The new Defamation Bill promised in the Queen’s Speech has now been published. Although it also contains changes to what statements can give rise to liability for defamation, the most interesting part for network operators is likely to be the new provisions on liability for those who host third party content on web sites and blogs.

Section 1 of the current Defamation Act 1996 essentially gives hosts two options when they receive a complaint that a statement on their site is defamatory:

• remove or modify the statement promptly, and be sure that they cannot incur liability for the defamation;
• leave the statement untouched and risk being found liable for publication if it is subsequently found to be defamatory.

Paragraph 5 of the Bill would create two more options:

• If it is possible for the claimant to identify the person who posted the statement, then the host is protected from liability and does not need to do anything;
• If it is not possible for the claimant to identify the poster, then the host is protected from liability so long as they follow a process or processes that will be specified in a subsequent Statutory Instrument.

While the new options are welcome, the current wording creates three obvious questions:

• What is included within the scope of “website”? And how will this affect future publication technologies that haven’t yet been invented?
• Is the “operator” of a website the person that runs the server, the website software, the main author of a blog, etc.? I would hope that at least those three are covered.
• What is meant by “identifying” the person who posted the statement? This posting says that it was written by “Andrew Cormack”, but searching the web reveals several individuals with that name. Or is it sufficient that a complainant could request a Norwich Pharmacal Order against the operator of this site and discover which of them it is? I would imagine that a website operator would want to be very sure  that the poster was indeed sufficiently “identifiable” before they left an allegedly defamatory statement untouched.

Section 5(4) of the Bill also specifies what needs to be in a notice in order to trigger this process: a welcome clarification.

During the consultation process that led to this Bill, it was also suggested by the Joint Parliamentary Committee that it might change the current legal position that encourages a website operator to wait for complaints rather than proactively checking for defamatory statements. This Bill doesn’t seem to do that. [UPDATE: I've a feeling that the double negatives in the Bill do actually have that effect, but I need to study them a bit more to be sure. If so, as noted below, this would only apply to proactive checking for defamatory statements, not to other types of unlawful publication].

The consultation also suggested that there might be a process to allow a website operator to ask for a judicial ruling on whether an anonymous posting was defamatory, if it felt that there was good reason not to remove it (for example because of the statutory duty on universities and colleges to promote free speech). That doesn’t seem to be in the Bill, but it could still be included in the Regulations.

And, of course, this Bill only affects liability for defamation, not for other types of civil or criminal illegality, such as copyright breach. Those will continue to be covered (by default) by the notice and takedown procedures in the eCommerce Directive.

According to the Dutch digital rights organisation, Bits of Freedom, the Netherlands has just passed a new Network Neutrality law. Their unofficial translation into English suggests that Public Electronic Communications Service Providers will only be permitted to throttle or block traffic on their networks if this is necessary:

a. to minimize the effects of congestion, whereby equal types of traffic should be treated equally; [or]

b. to preserve the integrity and security of the network and service of the provider in question or the terminal of the enduser; [or]

c. to restrict the transmission to an enduser of unsolicited communication as refered to in Article 11.7, first paragraph, provided that the enduser has given its prior consent; [or]

d. to give effect to a legislative provision or court order.”

Items B and D on that list seem relatively uncontroversial, but it seems to me possible that C and A may prohibit desirable services. C appears to allow an ISP to offer a spam-blocking service to users, but to prohibit offering services (either opt-in or opt-out) that filter any other kinds of unwanted material. The effect of A seems to depend on what is meant by “equal types of traffic should be treated equally”. If it means that a network operator can only apply controls at the level of an IP address or range then it seems to prohibit treating time-critical services (such as audio and video) differently from other things like e-mail; but if that sort of discrimination in favour of real-time services (which may be necessary to deliver acceptable performance even on uncongested networks) is permitted then it may also allow the discrimination against peer-to-peer and VoIP traffic that was recently identified by European regulators.

It will be interesting to see how those issues are resolved, particularly as the Netherlands appears to be the first country in the world to try this approach. I understand that the Dutch telecoms regulator has indicated that ISPs will be given an opportunity to develop practical implementations before the law is enforced.

Yesterday at the State Opening of Parliament the Queen’s Speech announced the Government’s plan for legislation in the next year. A couple of the proposed Bills seem likely to affect network operators.

First is a Defamation Bill, which was the subject of a consultation last year. Although the Internet isn’t the main focus of the legislation, the consultation did recognise that there were problems with the current system of liability for hosting providers, which encourages them to remove any comment that is the subject of a complaint, without considering whether the complaint is justified. A posting by Julian Huppert MP on the Liberal Democrat Voice blog suggests that the draft legislation may be published as soon as tomorrow.

[UPDATE: he was right, see http://services.parliament.uk/bills/2012-13/defamation.html - more when I've had a chance to study it]

Second is the Communications Bill, in which the Government intends “to maintain the ability of law enforcement and intelligence agencies to access vital communications data under strict safeguards”. At the moment ISPs are required by the Data Retention Regulations 2009 to keep information about e-mails and phone calls sent using their services; law enforcement agencies can then use powers in Part 1 Chapter 2 of the Regulation of Investigatory Powers Act 2000 to access that information. The Government doesn’t seem to have published any information about this, so it’s not clear whether one or both of these Acts will be changed by the new Bill. Julian Huppert’s blog suggests that a draft bill will be published for consultation before a final version is considered by Parliament.

Given the outcome of previous hearings on copyright infringement, the court’s conclusion this week that the UK’s major ISPs should be ordered to block access to The Pirate Bay was no surprise. However the judgment raises an interesting technical issue. In a previous hearing, it had been pointed out that there was a way to get around blocks on individual web pages that would not be possible if the block instead referred to the IP address of the website as a whole. IP address blocking is recognised as carrying the highest risk of blocking legitimate material (“overblocking”) but it seems that the current IP address of The Pirate Bay is only used by the site, so the judge was prepared in this case to permit blocking of all access to those addresses.

However there are many other evasion techniques that get around both URL and IP blocks and the legal action against The Pirate Bay has been accompanied by a lot of publicity for those. According to a BBC report, there has been a significant increase in their use by young people in recent years. Unfortunately such techniques don’t just open up access to sites blocked for copyright reasons, they inevitably evade all other filters implemented by ISPs as well. So those using them may well increase their risk of exposure to images listed by the Internet Watch Foundation (earlier orders explicitly required ISPs to use the same systems to block copyright and IWF material), malicious code, and phishing sites that steal banking and other passwords. ISPs can no longer protect these users by filtering: all that will be left is any protection that may be implemented on the individual’s computer, smartphone, etc. Techniques such as the Virtual Private Networks described by the BBC also mean that the VPN operator can see all the user’s Internet traffic, creating a significant privacy threat if the operator, or their country, doesn’t protect that information as the user expects.

Such a significant risk to individuals, their computers and – by hindering attempts to control the spread of malicious code – the rest of the Internet seem a high price to pay for free music

A bot is a program, maliciously installed on a computer, that allows that computer and thousands of others to be controlled by attackers. Bots are one of the major problems on the Internet, involved in many spam campaigns and distributed denial of service attacks, as well as allowing attackers to read private information from the computer’s disk and keyboard. Some bots even allow cameras and microphones to be monitored by the attacker. Detecting and removing bots is therefore in the interests of both individuals and internet providers. RFC6561 describes the technical issues around detecting and notifying Internet users whose computers may have been infected by a bot, and also highlights the need to take account of legal, economic and reputational issues when doing so.

One of the main problems with bots is that they are now very good at concealing themselves alongside legitimate programs and internet traffic. The RFC notes that

With the introduction of peer-to-peer (P2P) architectures and associated protocols, the use of HTTP and other resilient communication protocols, and the widespread adoption of encryption, bots are considerably more difficult to identify and isolate from typical network usage.  As a result, increased reliance is being placed on anomaly detection and behavioral analysis, both locally and remotely, to identify bots.

Unfortunately neither anomaly detection nor behavioural analysis can be perfect: both may be triggered by legitimate Internet activity that happens to generate patterns that look like those of a bot. This means that any detection and notification process must be aware that some of the computers “detected” will not be in fact be infected. Even for computers that are infected, removing the bot may require more than the average level of technical skill, or involve actions such as deleting and re-installing the operating system that users are not willing or able to do. As an increasing number of devices are connected to the Internet, it seems likely that bots will infect equipment that the user simply cannot disinfect, such as games consoles, set-top boxes or smart meters.

Detecting infected systems also raises significant legal and technical concerns. Since Internet Service Providers know who their customers are, examining their traffic to identify devices that may be infected will involve processing of personal data; detailed inspection of traffic may even come within the scope of Interception law. Such laws may have exemptions for particular actions by network operators, but these are likely to be tightly constrained and require additional privacy protection. Even if the action is lawful, attempts to protect users in this way can be mis-understood – either as unjustified “snooping” or as an attempt to sell security services – resulting in end-users rejecting them.

There are some examples of successful botnet mitigation schemes, and a UK Parliamentary committee has recently called for ISPs to do more in this area. However it’s clear that any scheme needs to be very carefully designed, with input from technical, legal and communications experts.