Having now gone through Ofcom’s consultation paper on the draft Initial Obligations Code, there seems to be both good news and bad news.
As with everything else around this Act, a lot of thought has gone into the implications for consumer broadband connections. The consultation document contains several significant improvements for those types of connections. However, there seems to be very little thought about the potential impact on business connections – which may or may not be subject to the Act – and some of the changes actually make things significantly worse for them.
To start with the good news: Ofcom have clearly understood that it’s critical that high-quality systems are used both by rightsholders to create Copyright Infringement Reports (CIRs) and by ISPs to direct those reports to the apparently responsible subscribers. So the draft Code would require both types of organisations to submit details of their systems to Ofcom in advance, to have them approved and potentially subject to a third-party audit (paras 4.4 and 5.7). Much more detail will also be required in each Copyright Infringement Report, including source address and port, and start and end times during which infringements were taking place (para 4.3). There isn’t currently a requirement for destination address and port, though as far as I know (please let me know if I’m wrong) it’s only the most extreme types of Network Address and Port Translation where that might become a problem. In any case, it is explicitly recognised that for some reports it may be impossible to uniquely identify a subscriber from the details provided, and that is one of a number of reasons why reports can be returned to the reporter as undeliverable (para 5.3). These reasons don’t yet appear to include “this report doesn’t match our flow data” (a test commonly used by universities that has, on occasion, detected systemic problems with rightsholder reporting systems), though I’ll be seeking clarification on that from Ofcom (there is “IP address not used by a subscriber at the relevant time”).
The draft also proposes a novel implementation of the three levels of severity of notification: rather than simply counting the number of reports, it is now proposed that a second, more severe, notification will be sent if a subscriber is still reported as infringing a month after receiving a first notification, and then a third notification (at which point the subscriber will be added to the anonymous serious infringers list that may be disclosed to rightsholders) a further month later (para 5.11). I suspect this actually matches quite well how universities and colleges currently regard individual wrongdoers – someone who carries on after a warning is treated more seriously than someone who stops when warned about a burst of activity.
Indeed, were JANET-connected organisations ever to be required to apply the Code to their users, I think there would be little problem for those already implementing our Acceptable Use Policy.
Unfortunately, although the consultation paper states (correctly) that “attention must focus on the provider of the final leg of Internet chain” to achieve effective education and enforcement (para 3.25), the paper’s application of the Act’s definitions to organisational, rather than consumer, Internet connections appears to do the exact opposite. Ofcom still seem to think that most organisations are “subscribers” and not “communications providers” (para 3.30). Implementing the Act that way would actually prevent those organisations from educating their users (because they would never hear about most alleged infringements); the new time-based notification system would also mean that three employees, none of whom had ever received a warning, could put their employer into the most serious category of infringer if they downloaded a single copyright file each!
The paper doesn’t mention universities, colleges or schools, but does mention libraries (para 3.28), suggesting that they will be classed as “ISPs” and that they may, if the initial scope of the Code is extended at some future date, be required to collect postal and e-mail address details from all users. Again, this is a side-effect of the change to time-based notifications: Government ministers had previously praised libraries who displayed prominent notices as an effective way to keep infringement below a numerical threshold; however, with a time-based threshold the very first report has to be forwarded and so needs to be linked to an address. The paper also admits (para 3.31) that this interpretation will be “challenging” for those providing community networks! So my response to this consultation will again be pointing out the direct conflict between these suggested requirements and the Government’s other policies to combat digital exclusion.
Responses to this consultation are due by the 30th of July, so I’ll be drafting a JANET response over the next month. If you have comments or feel I’ve missed anything in the above, please let me know either by commenting here or e-mailing. Thanks, Andrew.