DEA 2010: Wi-fi Liability

July 5, 2010

Setting the Scene 

Many homes connect to the Internet using a Wi-Fi router. This is a box which dials into the Internet to establish a ‘broadband’ connection and then broadcasts a radio signal allowing any computer within range (usually 100m radius or so) to use that broadband connection to access the Internet. That radio signal can be password locked so that only a computer with the right ‘key’ can access it but Wi-Fi routers are usually sold by default with no password set. 

Watching the Play Overseas 

A few weeks ago, the Karlsruhe court (Germany’s top court) ruled that a Wi-Fi owner is liable for what a third party does via the owner’s Wi-Fi Internet connection, where the owner fails to password-protect the Wi-Fi Internet connection. The court said: 

‘Private users are obligated to check whether their wireless connection is adequately secured against the danger of unauthorised third parties abusing it to commit copyright violation…’ 

What happened in the case was that a particular musician sued the owner of a Wi-Fi network connection through which that musician’s music had been uploaded onto a file-sharing network. The Wi-Fi owner-householder was able to prove that he was on holiday at the time of the uploading. He argued that since he clearly could not have undertaken the uploading (because he was away) he should not be held culpable in any way, as it must have been some unknown third party who uploaded the offending material. 

However, the German court said that it was the responsibility of the householder to ensure that his Wi-Fi connection was protected by a password – so no-one else could use it for nefarious purposes by accessing the Internet through it. The court ruled that the householder (i.e. the owner of the Wi-Fi network) could be fined up to €100 as he was ‘partially responsible’ for the copyright infringement that had occurred – even though he was not guilty of actual copyright infringement himself or liable for the content (whatever that may be) that was infringed. Even in Germany an owner cannot be held liable for the actual content that is downloaded by a third party. 

Interestingly, the German court did not mandate what form of password or encryption a Wi-Fi connection needs to use. For example, older WPA keys are nowadays relatively easy to crack, as opposed to the newer encryption WEP or WEP-2 keys used by newer Wi-Fi routers. It seems that, under German law, an owner is merely required to password-protect a connection in some way – or risk a fine. However, the court was saying that, as a matter of law, an owner must take a degree of responsibility for his Internet connection being used to break the law

Prior to the Final Act 

In English law, there has been no duty at law (or otherwise) to secure a Wi-Fi connection. Consequently, there has been no liability on the owner of a Wi-Fi Internet connection for the acts of a third party if that third party misuses that Wi-Fi Internet connection. Similarly, there is no statute which imposes any criminal liability on the owner of a Wi-Fi connection for failure to secure that connection. 

It seems clear that, certainly until now, an English court would not follow the principles established by the German court in the case above. For example, on 20 July 2005, Gregory Straszkiewicz was found guilty in the Crown Court of ‘dishonestly obtaining a communications service’ and related offences. Specifically, he was convicted of using a neighbourhood wireless (ie Wi-Fi) broadband connection of an Ealing resident without permission. He was fined £500 and given a 12 months conditional discharge. The network was not password-protected. However – and importantly – the owner of the network, who had not protected the network with a password, was not charged or deemed legally culpable in any way.  

In the UK, even initial steps to enforce the law for someone over their own network connection seem to have failed (never mind if someone else is doing something illegal over one’s own network). The first prosecution in the UK of a person charged with illegal peer-to-peer file-sharing ended with a not guilty verdict. A man ran an unauthorised music-sharing web site called Oink from his home in the North East. The site allowed members to share files. From its launch in 2004 until police closed it down in 2007, over 20 million music files were shared. Users had to make a donation to the site so that they could invite friends to become members too. The site operator made £10,000 a month, in donations. However, he was found not guilty of conspiracy to defraud. There are too few cases to see if this is part of a ‘trend’ or whether this case is confined to its own facts. 

In Australia, a court has ruled that an ISP was not liable for the unauthorised peer-to-peer file-sharing habits of users to whom that ISP merely provided access. Roadshow Films claimed that iiNet (an ISP) had authorised copyright infringement by its users, but the Australian Federal Court disagreed. The judge said that the fact that copyright infringement was occurring on a wide scale across the ISP’s network did not mean that the ISP had authorised the wrong-doing as it was not compelled to stop the infringements. Mere knowledge that infringement was taking place was not enough. As with English law, Australian copyright law forbids the doing or authorisation of the doing of anything which infringes someone else’s copyright. The two legal systems have common roots, and the decision may therefore be persuasive (although not binding) on similar English court cases. 

Clearly, existing laws have been insufficient. 

The Final Act?

In April 2010, despite much opposition from ISPs, many MPs and many user groups, Parliament passed the Digital Economy Act 2010 (DEA). The outgoing Labour Government was very keen to pass it into law before the election and much of the drafting was rushed through at top speed in the face of a letter-writing campaign targeting MPs (more than 18,000 letters were sent) and also in the face of protests outside Parliament. All calls from various consumer and industry groups were ignored. 

The DEA actually comprises 48 sections and two schedules covering a fairly broad range of eleven ‘digital’ topics. It is Topic 2, however, which has generated the most controversy as it covers online infringement of copyright. The relevant sections impose obligations on ISPs aimed at the reduction of online infringement of copyright. OFCOM is responsible for the specification of the procedural and enforcement aspects of these obligations through the approval or adoption of legally binding codes of practice. Regulations may be made about the granting by a court of injunctions requiring service providers to block access to web sites that are used, or are likely to be used, to infringe copyright. It is interesting that the passing of the DEA followed a Third Reading in the House of Commons, which saw some considerable last-minute power-plays. This resulted in certain stricter new powers to block pirates being dropped. 

In short, ss 3 to 18 of the DEA and the regulations proposed to be made under those sections will see file-sharers being identified, warned and ultimately stopped from having full Internet access.  There is some recent uncertainty whether the DEA adopts a stricter or a more lenient line in practice in respect of illegal peer-to-peer file-sharers. Instead of cutting off persistent file-sharers from the Internet, the outgoing Labour Government had said that their accounts would be ‘temporarily suspended’ – although it is unclear what this means – and it is unclear (at least at the time of writing) what approach the new Con-Lib coalition government will take. According to Jim Killock, of the Open Rights Group – a body against the legislation – nothing has really changed and he says that temporary account suspension still means that families will be stopped from using the Internet. 

So much for the law. Although the DEA may provide powers to cut people off from the Internet after following a process, the technical ability to identify file-sharers is far from fool-proof. The German case has illustrated just the sort of problems involved – because although it is fairly easy to check technically which Internet connection has had copyright material unlawfully passing through it – it is quite another to tie a particular person definitively to having used that Internet connection. Indeed it would seem to be a pre-requisite to any enforcement under the DEA that file-sharers are identifiable. Recently, Virgin Media announced that it was planning to trial new software called CView which will analyse file-sharing by its customers. However, Privacy International – a privacy rights watchdog – has taken issue with the ISP’s actions and has asked the European Commission to report on the legality of the proposed software use. Privacy International claims that the trial would breach the Regulation of Investigatory Powers Act 2000, under which it is a criminal offence to intercept communications without consent unless certain exemptions apply. However, Virgin Media counters that it is not actually identifying individual users. Instead, it is conducting the trial to see how much of the traffic through its service is illegal file-sharing. It wants to find out what it can do to reduce illegal file-sharing and the trial will give it useful information to help to achieve that. Virgin Media has admitted that it would be possible technically to use the deep packet inspection software to identify Internet protocol addresses (from which individual users could be identified) but has announced that this is not currently its plan. Importantly, Virgin Media claims that CView will not help with the DEA precisely because it says that CView does not actually identify anyone. And it is of note, that CView will not prove either way in a Wi-Fi setup which person (as opposed to which computer) was using that connection. 

It seems that the ability to identify people as file-sharers beyond a reasonable doubt (the criminal standard of proof) or even on a balance of probabilities (the civil standard of proof) remains in doubt at present. There seems to be no immediate prospect of trying to force network owners into taking responsibility for ‘open’ home networks which may be hijacked or otherwise used by third parties. In other words, whether the DEA powers can be applied in practice is in doubt, unless the courts were to follow the German approach of a sort of deemed culpability for a network owner. There is no indication that the courts (or Parliament) have any intention of moving to what would be a radical new position under English law.

Ways to deal with file-sharing therefore seem to be in state of flux. For example, Talk Talk has said it will not co-operate with measures that will force it to police illegal file-sharers – something which could see it clash with OFCOM. However the DEA does already seem to be affecting behaviour in practice. Many consultants report that Wi-Fi sharing has already dramatically reduced because individuals are nervous about the uncertainty of liability (even if that uncertainty is illusory). It is worth noting that even if there is no legal liability, there might still be an issue if a broadband package has a limit on how much can be downloaded or terms and conditions about how a broadband connection should be used. Allowing someone to piggy-back through a Wi-Fi connection may make a Wi-Fi owner incur extra charges or breach the terms and conditions of the broadband provider.

Some thought the DEA to be the final ‘Act’. But in reality, the script is still being written. 

Mark Weston is a Partner at Matthew Arnold & Baldwin and Head of the Commercial/IP/IT Department there. He is also Chair of the SCL‘s North London and Home Counties Group.