Last updated: 
3 months 2 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Blocking "Internet locations"

Monday, April 29, 2013 - 13:08

I had a meeting with Ofcom this morning as part of their review of section 17 of the Digital Economy Act 2010. That section, if enabled by the Secretary of State, would allow courts to order a service provider “to prevent its service being used to gain access to [an Internet] location”. This power could only be used against locations involved in a “substantial amount” of copyright infringement (s17(4)), and only after consideration of “whether the injunction would be likely to have a disproportionate effect on any person’s legitimate interests” (s17(5)). Persons whose interests might be affected would presumably include both the service provider who was required to implement the block and any third parties whose lawful use of the location would also be stopped.

Interestingly the Act doesn’t say how an “Internet location” would be specified. It seems to me that there are at least three ways this could be done, that these would have different effects (and costs) for service providers, lawful and unlawful users, and that the courts might therefore reach different conclusions on that test of proportionality:

a) An “internet location” could be specified by URL, as is currently done with the Internet Watch Foundation’s list of indecent images of children. This is the most precise form of blocking, with very little risk of accidentally blocking other material, however it is also the most expensive for ISPs to implement, as it requires all traffic to be analysed at the application layer and could require a different blocking system for each Internet protocol. It is also probably the easiest type of block to circumvent – the IWF notes that its list can only protect against accidentally tripping over material and will not stop those actively seeking it. Anyone deliberately evading this type of block would also expose themselves to all other URL-blocked material. And, of course, the operator of the blocked location can relatively easily change its URLs.

b) An “internet location” could be specified by its domain name. Blocking access by domain involves modifying the process of domain name resolution (for example returning either a no-such-domain response, or one pointing to a notification page), rather than the traffic to and from the location itself. For a service provider that (unlike JANET) controls the DNS resolution process used by its users, this may well be simpler and cheaper. However it is also more likely to block lawful use by those not infringing copyright, especially if the domain name hosts multiple services. For users, getting round a DNS block requires a little more technical knowledge at present but could be done in a way that did not impact on other URL blocks; providers of blocked services would need to change domain (as wikileaks recently did) if they wished to avoid the block.

c) Finally an “internet location” could be specified by IP address or range. Implementing such a block could be as simple as telling routers to drop or re-direct all traffic to that address or range. The potential impact of this is wider again, since a single IP address may serve many different domains all of which would become inaccessible to all services. Indeed once such a block was in place it could be tricky to send the location operator an e-mail to tell them about it! I also suspect that, unlike a DNS block, there is no way to work out in advance what the extent of such over-blocking might be. For determined users, many of the same techniques as used for avoiding URL blocks are likely to work for an IP address block; changing the IP address of a blocked server may be a little harder than changing its domain name (in IPv4 space, at least, the supply of addresses is limited whereas DNS domains are not).

Thus there seems to be a trade-off between the cost to the service provider of implementing the block and the likelihood that over-blocking will cause significant damage to other parties. And none of these forms of blocking actually meets the Act’s requirement to “prevent” access – both users and hosts can work around any of them. If the courts are ever called upon to use these powers it will be interesting to see how they judge this balance.

Finally, it’s worth noting that this part of the Act refers to “service providers” (a term defined in the Electronic Commerce (EC Directive) Regulations of 2002) rather than the terms “ISP”, “Communications Provider”, etc. used in the rest of the Act. So there is a possibility - though at the moment it seems unlikely - that a court might be able to make such an order against JANET or a connected site even if we are not subject to the other copyright enforcement provisions of the Act.

[UPDATE: There's an interesting paper by a number of real DNS experts on the equivalent US legislation and why interfering with DNS resolution is likely to have highly undesirable side-effects]