Should ISPs be Compelled to Become Copyright Cops?

January 27, 2009

I start from two important premises:

  1. Intellectual property law, like other laws, deserves to be respected. There is a place for criticism of modern digital IP laws, but it is not here.
  2. All law enforcement must respect basic human rights and fundamental values, and attempt to infringe those values as little as possible while achieving its goals.

In the words of the European Convention on Human Rights, law enforcement must be legitimate, transparent and proportionate. The question this article asks is whether the steps currently being proposed in the UK and globally to enforce laws against illegal downloading by enrolling ISPs as ‘copyright cops’ meet these important tests, and what alternatives exist that could better reconcile protection of copyright and rights such as freedom of expression and privacy.

The Situation

File-sharers on P2P networks usually download and upload using pseudonyms, and so are difficult to sue. They can be identified as subscribers to a particular ISP by IP address, and the entertainment industries have used companies like Audible Magic to collect such IP addresses. Having obtained an IP address, the name of the associated subscriber can only be obtained by asking the ISP for details, but the effect of the Data Protection Act 1998[1] is that ISPs, in the interests of user privacy, will not normally give out subscriber data without a court order.  Although court cases so far have on the whole seen such requests rubber-stamped,[2]prosecuting or suing alleged file-sharers is still subject to this time-consuming and expensive court bottleneck. (Once subscribers are identified, they can almost invariably be persuaded to settle, so substantive court proceedings are rare.)

This situation has long frustrated the music industry, who would prefer that ISPs themselves police the content shared by their subscribers, thus avoiding court process altogether if possible. ISPs not only fear that they may be breaching user confidentiality if they do so, but they may also alienate their own customer base, who are unlikely to enjoy being monitored in the interest of rights-holders.

In June 2008, French President Sarkozy, a fervent supporter of artists’ rights, introduced a Bill to mandate ‘graduated response’, or colloquially, ‘three strikes and you’re out’[3]. Under ‘three strikes’ ISPs must warn a detected file-sharer on their network if they appear to be breaching the copyright in music down- or up-loaded. On the third such warning, access to the ISP is disconnected. If such a doctrine is applied by law (or as voluntary ‘soft law’) then effectively the price of allegedly illegal file-sharing becomes banishment from the Internet.

There are a number of ways of implementing such a law. The music industry might demand that ISPs allow rights-holders to monitor all traffic which flowed from and to subscribers to spot copyright material. Such ‘deep packet inspection’ would be technically extremely difficult and highly invasive of privacy and freedoms of speech and association. A more practical rights-holders’ approach would be to pass anonymous file-sharers’ IP addresses to ISPs (as at present), who could identify the infringer and implement ‘three strikes’ disconnections. This scheme would need imposing on the whole industry with governmental support, otherwise file-sharers would move to non-participating ISPs (if they had any sense), and rights-holders would continue to be frustrated.

Breaches of Rights

This process, even if it aids the content industries, is potentially in breach of both human rights and EC law. The Electronic Commerce Directive[4] provides ISPs and hosts with exemption from liability in respect of content they either host or transmit as a ‘mere conduit’ under Articles 13 to 15 of the ECD, unless the ISP or host has been given notice of such illegality, in which case they are obliged to take down that material to retain immunity. A ‘three strikes law’ would necessarily breach this immunity.

More importantly, ‘three strikes’ would also breach both the ECHR and the EC Charter of Rights. By avoiding the costs and time of court-based action, disconnection sanctions imposed without judicial authority also avoid due process.  And if due process is not followed, the risks are high that users who are not in fact downloaders might be penalised erroneously.  

IP addresses (along with a time-stamp) identify a subscriber account, not the actual person who uses it. In an ordinary household, access to the Internet for all family members might be suspended, even if only one person had downloaded illegally or perhaps where only a friend , guest or unknown ‘piggybacker’ of an unsecured wireless network had done so. Another problem is that home machines are often compromised by ‘zombie’ malware nowadays and so can easily be used by remote strangers to upload and download at will. Difficult legal grey areas also exist in relation to fair dealing and private use, which might require legal advice to plead.  Effectively an industry-run disconnection system can only operate from a presumption of guilt based on IP address; whereas courts start from a presumption of innocence.[5]

Even if we could overcome these procedural justice problems, there is a serious legal question about whether a disconnection law is a proportionate response. According to the recent Promusicae case[6] in the European Court of Justice, the rights of the music labels to protect their copyrights must be balanced with the basic human rights of users. Copyright does not simply trump privacy, or other basic rights. Having Internet access is now an everyday part of life in the developed world and is essential to enjoyment of basic rights such as free expression, freedom of association, education and employment.  Disconnection may be a very blunt response to three occasions of downloading if a student’s course or a person’s job depends on it. Indeed, digital inclusion is now one of the UK government’s explicit policy goal, and it can be argued that the EU Charter of Rights specifically protects the right to Internet access under Art 36.[7]

The Developing Politics

For all the reasons described above, MEPs in the European Parliament voted against  Europe undertaking ‘three strikes’ policies  in April 2008.  There is much evidence however[8] that – under Sarkozy’s EC Council of Ministers Presidency – attempts were made to covertly insert the infrastructure for ‘three strikes’ into the current EC Electronic Communications reform. International opposition greeted this stealth law-making, which did not stop the proposals, but watered down its most worrying parts. These texts may yet be used to legitimise disconnection sanctions in EU Member States (notably France, where the ‘three strikes’ Bill passed its first hurdle in the French Senate on 1 November 2008). 

In the UK, despite all this, BERR consulted on how the ISP industry could help the music industry prevent illegal file-sharing. Their July 2008 Memorandum of Understanding[9] proposed as their favoured solution that ISPs and the music industry sign up to Codes of Practice, which would be vetted by Ofcom in the public interest – a co-regulatory solution. The content of these codes was rather opaque, but they might include ‘technical measures’ against the ‘worst’ ‘repeat’ offenders, including traffic management (slowing user’s Internet access to make data-heavy file-sharing impracticable), filtering out copyright content to their accounts, and, as last resort, disconnection.

They also asked for comment on four alternative responses to the content industry ‘crisis’.

  1. Require ISPs to give subscriber details to rights holders without court order.
  2. Require rights-holders to pass evidence and details of alleged infringers to a third-party body, which would take responsibility for assessing the evidence that file-sharing of copyright material had taken place.
  3. Require ISPs to allow filtering equipment installation to block infringing content (reducing Internet copyright infringement).
  4. Require ISPs to take action such as disconnection against infringers at the request of the music industry without any Ofcom ‘co-regulatory’ involvement.

Confidential negotiations began between representatives of BERR, the music industry and the ‘big six’ ISPs which control Internet access to around 90% of the UK population, but a statement made by BERR on 16 January 2009 exposes deadlock:[10]

‘None of the options highlighted in the consultation won widespread support. Rather there was a marked polarisation of views between the rights holder community and consumers and the ISPs over what action should be taken.’

That day’s Financial Times [11] leaked details of a possible way forward – an extremely watered down version of any previous suggestion: ISPs would merely be required to take two actions:

(i) pass warnings to subscribers that they were alleged to have file-shared illegally; and (ii) keep track of repeat offenders who received these warnings and pass anonymised details of  such to rights-holders, so they could then make a decision to go to court to seek full identification.

A new body called the Rights Agency would also be funded by a small ISP tax.

This leaked solution is better than previous proposals from an ECHR point of view. It respects, to some extent at least, the privacy rights of subscribers, and the worst due process and proportionality problems of ‘three strikes’ are avoided since non-judicially supervised  sanctions such as disconnection or traffic-slowing are not employed.  From the ISP industry point of view, they are still forced not only to act on behalf of another industry’s profits (to the disgust of many of their customers), but in fact to pay for the privilege of so doing. This does not exactly conform to natural justice, given that ISPs never agreed to be law enforcers, but are commercial actors in what is a highly competitive and low-margin field.

A Better Solution?

Is there a better solution which would still protect IP rights but not involve encroachments on fundamental human rights, the criminalisation of a generation of young adults, and the enrolling of ISPs as copyright cops against their will? Yes, there is.  In Continental Europe, levy systems on the physical media of digital copying – CD-ROMs and the like – are commonplace, to reimburse artists and authors for private copying allowed by these legal systems. Academics, such as Fisher,[12] observed that such levy schemes (based perhaps on broadband subscription, instead of physical media purchases) might also finance royalty payments to recompense record companies and artists for P2P downloading.  This would allow free downloading for all users without fear of criminal or civil suit, encourage new artists’ development, provide  rights-holders with a revenue stream, and perhaps even, as Fisher suggests, promote ‘semiotic democracy’, the idea that society benefits from its citizens having free access to a wide range of cultural products. No human rights would be endangered by such a plan.

But the music industry has always vigorously resisted any consideration of levy (or tax) options, since they believe more profit can be made via a market-driven digitised distribution system, such as iTunes, than a flat-rate government-set levy. Given the defiant majority which persists in file-sharing (and the imminent arrival of even harder to police encrypted P2P systems as consumer broadband speeds improve), flat-rate revenue might be seen as at least better than a diminishing free market return.  For the average user, the levy solution would be simply marvellous: all you can eat culture, not for nothing but for a reasonable monthly fee (which could be collected fairly easily by ISPs). 80% of UK users said they would welcome such a ‘legal P2P’ approach, in the music industry’s own poll.[13]

So what will it be? A future in which legislatures continue to bend law and break human rights to satisfy the highly paid lobbyists of the content industry, or a future where a brave and sensible governmental agency – perhaps our very own BERR – decides to test out a solution which suits everyone – except the record companies, but even they may benefit from being forced to build new business models. I know which future this author would prefer to see.

Lilian Edwards is Professor of Internet Law at the University of Sheffield:


[1] See, however, the DPA 1998, s 39.

[2] See Totalise v Motley Fool [200] EWCA Civ 1897; more scrutiny was apparent however in Sheffield Wednesday [2007] EWHC 2375 (QB)

[3] See .

[4] Directive 2000/31/EC, implemented in the UK by the Electronic Commerce (EC Directive) Regulations 2002 No 2013.

[5] Copyright infringement for domestic use is primarily pursued as a civil not a criminal infraction. However there is a strong argument for saying that a penalty such as disconnection from the Internet (like disqualification from driving) must be disponed only as a result of criminal prosecution.

[6] Promusicae v  Telefonica, ECJ, Grand Chamber, Case C275/06, 29 January 2008, available at .

[7] Article 36: ‘The Union recognises and respects access to services of general economic interest as provided for in national laws and practices, in accordance with the Treaty establishing the European Community, in order to promote the social and territorial cohesion of the Union.’

[8] See Edwards, L. and Bradshaw, S. (with assistance from Monica Horten) 2008 brief prepared for Online Rights Group at .

[9] See .

[10] See BERR P2P Filesharing – responses to the consultation, available at .
[11] See Fenton and Bradshaw ‘Internet piracy regulations planned for UK’, FT, 16 January 2009, at .

[12] See Promises to Keep (Stanford University Press, 2004).

[13] See . 63% of survey participants admitted to having llegally downloaded.