Send this statement from openrightsgroup.org
via email to Campbell Cowie at ofcom http://stakeholders.ofcom.org.uk/consul ... ringement/
enclose coversheet with your email - http://stakeholders.ofcom.org.uk/consul ... oversheet/
Dear Mr Cowie,
Please find below my answers to the questions set out in the consultation Online Infringement of Copyright and the Digital Economy Act 2010.
I believe that the code does not comply with the Digital Economy Act and I therefore ask Ofcom to set up a new consultation round. The areas I am particularly concerned about include the gathering of evidence, the identification of customers, data retention by ISPs, the threshold for notifications sent to the subscriber and appeals.
No definition of the process by which evidence is collected
Section 7/124E(2) of the DEA requires that the initial obligations code makes the required provision about CIRs by specifying “requirements as to the means of obtaining evidence of infringement of copyright for inclusion in a report”, and “the standard of evidence that must be included”. The draft initial obligations code makes no provisions specifying the means of obtaining evidence of infringement of copyright for inclusion, and neither does it make provisions specifying the standard of evidence that must be included.
Section 3.5 to 3.7 of the draft initial obligations code outlines, in relation to evidence gathering process what it calls a “quality assurance process” but this process does not specify the means of obtaining evidence or the standard of evidence included, only that the copyright owner will have to follow the process outline in their quality assurance report which is to be submitted to Ofcom. The DEA does not require such a quality assurance system.
The code does not currently require evidence to be robust
Ofcom appear to want evidence gathering systems and processes to produce robust and accurate results, but provides no explicit statement in the Draft Code that those processes are required to be "robust and accurate".
No definition of the process by which customers are identified
The DEA also requires that Ofcom's Initial Obligations Code specify the means by which subscribers are identified by ISPs. In order to ensure that citizen's interests are protected properly we should be given the full detail required by the Act – otherwise we are not able to comment on whether safeguards are in place or not.
Section 7/124E(3) of the DEA requires that the initial obligations code create provisions covering the notification of subscribers for whom the internet service provider receives one or more CIRs. These provisions include “requirements as to the means by which the internet service provider identifies the subscriber”.
In contrast, the quality assurance process outlined in Section 4 of the draft code does not make “requirements as to the means by which the internet service provider identifies the subscriber”, but instead only requires that the qualifying ISP complies with the process outlined in their own quality assurance report.
No provisions explaining how ISPs keep information about subscribers
The DEA requires that Ofcom's code makes provisions about how ISPs keep information about subscribers. This information is important in order that the public are able to assess the privacy risks inherent in the storage of this data, including whether the information stored will be secure from tampering and misuse. I believe it is a serious problem not to be able to comment on this key element of the Initial Obligations Code.
Threshold for determining a 'relevant subscriber' is not set
The DEA requires that Ofcom's code sets a threshold of notifications made to a subscriber in relation to a copyright owner (Section 7/124E(1)(c)), in order that they are a 'relevant' subscriber whose details may be offered after a court order to the copyright owner. The code instead offers a scheme by which, after three notifications from the ISP, they are placed on a list (of “repeated infringers”). So the code sets a threshold for determining “relevant subscribers” in relation to notifications sent by ISPs and not CIRs received by ISPs. This does not comply with the DEA.
That Parliament expected thresholds to be set by the code was recognised in the debates:
"We absolutely accept that the concept of a threshold is important, and the Bill allows for it. Our approach to the threshold is that it should be for the code, but I recognise that this is not a sufficient answer. Let me say that we would expect the threshold to be based on the number of CIRs received over a period of time. The details should be left to the code. I accept that we must develop the concept of a threshold. We make allowances for it in the Bill and we will put flesh on to the bones in the code."
Lord Young, 12 January 2010 http://www.publications.parliament.uk/p ... 2-0011.htm
The very notion of a 'threshold' distinguishes it from the process of sending three notifications.
Instead of the approach mandates by the DEA and advocated by the government front bench, Ofcom have conflated CIRs and notifications sent to subscribers. The public need to see the details of a fully functioning, compliant scheme in order to assess its fairness and efficacy by offering this non-compliant alternative, it is denied that opportunity.
The entire process of collection and storing of data in this area is fraught. Personal copyright infringement is, ultimately, a matter between private parties and not something endangering state security or being a matter of serious crime: the type of infringement targeted not a crime, but a tort. Each copyright infringement notice may relate to a music file with a retail value as low as 35p, but is almost always a matter of small sums of money, not state or public security.
The case for collecting and storing information about private individuals on the internet by private parties needs to be set out. The reasons why personal data may be processed are called “conditions for processing” under the Data Protection Act. The Code should set out what the justifications are.
[ Ref. http://www.ico.gov.uk/for_organisations ... ssing.aspx
These conditions need to be set out for both the private parties and the ISPs databases of infringement allegations.
The code fails to explicitly state whether the subscriber's data and IP address are sensitive personal data under the Data Protection Act 1998. IP addresses and other personal data relating to the subscriber consist of information as to: “any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.” This is extremely important, as this affords greater standards of protection and access.
In particular, I urge Ofcom to assess whether the draft initial obligations code, which is to become secondary legislation, complies with the relevant EU data protection and data retention directives. Unfortunately the UK government has failed to properly implement EU data protection and retention standards into UK law, therefore I ask Ofcom to assess compliance with EU standards, not just UK law on the matter. In particular I am concerned that the code places a duty on internet service providers to retain IP logs for the purpose of matching CIRs to subscriber details for 10 days, and Ofcom needs to ensure that this complies with relevant EU data retention standards.
I am also concerned that the draft initial obligations code does not make the deletion of CIRs by the ISP an absolute requirement, instead Section 5,.2 of the draft initial obligations code states that: “As far as is reasonably practicable, the Qualifying ISP must retain this information for no longer than 12 months after receipt of the CIR in question.” Ofcom should clearly state that the CIRs need to be deleted after 12 months, failure to do so would then be a non compliance with the initial obligations code.
I also ask Ofcom to clarify how anonymity of notified subscribers will be ensured at all stages of the process.
Content of notifications
The code does not set out a requirement for any standardised content although this was clearly intended by Parliament in order to ensure that the most important content is included in the notification letters. The DEA requires the following information “about subscriber appeals and the grounds on which they may be made” to be standardised:
“information about copyright and its purpose”
“advice, or information enabling the Subscriber to obtain advice, about how to obtain lawful access to copyright works”
“advice, or information enabling the subscriber to obtain advice, about steps that a subscriber can take to protect an internet access service from unauthorised use“.
The code also requires all notifications to include information about: “the ability of a Qualifying Copyright Owner to bring a legal action for damages in relation to an infringement”. This is, however, not required by the Act.
The Appeals process also contravenes the process set out the DEA.
It appears from the draft initial obligations code that an appeal on any grounds can only be upheld if the subscriber proves that “the act constituting the apparent infringement to which the report relates was not done by the subscriber” and “the subscriber took reasonable steps to prevent other persons infringing copyright by means of the internet access service”. The DEA only requires that the subscribers proves the above two cases where the appeal is in relation to either “the apparent infringement to which the report relates was not an infringement of copyright” or “that the report does not relate to the subscriber’s IP address at the time of the apparent infringement”. Hence the draft initial obligations code places a considerable burden of proof on the subscriber which is not required by the DEA.
Section 13/124K(5) of the DEA also requires that the initial obligations code “must provide that an appeal on any grounds must be determined in favour of the subscribers unless the copyright owner or internet service provider shows that [...]” “the apparent infringement was an infringement of copyright” and “the report relating to the subscriber’s IP address at the time of the infringement”. However the draft initial obligations code does not fully implement these DEA requirements. Section 7.23 of the draft initial obligations code states that “a Subscriber Appeal on any grounds may only be determined in accordance with paragraph 7.22.2 (must be rejected) if the Appeals Body is satisfied that there is sufficient evidence to show that, as respects any CIR to which the Subscriber Appeal relates or by reference to which anything to which the Subscriber Appeal relates was done (or, if there is more than one such CIR, as respects each of them): 7.23.1 the apparent infringement was an infringement of copyright, and 7.23.2 the CIR relates to the Subscriber’s IP address at the time of that infringement.” In doing so the draft initial obligations fails to implement the clear requirement for an appeal on any ground to be determined in favour of the subscriber (that is upheld) unless the copyright owner or the internet service provider can prove that “the apparent infringement was an infringement of copyright” and “the report relating to the subscriber’s IP address at the time of the infringement”. The Section 13/124K(5) requirement is of upmost importance because it means that an invalid CIR or failure by the internet service provider to accurately match the IP address would automatically mean that the subscriber appeal is upheld in favour of the subscriber.
“Definition of “copyright owner”
The draft initial obligations code states that a ““Copyright owner” means (a) a copyright owner within the meaning of Part 1 of the Copyright, Designs and Patents Act 1988 (see section 173 of that Act); or (b) someone authorised by that person to act on the person’s behalf.” Hence the Digital Economy Act allows the actual copyright owner and its agent, to make copyright infringement reports against subscribers. It is likely that agencies such as the British Phonographic Industry (BPI) and the Motion Picture Association of America (MPAA) which will be acting on behalf numerous mayor copyright owners, may also issue CIRs to internet service providers independently. This is significant in so far as the Digital Economy Act provides that “the copyright owner may require the provider to disclose which copyright infringement reports made by the owner to the provider relate to the subscriber”. The question is whether an actual copyright owner who has sent CIRs through an agent, or several agents, can ask the internet service provider to disclose the copyright infringement list in relation to the CIRs relating to copyright owned by them.
Importantly the definition of “copyright owner” for the purpose of the copyright infringement provisions only apply to these provisions. For example, the initial obligations code follows the Digital Economy Act in stating that following disclosure of the anonymised copyright infringement list, “the copyright owner may apply to a court to learn the subscriber’s identity and may bring proceedings against the subscriber for copyright.” Under UK law only the actual copyright owner as defined in the Copyright Designs and Patent Act 1988 can apply for such a court order, not the agent, who for the purpose of the copyright infringement provisions is included in the definition of “copyright owner”. Similarly it would only be possible for the copyright owner as defined in the Copyright, Designs and Patents Act 1988 to take a subscriber to court for copyright infringement, not the agent of the copyright owner as defined in the Digital Economy Act for the purpose of the online copyright infringement provisions. However, the current draft initial obligations code does not clearly distinguish between the actions that can be taken by the “copyright owner” as defined by the initial obligations code, and the “copyright owner” as defined in the Copyright, Designs and Patents Act 1988.
Criteria for approval
Section 7/124E(1) of the DEA establishes a set of criteria and Ofcom must not approve the initial obligations code unless it is satisfied that it meets the criteria set out in this section. The criteria for approval of the initial obligations code are:
‘the provisions of the code are objectively justifiable in relation to the matters to which it relates’
‘that those provisions are not such as to discriminate unduly against particular persons or against a particular description of persons’
‘that those provisions are proportionate to what they are intended to achieve’
'that, in relation to what those provisions are intended to achieve, they are transparent’
While the consultation document references these criteria in relation to its decision to not implement some of the DEA requirements, particularly in relation to not complying with Section 5/124C(5) requirement for the Code to set a threshold for qualifying ISPs based on the number of CIRs received, Ofcom has provided no overall analysis on whether the draft initial obligations code meets the criteria set out above.
Threats to WiFi
I am greatly concerned that the proposals made in the consultation document would not allow Wifi to continue to be offered as normal, be it password protected or open.
The definition of “subscriber” and “internet service provider” provided in the draft initial obligations code creates a number of problems, particularly in relation to other definitions provided in the consultation document itself. For example, in relation to the definition of subscriber, the draft initial obligations code states that the internet access service must be provided under agreement. But the consultation document states that a user of a WiFi network would only be a subscriber if the internet access service is provided under explicit or implicit agreement and in return for payment.
But this definition is not contained in the draft initial obligations code. If the definition in the code was applied to users of WiFi, all users of WiFi, including open Wifi, would be subscribers as they all receive it under an explicit or implicit agreement. In turn, because the draft initial obligations code defines “Fixed ISP” as any ISP who “provides a fixed internet access service”, all providers of WiFi would be Fixed ISPs. But the consultation document states that Wi-Fi operators may only be classified as ISP if there is payment, if there is no payment the operator of the WiFi network is a subscriber.[Draft initial obligations code, Section 1] This definition is not in the draft initial obligations code and it is not clear what Ofcom is actually consulting on.
In any case, the definition outlined in the consultation document creates significant problems for operators of wifi networks. The consultation document states that wifi operators providing internet access service on agreement, explicit or implicit, and against payment, are to be “internet service providers” and wifi operators who provide internet access service without any payment are to be classified “subscribers”, meaning that any open or free wifi will be classified as subscriber for the purpose of the act. This means that especially public intermediaries such as libraries and councils, who frequently provide open and free WiFi access to users, would be classified as subscribers, and therefore copyright owners may make copyright infringements reports against them. As these operators are put on copyright infringement lists, they would be subject to court action by copyright owners and to technical measures if those are introduced at a later date. Open WiFi provided by not for profit organisations and public intermediaries plays a key role in providing internet access to all users. For example Islington council provides a free WiFi hotsport, called StreetNet, on Upper Street and Holloway Road near Angel tube station, which provides registered users with free one-hour session (i.e. no payment is required).
Classifying wifi operators who provide the service against payment as “internet service providers” does not necessarily make them immune from the provisions of the act either. That is because the draft initial obligations code provides that any “internet service provider” with more than 400,000 subscribers will be a qualifying ISPs. Ofcom fails to consider that some paid for wifi operators may well provide access to more than 400,000 users. For example, The Cloud, which provides WiFi against payment in the City Of London reportedly allows “more than 350,000 people who work in and visit the area access to wireless broadband.” The Mayor of London now plans to role out a similar service across London, stating that “London is the home of technological innovation. We in City Hall are doing our best to keep up, and one of our most important projects is called wi-fi London”.[http://news.bbc.co.uk/local/london/low/people_and_places/newsid_8691000/8691879.stm] It is not clear whether Ofcom considers service such as The Cloud as qualifying ISP, especially if such services were roles out London wide, potentially providing access to millions of people.
Therefore Ofcom has failed to clarify the position of wifi operators and its suggested approach is likely to cause great uncertainty for wifi operators, which may be consumers, businesses or public intermediaries.