EFA logo Electronic Frontiers Australia
PO Box 382 North Adelaide SA 5006  
Phone/Fax: +61 8 8362 5183  
Email: [email protected]  
Web: http://www.efa.org.au/  

30 September 1999

To: IIA Code Review Working Group
[email protected]

Dear Sirs

Subject: IIA Code of Practice (Draft Version 5.0)

Electronic Frontiers Australia (EFA) thanks the Internet Industry Association for the opportunity to review the latest draft code, and we submit the attached comments. We would appreciate the opportunity to further discuss the issues raised in due course.

Yours sincerely

Greg Taylor
on behalf of the Board
Electronic Frontiers Australia (Inc)

EFA Response
IIA Draft Code of Conduct, Version 5.0

(Code URL: http://www.iia.net.au/code.html)

Executive Summary

1. While EFA acknowledges IIA's efforts to implement an alternative to the more draconian provisions of the Broadcasting Services Act (BSA), the proposed alternative is vaguely defined, requires users to be willing participants in a charade, and potentially exposes users to privatised censorship even worse than the government mandated regime.

2. The Code wrongly requires ISPs, Content Providers and ordinary users to adopt controversial and discredited labelling technologies, to "guess" as to classification categories and to risk losing Code Compliance if they fail to do so.

3. The Code places unreasonable obligations on users to self-censor their Internet access, and even their private E-mail, far beyond any requirement imposed by law.

4. The Code places unreasonable obligations on Content Host subscribers to second guess the likely classification of online material, far beyond any requirement in law.

5.Further consumer and privacy protections are necessary to promote Australian e-commerce.

6. Definitions within the Code are careless and vague. The term "make available" has been used to avoid logical inconsistencies with the word "publish", but in doing so it has reopened liability on the part of ISPs for a user's content, and made hyperlinks an offence under the code.

7. While the composition of the Administrative Council has been improved, it is inappropriate for both user representatives to be appointed by the Australian Consumers Association.

8. The Code attempts to cover Internet Access Providers, Commercial Content Providers, E-Commerce Vendors and Programmers under one Code, which leads to many inconsistencies.

9. The Complaints mechanism needs to be reviewed so as propose a more logical sequence of entities or authorities that should deal with successive escalation of a complaint.

10. The vague term "Relevant Authority" is used indiscriminately throughout the Code. The intent would be much clearer if the authority was explicitly named in each case.

11. Although the Code claims to meet the requirements on the BSA, there are a number of areas where are inconsistencies between the Code and the BSA requirements.


This version of the Code has been prepared in a climate of self-regulation imposed under threat of Government intervention. In seeking to absolve Code Subscribers from the more draconian aspects of the recent amendments to the BSA, IIA has placed users in a situation where they become unwilling participants in a self-censorship regime.

The Code is based on a narrow view of the Internet in which users are passive consumers of content, products or services provided by commercial content hosts, a view apparently shared by some sectors of government who appear to view the Internet as a form of pay television augmented by home shopping facilities.

The mantra of industry assisted user empowerment now being chanted by IIA perpetuates this view. Users are already empowered, but they are rapidly being disenfranchised by governments and industry bodies intent on viewing the Internet solely as a tool for commerce.

The most participatory medium for democracy and freedom of expression the world has ever seen is being systematically eroded by increased restrictions imposed under the guise of self-regulation. Instead of being willing participants in this destruction, IIA and the government would be better advised to encourage greater participation, rather than chill creative thought by the combination of subtle threat, vague references to legal liabilities, and the charade of privatised censorship inherent in the new "alternative access prevention" arrangements.

IIA seems to be operating under the sincere but misguided notion that it should be seen to be out-censoring the censors, since many provisions in this version of the Code contain baggage from previous versions that go beyond even the requirements of the BSA.

Notwithstanding the provisions of the BSA, the Federal Government has indicated in the past that it is Government policy that material accessed in private homes is not to be subject to censorship as stringent as that applying in cinemas and public places.

It is strongly arguable that accessing material on the Internet involves as conscious a choice in the case of adults, and parents have the option of password-protecting a home computer against unauthorised access by children - an option not available for home videos.

Furthermore, it is not Government policy that ISPs should police the Internet. The Attorney-General, Daryl Williams QC, stated in a letter to The Australian newspaper printed on the 17th November 1998:

EFA submits that IIA's plans to censor the Australian Internet is more restrictive than the legislation recently passed by the Federal Government, and questions whether IIA considers this necessary, or whether these provisions are unnoticed leftovers from previous versions of the Code.

Despite the encouraging indications that user-empowerment may be embraced by the government, the provisions of the IIA Code are more censorious than any Government could or would enforce - and the requirements of adhering to the IIA's peculiar fascination with labelling and rating systems would be onerous to ISPs, Content Hosts and users. Obeying the IIA Code would be at huge cost for content providers and hosts - not only would there be the need to consult professional experts to classify content, but also a reduction in business as content hosts and users go offshore to avoid those requirements.

The Code of Practice would be much more relevant to the needs of the total Internet community if it addressed rights of users to:

EFA calls upon IIA to enter into discussions with privacy advocates, user groups and consumer organisations to develop Code provisions that would improve the Code from the user point of view.

One of the principal difficulties of portions of the Code requiring its ISP subscribers to "encourage" behaviour on the part of users is that certain ISPs will put tough terms and conditions into Internet Access contracts with a view to ensuring that they accept the "encouragement". Thus, a provision that ISP subscriber should "encourage" users to label content swiftly becomes compulsory when the ISP makes it a condition of access.

For this reason, EFA must take a firm position against propositions in the Code which, if vague or ambiguous in an attempt to mollify criticism from censors and users, may nonetheless be used by ISPs and Government to justify compulsion. A clause in the Code requiring ISPs to encourage, advise or persuade users to act in a certain manner may be interpreted by ISPs or regulatory agencies such as the Australian Broadcasting Authority as a positive obligation, to be a requirement of the Internet Access contract terms and conditions.

Essentially, EFA considers it is time that IIA recognise that labeling technologies are highly controversial, and should not in any way be compulsory. As such, much of the Code that relates to ratings, classifications and Prohibited Content needs extensive amendment.

As the motto of the Internet Society says, "The Internet is for everyone." EFA shares that view with our colleagues in ISOC. We invite IIA to consider adopting the same philosophy.

Index to comments on particular sections of the code:

Detailed Comments on the Code

Extracts from the Code are shown throughout this document as indented italic text.

These are lofty statements, but there is no strong evidence of understanding of the full breadth of the privacy agenda, particularly in relation to access monitoring and other content restrictions.

The URL for the UNCITRAL model is no longer current.

The paragraph is contradictory. While acknowledging that filtering isn't effective, Code subscribers must endorse its use. This central contradiction has led to ambiguous obligations elsewhere in the Code, which essentially require ISPs to pretend that labelling and rating technologies are workable.

EFA opposes labelling and rating systems for simple reasons:
(a) They don't work as advertised;
(b) They block 99% of content if used as recommended (blocking non-rated sites);
(c) They don't block more than a tiny fraction of controversial content in normal use (blocking by keyword or URL); and
(d) They mislead parents and educators into a belief that supervision of a child's use of the Internet is unnecessary.

Even if it is a matter of debate that software filters have so far failed to deliver, there is a considerable body of informed opinion that has determined this. Unless the IIA is being deliberately divisive, it should acknowledge that the use of software filters is controversial within the ISP industry and there are a large number of ethical ISPs who will never recommend to parents that they delegate parental responsibility to a computer program.

Note also that "all Internet Content" includes material that is not accessed by web browsers - and to date many filter products ignore ftp, email or IRC. Concentration on censorship of the Web is likely to become an anomaly of history as new tools are developed to operate over the Internet.

Again, by focussing on the Internet purely as a means of conducting commerce, the Code threatens to alienate a significant proportion of the Internet user population, e.g. the educational and research communities, community organisations, NGOs, writers, poets and ordinary users who utilise the Internet as a publishing medium. This is a curious approach. Admittedly the BSA calls for Codes of Conduct with a very narrow focus, but IIA will serve the industry poorly if it supports multiple codes regulated by numerous government agencies. It seems that IIA is aware of the folly of attempting to obtain coverage of too many disparate parts of the industry with a single Code. However, the Code would be more credible if it was split into two separate Codes, one for ISPs and another for ICHs. The attempt to include such incompatible groups as Vendors and Web page developers under an all-embracing code weakens the structure and leads to huge anomalies, as is pointed out later in this analysis.

It is unlikely that the public will gain much confidence from a Code which shares the government's myopia about "unsuitable" content. IIA should be prepared to take a stand for the proposition that the Internet is an adult medium with a huge variety of content, and ISPs are not content providers. The nearest analogy for the Internet is the telephone, not the television. There are several provisions in this Code where IIA attempts to impose censorship on users beyond any requirements under Federal or State law, existing or proposed. Classification of Internet content is an unworkable objective. It may be highly desirable for IIA to promote development of search engines, and this is at least an aspiration consistent with IIA's objects of association. Existing content classification (rating and labelling) systems do not assist users to locate appropriate material, they merely block access after material has been located. The clause should be changed to limit its scope to development of resource discovery schemes. As long as the Code continues to deceive users about the practicality of rating systems, and to unreasonably dictate user behaviour, this objective will not be achieved. Worryingly, the term "user" is later defined to be a resident of Australia, a matter which will do little to develop overseas user confidence in Australian E-commerce. The same comment about the definition of "user" applies here. Furthermore, users can have little confidence that their privacy is respected when later sections of the code impose unnecessary and unlawful restrictions on material users may access. This unfortunately raises the alarming prospect of monitoring of user activity by ISPs. IIA will need to work hard to establish sufficient credibility with the user base as to justify its claims to provide a mechanism for dispute arbitration. The sections of the code dealing with this issue are confusing, and appear not to recognise the statutory role of the TIO in this matter. A great deal of work needs to be done to this code before this objective can be realised. Voice communications over the telephone, fax communications and video conferencing are scarcely regulated at all, as laws of general application cover all conceivable crimes. There is no reason why Internet data communications should be treated differently. Furthermore, this lofty principle fails to take account of the reality of the BSA, which legislates that content that is perfectly legal to publish in other media is illegal on the Internet. Although the term Content Provider is now defined to include only commercial providers, a change which EFA supports, this clause still invites a legal liability on the part of ISPs for the content of users. This is yet another example of the futility of attempting to force the Internet to into analogy with broadcast media. The definition of "users" as Australian residents is again raised as a problem in respect of adherence to this principle. This is poor drafting. Content is surely not intended to include "all information", nor can content include a "content service". This clause can be construed to mean that IIA now claims to provide coverage for cable television operators etc. This is a wider definition of ISP than in the BSA. Does IIA intend the definition to include schools, universities, computer clubs, user groups, companies etc. who provide connectivity to the Internet? If so, there are anomalies created in respect of the intent of the Code to cover only commercial activities. It is unlikely that any providers of Internet connectivity outside the traditional definition of ISP would be candidates as subscribers to the Code. The term does not appear anywhere in the Code, and in any case suggests a misunderstanding of the scope of Usenet. The term defined in the Act is Potential Prohibited Content. As pointed out earlier, this narrow definition places overseas customers of Australian Code Subscriber sites outside the coverage of consumer protection and privacy provisions under the Code, surely not a desirable objective if Australia is be a serious player in global Internet commerce. This is an example of the type of anomaly created with an all-purpose Code. This implies that the Internet comprises only products and services provided in a business setting. Re-wording is called for. These provisions do not add to the law applied through legislation, and restatement in this Code tends to suggest that other matters will not receive the sanction of being a breach of the Code. If designed as a primer for ISPs of matters considered unlawful, it lacks accessibility - but it certainly does not cover all conduct by an ISP business that may breach the law. This is unacceptable, as the ISP determines what is "relevant and necessary", and there is no requirement of express user consent. This could lead to breaches of privacy such as the ISP demanding that users turn on Caller Line Identification. All information collected in relation to a user should be capable of being checked. Whether intended or not, this suggests that Content Providers must make judgements about future classification decisions of the OFLC. Under the Act, Prohibited Content refers only to material that has been classified by the OFLC. Potential Prohibited Content requires a value judgement that Content Providers should not be called on to make.

On the other hand, the wording of the following clause 9.2 suggests that 9.1 is included so as to comply with Section 30 of the BSA Bill. If that is so, clause 9.1 misreads the intent of the legislation. Content Hosts are only required to remove Potential Prohibited Content following a complaint to the ABA, and then only if the ABA determines that the content is likely to be classified X or RC. Potential R-rated material is not required to be taken down until after the classification decision confirms the ABA's opinion. Even then, the material may remain online if a restricted access system is subsequently implemented.

This clause needs to be re-written. As it stands, Content Providers are required to make value judgements to determine if their content may be Potentially Prohibited Content. EFA contends that clauses 9.1 and 9.2 are redundant, since obligations in relation to content are now covered by the BSA and there is no longer any justification, if indeed there ever was, for IIA to require its Code Subscribers to self-censor.

The intent of Clause 9.1 is made more obscure by the use of both terms Content Provider and Internet Content Host in the Code. Only the latter term is used in the legislation, and it is therefore unclear why a Content Provider would be the subject of take-down notices unless these terms are interchangeable. Subject to satisfactory explanation of this problem, Clause 9.1 could be made acceptable only by removing reference to "Potentially Prohibited Content".

Presumably the reference to 10.1 should read 9.1. As explained above, this clause is redundant. It also misreads the intent of the BSA since Prohibited Content that has been classified R may legally remain online if subject to a restricted access system. If IIA insists on restating obligations under the BSA, it should include the further requirement that Potential Prohibited Content must be removed if an Interim Take-Down Notice is issued by the ABA, which will occur if the ABA believes the material is likely to be classified X or RC.

This is a wholly unnecessary and unjustified ban on links. IIA should consider the "slippery slope" of making Content Providers responsible for hyperlinks. Links to active or changing material may result in liability under the Code where none would exist in criminal law, and "links to links" would invite liability based on an arbitrary degree of separation. There is no prohibition under the BSA against hyperlinking to all classes of Prohibited Material and it is unreasonable for IIA to impose unnecessary and onerous restrictions that are not required in law.

It is an offence to advertise Child Pornography under laws of general application, and criminal law provides the best means of establishing whether a link has that effect. This clause should be deleted in its entirety - it exceeds legal liability for similar "references" in an offline context.

This is a broad requirement, and would require Content Providers and ISPs to make judgments as to whether a meta-tag is "misleading". There is no established principle of law that misleading a search engine is an offence. The real problem with this clause is that, whatever the motivation, it imposes a burden of content classification that is too broad to be implemented.

Worse, the clause invites the Government to criminalise mis-rating of web pages - obviously a compulsory rating system will only work if mis-rating is strongly discouraged. It is beyond the capacity of the average Content Provider to determine whether a rating is precisely correct when fine gradations of rating may well be a matter of opinion. Effectively this clause would result in web pages having to be rated by experts, and at considerable cost.

This clause should be deleted. Ratings systems have failed dismally, and there is too much content already unrated on the Internet to ever classify manually. Content Providers such as news services are never going to be in a position to rate active content. The Administrative Council should not be given the power to enforce a failed technology at its own whim.

Whether or not services providing content support rating technologies depends on technological development, not on content providers. Reasonable steps should therefore be defined. It is inappropriate for the Code to restrict Code Subscriber Content Providers to providing content only by means which support rating technologies. For example, it is not technologically possible to embed rating labels in web pages dynamically generated from databases, nor in PDF documents and other documents created to be securely verifiable. As evidenced by Government web sites, documents which do not support rating systems are an increasingly common means of providing content. While it is possible to associate labels with such content, specialised software is required to be installed on servers, there are few products available, cost is a significant issue and installation is outside the control of most content providers.

An example is the law service Austlii - it contains a massive database of legal materials, including judgments from criminal law cases and family law cases. Some of the material is unsuitable for children, some is actually Refused Classification - but as the material is released from the Attorney-General's Department without content rating or labels it is beyond the resources of a sponsored organisation to have it rated by a third party. If a requirement for content rating is made compulsory, public resources such as Austlii would be at risk.

Content Provision on the Internet is a series of niche markets, each with its own dynamics and consumer issues. By trying to lump all Content Providers together, IIA attempts to have rules covering sites which have no controversial content (but high privacy and e-commerce considerations) as well as those that have controversial content with or without commercial considerations. It would be far preferable for IIA to focus on the role of Carrier Service Providers rather than Content Providers, as the latter have a more diverse market and wholly differing consumer issues.

These clauses relate to ISP responsibilities. An industry-wide policy protecting user privacy and reducing the exploitation of email facilities by mass commercial mailouts is necessary. This clause purports to affect the conduct of commercial interests, but does not define the problem or recommend suitable policy. The term "unacceptable content" is not defined, and a condition of this nature appears designed to intimidate users into self-censorship. An open-ended policy condition gives the ISP free reign to censor material without reference to established guidelines. EFA notes that this section refers to "ISP" rather than "Code Subscriber ISP". Presumably there is deliberate intent that this section of the Code might apply to all ISPs under an ABA declaration. Given broad definition of the term "ISP" in the Code, careful consideration must be given to potential problems in this section, especially as it may assign obligations to groups such as schools, universities and corporate entities. The proposition that separate codes should apply to domestic and international access is at variance with the express intent of the BSA, and makes no sense in terms of ISP obligations or user experience. Users do not necessarily know the location of a particular website, and the distinction between domestic and overseas content, while of jurisdictional importance under the BSA, does not warrant discrete codes for the purpose of registration. These sections should be amalgamated into one code module, with redundant clauses omitted. Given the broad definition of the term ISP as referred to previously, and the potential for the schools and universities to offer Internet access to students under 18, this is an unworkable restriction.

An absolute prohibition on minors obtaining an internet account without parental or guardian's approval is not required by the Federal law, and has only an incidental relationship with minors accessing unsuitable material or minors accessing material illegal to Australian adults. IIA needs to justify why a minor should not be able to use the Net without parental permission.

This suggests a poor understanding of the National Classification Code. The definition of "child" is any person under the age of 18. Given that the definition of Prohibited Content includes R-rated material, there is no scope for any other material that could be deemed "unsuitable for children". Arguments presented previously about the unreasonableness of encouraging undefined "appropriate labelling systems" also apply here. The ABA's obligations are to deal with Content Hosts, not ISPs. The BSA doesn't permit a breach of user privacy by an ISP, but this Code makes it a compliance issue. This is an outrageous requirement. It is not an offence for an Australian ISP customer to "obtain" Prohibited Content or Potential Prohibited Content, except for a narrow class of material in the RC category (child pornography) that is illegal to possess. Similarly, the "transmit" restriction could be interpreted, for example, as making sexually explicit private E-mail between consenting adults grounds for a breach of an ISP's Terms and Conditions. This entire clause should be deleted. It has no place in a Code of Practice. This is a repetition of Clause 12A2. Users do not sign up separately for domestic and international access. It makes no sense to impose an artificial separation arising from legislative jurisdiction for content regulation purposes to all aspects of ISP obligations. This clause is expressed in extremely vague language, and invites speculation that this is deliberate. What is meant by the term "make available"? It is of vital importance that IIA explains whether this is meant to imply mandatory use of filtering, or if the decision to filter content is left entirely up to the user. If the decision is entirely up to the user, the following clause 12B.4 becomes redundant.

It is unreasonable for IIA to issue this draft for comment before Schedule 1 is released. The detail is vital to any responsible debate on the proposed mechanism for implementing alternative access prevention methods.

This clause is central to the controversial question of whether Australian Internet users are to be subject to mandatory filtering or are free to exercise discretion about whether to filter content. The clause implies that ISPs will impose filtering on all users who have not advised the ISP that they have alternate filtering arrangements in place. The Code therefore invites users to lie in order to exercise their freedom of choice. Users should not have to resort to subterfuge and deceit in order to dance around the law.

This preposterous charade requires unambiguous explanation. If IIA has genuinely managed to obtain a concession from government empowering users to make their own decisions about filtering, in the absence of mandatory blocking, that needs to be clearly stated.

Alternatively, if mandatory filtering is to be imposed on all Australian Internet users who are not prepared to lie about client-side filtering arrangements, this implements a privatised censorship regime that goes far beyond the complaints-based regime proposed by the Government.

EFA draws IIA's attention to Section 60 of the BSA Bill:

Clearly IIA has an obligation to provide more information on how it proposes to meet this requirement.

The importance of a clear statement on this matter cannot be overstated. It goes to the very heart of the rights of users to make their own decisions about censorship. EFA strongly urges IIA to completely reword these two clauses so as to remove all vagueness and ambiguity about the intent and the manner in which the requirements of the BSA might be satisfied.

The comments made in respect of Clauses 12.1 and 12A.2 apply equally here. The comments made in respect of Clause 12A.2 apply equally here. Furthermore, the meaning of the term "obtain" in relation to Internet Content Hosts is obscure. Perhaps this clause has been copied from clause 12A6 without considering the difference in services offered by an ISP and an ICH. The ABA cannot "deem" material to be Prohibited Content. That determination can only be made by the OFLC. Furthermore, the BSA requires that the ABA issue take-down notices under threat of severe penalties, not merely "notify" Content Hosts.
Given the arbitrary nature of some of the classification requirements under the BSA, this is an excessively overbearing requirement. It is not necessarily an offence to host controversial content that has not yet been deemed Potential Prohibited Content by the ABA. An offence is only committed if the content is not removed in response to an ABA request. Customers of Internet Content Hosts should not be required to classify their material in advance of any complaint to the ABA or the issuance of a take-down notice, either in response to a complaint or following classification by the OFLC. This is a totally unnecessary requirement that can only serve to intimidate users and chill their freedom of speech. It also invites users to take the safe path and host their content overseas, an unfortunate consequence for the Australian industry. This section appears to be a token attempt by IIA to obtain coverage of a section of the industry that has little in common with IIA's main constituency. The ethical obligations of this group are better left to professional bodies such as ACS. Note grammatical error in first line. Notwithstanding the excellent work of the Australian Consumers Association, this proposal perpetuates the notion that all ISP customers are mere passive consumers. Furthermore, the ACA does not have a high profile as a representative of the interests of Internet users. It is recommended that the two user representatives be nominated jointly by ACA, ISOC-AU, the Australian Computer Society, ATUG and EFA. It should not be beyond these groups to develop an appropriate mechanism for reaching consensus on the nominations. This may incur upon the Council liability for defamation or breaches of section 276 of the Telecommunications Act, while the definition of "Relevant Authorities" remains so vague. This is far too broad, and invites irresponsibility and intransigence on the part of the Council. This is far too broad, and invites irresponsibility and intransigence on the part of the Council. Attempts to make an ISP's struggle to stay Code Compliant non-justiciable are unlikely to impress the Courts. Advice to complainants as to complaints procedures is the task of IIA, not the Code Subscriber under complaint. Again, the poor definition of "Relevant Authority" makes the operation of the clause especially problematic. This section appears to imply that the Code Subscriber and the Administrative Council should be the last resort in cases that are unresolved by complaint to the TIO. Given the degree of ISP dissatisfaction with the TIO's dispute resolution procedures IIA would be better advised to establish a structured dispute resolution scheme, with escalation leading to a complaint to the TIO as the last resort, rather than the first resort as this section implies. This begs the question of what Relevant Authority is intended in section 16.2(a). This whole section needs to be redrafted to remove the confusion over multiple Relevant Authorities. The ambiguity might be also remedied by naming the intended Relevant Authority in every case where this unfortunate term is used throughout the Code.