Response to illicit filesharing legislation consultation

Author: P.T.B. Brett BA (Hons) MEng (Cantab) MIET
Date: August 13th, 2009


In the wake of the recently-released Digital Britain report, the Department for Business, Innovation and Skills recently opened a consultation on proposed legislation to combat illicit peer-to-peer filesharing. This document outlines my concerns regarding the scope, impact and applicability of the proposed measures.

This response reflects my individual views as a copyright holder on several widely-used software programs. It does not reflect the official views of any organisation.

Responses to consultation questions

Notification Obligation

Question 1. Is this restriction right? Is there anyone else who ought to have a right to trigger the obligation?

The restriction should be more restrictive. The recommendation:

This could include any rights agency acting on behalf of rights holders more generally if such an agency were to exist.


appears to allow industry groups who claim to represent the interests of all rights holders in a particular area (for example, a performance rights organisation) to make accusations of copyright infringement for any material that appears to fall within their purview.

This has a chilling effect on rights holders who have explicitly licensed their material to be shared over a peer-to-peer network. Accusations triggering the obligation should only be permitted to be made by parties explicitly authorised by the rights holder to act on their behalf.

In addition, only a single party should be permitted to issue accusations triggering the obligation for any particular work. For example, a rights holder of a particular work could issue accusations of copyright infringement of that work himself, or delegate the ability to issue such accusations to one other agent. This would protect account holders from receiving multiple notifications due to a single incident.

Question 2. Should there be a time limit from the date of a specific infringement by which a request needs to be made? If so, what should it be?

In order to ensure that account holders are notified in a timely manner of any possible accusations of illicit filesharing, a strict time limit should be set from the date of a specific alleged infringement to the latest date on which the account holder can be notified of the infringement. This is in order for an account holder to be able to preserve evidence of non-infringement in the case that the account holder wishes to challenge the accusation.

A reasonable time limit would appear to be 30 days. This would provide plenty of time both for a rights holder to prepare and send a request to the account holder's ISP, and for the ISP to process and send on the notification to the account holder.

Question 3. Is this list right? Is there anything else that should be specifically added to this list? Should there be any more detail on any of these points in the legislation, or is it OK to leave that for the code?

In order to allow the account holder to challenge the accusation of copyright infringement, the list of contents of the notification should also contain:

  • a copy of the original notification received by the ISP from the rights holder;
  • information on how to challenge the accusation of alleged infringement;
  • a statement informing those notified of how to access any data held by the ISP that may be disclosed to a rights holder on receipt by the ISP of a court order.

Ideally, the latter retained data should be available to the account holder free of charge and at any time (for example, by publishing it on the ISP's website in a location accessible with the account holder's username and password).

Question 4. Does this need to be set out in any more detail in the legislation, or is it sufficient to require it to be set out in the code?

The standard of evidence required must be set out in the legislation. Furthermore, it is important to note that the standard of evidence reasonable for the issue of a notification might well be lower than the standard of evidence reasonable in a civil court action for copyright infringement.

I recommend that the higher standard of evidence should be required for the issue of a notification, in order to reduce the probability of spurious notifications and also to ensure sufficiently high-quality evidence is available in the case that a civil court action takes place. I also recommend a consultation with relevant professional bodies (e.g. the British Computer Society and the Institute of Engineering and Technology) to establish how reliable evidence of internet copyright infringement can be gathered.

Question 5. This obligation is specified without any volume limit. Is that right? Should there be a restriction on how many notices a rights holder can serve, or that an ISP needs to honour (either from a specific rights holder or in total)?

A restriction on how many notices may be served per rights holder would have the beneficial effect of encouraging rights holders to concentrate efforts on more valuable works, while limiting the load on an ISP.

On the other hand, a restriction on the number of notices that may be served per work would have the beneficial effect of encouraging rights holders to concentrate efforts on identifying more profligate filesharers in order to use the notice quota most efficiently.

Question 6. Alternatively should volumes be agreed (say) 6 months in advance between rights holders, ISPs and Ofcom to allow ISPs to prepare accordingly?

I have no comments on this question.

Question 7. Is this approach to costs the right one? Is there anything else in relation to costs that should be taken into account in the legislation? Should the legislation specify exactly how costs are to be shared or is it right to leave some flexibility in how the legislative requirements are reflected to the code?

Another option (which I support) is for rights holders to have to pay a statutory fee to the ISP on a per-accusation basis. The level of the fee would be set periodically by OFCOM based on consultation with rights holders and ISPs. This scheme would have the advantage that the amount contributed to the scheme by a rights holder would be proportional to the level of use by the rights holder.

The requirement that rights holders pay for ISPs to process their accusations of copyright infringement is based on the fact that ISPs are essentially providing a service to the rights holders, and that without the ISPs' cooperation the costs to rights holders in enforcing their copyrights would be much higher.

Serious Infringer Obligation

Question 8. Do you see any legal difficulty with linking a new notification with a previously gathered set of anonymised data in this way? If so, what specifically is likely to be the problem?

This section contains a number of technical and legal difficulties.

Firstly, the account holder's identity must be anonymised in such a way that rights holders (or their agents) are not able to compare data received from an ISP 'behind an ISP's back.' Therefore the anonymised identifier (e.g. a number) used to identify an infringer to a particular rights holder's agent must be different to the anonymised identifier used with any other agent, even in the case that the agent is representing the same rights holder. There must be no way for the multiple anonymous identifiers relating to a single account holder to be matched up apart from by the ISP itself. This is particularly important in the case that a particular agent is representing multiple rights holders.

I recommend a consultation with relevant professional bodies (e.g. the British Computer Society and the Institute of Engineering and Technology) to establish a standard for securely generating appropriate anonymised identifiers.
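The unlinkability requirement above can be illustrated in code. This is an added example, not part of the original response, and it is not a proposed standard: the use of HMAC-SHA256 with a key known only to the ISP is an assumption, and every name in it (`PseudonymIssuer`, `repeat_identifiers`, the agent and account labels) is hypothetical.

```python
import hashlib
import hmac
import secrets
from collections import Counter


class PseudonymIssuer:
    """ISP-side issuer of per-agent anonymised identifiers (hypothetical design)."""

    def __init__(self, key=None):
        # Secret held only by the ISP. Without it, identifiers cannot be
        # recomputed or matched across agents.
        self._key = key if key is not None else secrets.token_bytes(32)
        # ISP-private reverse map, consulted only on receipt of a court order.
        self._reverse = {}

    def pseudonym(self, agent_id, account_id):
        """Return the identifier under which agent_id sees account_id."""
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
        parts = (agent_id.encode(), account_id.encode())
        msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._reverse[(agent_id, tag)] = account_id
        return tag

    def resolve(self, agent_id, tag):
        """Map an identifier back to the account; None if it was never
        issued to this agent."""
        return self._reverse.get((agent_id, tag))


def repeat_identifiers(tags, threshold):
    """Agent-side grouping: identifiers seen at least `threshold` times.
    Needs no IP address, only the identifiers the ISP handed out."""
    counts = Counter(tags)
    return {tag: n for tag, n in counts.items() if n >= threshold}


def demo():
    isp = PseudonymIssuer()
    # Constructed sample accusations: (agent, account holder) pairs.
    accusations = [
        ("agent-A", "acct-1001"),
        ("agent-A", "acct-1001"),
        ("agent-A", "acct-2002"),
        ("agent-B", "acct-1001"),
        ("agent-B", "acct-3003"),
    ]
    seen = {}
    for agent, account in accusations:
        seen.setdefault(agent, []).append(isp.pseudonym(agent, account))

    # Agent A can show repeat infringement by one (anonymous) account holder.
    repeats_a = repeat_identifiers(seen["agent-A"], threshold=2)
    # Agents A and B pooling their data find no identifier in common, even
    # though both hold accusations against acct-1001.
    overlap = set(seen["agent-A"]) & set(seen["agent-B"])
    # Only the ISP can turn the identifier back into an account.
    resolved = [isp.resolve("agent-A", tag) for tag in repeats_a]
    return repeats_a, overlap, resolved


if __name__ == "__main__":
    print(demo())
```

The identifier is stable for one agent, so repeat accusations can be grouped, but differs between agents, so two agents comparing lists learn nothing about shared account holders.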

Secondly, the consultation document says that the rights holder would be enabled:

... to group infringements/notifications and hence identify the IP addresses associated with multiple alleged infringements.


The identification of an account holder by the ISP may be by a mechanism other than a particular IP address, and this part of the consultation document is thus technically flawed. Indeed, several experts in civil court cases involving alleged online copyright infringement have testified that an IP address does not identify a particular account holder or even a particular computer.

I recommend that the text, "...and hence identify the IP addresses associated with multiple alleged infringements" be deleted. After all, the intent is for the rights holder to obtain the account holder's information from the ISP by means of a court order, and all that would be required is evidence of repeat infringement by matching the anonymous identifiers discussed above.

Please note also my answer to Question 4 above. Because it may be used as evidence against the account holder in a civil court action, it is important that at the time of the initial notification an ISP gathers and retains high-quality evidence, in a secure manner.

This entire issue deserves a much more careful treatment than has so far been outlined in any of the documents available to the public.

Question 9. There is some evidence (research and empirical) that further warning letters result in a further reduction in people file-sharing. Do you think multiple letters should be sent (up to a maximum of (say) three) and, if so, what should trigger these? (for example, should this be on a strict, one infringement one letter basis or should there be specified levels (eg 1st letter on 1st infringement, second letter on 10th, third on 20th).

The consultation document seems to overlook the fact that there are two mechanisms by which an ISP may notify account holders:

  • By a printed letter, with enclosed leaflets. This is typically expensive for an ISP.
  • By an e-mail, containing hyperlinks to digital information on the ISP's website. This is typically of negligible expense to an ISP.

In order to protect the rights of account holders to challenge false accusations of illicit file-sharing, I strongly urge that ISPs be required to notify an account holder on every occasion when they receive an accusation of copyright infringement on the part of the account holder, even if only by e-mail. In addition to this requirement, I would recommend that ISPs be required to send physical letters to account holders at specified numbers of accusations.

Question 10. Do you agree to the approach on costs set out here? Are there any additional factors that we should take into consideration here?

As ISPs are likely not to be parties to any eventual litigation, I recommend that ISPs be awarded reasonable costs for producing evidence on receipt of a court order, payable by the rights holder [1].

Additionally, the consultation document says:

However, in recognition of the responsibilities that we are placing here on ISPs we also propose that ISPs should meet their own costs in collecting, maintaining and processing data in pursuit of fulfilling this obligation.


ISPs will have to collect, maintain and process high-quality evidence every time that an accusation is received, because a rights holder may choose to bring a civil court suit against the account holder at a time months or even years after the date of the alleged infringement, by which time such evidence may be technically infeasible or even impossible to obtain. See also my responses to Questions 4 and 8. The costs of collecting the evidence should therefore be factored into the ongoing costs of processing notifications, possibly via the fee system proposed in my response to Question 7.

[1] I anticipate that, in the case that the rights holder prevails in a civil court action, the damages awarded would cover the rights holder's legal costs including the cost of acquiring any evidence from the ISP.

Ofcom power to impose other obligations

Question 11. Do you agree with the list of further measures that could be imposed and the conditions to which their application must satisfy?

I would recommend that communication technologies or mechanisms, including so-called 'peer-to-peer' systems, should not be blocked or otherwise interfered with except in the case that:

  • The intervention is applied to a particular account holder at the order of a civil court injunction or ruling.
  • The intervention is applied to a particular communications service provider at the order of a civil court injunction or ruling.

For example, if rights holders identify a large amount of copyright infringement is taking place using the 'BitTorrent' technology, the correct approach is not for rights holders to seek blocking, shaping or capping of 'BitTorrent' per se (for which substantial non-infringing applications exist [2]), but for the rights holders to seek an injunction against particular ISP account holders or service providers who particularly facilitate copyright infringement.

This protects the right of individuals and organisations (who may well not be located in the UK) to use the most appropriate technology for any given application.

Furthermore, the cost to ISPs (which may well be very great for some possible obligations, such as content identification/filtering) is not mentioned in the application criteria, despite the fact that some ISPs may simply be unable to meet the obligation due to financial reasons. To make matters worse, modern 'peer-to-peer' protocols are rapidly approaching the level of sophistication where preventing their use by any of the suggested mechanisms would not be possible without severely interfering with the 'normal' operation of the Internet.

Finally, no details are provided in the consultation of what metrics are to be used to measure the level of Internet copyright infringement for the purposes of assessing efficacy of proposed additional obligations. The responsibility for creating an appropriate and unbiased measurement procedure must be delegated to an impartial agency, preferably the UK Statistics Authority.

[2] For example, the developers of the 'World of Warcraft' computer game distribute updates to the game using 'BitTorrent' technology.

Question 12. Is 12 months about right to allow a proper assessment of the efficacy of obligations? If not, what would be a better period, taking into account the need to react both expeditiously and on the basis of good evidence?

I am concerned that such technical measures will be forever playing 'catch-up' to the progress in technology, and may well do more harm to legitimate Internet applications than the benefit they accrue in terms of reducing copyright infringement.

This could be alleviated by making the assessment period shorter (4 months would likely be short enough). However, that would come at prohibitively high cost to ISPs, who would have to roll out any necessary hardware and software upgrades at impractically short notice.

Code of practice

Question 13. Do you agree with this list of things that Ofcom need to satisfy themselves of before approving a code? Is there anything else that Ofcom should be obliged to consider before approving such a code?

Since the code of practice materially affects ISP account holders, OFCOM must satisfy itself that the views of ISP end-users (either directly or via consumer rights organisations) have been taken into account in the preparation of the code.

In addition, 'large' ISPs (which, numerically, make up a minority of ISPs in the UK) are likely to have a lot of influence in an industry committee set up to develop a code of conduct, due to being able to afford to dedicate staff and time to the effort. OFCOM must satisfy itself that any code of conduct does not impose unreasonable or disproportionate obligations on small and/or specialist ISPs.

Question 14. Do you agree that a code needs to be in place in time for common commencement? Is it realistic to expect such a code to be developed in less than 12 months, could it be done sooner, and if not what would be a realistic estimate?

In order to protect the rights of account holders, the code of practice must be in place prior to the date of common commencement.

Question 15. This list seeks to set out all the requirements of the code to enable the operation of the first two obligations. Does it do so? Is there anything else that the code must cover in order to enable the effective operation of those obligations and if so, what?

I have no comments on this question.

Question 16. Are there any other restrictions or requirements that should be placed on Ofcom in pursuit of their role in relation to this code?

In addition to the requirements stated, OFCOM should explicitly be given the power to fine the ISP in the case that, in the absence of a court order, the ISP supplies inadequately anonymised data to the rights holder.

Any fines imposed by OFCOM must be sufficiently large to have punitive effect.

Time line

Question 17. What are your views on the time line suggested above, and the ways in which it could be reduced? Are there other ways in which this could be shortened without hazarding essential safeguards and the need for decisions to be made on the basis of the best available evidence? Do you think a 6 month review point during the initial assessment period would be useful?

I feel that the proposed (and impressively aggressive) timeline cannot be shortened without hazarding essential safeguards, particularly with regard to consumer protection.

Role of a self-regulatory body

Question 18. Do you agree that this is an appropriate role and structure for the rights agency?

The consultation text says:

Ofcom would be responsible for approving the code and also responsible for ensuring that non-rights agency stakeholders (e.g.) consumer groups have proper input into the process.


I consider it critical that consumer groups actively take part in any industry body, rather than merely 'having proper input.'

It goes on to say:

However, if blocking of sites were to be a part of any new obligation imposed by Ofcom the identification of such sites would need to be subject to appropriate court processes to ensure that they were indeed operating illegally before ISPs could be obliged to block them.


... We do not intend to place the rights agency on a statutory basis for the purposes of addressing unlawful P2P file-sharing.


Both of these restrictions are essential, and must not be weakened.

Question 19. Do you agree that we should proceed with an intention to exempt small businesses? If so, have we chosen the right criteria? Do you have a preferred method of exemption? Please give reasons if you object or if you foresee any unintended consequences not discussed here.

I agree that exemption of small ISPs is one possible appropriate way to reduce the risk of disproportionate burden on them. I believe that a small business exemption is most appropriate, due to problems with the other two options:

Named Inclusion Order
Holding the proverbial 'Sword of Damocles' over an ISP (in the form of being added to the Inclusion Order and likely being forced to go out of business as a result of the costs of compliance) will not be good for customers of that ISP. The ISP may well feel required to impose draconian acceptable use policies and possibly port/protocol blocking in order to protect itself from its own customers, possibly resulting in restrictions to non-infringing uses of Internet technologies going well beyond that intended by the proposed legislation.
Technical Exemption
There are only a tiny minority of providers of dial-up Internet connectivity that are not also providers of high-speed connections such as ADSL. As far as GSM mobile broadband is concerned, the available providers are all very large businesses for whom an exemption would not be appropriate anyway. A technical exemption as suggested would be ineffective.


Question 20. Do you consider there to be a case for considering any exclusions on other grounds including technical or proportionality? Please give reasons.

I have no comments on this question.

General comments on the proposed legislation

Notwithstanding my comments and suggestions in response to the specific questions of the consultation, I consider the proposed legislation to be extremely poorly thought out. My principal objection is that this is a measure to deal with a problem which is not, in fact, a problem.

Statistics based on a fallacy

As discussed in detail by Ben Goldacre in The Guardian, it is almost impossible to substantiate the claims of losses made by the media industries. Despite a detailed search, he was completely unable to track down any sort of objective and rigorous study made of the actual losses due to Internet copyright infringement.

The (limited) studies that have been done seem to have been based on two assumptions, both dubious.

The first assumption is, 'Downloading from the Internet illicitly reduces licit media purchases.' In fact, according to a study carried out by Birgitte Andersen and Marion Frenz at the University of London:

Among Canadians who engage in P2P file-sharing, our results suggest that for every 12 P2P downloaded songs, music purchases increase by 0.44 CDs. That is, downloading the equivalent of approximately one CD increases purchasing by about half of a CD. We are unable to find evidence of any relationship between P2P file-sharing and purchases of electronically-delivered music tracks (e.g., songs from iTunes). With respect to the other effects, roughly half of all P2P tracks were downloaded because individuals wanted to hear songs before buying them or because they wanted to avoid purchasing the whole bundle of songs on the associated CDs and roughly one quarter were downloaded because they were not available for purchase.

The second assumption is, 'If he could not download media illicitly, an Internet filesharer would purchase it.' This is not necessarily true, either, particularly in the 'try before you buy' case but also in the case where the filesharer is downloading because he does not perceive the licit version to provide value for money.

I am not convinced that the statistics which justify the need for this legislation are not well-founded, and that a rigorous, peer-reviewed study needs to be carried out to discover the objective economic impact of illicit Internet filesharing.

Illicit filesharing as a market force

In addition to the evidence that the 'damage' due to illicit filesharing is exaggerated, it is worth examining the actual reasons why people illicitly download files from the Internet:

Firstly, someone may infringe because they cannot afford to purchase the media licitly; if they were unable to download the media they would not purchase any media at all. In this case, the illicit downloading is actually of net benefit to the rights owner; although they do not receive any direct financial payment, there is a corresponding increase in market awareness of their product (e.g. due to the filesharer telling his friends). In fact, Microsoft Chairman Sir Bill Gates has been quoted as saying, in a 1998 speech at the University of Washington:

Although about 3 million computers get sold every year in China, people don't pay for the software. Someday they will, though. And as long as they're going to steal it, we want them to steal ours.

Surprisingly, if this class of filesharers were stopped by legislative or technical means, it can be argued that it might have a detrimental effect for rights holders.

Secondly, someone may infringe because, to them, the illicitly downloaded product is technically superior or more convenient than the licit version. One excellent example is commercially-available DVD movies, which suffer from a number of flaws that reduce their attraction to consumers.

  • Un-skippable advertisements and/or trailers at the start of the movie, which many consumers find obnoxious. In this case, the illicit version is more convenient.
  • Susceptibility to accidental damage that renders the disc unreadable, leaving the consumer with no recourse but to purchase the DVD movie again. Although it is technically possible to make backups, it is considered to be copyright infringement in the UK. In this case, the illicit version is technically superior.
  • Region coding that means that a DVD movie purchased on one continent cannot be licitly viewed in another. In this case, the illicit version is more convenient.
  • Unavailability of licensed players for all operating systems. Users of some operating systems, like BSD variants or Linux, have the unenviable choice of downloading and installing illicit software to play DVDs (and thus infringing copyrights and infringing patents and breaking the law [3]) or downloading and playing illicit copies of the films (and thus 'only' infringing copyrights).

This is just one example of a business model to which illicit filesharing provides a valid economic challenge.

The effect of 'piracy' in the recording industry has been to encourage rights holders to enhance their licit offerings: consumers now receive more choice of products, at lower price points, on a more timely basis, without restrictive Digital Rights Management. Indeed, in recent months recording industry revenues have been increasing and piracy has been decreasing, despite the global recession, and notably without the need for any new legislation.

I therefore argue that illicit filesharing actually has a net positive effect, both in terms of providing product awareness for rights holders, but also by encouraging rights holders to adapt their product offerings to the latest technology in order to provide the best possible technical quality, value for money and convenience for consumers.

In my opinion, the prevalence of illicit Internet filesharing is primarily due to the failure of the media industries to adapt in a timely manner to the introduction of high-bandwidth communications technology. I feel that the proposed legislation will merely motivate the development of filesharing software which is harder to detect, more secure, and better anonymised, with little direct effect on actual levels of illicit filesharing.

[3] Specifically, the EU Copyright Directive, which prohibits manufacturing, owning, using or distributing software which circumvents an effective protection measure protecting copyrighted content.

Legitimate applications of peer-to-peer technologies

As a final aside, I am concerned about the potential application of the proposed legislation (see especially 4.23 through to 4.28) in eventually leading to blanket blocking of all peer-to-peer protocols due to strident demand from the media industry. As an independent developer of electronics CAD software, I rely heavily on the bandwidth-sharing characteristics of technologies such as 'BitTorrent' when distributing my software. The proposal suggests the potential, in the future, for ISPs to be compelled to block (or otherwise cripple) this distribution system, and that would be severely harmful to my ability to publish my work.


I have outlined several ways in which the proposed legislation could be improved, if it is to be adopted. In particular, I am concerned that the proposed legislation neglects and/or undermines the rights of account holders in several significant ways.

However, I feel strongly that the proposed legislation is attempting to address the wrong problem, and that introducing it will increase the cost and decrease the convenience of general Internet access to no net positive effect. There are better ways for the government, ISPs and rights holders to spend funds than on implementing and operating the scheme as described.
