The Digital Economy Act (the “Act”) is a wide-ranging piece of legislation, covering such diverse areas as the future of Teletext to the age-classification of video games. By far the most controversial aspect of the Act are the measures relating to the online infringement of copyright. These measures are designed primarily to deal with the illegal downloading of music, films and video games and impose new obligations on Internet Service Providers (‘ISPs’) to co-operate with copyright owners in enforcing their rights.
ISPs are set to be required to take action against their own customers by reporting on their activities, or, in future, restricting the internet access of alleged copyright infringers, or even blocking websites in their entirety. Two of the UK’s largest ISPs, Talk Talk and BT, are sufficiently unhappy with the legislation to have sought a judicial review of the Act. The judicial review sought by BT and Talk Talk articulates many of the concerns raised in the media about the Act. In essence, the ISPs’ complaint is that the anti-infringement measures are a disproportionate response to the issue of unlawful peer-to-peer file sharing. In addition, the Act will be costly for ISPs to implement and, in the ISPs’ view, is unlawful as a matter of EU law, due to the infringement of various directives and laws relating to human rights.
Understanding the basis for these objections requires an appreciation of the specific measures which the Act is set to impose on users and ISPs. There are three key elements to the Act’s efforts to reduce illegal file sharing: a notification and reporting procedure, the imposition of ‘technical measures’ by ISPs and blocking injunctions. Not all measures will be introduced at once, with the notification and reporting procedure due to be implemented during early 2011 and the latter two requiring further Parliamentary approval and consultation before taking effect.
Notification and Reporting Procedure
The notification and reporting procedure is the only one of the three measures for which detailed provisions are available to review, as Ofcom published a draft code on 28 May 2010. The draft code sets out the procedure copyright owners will need to follow in order to report suspected infringement to ISPs and the obligations of ISPs once they have received such reports. The current most popular peer-to-peer file sharing technology, BitTorrent, makes it relatively straightforward for copyright owners to identify the IP addresses of those who are engaged in illegal file sharing and the nature of the file being shared, so copyright owners should find compiling and submitting such reports relatively straightforward (with expert assistance).
Ofcom’s draft code envisages that an ISP receiving a report will, if it meets the required evidential standard, send a ‘first notification’ to the subscriber linked to the IP address contained in the report. Subscribers receiving a first notification will be given one month to mend their ways, but, if a further copyright infringement report is received after that month has expired, the ISP will then send a ‘second notification’, containing sterner language. If, after a further month, another copyright infringement report is received, the ISP will send a ‘third notification’, this time by recorded post as well as by email, warning the subscriber that the copyright owner will be able to apply to court for an order seeking the disclosure of his identity, with a view to bringing proceedings against the subscriber for copyright infringement. Recipients of a third notification will be flagged as such on the ISP’s database for 12 months.
The ISP must assist copyright owners by providing them with an anonymised list of subscribers who have both received a third notification and against whom the particular copyright owner filed a report. This mechanism will assist copyright owners in determining whether a subscriber has been the subject of multiple reports, irrespective of whether that subscriber’s IP address has changed between the alleged infringements (which will often be the case with dynamically assigned IP addresses). The copyright owner will then need to judge whether it is worth seeking a Norwich Pharmacal order to obtain the identity of the subscriber and, ultimately, whether to take further legal action against the individual.
The notification and reporting procedure will not fundamentally change the basis for action against copyright infringers. Instead, it helps copyright owners by formalising the relationship between copyright owners and ISPs, with the latter now being obliged to assist the former without a court order in place, up until the point at which the copyright owner wishes to establish the identity of a particular subscriber. As well as assisting particular copyright owners obtain compensation, it is clear the government hopes that the notification procedure will modify the behaviour of internet users by letting them know that their actions are being monitored and that they are at risk of legal action.
An issue with the notification and reporting procedure is that it focuses on subscribers rather than the person actually using the internet connection at the relevant time. This is understandable: the ISP has no way of knowing which individuals are accessing its service through a particular connection. This has particular consequences for those businesses which provide internet access to the public, such as cafés or hotels, which may find themselves receiving copyright infringement notifications due to the actions of their customers. Recognising that pursuing hotels and cafes for the actions of their customers would inhibit the provision of a typically legitimate and useful service, Ofcom has expressed the view that where a wireless network is provided in conjunction with other goods or services to a customer, the presumption will be that the provider is an ISP, rather than a subscriber (and fortunately for such hotels and cafes only the largest ISPs are initially being required to comply with the reporting provisions of the Act). However, Ofcom accepts that this may not be the case where wireless access is being provided free of charge without payment or prior agreement, in which case the person making the wireless network available would fall within the definition of a subscriber and risks being subject to the notification procedure.
The focus on the subscriber also presents a risk for the less technically savvy. Until recently it was common for wireless routers to default to broadcasting an unencrypted wireless network. Not using encryption makes it easier for users to set up their equipment, but also leaves the wireless network open to unauthorised use, potentially for copyright infringement. If a subscriber receives a copyright infringement notification the code provides an appeal process. One of the grounds for appeal is that the act constituting the apparent infringement was not done by the subscriber and the subscriber took reasonable steps to prevent other persons infringing copyright by means of his or her internet access service. This leaves open the question of what precisely constitutes ‘reasonable steps’, but leaving a wireless network unsecured seems on the face of it not to meet this test.
This problem is not unique to the UK. The recent German case known as Sommer unseres Lebens (concerning a song of the same name), held an individual to be responsible for an unauthorised music download, even though he was on holiday at the time and therefore could not have been the person responsible. The individual was held liable because he had not implemented the security measures which were state of the art at the time the wi-fi equipment was acquired. In the German case, the WPA2 standard was considered to have been the appropriate level of security a private individual could reasonably be expected to use.
If a similar standard to that which applies in Germany is applied in the UK, then it is likely many subscribers’ security will be inadequate to successfully appeal a copyright infringement report, because lower levels of encryption are commonly set as a default and a degree of technical skill is required to change this setting. For example, the default encryption level set on the original BT Home Hub (a popular router in the UK) was WEP encryption, which can be easily hacked. Many subscribers are unlikely to realise that there are different grades of encryption available.
The second limb of the anti-piracy measures included in the Act is for ISPs to be required to limit or suspend a subscriber’s internet service, if that subscriber’s account is being used for copyright infringement. A draft order implementing this aspect of the Act will need to be presented to Parliament prior to its introduction and Ofcom will be obliged to draw up a code to set out detailed procedures and safeguards.
The introduction of technical measures to limit internet access is not, at present, being actively pursued. The stated reason for delaying the introduction of technical measures is that the government hopes that the notification and reporting mechanism will significantly reduce online copyright infringement. If this proves to be the case, then technical measures may prove unnecessary.
Assuming technical measures are considered a necessary further step, then the terms of the Ofcom code will be critical. It seems likely that the code would build upon the existing framework set out in the reporting and notification code as to the standard of proof the copyright owners will need to meet and the basic procedure for appeals, although this is far from certain and will depend on whether the reporting and notification code proves workable in practice.
If technical measures are introduced then this will be a significant departure from the current approach of facilitating copyright owners’ claims. Imposing technical measures on a subscriber will make no difference to the compensation a copyright owner will obtain, so it must be assumed the intent is purely one of deterrence and punishment. If the imposition of technical measures is based on the volume of copyright infringement reports, it is easy to envisage situations in which a copyright owner has judged the infringement not to be worth pursuing, but the subscriber nonetheless has his internet access restricted.
The third limb of the anti-piracy measures is the prospect of courts being empowered to grant injunctions requiring ISPs to block access to internet sites, in order to prevent infringement of copyright. As with the introduction of technical measures, the introduction of such powers will require a consultation and for draft regulations to be laid before parliament.
A number of safeguards are contained within the Act. These seek to ensure that a court can only block sites which host a substantial amount of infringing material and that it must also take into account the extent to which steps have been taken by the site to prevent copyright infringement, the effect on legitimate users and the importance of freedom of expression.
Subject to the limitations set out in the regulations, the wording of the Act seemingly sets a low threshold for a court to grant an injunction. Again, the Ofcom code will be critical in assessing what the impact of this measure may be in practice.
Future Issues for Copyright Owners
Although the focus of complaints about the Act have focused on the problems facing subscribers, the copyright owners may well find that the proposed involvement of ISPs in the reporting mechanism is insufficient to reduce copyright infringement in the long term. The Act appears focused on peer-to-peer file sharing and the current technology used in this area. The copyright infringement reports are predicated on the copyright owner knowing the IP address of alleged infringers (the IP address is specified as a necessary component for reports in section 3 of the Act). File-sharing protocols are under active development and anonymous peer to peer protocols may grow in popularity, making it more difficult for copyright owners to obtain IP addresses. If the legislation is vigorously enforced, this may hasten a move to more anonymous file-sharing methods in which the IP addresses of infringers are much harder to obtain.
Looking yet further ahead (although possibly only a few years from now), if IP addresses are no longer readily obtainable, the copyright owners will be unable to initiate the procedures laid down in the Act. This will push to the fore the prospect of blocking injunctions to deal with the issue (although blocking injunctions are unlikely to be entirely effective, given the number of sites that operate and that major search engines such as Google are involved in links to copyrighted works). Ultimately copyright owners may find themselves having to push for ISPs to be obliged to both inspect the internet traffic of subscribers for copyright material and to restrict their ability to obscure their online activities through virtual private networks. Such intensive monitoring may well be deemed excessive, but BT and Talk Talk must no doubt be aware that once they have accepted the principal of assisting copyright owners in the pursuit of their subscribers, this obligation is far more likely to be extended than abolished.