PO Box 382 North Adelaide SA 5006
Email: [email protected]
Fidonet: [email protected]:632/552
Phone: 08 8384 7316 Fax: 08 8373 3829
http://www.efa.org.au/

30 November 1996

Mr Patrick Fair
Chair Code of Practice Task Force

Dear Patrick

Please accept our congratulations to INTIAA for the initiatve shown in attempting to develop a Code of Practice which may eventually be adopted widely by the various industry associations and user groups in Australia.

Attached is the Electronic Frontiers Australia Rebuttal of the second version of the INTIAA Code of Practice for your consideration. It has been passed on to the various State based industry associations for their consideration and comments. At this time all state industry associations, that is, WAIA, SAIA, ACTIA and TIA have endorsed the EFA Rebuttal whilst reserving their position on their own responses to the second INTIAA draft Code of Practice.

Attached, along with this Rebuttal, are two supporting emails, one from ACT PCUG spokesperson, Karl Auer, and Andrew Connor, Spokesperson for TIA.

We would be very happy to work with INTIAA in the revision of version 2 in order to develop a Code of Practice which deals more appropriately with the issues mentioned in the following rebuttal.

Regards and best wishes

Brenda Aynsley
Vice-Chair
Electronic Frontiers Australia

COMMENTARY ON THE INTIAA CODE OF PRACTICE VERSION 2

Summary:

The draft version 2 INTIAA Code is unnecessarily bureaucratic and censorious. It does not represent the views of the Internet Industry and it is essential to redraft many of the provisions , especially:

2. Objectives - the whole Code merely classifies content by tagging.
4. Terminology - Definitions are clumsy and not consistent with Industry use of terms.
5. Scope - does not include users. Does not define "reasonable steps".
7.5 ISP duty to report "illegal" sites to Admin Council and authorities. - no allowance for error or libel , and this is no task for ISPs.
7.6 ISP duty to report RC material to site owner in Australia - noting that the Code considers X-rating = RC in the States (clause 10.2)
10.4 Use of PICS compulsory - this is to be condemned.
12.1 Invitation to users to complain must be provided by ISPs.
12.3.4 Admin Council may set minimum hardware/performance standards.
13.1.1 No under-18 accounts without parental permission.
13.2 Admin Council may rule PICS etc compulsory .
13.3 Duty on ISPs to take reasonable steps to avoid RC transmission by users.
15. Admin council
- Chair nominated by Fed Minister for Communications
- 2 Industry reps nominated by INTIAA
- 1 user rep nominated by Internet Society
- 1 lawyer nominated by INTIAA
15.6 Funding from Industry - not the Minister for Communications. The proposed levies are much too expensive.
15.4.8 Admin Council to report breaches of law to authorities
15.5 Admin Council may amend code , on notice to members but no vote.
15.8 Annual Fee to members , also Admin Council may accept sponsorship.
15.11 (After labyrinthine complaints procedure) Members agree not to sue INTIAA over procedure in investigating complaints.

The Code purports to define standards of behaviour , but merely promotes the controversial use of labelling classification for censorship purposes. The Code wrongly makes ISPs responsible for classification and access to content on other sites.

DETAILED COMMENTARY

(Quotes from the INTIAA code are marked with ">" marks)

> 1. INTRODUCTION

> 1. This Code of Practice establishes general standards of behaviour
> for those involved in the Internet industry.

The use of the undefined term "Internet industry", in conjunction with "involved in", in this clause implies that the Code covers all persons who provide services or content on, or connected with, the Internet. However, the vast majority of those providing content on the Internet are ordinary individuals. They, and many small commercial providers of Internet services, will be unable to afford the fees required by INTIAA to become a Code Subscriber. This Code should therefore not seek to set standards of behaviour for people who are unable to obtain any benefit from compliance with it.

Furthermore, some of the "standards of behaviour" required by the Code are not in fact required of service providers by all consumers of Internet related services, nor are same required under law. This Code should therefore not purport to establish standards to be complied with by the entire "Internet industry".

To the extent that the Code requires adherence to standards of behaviour as commercial suppliers of services , there is an unnecessary reiteration of basic rules of contract and standards of ethical commercial behaviour. If these exceed, or are seen to exceed , standards applicable to other industries these standards should be put to a vote of Code subscribers.

> 2. The Code will be administered by an Administrative Council.

This body is undemocratic and exercises too much unchecked power.

> 3. Members of the industry who choose to adhere to the Code may indicate that they
> have adopted the principles of the Code by use of the "Code Compliance Symbol"
> endorsed by the Administrative Council from time to time.

It should be noted in this clause that somewhat more than "choosing" to adhere to the Code is required, that is, a fee is also required.

> 2. OBJECTIVES

> The aims of this Code include:

> a. to establish confidence in and encourage the use of the Internet.

The most effective manner in which this Code could assist to "establish confidence in and encourage the use of the Internet" would be for the Administrative Council to provide a web page containing information and links to appropriate software and the Code to require all Code Subscribers to prominently link to that page from their Home Pages.

> b. to support a system for the classification of content on and management of
> access to content on the Internet.

This assumes that this is a desirable aim , and a practical one. Classification of content by content providers is not a reality on the global networks , and may never be so.

Whilst this Code requires Content Providers to classify content by tagging, it offers nothing remotely effective in regard to managing access to content. Tagging of content, of itself, has no affect on access to that material unless users of the Internet, who wish to limit their access or that of minors under their supervision, use software programs able to read those tags. Nowhere in this Code are Code Subscribers required to provide information about such programs or make new users aware of the existence of such programs.

> c. to improve the fairness and accuracy of disclosure to users of the Internet
> and the community in general

It is hoped that in this clause "users" means just that, not "customers" of Code Subscribers as the word is re-defined to mean under the Code.

> d. to provide standards of confidentiality and privacy afforded to users of the
> Internet.

This Code provides no standards of confidentiality and privacy to "users of the Internet". Standards herein are only applicable to Code Subscribers' dealings with their own customers.

> e. to provide a transparent standard for complaint handling for the Internet
> industry.

What exactly does "transparent" mean in this context? Without guidelines as to the appropriate classifications of complaints , the complex complaint handling procedure specified elsewhere would be a nightmare for small service providers - and there is no place for input into the process of establishing such a standard by those affected by it (such as users, content providers and service providers).

> f. to improve user relations by the Internet industry.

It has not been demonstrated that there is a deficiency in "user relations by the Internet industry" of any magnitude , let alone one which requires the provisions of this Code.

> 3. PRINCIPLES

> In seeking to achieve its objectives this Code applies the following principles:

> 1. the Code is technology neutral.

This is an aspiration not achieved in this Code. Ethernet , Intranet and cable modem services may in time replace dial-in connections as the principal means of accessing the Internet, and the role of the service provider will change with technology. For example , a supplier who chose to use personalised , non-standard software incompatible with some Internet tools and filter software can be required by the Admin Council to change it.

> 2. requirements are intended to be fair to all concerned.

Controversial use of the Internet and the right of voicing an opinion as to the Code's terms are two obvious challenges to this proposition.

> 3. requirements should not adversely affect the economic viability of the parties
> to the Code and the services they make available.

The financial and technology requirements of this Code are beyond the resources of small ISPs and web services.

> 4. to ensure that the primary responsibility for content made available from
> within Australia on the Internet rests with the relevant Content Providers.

This would be admirable , if it did not suggest a "secondary" responsibility of uncertain legal liability .

However, the Code requires Code Subscriber ISPs to undertake a role of censor, in requiring them to prevent availability of material which, in their opinion, would be classified RC, and of law enforcement authorities in removing users' content and cancelling accounts. This does not indicate that the primary responsibility for content rests with the Content Provider.

Most of the content providers on the Internet are not "industry bodies". They are ordinary individuals and not Content Providers by the definition of this Code. The Code seems to be passing responsibility onto a group of people to whom it extends no protections at all. "Primary" responsibility is meaningless - either a service provider is legally responsible or not. This Code , by implying some "secondary" responsibility for content provision on the part of service providers, assists opponents of the Internet in blurring the distinction between content provision and access provision.

> 4. TERMINOLOGY

> In this Code:

[...]

> "Content Provider"
> means a person who controls the content of a Web Site or database on the
> Internet and includes:

This definition makes all ISPs Content Providers under the Code, including ISPs who solely provide a host service for content created by their users. Under Clause 13.4(b) ISPs are required to remove users' material "which remains at a Web Site or other content database within [the ISPs] control". As ISPs have control over users' content, they meet the definition of a "Content Provider" and thus appear to have joint responsibility with their users for content under Section 10. Given ISPs have a responsibility to remove certain material, users control of their own material is limited.

It is also necessary to define "control". Content providers certainly have a level of control over material they make available. However, they are also reliant, to a considerable extent, on the host service to ensure security is maintained to prevent other persons obtaining access to and control of material on their site, as is evidenced by recent instances of hackers placing material on Web Sites "controlled" by others. After material is placed on a host service by a content provider, it is dubious who has primary "control" of the material.

Does this definition intend to include only "industry bodies" (potential INTIAA members), or does it include ordinary users? An inclusive definition is inappropriate for a Code that may ensnare ordinary users and service providers in legal proceedings, or potentially protect responsible behaviour by such individuals.

The use of "person" for these, while technically accurate, is seriously misleading, because it obscures the fact that the Code is designed for commercial entities, NOT for ordinary users.

> "copy"
> when used in relation to written information includes the electronic
> display of a copy.

The law also recognises the notion of a copy existing in RAM , and for a user or an ISP copies may inadvertently be made in caches created automatically by Web browsers , Gopher clients and any form of window history.

> "Home Page"
> means in relation to a Code Subscriber, a Web Page used
> by the Code Subscriber as the starting point for users
> to obtain information regarding or products or services
> of the Code Subscriber.

Delete first "or".

> "ISPs"
> stands for Internet Service Providers and includes:
> * those providing connectivity to the Internet.
> * those hosting Web Pages for users.

Does it include a person who has their own permanent connection and runs their own Web server? If they host pages for family members and friends? Non-profit bodies? Again , an inclusive definition is inappropriate for a Code that has legal ramifications.

[...] > "Internet"
> means the public network of computer networks known by that name which
> enables the transmission of information between users or between users and
> a place on the network.

The definition under this Code of a "user" is "a customer of a Code Subscriber". In describing "the public network" known as the Internet, the definition suggests that "Internet" in the context of this Code means an Intranet available only to customers of Code Subscribers. However, for the purpose of the following comments, it is assumed that is not actually what is meant. The above definition, however, needs to be amended.

[...]

> "user"
> means a customer of a Code Subscriber.

This definition makes the Code unduly difficult to comprehend, and in parts misleading. User, in relation to the Internet, commonly means ordinary individuals using the Internet. The use of the word "user" throughout the code should be replaced with "customer".

Furthermore, the word "customer" needs to be defined. Refer comments under Clause 8.1. The definition of a "person" elsewhere is similarly flawed - as including bodies corporate and the Crown but only used in the context of Admin Council and Code Subscriber membership. Either this Code is for the benefit of members of the public (whether contractual customers of Code subscribers) - the implication of the complaints procedures is that INTIAA accepts this position - or the Code is to be narrowly defined by these troublesome definitions.

[...]
> "Web Page Developers"
> means those who make Web Pages for users.

This means only a Code Subscriber who makes web pages for its customers, based on the definition of "user". The Code therefore does not have anything to do with the majority of people who make or provide web pages, unless an expanded definition of "control" of web pages defines the ISP as being responsible for all material on his or her server , or conceivably linked from his or her server's web pages. Most ISPs would be horrified to think that they could be held liable for material of a controversial nature that is hyperlinked from a user's own web page.

> "Web Page"
> means a file of content accessible on the World Wide Web by a single URL.

The use of URLs is being phased out , and URNs will not be the same sort of information , especially for 'refused access' lists. This , and the definition of "World Wide Web" by reference to the http protocol is certainly not "technology neutral". By attempting to define secondary responsibility for content provision by reference to 1996 technology, the Code risks becoming irrelevant as technology evolves - perhaps through the deliberate circumventing of these definitions. What will the Admin Council do about a Code Subscriber who obeys the letter of the Code , but defeats the censorious purposes by use of innovative technology and protocols ?

[...]
> 5. SCOPE

> This Code is intended to cover those agree to be bound by the Code and whose
> business is to provide the products and services that comprise the Internet or who
> make use of the Internet to supply or service their customers.

That is to say, this code is not intended for "persons" in the ordinary sense of the word. It is a corporations code , yet the ABA report stated that a system of self-regulation of Internet content would also require users to be both bound by and protected by adherence to appropriate codes of practice. "Users" cannot avail themselves of the defence of compliance with the INTIAA Code, and as such it is inadequate to address the legal issues arising from a genuine self-regulation regime.

Again, by the use of "business" above, this code has nothing to do with people who do not seek to profit from services they provide on, or in relation to, the Internet. This excludes for example Universities, Government/Freenets etc service providers from coverage.

Cable services and dial-in services such as the "Big Pond" service may be far more relevant to the general population than ISP services in the future , and would be entirely untroubled by the provisions of this Code.

> The Internet industry includes:
> Content Providers
> ISPs
> Programmers
> Vendors
> Web Page Developers

By defining these terms in this way , the Code invites ISPs and other service providers to devise means of circumventing the censorious and bureaucratic procedures set up therein. It would be preferable to find instead a consensus within the Industry that all providers and user groups are comfortable with , and markedly reduce the incentive to circumvent the Code.

> 6. PROMOTION OF THE CODE

> 1. Code Subscribers will: [...]
> 2. institute training of their relevant employees and agents in the principles and
> procedures described by the Code, and

Including becoming qualified classifiers of controversial material ?

> 3. use reasonable endeavours to ensure compliance with the Code by their employees
> and agents.

This would promote Code Subscribers delegating those "reasonable endeavours" , or else binding employees and agents by contracts of needless complexity. In the event vicarious liability for the acts of servants and agents is needful of express provision in a Code such as this , a simple phrase such as "Require employees and agents to comply with the Code" would seem more appropriate.

> 7. GENERAL CONDUCT OF ALL CODE SUBSCRIBERS

> 1. When first entering into a transaction with a user Code Subscribers will: [...]
> b. provide particulars to each user of:
> the nature and characteristics of the service or product which the
> Code Subscriber intends to provide.

"intends" to provide is too loose. Code Subscribers should know which services they will provide, and advise same, before entering into a transaction.

[...]
> 3. Code Subscribers will not:
> a. inaccurately represent the benefits of their product or service.
> b. engage in conduct which is misleading or deceptive.
> c. engage in conduct that is in all the circumstances unconscionable.
> d. knowingly exploit lack of knowledge of users regarding the Internet or the
> products or services to be provided.

As stated above , are these terms intended to extend consumer protection laws or to restate them ? In either event , the Code needs to be more explicit as to the standards of commercial conduct it is purporting to regulate , and the purpose for which such standards are to be set.

[...]

> 5. Code Subscribers will report to the Administrative Council > and the relevant authorities any service available on the
> Internet from within Australia which they consider is:
>
> a. fraudulent.
> b. misleading or deceptive and likely to cause loss or
> damage to third parties.
> c. illegal.

This obliges Code Subscribers to report material located on servers around the world which are accessible from within Australia. It is not clear whether, in reporting material located overseas, Code Subscribers are required to report: - solely material which is illegal in Australia, or also - material which they consider may be illegal in other countries. In the former case, as Australian authorities can do nothing about material located overseas which is legal in that country but illegal in Australia, there is no point in requiring Code Subscribers to report same. In the latter case, it would require Code Subscribers to acquire and maintain knowledge of non-Australian law.

In either case it places a burdensome obligation on anyone who subscribes to the Code to maintain knowledge of laws for which they may not otherwise have any need of in depth knowledge.

Even if this is cleared up, this whole clause is oppressive. Television stations are not required to report other television stations in violation of the law, for example. There will be commercial incentive for business rivals to "dob" each other in, of course, but to institutionalise this in a Code of Practice actively encourage an atmosphere of suspicion and mutual distrust.

> 6. Code Subscribers who become aware of an instance whereby content that is or
> would be rated "RC" in accordance with the National Classification Code [ link to

It is not possible for Code Subscribers to know what "would be" rated "RC". The words "or would be" should be deleted.

Requiring Code subscribers to judge what is or would be RC rated is beyond the training and resources of a service or content provider , and as "RC" is used to include legally X-rated and R-rated material it would appear that Code subscribers will be obliged to spend much time classifying the content of others.

This clause suggests Code Subscribers are not required to take any action in regard to content covered by State laws, some of which are more restrictive than the National Classification Code (NCC). For example, in Queensland computer images are defined as computer games for which there is no "R" classification. Material which cannot be classified as MA15+ or lower, is classified "RC".

> be inserted ] is or has been placed on the Internet, obtained through the Internet or

What is the intent of "has been"? As set out in the remainder of this clause, if it is not "on" the Internet, i.e. does not "remain" at a Web Site etc, there is no need whatsoever for Code Subscribers to be required to take any action.

> transmitted using the Internet, and remains at a Web Site or other content database
> which is located at an identifiable Web Site or other content database within
> Australia it will use reasonable efforts to inform the owner and/or controller or
> apparent owner and/or controller of that Web Site or other content database of the
> presence of the such material.

In the case of material which "would be" classified "RC", this places Code Subscribers in the role of censors. Under no circumstances should Code Subscribers be allowed or required to become moral arbiters in deciding what "would be" classified "RC".

> 8. SECRECY OBLIGATIONS
> c. not sell or exchange the business records or personal
> information of a user other than to another Code
> Subscriber as part of the sale of the Code Subscriber's
> business as a going concern.

This appears to prohibit the sale of a Code subscribing business to a non-subscribing buyer (unless it is sold without any user records!). Is this really intended? It would seem to be an unlawful restraint of trade.

An explanation of the "personal information" to be kept confidential is necessary. For example, does this section require Code Subscribers to keep confidential information on users' activities and the type of information they access? Or does it leave them free to collect such information and, for example, provide marketing information to third parties?

It must also be noted that "user" means a customer, which is not defined under this Code and is normally considered to be a person paying for service. Therefore, this Code presently places no obligation on Code Subscriber Content Providers to maintain confidentiality of information collected by them, eg. regarding the type of information a user (as normally defined) accesses on their web sites. It is arguable that the laws of other jurisdictions would be infringed by making ISPs responsible only for the protection of the privacy of customers of Code Subscribers in this Code.

> 2. Clause 8.1 does not prevent disclosure of information with the express or implied
> consent of the user or as required by law.

It is unacceptable to disclose information based on "implied" consent. What is implied is often a matter of opinion. Furthermore, implied consent could simply be an off-hand comment made in, for example, a newsgroup.

> 9. DATA COLLECTION AND USE

> 1. Code Subscribers will collect data relating to a user only:

> a. which is relevant and necessary for the provision of the service that the Code
> Subscriber is engaged to provide, or

The data to be collected under this sub-clause should also be make known to the user prior to collection, the same as required by sub-clause (b).

> b. for other legitimate purposes made known to the user prior to the time the
> data is collected.

A requirement to provide adequate advance notice of data to be collected should be inserted and the method by which it is to be provided. A Code Subscriber could send a letter by post, and commence collecting data the next day. If the letter is delayed, users will not know data is being collected.

> 2. Code Subscribers will use collected data relating to a user only for:

> a. the Code Subscriber's own marketing, billing and other purposes necessary
> for the provision of the service, or

The use of the word "marketing" in this context is concerning. It suggests Code Subscribers are permitted to publish or provide to third parties, for example, the names of their customers to promote their business. This clause should be subject to the provisions of Clause 8.

> b. legitimate purposes made known to the user prior to the time the data is
> collected, or

> c. other purposes with the consent of the user.

> 3. Code Subscribers will take reasonable steps, having regard to the nature of the data,
> to ensure that data collected in relation to a user:

> a. to the extent that it comprises business records or personal information can
> be checked by a user.
> b. is accurate, and if necessary, kept up to date.
> c. if inaccurate, is erased or rectified.

Why do only "reasonable steps" need be taken ? As this clause only covers business records or personal information (whatever that is) about a Code Subscriber's customers, compliance with this clause should not be difficult. Legislation as to the use and reportage of database information does and will vary , and an ISP will be required to comply with legal standards depending on jurisdiction and the nature of the data.

> 4. In this part of the Code references to the collection of data include collection of data
> by active request or inquiry and collection of data by passive recording of actions or
> activity.

This type of data should also be included under Section 8 with a view to ensuring such information is kept confidential.

> 10. CONDUCT OF CONTENT PROVIDERS

> 1. Code Subscriber Content Providers will not knowingly place material on the Internet
> or allow materials to remain on the Internet which would be classified "RC" by the
> National Classification Code.

Refer comments under 7.6 regarding the use of the National Classification Code, as opposed to State legislation, in this regard.

Although covered under 10.3, initial understanding of this clause would be enhanced by amendment to "allow materials under their control to remain on the Internet".

This could be worded better. "allow [RC] materials to remain on the Internet on a server under their control located within Australia" would be better. Otherwise it would appear to require Content providers to control the entire Internet, and would require multinational signatories to the Code to use Australian definitions of RC everywhere in the world. However , this will require service providers to rate the content of others , a task they are not trained or equipped to do.

> 2. Code Subscriber Content Providers will ensure that services which provide content > that is or would be rated "R" or "X"
> ("X" is RC in the States of Australia (not the Territories), accordingly
> this provision does not apply to "X" material made available
> by a Code Subscriber Content Provider located in a State of Australia)
> in accordance with the National Classification Code are:

This clause is impossible to fully comply with. Content providers cannot be sure what rating "would be" given to any particular material nor is there presently any service offered in this regard to enable them to find out. Content providers will therefore err on the side of caution resulting in unnecessary restriction on minors access to suitable material.

Content providers cannot be expected to apply classifications which OFLC officers undergo training in order to understand. As stated in the ABA report: "The ABA agrees with those submitters who cautioned against attempts by untrained personnel to apply the existing OFLC guidelines."

A further problem with requiring content providers to know what would be the rating is the difficulty of applying the various sections of the NCC to "multimedia" content.

The specific exclusion of the provisions of this clause to material rated "X" in States is noted. However this clause takes no account of differing laws between States. For example, in Queensland publications classified Category 1 and 2 restricted (i.e. not "RC" under the NCC) are "prohibited publications" and, insofar as advertising, sale, distribution and display are concerned, are effectively "RC". Presumably the provisions of this clause are not intended to allow to such material to be made available unrestrictedly by content providers located in Queensland.

Attention also needs to be given to specifying which State or Territory law is to apply to Content Providers with a presence in more than one location. Are they to comply with law in the State of their head office, or the State in which the equipment hosting the material is located (and what if they have mirror sites in several States or Territories), or the most restrictive law of the States in which they maintain an office or presence, etc?

As long as this Code requires a Code Subscriber to bear a secondary responsibility for the content placed on the Internet by others , this section cannot be complied with. A better requirement, although it is doubtful that it is desirable, to restate the law relating to censorship in this Code , would be to state that a Content Provider must comply with the laws relating to that State or Territory (or Federal law if such is enacted).

If compliance with this Code is intended to provide a defence to Content Providers under State or Federal legislation, it is essential that it clearly identify the requirements with which content providers must comply. Presently that is not clear.

> a. segregated and have clearly identifiable signatures which can be recognised
> by network management filters;

This clause is meaningless. What is meant, in this context, by "segregated" - stored on physically separate servers to other material? and "signatures" - PICS labels? and "network management filters"? What is a "signature"? These are not terms defined elsewhere , yet compliance with these crucial concepts is to be the basis of "standards of behaviour in the Internet industry". It is not sufficient to say that the Code empowers the INTIAA Board to define these requirements later.

> b. accompanied by suitable on screen warnings on a Web Page which appears
> to the user before the content can be viewed; and

This is unnecessary. Supervisors of minors, and others wishing to limit their exposure to material they consider inappropriate, are able to restrict access with the use of filtering software.

> c. managed by subscription enrolments to exclude under age subscribers.

This would constitute an invasion of privacy of adults, and an opportunity for unnecessary collection of information about Internet users' activities and interests.

The development of children-specific Internet services is a separate issue to censorship of RC material , and an Industry Code ought not confuse the two.

Furthermore, it would adversely affect the economic viability of Code Subscribers' services, which is contrary to Principle 3.3, as summarised in the findings of the Court in relation to the CDA: 106. There is evidence suggesting that adult users, particularly casual Web browsers, would be discouraged from retrieving information that required use of a credit card or password. Andrew Anker testified that HotWired has received many complaints from its members about HotWired's registration system, which requires only that a member supply a name, e-mail address and self-created password. There is concern by commercial content providers that age verification requirements would decrease advertising and revenue because advertisers depend on a demonstration that the sites are widely available and frequently visited."

How is ensuring adult-only access supposed to be managed? The CDA judgment explained very well why this was not at all plausible. Users who choose to permit minors under their control to access their accounts , or content providers who rely on standard remote means of confirming name and age details , will by those arguably reasonable acts make it impossible for service providers to verify that this is taking place.

Compare the Censorship Act (WA) , which requires only reasonable attempts to restrict access to adult material. Mandatory restriction is not technically possible and does not represent a plausible objective. Requiring Content Providers to restrict access in this manner will undoubtedly result in many Internet users using similar overseas services which do not require them to "enrol" resulting in the flow of Australian dollars to other countries.

Placing these restrictions on Australian content providers will have a minuscule affect on limiting the access of minors to content on a global network. The only effective method is supervision by parents assisted by readily available filtering software if they choose to use same.

> 3. A Code Subscriber Content Provider shall have complied with 10.1 and 10.2 if on
> becoming aware that such material remains at a Web Site or other content database
> within its control it, having regard to the nature of the content either removes it or
> institutes compliance with 10.2 (a), (b) and (c).

If a user has a page on an ISPs Web server, is the ISP the Content provider? What about if the user has a permanent connection and runs their own Web server? Is the ISP providing upstream connectivity considered to "have control" over such a Web server? As stated above , an ISP cannot be reasonably required to classify content of others.

> 4. Code Subscribers Content Providers will take reasonable steps to ensure that
> services which provide content support the Platform for Internet Content Selection
> ("PICS") and shall classify and tag content in accordance with the system or
> systems approved by the Administrative Council.

It is unclear what is meant by "reasonable steps". Whether or not services providing content can support PICS depends on technological developments, rather than on a content provider.

In any event , PICS is a work in progress rather than a reality , and compliance with this clause would presently require Code Subscribers to block 99% of content.

Content Providers should not be required to tag all material, particularly that which they have no interest in making available to minors. Tagging does not prevent minors' exposure to unsuitable material unless same are using Web browsers which can read the tags. These browsers can be set to prevent access to untagged material and that is the only reliable setting for those wishing to prevent access to material, on a global network, which they consider unsuitable. Notably, this Code does not require Code Subscribers to advise new users of the existence of these programs and yet Content Providers are required to tag material.

Content providers who provide large amounts of material online, and who cannot afford to pay a large staff to review all of their content, will find themselves unable to make available all but a small proportion of their content. This will have the undesirable effect of providing market advantage to large organisations to the detriment of smaller businesses.

Additionally, compulsory tagging has the potential to subject Content Providers to liability for, or the need to respond to complaints about, content which is claimed to be incorrectly rated. Content Providers should not placed at risk of this against their will.

Use of PICS ratings to label pages should not be mandatory. Such a system would be worse than the L18 labelling system which the CDA judgement rejected (because implementing something like RSACi ratings is far more complicated). PICS is a commercial project and does not yet have substantial application to or acceptance by the Internet community. It is quite wrong for INTIAA to endorse a commercial project designed for labelling purposes other than compulsory censorship as a classification standard for censorship.

> 11. CONDUCT OF VENDORS This section appears to be primarily an attempt to rewrite existing consumer and trade practices legislation. Whilst it is assumed that these clauses comply with existing law, if the law changes and this Code is not updated immediately, Code Subscriber Vendors may be subject to complaints under Clause 7.3(b).

So far , there is no evidence that Vendors on the Internet are in any way requiring specific regulation ... it is merely another form of mail order. The only contentious area is security of financial transactions , an issue not dealt with at all in this section.

This section is unnecessary.

> 12. GENERAL CONDUCT OF ISPs

> 1. Code Subscriber ISPs will make available to each user:

> a. a copy of this Code of Practice upon request.

Code Subscribers should be required to provide a link to the Code from their Home Page , at most. Why bother giving a copy to users , given that this Code of Practice makes no attempt to describe what ordinary users should do , nor provides any defence at law for transmission offences? A copy of the Crimes Act section 85ZE would be more useful.

> b. a copy of rules identifying unacceptable posting or conduct that may lead to
> removal of the unacceptable content, suspension or cancellation of the users
> account or prosecution by the authorities in Australia as published by the
> Administrative Council from time to time.

The Code should require Code Subscriber ISPs to provide this information to intending customers, before they become a customer. It is unacceptable for users (in the normal meaning of the word) to be required to provide credit information or payment of monies without knowledge, in advance, of the rules with which the ISP will require them to comply.

> c. information on how to resolve any difficulties which might arise with the
> product or service of the Code Subscriber.

> 2.A Code Subscriber ISP will agree with each user at the time of engagement:

Above should be reworded to "at a time prior to engagement". ISPs should not be able, under this Code, to enter into a contract with a user and then, for example, tell them that the extent of information referred to under (a) below is "nil".

> a. the extent of information that the user will receive regarding the basis of each
> charge made by the ISP to the user. [...]
> d. an Acknowledgment that the Code Subscriber ISP must comply with this
> Code and that the user must not do any act or make any omission which
> would put the Code Subscriber ISP in breach of this Code.

This clause appears to require users to label their material and restrict access to certain types of content they may make available etc. It is entirely inappropriate and unreasonable to enforce these requirements upon people who are afforded no protection whatsoever by compliance with this Code. Furthermore, if a more general code of conduct is developed applicable to ordinary users/content providers, compliance with which offered a defence under State or Federal legislation, ordinary users may find themselves required to comply with two separate codes.

The requirement for users to comply with this Code to protect ISPs from breach of same, again suggests that ISPs are primarily responsible for content. If the primary responsibility for content rests with content providers, then it should be up to content providers whether or not they wish to label their content or "segregate" "R" and "X" rated material.

It would be preferable for the obligations created herein were to be detailed. Does it mean that individual users are required to rate their own pages (like Content Providers above)? Does it mean that they are required to judge whether material on their own pages is or would be R-rated, X-rated, or RC?

> e. the basis on which the user may terminate the service.

> f. the arrangements for transfer of service that will apply if the service is
> cancelled at any time.

This is an exercise in speculation that no ISP could volunteer. Obviously it is good business practice to offer customers a continuation of service with another ISP if the service is cancelled ... but an ISP is not an incorporated association (in most cases) and ought not be required to commit to future plans of a commercially-sensitive nature.

> 3.A Code Subscriber ISP will:

> a. make reasonable efforts to resolve any difficulty or failure of service
> encountered by a user within one working day of notice from the user.

Sometimes this will be too slow , other times an ISP could not diagnose a problem in that time frame. The requirement of "one working day" is arbitrary , and would be a poor basis for assessing the reasonableness of an ISP's response. Given that the term "difficulty or failure of service" is undefined , this represents no protection for customers and an incentive for ISPs to provide token "reasonable efforts". This is a consumer protection matter that this Code should either leave alone or , in consultation with ISPs , define in much more detail.

> b. ensure that un-moderated forums provided by the Code Subscriber ISP are
> clearly identified and the users notified that the forum is un-moderated.

This is bizarre. The vast bulk of all "forums" (which presumably includes newsgroups) are unmoderated, so a generic warning that the Internet is unmoderated would seem more reasonable. (Also, note that rec.arts.erotica is moderated, so there is no correlation between being moderated and being "safe".) Where do "retro-moderated" newsgroups fit?

Alternatively , mailing lists and newsgroups carry their own rules, guidelines , complaint procedures and moderation policies ... so many of which exist that it would be beyond the resources of a service provider to notify users on a universal basis as required above.

[...]
> 4. Code Subscribers who host Web Sites will ensure that the user is informed at the
> time of engagement:

(Why is the emphasis about "Web Sites"? Is this technology neutral? What about hosting an FTP site, etc)

[...]
> b. that the user should obtain advice regarding the user's potential liability for the
> consequences of the publication of material on the Web Site

This is odd - in 12.1(b) it requires ISPs to inform users what can lead to prosecution by authorities, now it requires them to advise users to "obtain" advice. The Code seems to imply that the secondary responsibility for the content of others may be limited if the Content Provider has first taken "advice".

> 13. CONTENT CLASSIFICATION AND SELECTION

> 1. Code Subscriber ISPs will:

> a. not knowingly provide unrestricted access to the Internet to users under the
> age of 18 years without the written permission of the user's parent or
> guardian.

What is meant by "unrestricted" access to the Internet? It appears ISPs could comply with this clause by not allowing minors to access, for example, Usenet but still give them full access to the Web, IRC, etc.

> b. request that new users confirm that they are 18 years of age or over and that
> access to the Internet will be supervised by a person over the age of 18 when
> the service is used by a person under the age of 18

There seems to be some indecision between a and b. If a parent decides that their child is capable of coping with unrestricted access to the Internet without supervision, are they or are they not allowed to permit this?

> c. take reasonable steps to verify the age of each user by requiring each new
> user to confirm on-line that they are 18 years of age or older.

If a parent gives permission under sub-clause (a), a minor will have access permission and probably their own account. They should not be required to say they are 18 years or older online to actually gain access. Additionally, compliance with this sub-clause would unduly complicate the programming of scripts many ISPs provide to their customers to enable easy login to their service.

> 2. Code Subscriber ISPs will encourage Platform for Internet Content Selection
> tagging (PICS) or tagging using other non-PICS technology in accordance with the
> National Classification Code and the rules and procedures published by the
> Administration Council from time to time on:

There is currently no rating system available which enables tagging in accordance with the National Classification Code. Furthermore the ABA Report identified difficulties in attempting to impose "any existing model of classification online" and recommended the development of purpose built scheme for labelling online content.

There is no need for this sort of filter software usage to be mandated or even "encouraged". Rating of pages is something to be worked out between content providers (lower case, including individual users) and ratings services. Just as sites voluntarily register with search engines, sites will obtain ratings from ratings services so that their sites are accessible to as many people as possible.

It is probable that in the medium term the overwhelming majority of Internet content will not be PICS-rated , resulting in the laughable situation that Australian ISPs will be required to provide their users with a crippled Internet access of minimal use.

> a. all Web Sites and other content databases which the Code Subscriber hosts;
> and

It is noted that users will be encouraged to tag their content, not forced, and that no sanctions apply to those who choose not to do so. This is as it should be. (See Clause 10.4 in this regard.)

> b. all of the Code subscriber's Web Sites and other content databases.

> 3. Code Subscriber ISPs will take reasonable steps to prevent users of their service
> from placing on the Internet, obtaining through the Internet or transmitting using the
> Internet, material which would be classified "RC" by the National Classification
> Code.

Again, neither Code Subscribers nor users can be expected to know what "would be" classified "RC" and this also varies between States.

Some clarification of "reasonable steps" would be appropriate, given that this Code purports to set standards of behaviour. EFA has doubts as the extent to which this overrides privacy considerations. A recent legislative draft suggested "random monitoring of transmissions" and it is quite obvious that there is no way at all to control private access to RC materials hosted overseas without infringing privacy.

Possession of "RC" material, other than child abuse material, is not illegal. It should be of no interest to ISPs whatsoever whether or not their users obtain material which is legal to possess. This clause has the effect of requiring ISPs to prevent users located in States from obtaining, for example, "X" rated material via the Internet, although they can legally do this via Australia Post.

"Reasonable steps" should be limited to the matters in sub-clause 4 with a view to ensuring users' privacy is maintained and monitoring of users' activities and email is not carried out by ISPs.

> 4.A Code Subscriber ISP shall have complied with 13.3 if:

> a. it has informed its users that they will not place on the Internet, obtain or > transmit material which would be classified" by the National Classification
> Code.

Presumably "RC" needs to be inserted after "classified" in the above paragraph.

> b. when it becomes aware that a user has placed on the Internet, obtained
> through the Internet or transmitted using the Internet such material which
> remains at a Web Site or other content database within its control it:

> promptly removes any offending material from the Web Site or
> database;

What is a "database" in this context? Could this include directories etc containing, for example, users' email files? RC material, other than child abuse material, is not illegal to possess in Australia therefore ISPs should not delete files containing RC material which is not illegal to possess and is not displayed.

Furthermore, content providers whose content is removed by an ISP who is of the opinion that same would be rated "RC", may subsequently be able to obtain a lower classification than "RC" and take action against the Code Subscriber for loss of business whilst the material was unavailable and perhaps also under clause 7.3(b).

> informs the user that the user's conduct is a breach of the user's
> service conditions and, if applicable, a criminal offence; and

If a users' dealings with certain material is not a criminal offence it should be of no interest or concern to an ISP.

> cancels the account of any user that repeats offending conduct after
> being informed that the user's conduct is a breach of the user's
> service conditions and, if applicable, a criminal offence.

Users have no control over unsolicited material they may receive by, for example, email. ISPs should take care not to further victimise users who may be the victims of criminals.

It would be more logical to see some explicit restriction against users knowingly obtaining RC material. (ie, some recognition that a user may repeatedly receive such material via email without in any way being responsible for it. An example was the recent child porn email spam.)

ISPs should not be required to cancel user accounts, under this Clause, unless required by a Court order.

[...]
> 15. ADMINISTRATIVE COUNCIL
> 1. The Administrative Council shall be made up of 5 members as follows:
> a. an independent chairperson nominated by the Federal Minister for
> Telecommunications.

This is absolutely offensive to the Industry. It is incomprehensible why INTIAA has sought to be compromised in this way.

> b. two senior managers from the Internet industry nominated by the
> Board of INTIAA.

Not elected by Code Subscribers ?

> c. a user representative nominated by the Australian chapter of the
> Internet Society.

However , the Internet Society does not represent , at least exclusively , users. If the objective is to protect consumers' interests , perhaps the Australian Consumers' Association (which has IPAC membership) would be preferable. In any event , ISOC-AU is still in formation and may end up with its own Code of Practice.

> d. a lawyer admitted to practice and holding an unrestricted practising certificate in a state of Australia nominated by the Board of INTIAA.

It is clear Patrick Fair wants to be on the Admin Council , and for some reason this clause discriminates against academic lawyers and those from the Territories. Given the tone of the Code , perhaps a qualified Censor is of more use here.

[...]

In any event the balance of this clause offends democratic and accountability aspirations of the Internet Industry , and ought to be replaced with a system of elections.

> 4. The Administrative Council will: [...]

> c. when considered appropriate , request the Board of INTIAA to make amendments to the Code.

Given the composition of the Admin Council , this shouldn't take long. There is no scope for Code Subscribers , other ISPs or users to have any input into such amendments.

> f. obtain from the Internet industry adequate finance for administration of the
> Code and preparation of budgets and financial reports.

(One would hope the "Internet industry" means Code Subscribers. )

> g. maintain and promote awareness of a Web Page on the Internet which
> provides users with information regarding:
> the benefits and availability of authentication procedures whereby
> individuals and organisations communicating using the Internet can be
> assured of each other's identity

This is a worthwhile value-added service which is highly desirable , but the extent to which a service provider should be required to provide such guidance is a matter for market forces rather than compulsion.

> the law which is relevant to use of the Internet.

Experience has demonstrated that there is difficulty in persuading governments to make available legislation on private web pages and lawyers to provide legal information in circumstances which may give rise to a duty of care.

> h. report any breaches of the law which come to its attention to the relevant
> authorities.

The membership of the Admin Council does not include anyone necessarily competent to know what is a breach of the law. Even the lawyer is only required to be knowledgeable of the law of one State. This is a job for "the relevant authorities" , and in such circumstances the Industry would expect the support of the Admin Council rather than such amateur law-enforcement.

> 5. The Administrative Council may amend the Code on request or by its own initiative.

And then the Code Subscribers shall have no option but to comply , or lose protected legal status as signatories to a Code of Practice. This would enable any provision that 3 members of the Admin Council thought a good idea to be inflicted on every Code Subscriber.

> 6. To amend the Code the Administrative Council must complete the following steps:
> a. resolve the terms of any proposed amendment.
> b. give notice of the terms of the proposed amendment to each Code
> Subscriber.
> c. allow 60 days to provide comments to the Board of INTIAA

If the law changes they'll need to move much faster than that.

> d. receive comments from Code Subscribers.
> e. adopt or reject the proposed amendment with or without modifications (not
> including modifications which would make the substance of the proposed
> amendment substantively different to the substance originally proposed).

> f. give notice of the Code as amended to each Code Subscriber.

There isn't any requirement for Subscribers to notify their customers.

> 7. Amendments to the Code will come into effect 45 days after completion of the step
> described in clause 15.6 (f).

To which one hopes Code Subscribers will respond "no taxation without representation". Other Internet Industry associations and user groups have adopted the process of circulating drafts for comment and then having a meeting vote and/or vote from members by post - these being standard procedures in every other professional organisation.


[...]
> 16. HANDLING OF DIFFICULTIES AND COMPLAINTS

[...]
> c. the Chairperson of the Administrative council will appoint a mediator,
> acceptable to both parties, to conduct a mediation.

There appears to be nothing to prevent this Chairperson taking 12 months to getting around to doing anything about this.

The costs of the mediation must be paid by the Code Subscriber , rather than costs in the cause. This would require an expense of unlimited size to be incurred every time a user and a Code Subscriber are unable to agree. Surely it would be appropriate to allow the Chairperson to dismiss a frivolous complaint , to make a swift ruling in a case of apparent fault , and to award out-of-pocket expenses, the considerable fees of a mediator and legal fees as the justice of the case deserves.

> 4. If resolution of the dispute is not achieved by the process described in clause
> 16.3 , either party may seek alternative legal remedies.

So after spending money on a mediation under this Code , the legal dispute resolution processes may then be invoked , at further expense. A Code Subscriber must therefore risk more expense in resolving disputes than an ISP who scorns this Code.

This section should be wholly redrafted to make mediation :
- affordable , using Internet tools such as IRC.
- optional , at the election of either party.
- at the expense of the obdurate party.

> 17. REGISTRATION AND DEREGISTRATION UNDER THE CODE

The purchase of Code registration is an important legal protection , and very costly for a small ISP . It is unfortunate that 3 members of the Admin Council have the power to remove Code certification without any appeal , or (as stated previously) accountability to the body of Code Subscribers.

This section should be redrafted to embody a mediation/appeal process better than a 30 day notice from a government appointee.

***************************

SUPPORT FROM ANDREW CONNOR SPOKESPERSON TIA

Resent-date: Tue, 26 Nov 1996 10:38:42 +0800
Date: Tue, 26 Nov 1996 13:40:16 +1100
Resent-from: [email protected]
From: Andrew Connor <[email protected]>
Subject: Re: INTIAA response - TIA endorsement
Resent-sender: [email protected]
To: [email protected], [email protected]
Reply-to: [email protected]
Resent-message-id: <"uzFMH3.0.wF3.oWbco"@gospel.iinet.net.au>
Priority: normal X-Mailing-List: <[email protected]> archive/latest/811
X-Loop: [email protected]
Comments: Authenticated sender is <[email protected]>
X-Authentication-warning: gospel.iinet.net.au: list set sender to [email protected] using -f

On 26 Nov 96 at 13:13, [email protected] wrote:

> >I'm not sure what you mean by SAIA notifying INTIAA. Are we still
> >attempting to lodge a *joint* submission from EFA, WAIA, SAIA, TIA
> >etc?

FWIW, TIA fully endorses EFA's response to INTIAA's code of conduct. (too many acronyms?)

EFA's response shows how unrepresentative and out-of-touch INTIAA really are.

Regards, Andrew.
Tasmanian Internet Association
http://www.sim.com.au/tia/

***************************

COMMENTS from KARL AUER'S SPOKESPERSON ACT PCUG

Return-path: <[email protected]>
Resent-date: Thu, 21 Nov 1996 13:55:55 +0800
Date: Thu, 21 Nov 1996 12:07:15 +1100 (EST)
Resent-from: [email protected]
From: Karl Auer <[email protected]>
Subject: Final draft INTIAA rebuttal
Resent-sender: [email protected]
Sender: [email protected]
To: [email protected]
Cc: [email protected], [email protected]
Reply-to: [email protected]
Resent-message-id: <"5gLYA.0.4D3.hx-ao"@gospel.iinet.net.au>
X-Delivered: at request of bin on beldin
X-Mailing-List: <[email protected]> archive/latest/789
X-Loop: [email protected]
X-Authentication-warning: gospel.iinet.net.au: list set sender to [email protected] using -f

Kim -

[Ref: ftp://ftp.iss.net.au/clients/iss/pub/efarebut.txt]

Having read your comments on the INTIAA Code of Practice, I would like to offer the support of the PC Users Group (ACT) for your comments.

We too are concerned at the lack of representation, the craven submission to Government influence and the lack of meaningful, practicable, achievable or enforceable protection for ISPs and their customers that permeate the entire document.

We regard the Code as worthless except perhaps as a starting point for discussion and major modification.

You may quote us on this, and you may (indeed we request that you do) remark that your comments have our support.

One point you did not make that might be worth pointing out to INTIAA is that mandatory adherence to this Code would be a MAJOR reason not to join INTIAA.

Regards, K.

--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Karl Auer ([email protected]) +61-6-2486607 (h)
http://www.pcug.org.au/~kauer/ +61-6-2494627 (w) Join the Internet Society of Australia! http://www.isoc-au.org.au