Are you an ISP? -
Ambiguity in the Internet Censorship Legislation

Are you an ISP? Don't be so fast to answer 'no'. Under the Commonwealth Government's recently introduced Broadcasting Services Amendment (Online Services) Act 1999 (the 'Act'), your business may be considered an Internet service provider, with potentially significant effects. Much national and international attention has recently been focussed on the Act, often referred to as the Internet Censorship Act. Attention has been concentrated on the merits of one country attempting to impose a censorship regime on the Net, but another issue of concern is the ambiguous way in which those persons regulated by the Act are defined. These definitions expose to regulation many entities which at first glance might not be considered ISPs, and call into question the extent to which the Act can be enforced in practice.

Regulation under the Act

The Act was drafted with the dual aims of restricting access to Internet content that is likely to offend reasonable adults and protecting children from exposure to unsuitable Internet content. This is done by restricting access to the following material:

material rated NC or X, or R rated material which is not subject to a restricted access system such as a password requirement ('Prohibited Content'); and
material which has not been rated by the Australian Classification Board but would be likely, if rated, to be Prohibited Content ('potential Prohibited Content').

These restrictions will be imposed through regulation by the Australian Broadcasting Authority ('ABA') of 2 types of Internet entities: 'Internet content hosts' and 'Internet service providers' ('ISPs'). Access to prohibited material which is hosted by Australian Internet content hosts will be restricted by take-down notices being issued to the relevant host. These notices will require the host to cease hosting the relevant prohibited material. Access to prohibited material hosted outside Australia will be restricted by access-prevention notices being issued to ISPs. The notices will require ISPs to take reasonable steps to prevent end-users accessing the prohibited material.

ISPs and hosts who fail to comply with these notices are liable to be fined $27,500 per day in the case of a corporation, and $5,500 per day in the case of other people.

The definitions provided in the Act for ISPs and content hosts provide scope for some unlikely businesses to find themselves on the receiving end of a take-down or access-prevention notice.

'Internet content host'

The Act fails to provide a meaningful definition for 'Internet content host', stating only that the term refers to a person who hosts or proposes to host Internet content in Australia. 'Internet content' is defined to mean information available for access using an Internet carriage service, but does not include e-mail. The Act does not state which activities are considered to constitute 'hosting' of Internet content.

A draft Internet Industry Code of Practice (the 'Code'), recently submitted to the ABA for approval, simply adopts the Act's definition of 'Internet content host'. However, the use of the term throughout the Code suggests that the Code's drafters intended the term to refer to entities which provide facilities on which the Internet content of other people can be stored and centrally administered by the host.

The reality of website management these days is quite different from that anticipated by such a definition. These days, many hosts (which are usually ISPs) offer their customers a permanent 'direct' connection to the Internet. While the host supplies the technology which provides the customer with Internet access, the customer sets up and administers its website itself. Alternatively, another common practice is 'telehousing', where a customer's server is located on the ISP's network, but is completely controlled by the customer. The number of Internet users utilising these kinds of arrangements is growing extremely rapidly. Representatives of a large commercial ISP have reported to us a 300% increase in the number of direct connections provided to customers within the last year. Both corporate and non-corporate customers utilise the services.

The Act's ambiguous definition of 'Internet content host' means that these businesses and people who manage the content of their own website may, despite the wording of the Code, be liable to be served with a take-down notice by the ABA. This also raises the issue of what action can be taken by an ISP/host which provides direct Internet access for its clients, if it is served with a take-down notice. In such a situation, a host could only ensure that even a small amount of prohibited material is taken down by taking the drastic action of blocking access to the entire website, preventing any of the customer's material being accessible via the Internet.

'ISP'

While the Act's definition of 'ISP' is more substantial than the definition of 'Internet content host', it is a definition which creates even more uncertainty. Under the Act, the term 'ISP' includes any person who supplies an Internet carriage service that is used for:

the carriage of information between 2 end-users outside the 'immediate circle' of the supplier, as defined in the Commonwealth Telecommunications Act 1997. Where one person uses an Internet carriage service to view the Internet content of a second person (eg by visiting a website), both of those people are considered to be 'end-users' of that carriage service; or
the carriage of information simultaneously to more than 1 end-user, at least 1 of whom is outside the immediate circle of the supplier.

To be an 'Internet carriage service' under the Act's definition, the service supplied must enable end-users to access the Internet.

Close examination of this definition suggests that some surprising types of entities may be covered by the Act as ISPs.

Entities considered 'ISPs'

All persons operating their own Web servers, whether for business or personal purposes, appear to be included as ISPs under the second limb of the definition outlined above. This is because servers enable such people, through their website, to transmit communications simultaneously to thousands of end-users. In most cases, the end-users accessing a website will not have a sufficiently close connection to the site owner to fall within the site owner's 'immediate circle'.

However, even if a business does not own its own server, it may still be considered to provide services enabling end-users to access the Internet. A business which enters into an agreement with an ISP under which it is provided with access to the Internet, and which in turn permits other people to access the services provided by that ISP, is arguably providing those people with a service enabling them to access the Internet (in much the same way as many companies now offer repackaged telecommunications services, despite not actually owning the telecommunications infrastructure such as telephone wires, etc). On this basis, even businesses which do not own their own servers may, in some circumstances, be considered ISPs under the Act's definition.

Consider, for example, a business which allows its employees to place information on its website, or even to use the business's computers to place information on Internet bulletin boards unrelated to the business. By doing so, the business is arguably providing employees with a service enabling them to access the Internet and communicate simultaneously with many people. As it is possible (and practically inevitable) for at least one of those people to be outside the immediate circle of the business, that business is an ISP under the Act, liable to be served with an access prevention notice.

Companies providing independent contractors with access to the Internet also appear to be ISPs under the Act. Although employees of companies and partnerships are considered to be within the 'immediate circle' of these entities, according to the Telecommunications Act, independent contractors are not included within the 'immediate circle'. By providing independent contractors with facilities on which they can access other people's websites, a company is providing a means for information to be passed over the Internet between 2 end-users outside its immediate circle. It therefore falls within the Act's definition of 'ISP'.

These days, the staff of many businesses are composed of a combination of employees and independent contractors (depending on the basis on which a staff-member is hired and how the continuing relationship between the business and the staff-member is conducted). It is also not uncommon for businesses to provide their staff with relatively unrestricted access to the Internet. On this basis, many businesses could be considered to be ISPs, liable to be served with access prevention notices.

On a similar basis, other entities which appear to fall within the Act's definition of ISP include:

Specialists to whom businesses outsource management of their IT services, including internet access arrangements;
Tertiary institutions which provide Internet access to visitors to the institution;
In certain circumstances, trust companies created by partnerships to own the legal interest in the partnership's business infrastructure, such as Internet servers, or to enter Internet access agreements with ISPs on behalf of the partnership; and
Businesses which allow clients to access their intranets, provided a link exists from the business's intranet to the Internet (as is usually the case), and this link is available to clients accessing the intranet.

In each of the examples discussed above, the entities would appear to fall within the Act's definition of 'ISP' even if their primary business does not involve the supply of Internet-related services.

The businesses and people outlined above will also be regulated by the Code, should it be approved by the ABA. The Code adopts a broader definition of 'ISP' than that used in the Act, but includes all entities considered to be ISPs under the Act.

Obligations imposed on ISPs under the Code include not providing access accounts to persons who are under 18 (unless consented to by a responsible adult), and informing 'subscribers' not to obtain prohibited material from the Internet. Most importantly, the Code requires ISPs to make available to 'subscribers' mechanisms which enable restriction of access to particular content. Such mechanisms include filtering software, password controlled limited access systems, and optional differentiated services (ie the provision of access to a limited selection of Internet content, from which undesirable content has been censored).

'Subscriber' is not defined in the Code, and does not appear to describe accurately the basis on which, for example, an employee is provided Internet access by his or her employer. Despite this, such an interpretation may be applied by the ABA or the courts, requiring the types of businesses outlined above to comply with the Code's extensive requirements.

Conclusion

Whether by accident or by design, the application of the Broadcasting Services Amendment (Online Services) Act 1999 to the entities outlined above gives the Act a far broader scope than is suggested by the Government's decision to use the terms 'Internet service provider' and 'Internet content host' in the Act. It is therefore imperative that the Commonwealth Government and the ABA either limit the application of the Act, or commence an extensive educational campaign to make the general community aware that they may be subject to take-down and access-prevention notices.

The Commonwealth Government also needs to reconsider how a regime of censorship of the Internet can and should be enforced. Seeking to regulate entities such as those outlined above will impose unwelcome costs on businesses generally using the Internet to facilitate the conduct of their business. Such a course of action will also create such a large number of ISPs that it will become almost impossible for the ABA to enforce the Act effectively. Aside from the issue of how the ABA can effectively monitor the operations of so many ISPs, it is questionable how the ABA will even be able to identify which businesses and other people are ISPs subject to regulation.

With take-down and access-prevention notices capable of being served by the ABA after 1 January 2000, these ambiguities within the Act and apparent inconsistencies between the Act and the Code require urgent resolution by the Commonwealth Government.