DEA - Hidden Complexities
I've done a couple of presentations in the past week to audiences who turn out to raise similar problems for a literal reading of the Act. Looking at the duties imposed by the Act on "ISPs" it's clear that these imply that the ISP is both
- the publicly announced 'owner' of IP addresses (i.e. if you do a lookup on the RIPE database, it's the ISP's details that appear), and
- the 'owner' of user accounts, so that the ISP can work out which user was using each IP address at a particular time.
In fact that's not even true for domestic broadband ISPs, since most houses have more than one user and the ISP won't be able to distinguish them. However there Act skips over that issue by assuming that the person who signed the contract for the broadband connection can control what other users in the house do.
However it's even more obviously wrong when you look at schools and Oxbridge colleges. In the school sector, IP addresses are usually 'owned' at local or regional level - typically by a local authority or Regional Broadband Consortium - but user accounts are managed by individual schools. Similiarly, both Oxford and Cambridge Universities have IP address ranges allocated, but users will often be managed by individual colleges, which are separate legal entities from the university.
I really don't want to have to work out different reporting arrangements for these two communities, so in both cases I've been encouraging them to ensure that their internal policies and processes allow them to process infringement reports as if they were a single entity. In fact that's pretty much what they do already, as is shown by the remarkably low number of infringement reports they receive - keeping up that good work looks like a pragmatic solution, even if it requires a rather flexible interpretation of the Act.
