Finally the truth outs. I’ve been rumbled by an online comment on a talk I gave on the three strikes copyright law, reported in a Computerworld article, “Lawyer explains how to bypass file sharing Act”.
“This seems like bad advice from a lawyer who doesn’t understand the technical implementation...” one commentator concluded. Seeing as I did my five minute talk in 30 seconds, I guess I should have a crack at explaining my views.
Here’s my talk from start to finish: “You’re a corporate and worried about this new three strikes copyright law, and how your staff could use your network for illegal peer-to-peer downloading. What to do? There are two things you can do to protect yourself. Get all your IP addresses from APNIC [the Asia-Pacific Network Information Centre] or stop all peer-to-peer traffic. That’s my talk, thank you very much.”
Why the two options? On the second point, stopping peer-to-peer traffic takes away the risk, as the new law only applies to that type of traffic. Many organisations don’t need to access peer-to-peer.
What about the other option: APNIC? That conclusion requires close review of the wording of the Act and the regulations.
• The regime revolves around the relationship between (a) copyright holders, (b) entities similar to ISPs (called IPAPs in the Act) and (c) their customers called account holders (the corporate in this instance).
• Copyright holders kick off the process by asking IPAPs to email the first of three notices to the account holder which has the relevant IP address allocated to it.
• In a corporate context, if a staff member (or contractor, etc.) uses the network to download a movie by peer-to-peer, the movie owner can require the corporate’s ISP (IPAP) to give a notice to the corporate related to that IP address. This can lead ultimately to the corporate being penalised up to around $15,000 and, when Government triggers the change, suspension of the corporate’s internet access for up to six months.
• APNIC is not an IPAP, as it does not supply ISP-type services: it mainly supplies IP addresses. Therefore rights holders cannot require APNIC to give notice.
• A key point under the regulations is that the copyright owner cannot require the ISP (IPAP) to implement the three strikes procedure if it has not allocated the IP address.
• If the corporate takes an IP address from APNIC, it is not allocated by the corporate’s ISP (IPAP). So, the corporate is not at risk of the three strikes process.
Some corporates will manage their own APNIC-sourced IP addresses, and some will ask their ISP (IPAP) to do that. There is some risk in that latter case that it can be said that the ISP (IPAP) “allocates” the IP addresses. So the safest course is for the corporate to manage the addresses. There are practical issues around getting IPv4 addresses from the diminishing APNIC pool.
There may be other work-arounds, but I’ve not seen anything yet that would work. For example, the idea of having the corporate set up a related company (NetCo) to manage its internet connectivity has been suggested. NetCo becomes an IPAP that services the trading company (OpCo). Leaving aside compliance cost in setting this up, including publicly published annual compliance reports, this leaves the problem intact:
• NetCo is likely still to use an upstream commercial ISP (IPAP) to provide services.
• NetCo is an account holder (customer) in relation to that upstream ISP (IPAP). Entities can be both account holders (looking upstream) and IPAPs (looking downstream).
• The rights holders can require the upstream ISP to implement the three strikes regime against NetCo, and that in turn can lead to compensation obligations and network suspension.
• Rights holders can also require NetCo as IPAP to implement the process against its account holder customer, OpCo, again leading to compensation and network suspension.
But CIOs need to put this all in context, with a realistic assessment of risk. There are heated views for and against the law, and in relation to the role of online copyright generally.
That needs to be put aside to enable an assessment of risk and benefit based only on relevant matters. For corporates, the real risk is not the monetary risk: around $15,000 per event in the worst case (i.e. low monetary and frequency risk).
It is the risk of suspension of the corporate’s internet access for up to six months once that law is triggered. But in reality, is that manageable?
At minimum, organisations, public and private sector, should tighten their staff acceptable use policies and make sure they are legally agreed to by staff (in our experience, legal buy-in is the biggest issue).
Organisations like universities and those with transient users have additional issues to consider beyond the scope of this commentary.
Wigley is a lawyer specialising in ICT