|
|
|
|
|
|
Self-Regulation in the Information and Communications Industries Inquiry
January 1998
EFA takes the position that self-regulation is undesirable when it is taken to mean that industry organisations and users are forced to take responsibility for government censorship under the guise of self-regulation. EFA strongly supports the principle that content creators rather than carriage service providers should be responsible for online content, and that criminal culpability for such content should apply only to material that is globally and unequivocally recognised as illegal.
In the area of privacy, copyright and intellectual property, appropriate legislation is supported as a means of ensuring protection for individual rights in law.
However, there are other areas of telecommunications and on-line services where we propose de-regulation, e.g. media classification, cryptography and digital signatures.
A review of current law is recommended in respect of telecommunications interception, an area where EFA believes that existing law is over-reaching and threatens individual privacy.
Recommendations
That attempts at content regulation of the Internet be abandoned,
on the basis that publication of globally-agreed illegal material can
already be prosecuted under existing law, and that regulations concerning
contentious material are inappropriate in a world where cultural differences
cannot be easily reconciled.
That Codes of Conduct applicable to the Internet services industry should not impose liability on Service Providers for content that was not originated by them.
That ISP's should be given immunity from both Federal and State prosecution for the storage or transmission of material that they have not themselves provided.
That the existing ISP complaints mechanism operated by the Telecommunications Industry Ombudsman be reviewed to determine its effectiveness in this role.
That the OFLC be disbanded and classification of all media currently under the Office's scope become the responsibility of the relevant industry bodies.
That Australian government cryptography policy be totally overhauled and that the widespread use of cryptography be encouraged as a means of ensuring privacy and confidentiality.
That the Privacy Act be overhauled and extended to include the private sector.
That the interception provisions of the Telecommunications Act be reviewed so as to provide online users with remedy against unwarranted privacy intrusion and greater certainty that communications cannot be intercepted without appropriate authorisation.
That consumer or privacy advocates should be included on government regulatory authorities such as the Telecommunications Industry Ombudsman Board and the Law Enforcement Advisory Committee (LEAC), so that advice on privacy issues may be taken into consideration in any deliberations of such bodies.
EFA's position is that the broadcasting model is a totally
inappropriate one to be imposed on the online services industry.
Furthermore, we contend that the development of the industry is being stifled
by inappropriate regulation where it is not needed, and by lack of regulation
where it is clearly required.
We will address our response to the inquiry solely in the area of online
services, since some areas covered under the Terms of Reference are outside
our area of experience and knowledge.
Introduction
The Inquiry's Terms of Reference cover a broad range of services and industry
sectors, and suggest that the self-regulatory model applied to broadcasting
services is considered an appropriate one for the new information industries.
Internet Content Regulation
The most recent development in the interminable saga of official
inquires and proposals for regulating Internet content in Australia is the
Principles for a Regulatory Framework for On-line Services in
the Broadcasting Services Act 1992 proposed by the Department
of Communications and the Arts (DoCA) in July 1997.
EFA's response to the government's proposals was submitted on 10th August 1997. The full text of all submissions to the DoCA proposals are now available online.
The meeting of State and Commonwealth Attorneys-General (SCAG) in Hobart
on 12th December discussed implementing tough new laws which would
make ISPs responsible for Internet content. They also claim to have resolved
jurisdictional problems that have plagued the debate so far.
In the words of the Commonwealth Attorney-General's
Press Release
of 12th December:
On 19th January 1998, a further media release Regulation of Internet Content from Senator Richard Alston and Attorney-General Daryl Williams, appeared to soften the original ISP liability proposals but still suggests that ISPs bear considerable liability for content passing through their systems.
These recent announcements are most confusing and contradictory. It seems that the government wants on the one hand to encourage self-regulation in the ISP industry, but at the same time it is making noises about a "big stick" approach.
EFA's position is that the ISP industry should be encouraged to develop self-regulatory Codes of Practice which are primarily concerned with consumer issues. The ISP industry bears little resemblance to the broadcasting industry and it is entirely inappropriate to include ISPs under the Code of Practice provisions of Section 123 of the Broadcasting Services Act. Broadcasters assume responsibility for and transmit content to consumers, on either a free-to-air or subscription basis. In contrast, ISPs are carriage service providers, making available, for a fee, a communications link to the huge array of content stored on millions of computers around the globe.
Despite talk of "convergence" of these disparate media, there is little by way of commonality in the way the two systems operate. The Internet works on a point-to-point basis. Each communication must establish a separate connection, much like a telephone call. If too many users attempt to connect to the same site simultaneously, congestion occurs. Contrast this with a broadcast system, where the number of simultaneous viewers is utterly irrelevant to the performance of the system.
The point here is that an ISP essentially operates a telephone exchange, and should bear no responsibility for monitoring, let alone censoring, the conversations that take place over the network.
The handling of complaints about Internet content is an entirely different matter. EFA queries the desirability of regulating the Internet by linking ISPs with carriers under the Telecommunications Act 1997 (consumer complaints and carriage issues) and then linking ISPs with content providers under the Broadcasting Services Act 1992. Apart from using telephony on occasion and being a conduit to content providers, ISPs do not have enough common ground with other clients of these Acts to be properly treated. Nor are they to be confused with a hybrid of cabling service and entertainment medium.
Complaints about content are misdirected if made to ISPs - only the content provider can answer them. ISPs are often contractually bound to provide bandwidth and disk space irrespective of content, and are bound by laws of general application against criminal conduct. If content is illegal, the content provider has criminal culpability as the content originator but an ISP must rely on the criminal law to guide as to procedure for removing a user's contractual rights. If content is illegal, the appropriate remedy is a call to the police. If content is legal, then an ISP may be acting contrary to law in removing it and it is inconsistent with due process for a law to encourage removal of content unfairly.
Other legislation has suggested a "good samaritan" clause to exonerate ISPs from liability for removal of material "to be on the safe side". EFA submits that such a provision, which can be a back-door way of enforcing extra-legal content restrictions, is unnecessary if Internet regulation requires the ISPs to only remove unequivocally illegal material after written notice from the police, or a court order.
The oft-quoted issue of "protection of minors from exposure to material that may be harmful to them" invites debate over the means to that end. To keep the issue in perspective, EFA would point out that protection of minors is not part of all ISPs' training or competence. In the event that parents consider that filtering Internet content is a desirable alternative to adequately teaching minors to deal with all types of Internet content, this is only achievable with use of personal software programs and proper supervision appropriate to age and maturity. ISPs can neither hinder nor assist this process, and the emergence of specialist content providers for children will reduce the need for supervision in some cases. Minors are not all impressionable victims nor hardened hackers, and parents are better placed than ISPs to determine whether a problem exists with their child's use of the Internet. The development of a range of online services and market forces are a better means of giving parents control over their children's activities.
As President Clinton resolved, following the defeat of the Communications Decency Act, it is the role of the police to track down paedophiles and terrorists - and it is up to parents to supervise their child's use of the Internet.
As the Commonwealth Government is making an initial move into the regulation of Internet content, it is worth reflecting on the international perspective on a liberal democracy making judgments on access to a global network - at risk of imposing arbitrary restrictions that satisfy some individuals but may be seen as an abridgment of free speech by others.
Assuming that OFLC guidelines would be on the "publications" standard, rather than the more censorious standards for movies, videos and computer games, there is still a vast body of RC material that is available elsewhere than in Australia at absolutely no additional inconvenience to the user than if it were available on an Australian site. Much material that is classified by the OFLC (whether as a publication, movie or computer game) as Refused Classification by subject-matter routinely appears on the Internet as material legal in the USA and other countries.
The physical location of Internet content is a matter of little relevance. A content provider in any Australian State or Territory can have content hosted elsewhere in Australia or any other country. Realistically, to deny Australian content hosts the right to host content legal and protected elsewhere is to make Australian sites uniquely disadvantaged in a global market.
There is no need for the ABA to deal with complaints against ISPs concerning content or breaches of the Broadcasting Services Act, if a sensible decision is made by the Commonwealth to indemnify ISPs against liability for content. By legislating also upon the obligations of content providers, the Commonwealth, in co-operation with the States, can establish procedures for establishing whether content is legal or illegal.
All commentators accept that there is some Internet content that is universally condemned, and some consider international efforts to eradicate it are capable of success. The precise definition of this content in a new Internet-Illegal guideline statement would be the appropriate response by an Australian government intent on making an effective contribution to dealing with criminal content. Obviously, the narrowest definitions of illegal content are most likely to be successfully prohibited - a wide definition that includes material routinely available in other countries and protected as free speech in the United States would be pointless and unenforceable. ISPs should be entirely indemnified against content provided by another, simply because every censorship law of every other medium is directed against the content provider, not the supplier of the medium.
One of the most controversial of the DoCA proposals was that it should be made a Federal offence for an ISP to "knowingly allow" a person to publish material that "would be" refused classification under OFLC guidelines. The exact guidelines intended are not specified.
Other proposals to require liability for content that would otherwise be "illegal under a State or Territory law" would require an encyclopaediac knowledge of different laws even if neither user, ISP nor content provider is in that jurisdiction. Such proposals slump back to the sloppy definitions and technical impossibility that has categorised other attempts to make ISPs liable for the transmission of data by others.
In the event that the Government is determined to criminalise an ISP who knows that a user is providing or obtaining illegal material, at least the content must be defined with a precision greater than the vague guidelines for publications, movies or computer games. EFA submits that the only material that can be plausibly prohibited is that which is prosecuted in the USA and in all major countries - specifically authentic child sexual abuse images.
EFA is opposed to measures which leave to the States and Territories the task of determining liability for content published or obtained by content originators or end users. Enormous jurisdictional problems flow from such a position ... a Perth user may place content on a Sydney-based ISP's system which happens to store that content in Melbourne wherefrom it is accessed by a user in Tasmania. It is obvious that national laws fail to regulate all Internet content, and regional governments are less able to make an impact on the type of material available. There is also a real danger that one rogue State could ban MA-rated material, criminalising every Australian Internet user ; or that an effective national policy will be slow to develop when States-rights rivalries prolong the process towards consensus.
It would only take one State or Territory to drive all Australian ISPs, users and content providers off-shore - and this, EFA submits, is a poor environment for a national policy encouraging the information technology industries to expand into an export market. What benefit for Australia is there in local industries having to move between States or even go overseas?
EFA submits that Internet regulation is beyond the jurisdiction of State and Territory governments, and that consensus is too unlikely to be achieved to be the basis of content regulation. It is time for the Federal government to recognise that Internet content is primarily an international issue, and only limited regulation is possible even at a national level. A multiplicity of content classifications around Australia would be a burden on the development of Internet businesses and would result in differing rights of free speech on the Internet depending on State or Territory - in the view of EFA an unacceptable outcome.
Bureaucratic classification of such content in the traditional OFLC way would be a nightmare, and EFA is absolutely opposed to any such role.
Indeed, it may be time to consider moving the classification function for all media away from the nanny role of a government agency to a self-regulatory framework involving the appropriate industry sectors, i.e. the distributors of films, video, computer games, magazines and publications.
By its own admission (Classification Board Annual Report 1995/96), the major role of the board is now classification rather than rejection of material. There is no obvious reason why such classification should be performed by a government agency, especially as the OFLC is moving rapidly towards full cost recovery and is pricing its services at increasingly prohibitive levels.
The prior restraint framework under which the OFLC operates (Classification (Publications, Films, and Computer Games) Act 1995) is repulsively Orwellian and has no place in today's world where so much material deemed unsuitable for Australians to see is protected by free speech rights in other jurisdictions.
EFA therefore recommends the OFLC's role in media classification be abolished, and that its function should be reduced to that of final arbiter in respect of illegal material.
Following this shock announcement, a coalition of privacy groups, consumer organisations, businesses, trade unions and professional societies, including the Australian Privacy Charter Council, American Express, Ozemail and the Australian Consumers Association, warned that a privacy disaster was looming for Australia.
Privacy is a vital right for individuals, especially in the light of recent developments in technology and massive government plans to outsource information processing. Businesses have been fighting hard to reassure consumers that their privacy is still safe, but without federal legislation there is no guarantee. A Price Waterhouse survey of 120 large companies found that two thirds supported the introduction of national privacy legislation. The Government's turnaround on this matter is inexplicable.
Australia is set to suffer further embarrassment when international companies refuse to trade with Australia because of our lack of privacy protection. Australian companies will be left out in the cold, unable to enjoy the benefits of the booming international trade in information. These international laws have been prompted by the European Union Privacy Directive which comes into force on July 1, 1998.
Several state governments, including Victoria, NSW and Queensland, are now planning to introduce privacy legislation of their own. This inconsistency will be an administrative burden for business.
The Campaign for Fair Privacy Laws has been established by concerned consumer organisations, privacy organisations and businesses to campaign for the introduction of effective privacy legislation in Australia. The campaign is an informal alliance of organisations and individuals who believe that privacy protection can best be achieved through the development of a national scheme backed by legislation.
Members of the Campaign for Fair Privacy Laws believe:
Both the Campaign for Fair Privacy Laws and the boycott of the voluntary code have attracted international attention. With less than six months to go before the European Union Directive on Data Protection comes into force, there is a growing interest in the position of the various parties in Australia in relation to privacy protection.
EFA strongly urges the committee to recommend that the government reconsider this decision.
The Commonwealth Attorney-General's Department attempted in 1996 to review policy in this area with the commissioning of the Review of policy relating to encryption technologies, more commonly known as the Walsh Report. However, for reasons that have never been made clear, this report was never made public, despite an original intent that it should be. This report was eventually obtained by EFA under a Freedom of Information Act application.
The Walsh Report is an important review of encryption policy which has generated international interest. It takes a balanced look at the issues and casts strong doubts on the workability and desirability of key escrow/key recovery policies.
Current Australian regulations ban cryptography exports, claiming responsibilities as a party to the Wassenaar Arrangement, although the actual details of the latter regarding crypto seem obscure. However, an export license can be obtained on application to the Defence Ministry. The conditions of such a license are not openly stated, and at least one Australian software company has been refused a license. It would seem that even "public domain" software such as PGP is covered here.
The policy of the current government states:
The Australian position on cryptographic export controls can be found in the Customs (Prohibited Exports Regulations) - Schedule 13E and the Customs Act 1901 Section 112 (Prohibited Exports). Actual details of items prohibited under this legislation is listed in Australian Controls on the Export of Defence and Strategic Goods. Crypto software is identified under Part 3, Category 5/2 of these controls.
The existing export controls look ludicrous when one considers that the algorithms are in the public domain. Entire crypto-systems, of which Pretty Good Privacy (PGP) is the most widely known, are also freely available, throwing into question the usual justification for export restrictions, namely that criminals will use cryptography.
EFA believes it is time for the government to abolish these controls. They are unworkable, ineffective, and are constraining the growth of Internet commerce and a viable software development industry in Australia.
EFA's position on this matter is reflected in the views of Stanton McCandlish, Program Director of the US Electronic Frontier Foundation (EFF), extracts of which are reproduced below:
Current proposals by some governments to establish national bodies to control the issuing of digital signature certificates fundamentally alter the nature of a what a signature is, and, more to the point, strip citizens of their long-standing right to create and assert their own signature as valid - a right that has existed as long as writing and contracts have existed, and one which is so entwined with the basic democratic notion of innocent until proven guilty that it cannot be excised without harming liberty. Never before in all of history has a government agency, or someone regulated, certified or licensed by a government agency, had to stamp with approval anyone's regular signature before it was considered presumptively valid. To date, signatures are presumed valid until proven otherwise. The burden of proof is born by one who would challenge the signature as a forgery, or the certification of the facts asserted (the other purpose of such authentication technology as digital signature and notaries public) as falsified.
There are of course situations in which an assertion of authentication must be backed up with further evidence, be that presentation of a birth certificate, support by references, a seal of a notary, etc. These are the exceptions, not the rule, and do not require the creation of a certification authority "infrastructure" to handle them.
A more rational position would be that in situations in which a simple assertion of authentication is insufficient, and we demand a (somewhat) trusted third party's assurance that a signature or other statement or credential is valid, we turn to third parties. We require the seal of a notary public, we do a credit check, we call references for verification, we ask to see ID. It will prove expensive, time-consuming, and ultimately injurious to liberty as well as to commerce to require that in the future all authentications be backed up by the full faith of a governmental or quasi-governmental entity.
There remains an obvious question: Why do governments suddenly want control over this technology? One can only assume that it is because it would irrevocably shift power away from the people. Control over one's very signature, one of the most personal and innate expressions and statements a person can make, would be taken away from individual citizens and given to governments and entrenched power-brokers in the banking and credit industries, who could then charge people for exercising their own rights, thereby disempowering a large number of people.
The notion that we must pay for our own day-to-day signatures or be unable to legally sign is repulsively Orwellian, and must rationally be condemned by academics, attorneys, journalists or anyone with the slightest stake in freedom, or progress.
Amendments to the Telecommunications Act 1997, passed last year as the Telecommunications Legislation Amendment Bill 1997 applied radical new telecommunications interception (TI) requirements to carriers and carriage service providers and will transfer the onus of funding interception infrastructure from the government to the industry.
The new legislation extends the reach of interception compliance to a huge number of service providers and a wide range of new services, both voice and data. One has to seriously question the cost/benefit to the community of such wide-ranging communications surveillance.
The approach of forcing carriers and service providers to fund the up-front cost of interception facilities is forcing additional capital costs on emerging new technologies, with little corresponding financial restraint on the use of these facilities by law enforcement agencies. New technologies such as voice recognition and the relative ease with which data communications surveillance can be automated will make interception far more cost effective from the agencies' point of view compared with the largely manual activity involved with wiretapping in the past. The potential for over-use of these facilities must present a real threat to individual privacy.
Although the Bill is largely aimed at voice interception, the growth in Internet usage in Australia and worldwide is likely to see a corresponding increase in interest by law enforcement agencies. There is no doubt that Internet Service Providers are included under the provisions of the legislation and they will be required to provide law enforcement access to packet-sniffing software capable of intercepting specified IP streams.
The ready availability of strong encryption is one of the main threats to the effectiveness of TI. Issues such as key escrow and crypto software export restrictions, particularly in the USA, have subsequently become a dominant global topic in online discussion forums and elsewhere. This debate is concerned entirely with the dilemma of meeting the demands by law enforcement and national security agencies for a ready interception capability, as opposed to the competing demands of privacy interests and commercial security needs. The Walsh Report analysed this issue in some depth and cautioned against the unquestioning acceptance of "public safety" as an argument against the use of strong encryption. As Walsh comments (section 3.4.7):
The encryption debate raises some important questions in relation to the proposed TI legislation. A number of Internet Service Providers and financial organisations are currently establishing Virtual Private Networks and other mechanisms as a means of offering secure communications across the Internet. These networks depend on encryption to provide communications security, yet the legislation will require providers, where possible, to decrypt such communications if required under the terms of a warrant. The very fact that such a capability must be inherent in such facilities would deter many potential customers, not because they have criminal intent, but because network security has been compromised.
The ACA's (formerly Austel) Law Enforcement Access Committee (LEAC), and in particular its New Technology sub-committee, has a specific responsibility to monitor international developments in encryption and the usage of encryption by surveillance targets. LEAC was formally established in 1992 and at various times has included representatives from ACA, AFP, Police, ASIO, Customs, Attorney-General's Department, Department of Communications, Defence Signals Directorate, National Crime Authority, OTC and Telecom. The apparent absence of any privacy protection interests in LEAC itself, and the limited role such interests have been able to play in the debate on the proposed legislation, are matters of great concern.
The Coalition government, in its pre-election policy statement Australia Online took the view that the onus is on security agencies to demonstrate that the benefits of legislating against strong encryption outweigh the social and economic consequences of the loss of personal privacy and commercial security that this would entail. The same criteria should be applied to the current interception legislation, but we are yet to see any such justification.
The paper requested comment as to whether the Copyright Act should be amended to provide that Internet Service Providers would be exempt from copyright liability in circumstances in which they provide notices to their subscribers about copyright rights and the nature of permitted use of copyright material under the Copyright Act. EFA would propose that the Copyright Act define a statement which would be acceptable notice under this requirement, and to suggest that the Australian Government provide an information site which may be conveniently "hot-linked" by ISPs in order to discharge this obligation.
EFA would support such a position in the context of an otherwise complete indemnity against liability for copyright liability falling on ISPs in relation to content provided by others. The existing broadcasting, diffusion and publication rights set out in the Copyright Act make it unclear as to whether Australian law places the burden of paying royalties upon ISPs Claims by copyright owners associations such as APRA and AMCOS have given rise to the perception that ISPs are liable under Australian law for the activities of their users. This is an unacceptable position, as ISPs are not capable of restricting their users' access to copyright material nor are they capable of monitoring infringement of copyright or use of copyright material giving rise to a claim for royalties. Ultimately, only the content provider or the person obtaining content can reasonably be expected to be responsible for the costs of obtaining or providing such material.
EFA would request that the Government consult ISP and other on-line organisations with a view to establishing a form of words and procedure for ISPs to give appropriate copyright warnings to their users and content providers.
The definition of "to the public" which has been the subject of consideration for either law reform or alternatively for judicial interpretation, is an important issue to be determined in the context of the global Internet. There have been several occasions upon which copyright owners in other countries have contacted Australian users and content providers, under circumstances in which Australian copyright owners' associations also have claims. There is a real problem that in the absence of uniform international copyright law, a broad definition of "to the public" could result in unintended or unforeseen liability falling upon Australians.
Concern is expressed relating to the proposed enforcement provisions which would outlaw the unauthorised circumvention of technological copyright protection measures. Whilst it is acknowledged that commercial piracy of copyright material is an international problem, new legislation should carefully consider the consumer interest in being able to make proper back-ups of purchased copyright material. Digital media often needs back-up for consumer protection purposes, and there are several technologies and commercially-available products which are designed to permit owners of copyright material to back it up for personal use. If there is to be a new offence in relation to circumvention of copyright protection measures, it should only be applied in the context of a legislative scheme which permits backing-up of purchased content for personal use. This would include such things as the ability to back-up compact discs, copy-protected floppy discs and other media and to be able to examine certain proprietary data which may be concealed within programs. For example, the latter point would include the ability to examine "refused access" lists within filter software programs.
EFA strongly supports an exemption for libraries and educational institutions in relation to liability for the exercise of the proposed new transmission right and the proposed right of making available material to the public. Universities and libraries will in the future routinely provide Internet access as part and parcel of their roles as providers of public information. Such Internet access, used by students and patrons, could have the effect of making public institutions liable unreasonably for copyright infringement. It would be preferable if the legislation acknowledged that libraries and educational institutions, when they are acting solely in the capacity of providers of Internet access, ought not have any liability for copyright material obtained or provided by users.
Careful consideration should be given to the "fair dealing" provisions of the Copyright Act, especially with regard to incidental or automatic copying of material from the Internet when browsing web pages, replying to articles in email or making fair comment on matters of public interest. It should be noted that copyright owners will be anxiously testing the limits of new copyright legislation, and consequently the public interest in being able to easily view material on the Internet and to be able to review such material should be carefully defined. The new standard for the new right of "making available material" would be harsh if it had the outcome that merely viewing the material gave rise to an obligation on the part of the user or the ISP.
If further regulation is deemed necessary, it should be limited to the following: