The UK has been at the forefront of IP rightsholders’ global efforts to enlist Internet intermediaries to police Internet communications for several years. Since 2005, there have been several government-sponsored efforts to encourage Internet intermediaries to “cooperate” with rightsholders in online copyright enforcement. This culminated in the Digital Economy Act (the DEA), which passed through the UK Parliament in a controversial expedited process in April 2010.
Although it is often described as a Three Strikes law, the DEA does not presently require British ISPs to disconnect subscribers on repeat allegations of copyright infringement. Instead, the DEA requires ISPs to forward rightsholders’ copyright infringement allegations to their subscribers, and to maintain an anonymized blacklist of accounts that have received multiple copyright infringement reports. These obligations were due to come into force in June 2010, but have been delayed by an ongoing legal challenge and pending reviews by UK government departments tasked with setting up various parts of this complex framework. “Three Strikes” disconnection of users’ Internet access could still become the law in the UK, as described below. But even if it doesn’t the DEA will increase the cost of Internet access for UK citizens, and could create strong incentives for restricting open wifi networks run by citizens, libraries, and community organizations.
Apart from potential disconnection of Internet users, the DEA also creates sweeping new powers that could require ISPs to implement extensive website blocking. In addition, IP rightsholders have recently used existing provisions in UK law to require British Telecom to block UK Internet users’ access to the Newzbin2 website and to payment intermediaries that facilitate its operations. The Government recently announced it would drop the blocking powers from the DEA, although the powers remain written in the law. Even if the DEA website blocking provisions do not come into operation, IP rightsholders will use this precedent and existing law to force ISPs to block access to parts of the global Internet in the service of copyright enforcement.
DisconnectionCreated by: law
Stage One: ISP Notice Forwarding
The DEA has several phases. In the first phase, ISPs are required to send copyright notifications to subscribers at identified IP addresses on receiving “Copyright Infringement Reports” (CIRs) from copyright holders. The details of how this will work and what ISPs must include in these notifications are set out in a draft Initial Obligations Code produced by the UK telecoms regulator, OfCom.
When a “Qualifying Copyright Owner” sends a valid Copyright Infringement Report to an ISP to whom the Code applies, the ISP must match the IP address in the report with the name of the relevant account holder, and send a first notification to that subscriber. CIRs must include the date, time and duration of the alleged infringement, the IP address used for the alleged infringement, the name of the copyrighted material involved, indicate what part of it was made available, and provide a hash of the copyrighted material.
The draft Code provides for three escalating notifications to Internet users. ISPs are required to send successive notices to identified subscribers when they receive a valid CIR at least one month after the previous one. If an ISP receives three notices within a 12-month period, it is required to put that account on a blacklist – the “Copyright Infringement List.” At present, ISPs are not required to take the next step and disconnect users’ accounts. This policy decision reflects empirical surveys conducted by the UK government indicating that around 70% of Internet users would refrain from further copyright-infringing filesharing after receiving a first notice alleging copyright infringement. It also reflects British ISPs’ long-standing resistance to Internet disconnection obligations.
The DEA puts the burden on copyright holders to bring lawsuits to enforce their rights. On request from a rightsholder, ISPs are required to provide an anonymized version of the Copyright Infringement List. Copyright owners can then apply to a court for a “Norwich Pharmacal” order directing the ISP to unmask the subscribers that used the identified IP addresses. Rightsholders can then file copyright infringement lawsuits directly against them.
ISPs are only required to take action on valid CIRs that include all specified information, and only for copyright owners that have paid their notification fees to ISPs (see Facts and Figures below) and certified to Ofcom that their system complies with relevant data protection laws (Qualifying Copyright Owners). Finally, the Code provides an appeals process before an independent appeals body for subscribers who wish to challenge copyright infringement notifications.
In its initial phase, the Initial Obligations Code will only apply to fixed line broadband Internet service providers with more than 400,000 subscribers. This captures the seven largest ISPs (BT, O2, Orange, Post Office, the Talk Talk Group, Sky, and Virgin Media) , which account for about 96% of the UK broadband market. It excludes smaller ISPs, in recognition of the burden that costs of compliance would impose on them. The Code also excludes mobile network providers, which allocate IP addresses differently from fixed broadband providers, making subscriber identification from IP address more costly.
Both libraries and citizens who provide open wifi to downstream Internet users seem to fall within the ambit of the DEA. While they are not currently required to send notifications under the Code, they could receive CIRs for actions taken by their downstream users. The DEA essentially creates a new duty to secure open wifi connections against possible misuse for copyright infringement. CIRs will contain information on how to do so. This puts the onus on providers to explain why they should not be held responsible for infringements of downstream users using their Internet connection, and creates unfortunate incentives to restrict or eliminate downstream open wifi use.
The Initial Obligations Code has not yet taken effect. OfCom released a draft in May 2010. The UK Department of Culture, Media and Sports has announced its intention to move forward with implementation of the DEA. A final version of the Code was expected in Autumn 2011. However, in October 2011 the UK Court of Appeal granted an appeal of the judicial review of the DEA sought by UK ISPs British Telecom and Talk Talk. As a result, the timeframe for full operation is now unclear. Ofcom recently estimated that the first letters to alleged infringers will not be sent until the summer of 2013.
Stage Two: Technical Measures
In its second phase, the DEA empowers the UK Secretary of State to make an order requiring ISPs to adopt “technical measures” – including disconnection of subscribers’ accounts – if he or she determines after 12 months that the current notice forwarding regime has not been successful at curbing online copyright infringement. If the order is approved by Parliament, it would result in a Three Strikes Internet disconnection regime.
Technical measures that ISPs can use against infringers include (section 124G):
(a) limiting the speed or other capacity of the service provided to a subscriber;
(b) preventing a subscriber from using the service to gain access to particular material, or limiting such use;
(c) suspending (i.e. disconnecting) the service provided to a subscriber; or
(d) limiting the service provided to a subscriber in another way.read more...
While there has been much recent discussion about the proposed US website blocking legislation, the Protect IP Bill and the Stop Online Piracy Act, this policy debate has been fought longest in the UK.
Section 17 of the DEA
UK rightsholders, led by the British Phonographic Industry, pressed for the inclusion of expansive new website blocking provisions in section 17 of the DEA.
Section 17 empowers the Secretary of State to create regulations (through secondary legislation) for courts to issue “blocking injunctions” to ISPs on request of rightsholders. These regulations would require ISPs to block websites and online locations that are “being or [are] likely to be used for or in connection with an activity that infringes copyright.”
Before the Secretary of State can use the blocking regulation power, he must be satisfied that:
(a) use of the Internet for copyright infringing activities is having a serious adverse effect on businesses or consumers;
(b) making the regulations is a proportionate way to address this; and
(c) the regulations won’t prejudice national security, or the prevention or detection of crimes.
The DEA also sets out conditions on the court’s ability to grant such broad injunctions. It must be satisfied that the website is:
(i) a location from which a substantial amount of material has been, is being or is likely to be obtained in infringement of copyright,
(ii) a location at which a substantial amount of material has been, is being or is likely to be made available in infringement of copyright, or
(ii) a location which has been, is being or is likely to be used to facilitate access to a location within paragraph (a) or (b).
In addition, courts must take account of various factors, including the importance of freedom of expression and whether the injunction would be likely to have a disproportionate effect on any person's legitimate interests.
In February 2011, the UK Minister of Culture Ofocm to review the workability of the DEA’s website blocking provisions. In August 2011, the Department of Culture, Media and Sports announced that it would not go ahead with the DEA website blocking mechanism, at least for the time being. It based its decision on the Ofcom’s May 2011 report. It found that the website blocking provisions were not workable in their current format, but did not reject use of website-blocking altogether. Instead, it concluded that website blocking could form ”part of a broader package of measures to tackle infringement.”
Ofcom’s report considered the technical feasibility of four techniques that Internet intermediaries could use to block sites: Internet Protocol blocking, Domain Name System alteration, URL blocking, and Packet Inspection of network traffic. Ofcom weighed these measures against seven criteria: speed of implementation; cost, blocking effectiveness; difficulty of circumvention by users and counter measures ISPs could take; ease of administrative or judicial process; the integrity of network performance; and the level of granularity of blocking that is possible and its corresponding impact on legitimate services.
Ofcom concluded that while it is feasible to “constrain access to prohibited locations on the Internet” using these techniques alone or in combination, “none of the techniques is 100% effective; each carries different costs and has a different impact on network performance and the risk of over-blocking” and that “[f]or all blocking methods circumvention by site operators and Internet users is technically possible and would be relatively straightforward by determined users.” However, it found that:
Although imperfect and technically challenging, site blocking could nevertheless raise the costs and undermine the viability of at least some infringing sites, while also introducing barriers for users wishing to infringe. Site blocking is likely to deter casual and unintentional infringers and by requiring some degree of active circumvention raise the threshold even for determined infringers.
Ofcom concluded that if blocking is to be implemented, DNS blocking is the preferable approach because it would cause the least delay and cost – two of the key concerns voiced by copyright holders. It also recommended supplementing that with a requirement for search engines to delist websites. Ofcom acknowledged that DNS blocking is at best a short-term solution because implementation of DNS Security Extensions (DNSSEC) will shortly make DNS blocking more transparent and less effective. It recommended Packet Inspection as a longer-term solution, but emphasized that it is technically complicated and raises a number of complex legal questions – such as whether DPI is compatible with UK privacy and data protection law.
Ofcom concluded in their assessment of the Digital Economy Act blocking provisions that the approach set out in the DEA is unlikely to be effective. The Government, in response, said they would not bring forward the blocking measures 'at this time'. The powers remain written in the law.
Section 97A of the Copyright, Designs and Patents Act
Apart from the expansive potential new enforcement powers in the DEA, rightsholders can get broad blocking injunctions against ISPs and online payment intermediaries under existing section 97A of the 1988 UK Copyright, Designs and Patents Act. As a result, UK IP rightsholders can require ISPs to block vast parts of the global Internet, even if the DEA website blocking provisions never come into operation.
Section 97A implements the UK’s obligations under Article 8(3) of the EU e-Commerce directive (2001/31/EC), which requires EU member states to “ensure that rightsholders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe a copyright or related right.” Section 97A permits rightsholders to seek injunctions where a service provider has actual knowledge of another person using its service to infringe copyright.
In a key test case brought by the six major Hollywood Studios in July 2011, the UK High Court ordered British Telecom to block its UK subscribers from accessing the Newzbin2 website. Under the terms of the injunction issued in October 2011, BT was required within 14 days to block or attempt to block access to www.newzbin.com, its domains and sub-domains. This includes payments.newzbin.com and “any other IP address or URL whose sole or predominant purpose is to enable or facilitate access to the Newzbin2 website.”
The court required BT to utilize: (i) IP address re-routing in respect of each and every IP address from which the website operates and which is notified in writing to the Respondent by the Applicants or their agents; and (ii) DPI-based URL blocking utilizing at least summary analysis in respect of every URL available at the Newzbin2 website and its domains and sub-domains. The Newzbin2 case is widely seen as setting a precedent that will result in a flood of IP rightsholder requests for blocking of a broad range of websites. Indeed, shortly afterwards, in November 2011, the British Phonographic Industry asked BT to voluntarily block access to The Pirate Bay under threat of a lawsuit for a section 97A injunction.
Rightsholders’ Proposed Voluntary Blocking Code
In addition to legislation and recent litigation, rightsholders have sought a Voluntary Code in closed-door meetings held by the Minister for Culture, Communications and the Creative Industries, Ed Vaizey, in June 2011. The aim of this Code would be to speed up the process of getting sites blocked. Under this, ISPs would be required to “inhibit.. access to websites that are substantially focused on infringement of copyright.” This would be overseen by a “neutral expert body” which would make recommendations to ISPs on measures that they can implement and “technical enhancements” that ISPs may need to keep pace with online copyright infringement. This body would also review evidence, and after notification to the identified site, certify rightsholder applications for injunctions to streamline the judicial process for obtaining blocking injunctions at the Applications Court of the High Court. The Proposed Voluntary Code would apply to websites “mainly hosted overseas, which make available, facilitate the making available of, or otherwise authorize the infringement of copyright content in the UK.” This would require changes to how the legal process works. The body would review the evidence, and after notification to the identified site, it would certify rightsholder applications for injunctions to streamline the judicial process for obtaining blocking injunctions at the Applications Court of the High Court.read more...
The DEA requires ISPs to build systems that gather and retain logs and data necessary for identification via IP address matching, and to keep track of valid CIRs sent by rightsholders.
This raises significant concerns for Internet users’ privacy, and the obligations of ISPs under UK data protection law. This is one of the grounds of the legal challenge to the DEA brought by UK ISPs British Telecom and Talk Talk, in which the digital rights, consumer and human rights groups, Open Rights Group, Consumer Focus and Article 19 have intervened. At first instance, Justice Kenneth Parker in the High Court of Justice, Queen’s Bench Division (Administrative Court) found that the proposed data processing was permissible under EU law. However, in October 2011, the UK Court of Appeal granted BT and Talk Talk the right to appeal on this ground. The appeal hearing will take place on January 16th 2012.
As the UK data protection law implements the UK’s obligations under the EU Data Protection Directive (95/46/EC) and the EU Privacy and Electronic Communications Directive (2002/58/EC), observers across Europe are closely watching the UK challenge. Interest in the UK challenge is also particularly high in light of the European Court of Justice’s 2008 ruling in Promusicae v. Telefonica, the recent ECJ decision in the SABAM v. Scarlet case , and the 2011 European Commission consultation on the EU IPR Enforcement Directive (2004/48/EC).
Following the previous experience in Ireland, the DEA and the draft Ofcom Code include various features intended to provide Internet intermediaries with protection against liability for disclosure of Internet users’ personal data. ISPs are required to disclose the identity of subscribers who have received three CIRs to rightsholders only upon receipt of a Norwich Pharmacal order from a court directing it to do so.
In addition, the DEA framework includes several procedural protections for Internet users. First, Qualifying Copyright Owners are required to submit a Quality Assurance Report to Ofcom before sending its first CIR to an ISP. Copyright owner reports must describe the processes and systems used by copyright owners and the agents acting on its behalf (such as Dtec) to gather evidence about alleged infringements. Ofcom are required under section 7 of the Digital Economy Act to set out the standard of evidence required of copyright owners, although the draft Initial Obligations Code only outlined a 'quality assurance process'. Qualifying Copyright Owners must also certify to Ofcom that their processes comply with relevant data protection laws. Second, participating ISPs are also required to submit their own Quality Assurance Report to Ofcom, certifying that their systems comply with relevant data protection and privacy laws.
Third, ISP notifications to subscribers must include a statement that subscribers have the right, under data protection legislation, to any information held about them, including CIRs sent by copyright owners to ISPs. Fourth, ISPs are only required to retain information about subscribers generated under the DEA for limited time. ISP notifications must inform subscribers that ISPs are required to destroy CIRs and other information held about the subscribers after 12 months, as far as is reasonably practicable.read more...
Facts and Figures
Costs of Implementation
The UK government estimated that the costs of implementing the copyright enforcement provisions of the DEA would be £290 – 500 million. This includes the costs of notifying infringers, capital costs to ISPs, costs of setting up and running a call centre, and the annual capital and operating costs to mobile network operators.
UK ISPs noted that this would add 25 GBP per broadband subscriber per year. The costs will be passed on to consumers, as the government’s own initial and revised impact assessments foresaw. The UK Parliament estimated that this would result in 40,000 households having to give up their Internet connection.
Actual expenditure figures were made public in June 2011 in response to a Freedom of Information Act request. Ofcom spent £1.8m investigating the filesharing measures and preparing the draft Initial Obligations Code last year. It expects to spend a further £4m in the financial year up until March, 2012, researching a base level of copyright infringement, setting up an appeals body, and assessing a nationwide education campaign run by IP rights holders. Accordingly, by the time that the DEA’s first phase is operational in 2012, Ofcom will have spent around £5.8m. In addition, Ofcom revealed that it has spent £100,000 since February 2011, investigating the practical feasibility of the DEA’s website blocking provisions.
Who pays for the data tracking and notification infrastructure has been the subject of much controversy. The Code and a statutory instrument set up a framework for cost sharing. Copyright owners are required to pay ISPs a flat fee for sending notifications (the amount of which is yet to be determined). Copyright owners are also required to notify ISPs in advance of the volume of CIRs that they expect to send in the upcoming notification period, so that ISPs can plan accordingly.
The UK government decided in 2010 that the costs of implementing the ISP notice-forwarding regime would be divided 25:75 between ISPs and copyright holders. This was incorporated in the draft Statutory Instrument on Cost-Sharing laid before the U.K. Parliament on 18 January 2011. Following the successful challenge to the 25% contribution required of qualifying ISPs in the 2011 Judicial Review, this cost sharing arrangement is being revised.