Make a submission against forced Internet disconnection and mandatory Internet usage data retention

The New Zealand government is in the process of changing copyright law in an attempt to crack down on file sharing that contravenes copyright. The trouble is, the law they want to pass will seriously affect your rights online, whether or not you share files without permission.

One of the problems is that the bill is very badly written, and potentially affects far more than what you conventionally think of as being your ISP - for example, certain pay websites will be caught in the net as well. In addition, if you share an Internet connection with flatmates, or if someone hacks into your computer or wireless, you could be liable for up to $15,000 because of other people's actions. You could also get your Internet disconnected.

Perhaps the worst part is that it forces everyone considered an ISP under the law (including websites, for example) to collect Internet usage information on you, in case someone later accuses you of copyright infringement. Once collected, the information could be used for much more than that. So the law basically outlaws privacy and anonymity on the Internet (unless someone masks your identity for you for free - but then they might be liable), and treats you and me like criminals before we are even accused of doing anything.

What can you do? You can make a submission to the Select Committee on the bill before 18th of June, 2010, at this form here. To get you started, I have included my submission. Feel free to use all or part of my submission, but be aware that it will be more effective if you put it in your own words.

Submission of

Your name and address here

to the

Commerce Select Committee

on the Copyright (Infringing File Sharing) Amendment Bill

Date

I wish to appear before the Select Committee.

1. Abstract

I support the repeal of Section 92A (as inserted by the Copyright (New Technologies) Amendment Act 2008, but not in force). I also support government efforts to support a knowledge economy (in parallel with efforts to increase the pool of publicly funded, public domain information).

I do not support the creation of a mandatory data retention regime, nor do I support Internet disconnection as a remedy for Copyright infringement.

I have also identified a number of technical problems with the bill.

2. Definition of ISP and the safe-harbour provision

There are currently two applicable definitions in the bill for 'Internet Service Provider' (ISP). One of the definitions defines ISPs for the purpose of the safe-harbour provision, which protects ISPs from liability for their users' actions (I'll refer to this as the “safe-harbour ISP definition”), while the other defines which ISPs need to participate in the notice system (the “notice ISP definition”).

The safe-harbour ISP definition should be as broad as possible. The Internet has been spectacularly successful, and one of the major reasons for the continuation of this success is that, in jurisdictions where many Internet businesses operate, businesses are not held liable for the actions of their users. This means that many processes can be automated without opening up liability for the service provider. If New Zealand is to successfully foster a home-grown Internet industry, it is essential that the safe-harbour provisions are broadly applicable, unambiguous, and do not create unreasonable liability for service providers.

The safe-harbour ISP definition should therefore at least include all web service operators, all data storage providers, and all network routing service providers.

The following part of the definition is very narrow: “offers the transmission, routing, or providing of connections for digital online communications, between or among points specified by a user, of material of the user's choosing”. There are several problems here.

Firstly, the concept of connection is confusing because it has varying technical and legal meanings. According to Wikipedia, as of the 23rd of May 2010, a “connection-orientated communication” is one where, “in case of digital transmission, in-order delivery of a bit stream or byte stream is provided”. The protocol which is used to route data over the Internet, called Internet Protocol, is not connection-orientated, but rather datagram-orientated, meaning that a series of datagrams (packets) are sent. Transmission Control Protocol (TCP), which is used to assemble datagrams into connections, operates between the two endpoint hosts without the involvement of the ISP.

Part of the problem is that it is unclear if the definition is supposed to mean:

“

offers:

(i) transmission, or,

(ii) routing, or,

(iii) the provision of connections

for digital online communications

”

Or alternatively,

“

offers the:

(i) transmission of, or,

(ii) routing of, or,

(iii) provision of,

connections for digital online communications

”

I would suggest making it clear which one is intended, and would suggest that the former is a broader and better definition, for the reasons discussed above.

The requirements that points be “specified by a user” and that the material be entirely “of the user's choosing” are the most problematic, as some types of network will place restrictions on which users material is routed between (for example, in some cases it may be sent to everyone on the network), and will also place certain restrictions on the material. For example, a service provider might offer a service intended to allow musicians to broadcast their music to interested people. The service might allow the musician to determine the source, and the listeners to determine the destination (so the points would therefore not be of a single user's choosing), and would presumably only allow music, so the material is not entirely of the user's choosing either. However, the hypothetical site should, in all fairness, be eligible for the safe-harbour provisions in the event someone broke the rules of the site and broadcast music in which copyright rests with someone else, without a license.

I suggest an additional class of provider also be added to 92A:

“(c) provides computational resources to one or more Internet Service Providers”

This definition will cover infrastructural providers (such as providers of Virtual Private Servers, and services like Amazon EC2 [Enterprise Compute Cloud]) that provide services which are used by ISPs, even if they wouldn't otherwise qualify as an ISP themselves.

In addition, I would suggest that “offers” in part (a) be changed to “provides”, so that people who unwittingly route traffic for others because their computer systems have been compromised are also protected.

3. Definition of ISP for the purposes of the notice scheme

While the definition of ISP for the safe-harbour provision is too narrow, the definition of ISP in new section 122A for the purposes of the notice regime is too broad.

As discussed earlier, Internet Protocol (IP) is a datagram-based protocol which works by allowing a series of messages to be sent between two points. If a court concludes that the definition is intended to include IP, by extension it would also include any point-to-point message-sending system. For example, any subscription website which offers the ability to send private messages between users would meet the definition.

4. Mandatory data retention

The bill creates a mandatory data retention regime; for example, inserted section 122Q requires that “every ISP must retain, for a minimum of 40 days, information on the use of the Internet by each account holder”. This is a very bad idea for several reasons.

It will prevent anyone in the country from operating a legal and commercially supported anonymous or anonymising service (that is, a service which allows access to information without creating any record of the source of the request for the information).

Privacy on the Internet plays an important role in ensuring that the public are free to seek and impart information, without fear of reprisal. It allows people to safely speak out about organised and corporate crime, as well as oppressive and corrupt governments.

Keeping computer systems secure is a very difficult task, as many types of software error can open up the system to exploitation. Great effort is focussed on ensuring that fixes for security issues which are discovered are promptly deployed, as once efforts to fix the problem commence, potential attackers can analyse the fix to discover and exploit the problem. However, a determined attacker can work to find an issue which is not previously known (a “zero day” issue). The exact amount of effort required depends on the software in use, but for an experienced programmer, would probably require a few weeks' work (i.e. a likely financial cost to an attacking organisation of under $10,000). Because not all attacks will be discovered, and because many ISPs do not disclose attacks due to the negative publicity associated with them, it is likely that a single one-day exploit could be used to attack more than one ISP.

Alternative options which would allow an organisation to identify and unlawfully retaliate against a critic trying to remain anonymous would be to bribe employees of the ISP for the information, or to file a bogus lawsuit and seek an order to disclose the information. In addition, in the case of high-profile pseudo-anonymous users, there is a risk that employees of the ISP could look up and disclose the information out of interest.

For this reason, the best way to keep information private is to not store a record of it in the first place, and to destroy or obfuscate information which is not required for business reasons as soon as possible (reference: Electronic Frontier Foundation Best Practices for Online Service Providers. http://www.eff.org/wp/osp).

Mandatory data retention laws passed in Europe have recently been found to be a violation of the human right of respect for private life and correspondence in both Germany (http://www.bundesverfassungsgericht.de/entscheidungen/rs20100302_1bvr025608.html) and Romania (http://www.legi-internet.ro/english/jurisprudenta-it-romania/decizii-it/romanian-constitutional-court-decision-regarding-data-retention.html). For this reason, for New Zealand to pass mandatory Internet data retention laws here would likely damage New Zealand's reputation as a country which respects human rights.

As a country, we should be pushing for greater privacy, and less voluntary data retention, rather than for mandatory data retention. The benefits of mandatory data retention are far outweighed by the costs.

I suggest that the bill be updated so that ISPs are not legally required to retain any data about the use of the Internet by subscribers, and are only required to send a notice if they have retained enough data to send the notice.

5. Account holders who are also ISPs

An account holder is defined as 'a person who has an account with the ISP'. The Internet is, by definition, an interconnected network. A tier 1 network is defined by Wikipedia, as of the 24th of May, as “a network that can reach every other network on the Internet without purchasing IP transit or paying settlements”. By these definitions, any ISP connected to the Internet which is not a tier 1 network is an account holder. The same Wikipedia article suggests there are only 14 tier 1 networks in the world, none of which are New Zealand businesses. For this reason, every ISP in New Zealand is an account holder.

In practice, tracing a connection back will often reveal an entire series of ISPs (who are also account holders). For example, consider the following hypothetical (but realistic) situation:

  1. Big commercial ISP A holds an account with many other ISPs around the world, and exclusively focuses on providing services to other ISPs.

  2. Medium sized commercial ISP B is an account holder with ISP A, and offers services both to other ISPs, and directly to consumers.

  3. Small ISP C is an account holder with ISP B. They focus on providing services for home users.

  4. Doug (D) is an account holder with ISP C. He acts as an ISP for his flat, and collects money from everyone in the flat to pay C.

  5. Emma (E) lives with her husband and children in the flat. She pays Doug (is an account holder) and owns a network switch, which she uses to act as an ISP for her family (her family don't pay her for the Internet, so she is an ISP for the purposes of the safe-harbour provisions, but not the notice regime).

  6. Fred (F) is Emma's son, and he connects to her switch. He acts as an ISP by running a wireless network for the benefit of visitors in the area.

This exposes two problems with the bill. Firstly, there is an inherent contradiction, when an account holder is also an ISP, between existing section 92B(2)(c), which states “merely because A uses the Internet services of the Internet service provider in infringing the copyright, the Internet service provider, without more, …, subject to subsection (3), must not be subject to any civil remedy or criminal sanction”, and new section 122N(1), which states that

“(1) The Tribunal must order an account holder to pay a copyright owner a sum if the Tribunal is satisfied that—

  • “(a) each of the 3 alleged infringements that triggered the infringement notices issued to the account holder were infringements of the copyright owner's copyright that occurred at an IP address of the account holder; and

  • “(b) the 3 notices were issued in accordance with this Act.

I suggest that in addition, a new clause be inserted which states that “However, the Tribunal must not make an order under subsection (1) unless it is satisfied that the account holder was not an Internet Service Provider within the meaning defined in section 92A”.

Secondly, there is a lack of any procedure for dealing with the situation where an ISP receives a notice in respect of an account holder who is also an ISP. Continuing the example given above, if big commercial ISP A receives information that identifies an IP address at which an infringement of its copyright is alleged to have occurred, it must issue an infringement notice to Medium Sized Commercial ISP B. Instead, there should be a procedure for an ISP who is also an account holder to inform B that they are an ISP. At this point, the record of the notice would be cancelled on A's system, and A would be required to collect a fee for B to send the notice on the Copyright holder's behalf, as well as a fee for collecting the fee. This process would continue all the way down to E. However, E would signal to D that they are not required to send the notice, and this would be passed back up to the alleged copyright owner.

Where an ISP is also an account holder, it is still important that the ISP not be identified. For example, in this case, identifying D as the ISP could reveal the location of the flat.

In addition, I believe there should be explicit provision for benefit of the doubt where there is evidence that a computer may have been compromised, and that a user may have unwittingly become an ISP.

6. Jurisdictional issues

The Internet is very much an international network. For this reason, this bill should be very clear on issues of jurisdiction, but it does not address the issue at all. I suggest that it be limited to apply only to services which are provided by hardware physically present within New Zealand, operated by people who are subject to New Zealand jurisdiction, and are used to provide services to people in New Zealand. This will ensure that there is no limit on how competitive New Zealand businesses can be in other markets where other players are not facing similar limitations.

7. Internet Disconnection as a penalty

Access to the Internet is becoming increasingly important to allow access to government information, and to participate in modern society. For this reason, I strongly recommend against sections 122O and 122P, and suggest that financial penalties are sufficient to discourage copyright infringement.

The only protection a user has against abuse of their personal information, when it is obtained under section 122P, is an undertaking to the court made by the alleged copyright holder. This would be of little reassurance to a blogger whose information was released to potentially violent agents of a government, criminal gang, or corrupt business who they have criticised.

8. Conclusion

While this bill is an improvement over section 92A, it has numerous issues which need to be addressed before it can be passed. If nothing else, I strongly suggest that the Select Committee remove the mandatory data retention requirements, deal with the problem of account holders who are also ISPs, and strike out new sections 122O and 122P.