to appeal, and even find that they lose an appeal where they have not done anything wrong (e.g. failed to secure a wifi network, which is not itself any legal requirement for them to do). As such, given the choice between a chargeable, risky, and slow process of appeal, or a quick, free and reliable process of migrating provider I cannot see anyone choosing the former.
However, the Act requires an appeals process. It may be that in some cases there is some downside to migration and the service provider is not prepared to change the contract to a different party one end or the other. It may be that the contract is for hosting in a data centre and migration is neither free nor simple. As such a process needs defining.
More work needed
Reply to a report
We think it would be sensible for any report to received to have a reply from the service provider. Obviously a reply can only be mandated by the code where the report is valid (as an invalid report is not subject to the Act and the code and so could simply be deleted) but it is recommended that any service provider that normally processes such reports should send a reply for invalid reports as well.
|FORWARDED||The copyright infringement report has been received, processed and forwarded to the subscriber in accordance with the Act.|
|NOLONGERSUB||The copyright infringement report has been received, processed and forwarded to the last known contact details of the subscriber. However, the subscriber at the time of the report is no longer a subscriber so the details may not be current. The service provider may choose not to provide this level of additional detail and may send FORWARDED instead if they wish.|
|NODETAILS||The report relates to a former subscriber but the service provider no longer holds valid contact details for the subscriber and as such the report could not be forwarded.|
|INVALID||The report received was invalid in some unspecified way and has been discarded. It is recommended that a more specific response be given where possible.|
|NOTSP||The recipient is not a service provider. It is recommended that the copyright owner or their agent refrain from sending any further copyright infringement notices to this recipient as doing so may constitute harassment.|
|IPNOTMINE||The IP specified is not one that is routed or allocated by the recipient. The copyright owner should check the whois and contact details carefully|
|IPNOTLIVE||The IP specified is one that the recipient handles in some way but is not a routed IP address. i.e. it is not an IP address that relates to any active equipment.|
|IPNONSUB||The IP specified is a non subscriber IP. i.e. it relates to a valid and routed IP address but it is not an address of a subscriber as defined by the Act|
|IPOFFLINE||The IP specified is a subscriber IP. However the service provider logs confirm that the subscriber was not on-line at the time specified and as such, at that time, the IP was not routed. The report therefore contains demonstrably invalid evidence and as such is not a valid report.|
|IPINVALID||The IP is not valid in some way. e.g. RFC1918 IP address or incorrect syntax of IP address.|
|TOOLATE||The report was not received within the timescale required by the Act|
|INCOMPLETE||The report was not complete in some way|
|UNKNOWN||The report is from an unknown copyright holder or agent|
Emails are considered delivered when accepted by any of the public MX record servers for the target domain.
Should the reply email be rejected the service provider can consider that the original report failed to contain valid contact details and is therefore invalid.
Maybe these codes code be a main VALID/INVALID response and a sub code proving the extra detail, optionally.