This is JANET(UK)’s response to Ofcom’s consultation on “Online Infringement of Copyright and the Digital Economy Act 2010: Draft Initial Obligations Code”. JANET(UK) is the operator of JANET, the UK’s National Research and Education Network, which connects universities, research establishments, colleges and regional schools networks to each other and to the Internet. We consider JANET(UK) to be a communications provider within the meaning of the Communications Act 2003 (and therefore the Digital Economy Act 2010) and our customer organisations to be either communications providers or ISPs within the meaning of the Digital Economy Act 2010, depending on whether or not provision of Internet access is the principal reason for them to connect their students and staff to their networks. JANET and its connected organisations have been recognised by rights-holders and in Parliamentary debate of the Digital Economy Bill as having very effective policies and processes (with connected organisations taking a role similar to that of ISPs in the Act) to reduce infringement of copyright by users of the network.

The impact of the Code on JANET and its customers will depend very much on how they are classified. Provided the status of JANET as a “communications provider” and its connected organisations as either “communications providers” or “ISPs” is recognised, the Code would allow us to continue to implement and develop our current effective policies and processes for reducing copyright infringement. Implementing the Code with either JANET or connected organisations as “subscribers”, or with JANET as “ISP”, would require us to abandon those policies and processes and replace them by something both less effective in dealing with copyright infringement (because notices and the accompanying education would no longer reach infringing users) and highly disruptive of the network’s purposes of education and research (because universities and research organisations would have to re-configure their networks to block any application, protocol or site, no matter how useful for education or research, that might be used to infringe copyright).

We welcome Ofcom’s achievement in producing a Code that addresses many of the problems that have been raised during consultations concerning domestic broadband connections. However we note that these changes make the Code significantly more disruptive and less effective if businesses and other organisations are expected to act as “subscribers” rather than “communications providers” or “ISPs”. We believe that this is an inevitable result of trying to stretch the Act’s model of domestic broadband to cover the whole of UK Internet provision. We therefore strongly urge Ofcom to follow their own advice and “focus on the provider of the final leg of the internet distribution chain” (para 3.25), rather than sweeping organisations of all sizes (which constitute less than 5% of the problem, according to para 3.11) into the unsuitable category of “subscriber”.

Our responses to the specific questions in the consultation are as follows:

Q 3.1    Do you agree that Copyright Owners should only be able to take advantage of the online copyright infringement procedures set out in the DEA and the Code when they have met their obligations under the Secretary of State’s Order under Section 124 of the 2003 Act?

We agree with this proposal, since it is essential that ISPs have sufficient notice and guarantee of cost recovery if they are to develop robust processes for the receipt of CIRs, identification and notification of their subscribers. Without such processes there is a serious risk of reports being mis-assigned and users being falsely accused. In our response to the DBIS consultation on cost-sharing we suggested that a small-scale notification process with only a single level of notification to subscribers and no infringers list might be considered for small Copyright Owners if they were found to be disadvantaged by this requirement.

Q3.2     Is two months an appropriate lead time for the purposes of planning ISP and Copyright Owner activity in a given notification period? If a notification period is significantly more or less than a year, how should the lead time be varied?

We believe that two months should be sufficient for a Qualifying ISP to plan activity with an existing or new Qualifying Copyright Owner. However two months is definitely not sufficient notice for an ISP to move from non-qualifying to qualifying status, since this will involve implementing new processes and may well also involve changes to the ISPs equipment and architecture. The DBIS report by Mott-MacDonald suggested that implementation of an automated CIR system would take a minimum of 6-9 months and that this was “optimistic” for large ISPs where such developments would require lengthy internal approval processes. This does not include the time needed for Ofcom to audit and approve the system, as envisaged by paragraph 5.7 of the consultation document.

Q 3.3    Do you agree with Ofcom’s approach to the application of the Code to ISPs?

We believe that in the long term, as envisaged by the Act, the Code should be applied to those ISPs where there is a substantial problem of copyright infringement. This allows resources to be concentrated where they will have most effect, prevents the appearance of “piracy havens” on non-Qualifying ISPs, gives Qualifying ISPs an incentive to make their processes effective to return them to non-Qualifying status, and gives non-Qualifying ISPs an opportunity to develop innovative breach reduction processes to maintain their status. We are therefore surprised by the statement in paragraph 3.6 that, once in scope, it would be impossible for an ISP to drop out of scope, since this seems both to remove an incentive for ISPs to reduce infringement and to contradict the words of section 124C(5) of the amended Communications Act 2003, which suggests that ISPs would be re-assessed against the threshold in each reporting period.

Q3.4     Do you agree with the proposed qualification criteria for the first notification period under the Code, and [are] the consequences for coverage of the ISP market appropriate?

Given that it is impossible to use a CIR-based threshold until the process is in operation, we consider that starting with the major domestic broadband ISPs is a pragmatic solution to the first notification period. Including smaller ISPs is likely to rapidly increase the cost for rightsholders, Ofcom and the ISPs themselves with little benefit to the overall level of copyright infringement. Furthermore, although there is little doubt that the major domestic broadband providers are “ISPs” as defined in the Act the definition, and therefore the application of the Act, becomes much less clear for smaller organisations, so it is far from certain whether there are hundreds, thousands or tens of thousands of small “ISPs”.

Q3.5     Do you agree with Ofcom’s approach to the application of the 2003 Act to ISPs outside the initial definition of Qualifying ISP?

On the whole we agree with the approach to interpreting “ISP” in paragraphs 3.19 to 3.27. However we strongly disagree with the conclusion reached by paragraph 3.28 that libraries, pay-as-you-go wifi and mobile providers will in future have to collect address details from all users before allowing them to access the Internet. We consider that this goes well beyond the stated will of Parliament. In effect it would no longer be possible to access the Internet in the UK without first proving one’s identity. This major policy change (in direct contradiction of other Government policies on widening Internet access) does not seem to have been considered either in the Bill’s impact assessment or in the Parliamentary debate. The idea was debated, and strongly resisted, in Parliament when Data Retention proposals were being discussed in the context of terrorism and serious crime. It therefore seems surprising for it to be introduced, with no Parliamentary debate, in an Act dealing with copyright infringement at or below the level of a civil wrong.

We also note that this interpretation could actually encourage providers to stop having their users agree to an Acceptable Use Policy (and, in particular, to agree to respect copyright) to avoid the burden of being classed as ISPs. This seems a perverse result of legislation to improve copyright enforcement.

We agree with the consultation paper’s conclusion (in paragraph 3.31) that the implications of the interpretation will be “challenging” for community broadband schemes, thus further damaging the Government’s objective of widening broadband access.

We therefore consider that more flexibility is required. The experience of JANET-connected organisations is that a wide range of different approaches, from technical prevention to accountability and education, can be successful in reducing copyright infringement. We therefore consider that the Code must not, either explicitly or implicitly, prescribe the measures that an ISP or subscriber must take and, in particular, that non-traditional models of Internet provision must have the flexibility to determine the most appropriate mix of measures for their particular circumstances.

Finally paragraph 3.22’s statement that a provider of open wifi must be either an ISP or a subscriber does not match the definitions in the Act: a business that provides open wifi is clearly a communications provider (and therefore not a subscriber) as defined in the Communications Act 2003 and referenced in the Digital Economy Act 2010. If it does not have an agreement with its users then it cannot be an ISP.

Q3.6     Do you agree with Ofcom’s approach to the application of the Act to subscribers and communications providers?

No. We consider that the interpretation contained in paragraph 3.30 does not reflect the wording of the Act and, if implemented, would seriously damage both the Act’s purpose and the UK’s ability to benefit from the Internet. The paragraph states that any organisation that receives connectivity both for its own purposes and to provide to others will be a “subscriber” – that includes JANET(UK), even though we operate a national network, and any ISP that uses its own service. We would be surprised if none of the seven initial Qualifying ISPs do so, thus taking them out of scope of the Code!

When dealing with organisations, classing them as subscribers also defeats the purpose of the Act, which is to educate individuals not to breach copyright. This can only be done if the organisation responsible for those individuals receives the CIRs concerning them. Organisations providing network access to others therefore need to be treated, as the wording of the Act states, either as “ISPs” or “communications providers” depending whether or not the principal purpose of the network connection is to access the Internet. This implements paragraph 3.25 of the consultation paper by “focus[ing] on the provider of the final leg of the internet distribution chain”.

We consider that treating organisations as subscribers would be particularly damaging for their use of the Internet now that the threshold for classification as a “serious infringer” has changed from thirty CIRs to three CIRs in three months. For a domestic property this is a much better measure of seriousness: for a business it means that three different employees infringing copyright once on their first day at work (for example by viewing a single image that has been placed on a website without its owner’s permission) could place the whole business on the highest scale of copyright infringement. An organisation that did not wish to take this risk would have little alternative but to limit Internet access to a small number of trusted staff, as was done in the very early days of the commercial internet. This chilling effect on business is likely to be seen as soon as the Code comes into force, since many SMEs will be customers of the initial Qualifying ISPs.

We believe that the majority of businesses do, in fact, “receive [an internet access service] as a communications provider” and therefore are not “subscribers” as defined in section 124N of the amended Communications Act 2003. It should be clear from the agreement under which connectivity is provided whether the provider anticipates that the recipient will connect a corporate network, or a number of PCs. The first type of agreement involves receiving service as a communications provider, the latter –which we would expect to be used for domestic broadband services – does not (even though a home network probably does fall within the wide definition of providing an electronic communications service in section 32 of the Communications Act 2003). We consider that this is the only interpretation of the Act that can deliver its purpose: other interpretations will damage existing copyright infringement provisions implemented by organisations to comply with organisational licenses and the Copyright, Designs and Patents Act, make it impossible for them to educate their users, and make it far harder for the UK to benefit from the Internet’s economic, educational and social opportunities.

Q4.1     Do you agree with the proposed content of CIRs?

We agree with the proposed content of CIRs, however we believe that the Code must also specify that timestamps in CIRs must be synchronised to an international standard time source.

Where an ISP uses Network Address or Port Translation (NAT/PAT), there will be a greater likelihood of uniquely identifying the responsible Subscriber (without which the CIR is invalid under para 5.3) if

• the IP address and port at both ends of the connection are identified, and
• content is actually downloaded from/uploaded to the allegedly infringing IP address, so that an established connection will be created and recorded in the ISP’s NAT logs.

If this is not done then ISPs using Address or Port Translation are likely to have to reject as invalid a significant proportion of CIRs.

Q4.2     Do you agree with our proposal to use a quality assurance approach to address the accuracy and robustness of evidence gathering?

We welcome the requirement to have evidence gathering processes and equipment checked in advance, and the possibility for Ofcom to issue directions on the maintenance or enhancement of equipment. There should be the option for such a direction to suspend the issuing of CIRs until it is confirmed that the required maintenance or enhancement has been completed, otherwise there is the possibility that equipment known to be faulty will continue in use.

Q4.3     Do you agree that it is appropriate for Copyright Owners to be required to send CIRs within 10 working days of evidence being gathered?

We agree that there should be a requirement on Copyright Owners to send CIRs within a fortnight, however we believe that this should be expressed as 14 calendar days, not 10 working days. Over the Christmas/New Year period, 10 working days could be as long as 17 calendar days, requiring ISPs to keep a significantly greater amount of logging information (this logging requirement should, in any case, be reviewed before the Code is extended to ISPs, such as mobile providers, who make significant use of NAT/PAT systems). For automated processes we see no reason why reports should not be sent within a much shorter time of the alleged infringement.

Q5.1     Do you agree with our proposals for the treatment of invalid CIRs?

We agree with the proposals, however we believe that an additional reason for invalidity is required: that the report is not consistent with the ISP’s flow records. Systemic problems with reporting systems have been detected in the past in circumstances where an IP address was allocated at the time contained in a report but was not generating the volume of traffic that would have been required for the alleged infringement. This was traced to a failure to update the reporting system for daylight saving, a type of error unlikely to be detected in a prior audit. We believe it is important to allow this type of problem to be detected and resolved between the Copyright Owner and the ISP, without requiring potentially large numbers of falsely-accused Subscribers to make an appeal.

Q5.2     Do you agree with our proposal to use a quality assurance approach to address the accuracy and robustness of subscriber identification?

As in our response to Q4.2, we welcome the requirement to have subscriber identification processes and equipment checked in advance, and the possibility for Ofcom to issue directions on the maintenance or enhancement of equipment. There should be the option for such a direction to suspend the processing of CIRs until it is confirmed that the required maintenance or enhancement has been completed, otherwise there is the possibility that equipment known to be faulty will continue in use. The cost of such checks and audits should be included in the calculation of ISPs’ costs that can be recovered from Copyright Owners.

Q5.3     Do you agree with our proposals for the notification process?

As in our answer to Q3.6 we believe that a time-based notification system is most appropriate for domestic Subscribers. However it is highly inappropriate for organisational “Subscribers” who risk being placed on the highest level of infringer by three previously blameless employees. This defeats the purpose of the Act and risks serious harm to business, educational and social use of the Internet, in direct contradiction to other Government policies. We believe it is essential to use different processes to address internet copyright infringement in domestic and organisational contexts.

Q5.4     Do you believe we should add any additional requirements into the draft code for the content of the notifications?

The requirements in the draft Code seem sufficient for domestic broadband customers; we note that the sample letters and factsheets only apply to this scenario. As in our response to Q3.6 we believe that a different process is required for businesses and that applying a domestic process to business Internet connections will be damaging to copyright enforcement and to wider use of the Internet.

There appears to be an error in para 5.14.1 of the draft Code, where reference is made to a period of “6 months” that does not appear anywhere else in the Code.

Q 6.1    Do you agree with the threshold we are proposing? Do you agree with the frequency with which Copyright Owners may make requests?

We agree with the threshold for inclusion on the copyright Infringement List. Since this means it will take a minimum of three months to get on the list, and twelve months to be removed from it, there seems no value in allowing a Copyright Owner to request the list more often than every three months.

However we believe that requiring ISPs to respond within five (?calendar) days is unreasonably and unnecessarily short: they are in any case required to retain the list for a year and the request is likely to be in preparation for legal processes on timescales of weeks or months, rather than days. Copyright Owners are allowed to wait a fortnight before sending a CIR, so ISPs should have at least ten working days, and probably more, to respond to a request for the Infringement List.

Q7.1     Do you agree with Ofcom’s approach to subscriber appeals in the Code?

Yes. However the Code must also state that the effect of a notification is suspended while it is being appealed. For example if a first notification is appealed then neither a first nor second notification may be sent to the Subscriber until after the appeal process has concluded.

Q8.1     Do you agree with Ofcom’s approach to administration, enforcement, dispute resolution and information gathering in the Code?

Yes.