Internet Society of Australia
A Chapter of the Internet Society
ACN 076 406 801

Who is an Internet Content Host or an Internet Service Provider
(and How is the ABA Going to Notify Them)?

Summary

The Broadcasting Services Amendment (Online Services) Act 1999 (BSA), in effect from January 1st 2000, regulates the behaviour of Internet Content Hosts (ICHs) and Internet Service Providers (ISPs) under a complaints-driven scheme for enforcing removal or blocking access to on-line prohibited or potential prohibited content, as classified by the OFLC and notified by the Australian Broadcasting Authority.

In general, ICHs must be prepared to take down hosted content when notified, and ISPs must attempt to block access to prohibited content when notified.

A core issue of the legislation is defining who is affected by it - who actually is an ISP or an ICH? At first pass this might appear straightforward, but closer examination shows that:

The BSA covers not only commercial Internet businesses, but also extends the definition of ISP or ICH to a far wider range of groups and individuals than previously recognised;
a further interpretation would put anyone who permits an external end-user to access their Web pages via the Internet into the category of ISP;
an assumption of the BSA was that there are around 650 online service providers in Australia, but the BSA itself shifts up to 20,000 businesses and individuals into the category of ISP;
if the second interpretation does not hold a further anomalous situation occurs, in that many groups providing access to the Internet are not covered by the BSA and will be able to allow access to content that is banned for other Australians;
the notification system required by the legislation is still not declared by the ABA, and will demand substantial resource investment by ICHs and ISPs for them to be capable of responding to notification by the 1st January 2000.

Given that the legislation expands the definitions of ICH and ISP to almost all public and private entities using the Internet in Australia for anything more than passive browsing, this will impose significant compliance costs on the fastest-growing component of the Australian economy. It will also make the scope of "industry self-regulation" so broad that it can have almost no practical implementation.

ISOC-AU calls for a revision of the BSA, particularly with regard to ISPs, so that it takes into account the reality and limitations of Internet technologies, the enormous power of control they confer on end-users, and the personal responsibilities of individuals to use the Internet wisely.

[A] Who is an Internet Content Host?

(1) What is "Hosting"?

According to the BSA, an Internet content host means a person who hosts Internet content in Australia. The activity "to host" is not defined in the legislation. In terms of commercial Internet services this normally means the provision of computer systems with:

multiple web or file-transfer sites - some commercial, but many for charities, activity groups, clubs, community organisations, NGOs, research, academic usage, and individual or personal home pages;
each site with its own disk storage space and access to software facilities to add, remove and maintain the site contents;
each site defined by a numerical IP address, or its own domain name, or as a subdirectory under a domain name;
associated system and network hardware and software for services such as DNS, so that Internet access is possible;
specialised server software that allows anyone in the world to get copies of those files transferred to their own computers, to view temporarily with browsers or to store on their own devices.

(2) What is "Internet Content"?

The above description refers to requirements for hosting via the World Wide Web and its protocols - the accepted commercial meaning. However, the legislation does not specify this at all. It refers only to "Internet content" - information kept on a data storage device and available for access via an Internet carriage service (excluding ordinary electronic mail and broadcasting services).

This definition expands the potential categories of "hosted" content far beyond the accepted scope. Other content kept on data storage devices and available through an Internet carriage service may include: Usenet News (newsgroups), mailing-lists (one-to-many email distribution, often accessible via the Web), caches (local storage of frequently-requested content), FTP sites (anonymous file transfer), public software and vendor archives, streaming audio and video files, phone-to-Internet messaging systems, personal chat and contact messaging systems, and other "Internet content" that was apparently not taken into account when the legislation was drawn up. Any take-down or blocking systems that are suitable for regulating Web content will not be applicable to these other forms of content.

Another difficulty is that "ordinary electronic mail" is excluded from the category of "Internet content", but the term is not defined, either in the legislation or in real-life usage. Electronic mail is an enormously flexible protocol and it appears that the legislators of the BSA did not understand that almost any Internet content, including Web pages, may be both requested and automatically delivered by email under "ordinary" conditions. The only way to know whether an email is delivering business documents or prohibited content is by examining it, which would lead to major concerns in the area of commercial confidentiality and privacy.

(3) Who are the Internet Content Hosts?

Hosting is not necessarily an activity restricted to commercial Internet businesses. In many cases, Internet content is directly hosted without the involvement of a commercial Content Host, by a wide array of other groups and individuals with their own computer equipment - corporate, government and private - for example:

banks, ecommerce traders, insurance firms, stockmarket companies;
web developers, Internet analysts, systems integrators;
applications providers, hardware vendors, software archivists;
training institutes, professional and technical support companies;
universities, tech colleges, research institutes, libraries, law firms;
State, Territory and Commonwealth government departments and authorities;
community organisations, charities, computer clubs, hobby groups;
book, magazine and music vendors;
hardware, travel agencies, florists, food merchants, clothes shops, etc;
Any individual with a computer connected to the Internet running the (free) software which enables the world to access content on their computer.

To expand upon the final point: the most widely-used Web server software in the world is available for free and is run on all types of systems, from large commercial sites to personal sites. It provides access to Web content over the Internet and can offer the same content to many thousands of end-users simultaneously.

Businesses with their own permanent connections would normally use it on their servers, but even someone with just a PC at home could run it and serve whatever content they wanted to the world. Even individuals or groups who simply use a cable modem rather than a permanent Internet connection can and do provide Internet accessible content.

The implication of the imprecise definitions and lack of understanding of the implementation of the Internet in real terms is that all of these groups and individuals may be regarded as ICHs under the BSA, so are exposed to potential liability under legislation that they probably have no idea would apply to them. They have to be able to be notified by the ABA to take down prohibited content if necessary.

A major education campaign pointing out their responsibilities and potential liability should be implemented as soon as possible by the government.

[B] Who is an Internet Service Provider?

(1) What is an Internet Service Provider?

The BSA states that an Internet Service Provider is a person who supplies an Internet carriage service to the public.

An Internet carriage service is a "listed carriage service" (under the Telecommunications Act 1997) which enables end-users to access the Internet.

A "listed carriage service" is a carriage service between points in Australia, or with at least one point inside Australia (Telecommunications Act, Sect 16), while a "carriage service" means a service for carrying communications by means of guided and/or unguided electromagnetic energy.

(2) Who is "the public"?

The BSA states that a service is supplied to the public if:

an Internet carriage service is used for the carriage of information between 2 end-users, and EACH end-user is outside the "immediate circle" of the supplier of the service;
an Internet carriage service is used to supply point-to-multipoint services to end-users, and at least ONE end-user is outside the "immediate circle" of the supplier of the service;
an Internet carriage service is used to supply "designated content services" to end-users, and at least ONE end-user is outside the "immediate circle" of the supplier of the service. (Designated content services are determined in writing by the Minister.)

It is clear that the definition of immediate circle is fundamental in determining who is the public.

(3) What is an "immediate circle"?

Telecommunications Act Sect 23: A person's immediate circle consists of:

the person (including a partnership) and the person or partnership's employees;
if the person is a body corporate, then it includes officers and employees of the body corporate;
if associated with another body corporate, the officers and employees of that other body corporate;
if the person is a tertiary institute, the members of the governing body, employees and students;
if the person is the Commonwealth, a State or Territory - the authorities, institutions, officers, employees, members of defense and police forces, members of the legislature and office-holders under the law;
if the person is a Commonwealth, State or Territory authority or institution which carries on a business as a core function, its members and employees.

In general, officers and employees of an institution comprise the immediate circle of the institution. However, patterns of employment are very different today compared to even ten years ago: many services are provided to institutions by individuals who are not employees, hence they are outside the immediate circle of the institution.

(4) Who are the ISPs?

This leads to an interesting re-consideration of the concept of ISP. If a business offers access to the Internet to its officers and employees only, then it is not an ISP. However:

if a business offers access to those outside this group, such as external consultants or beneficiaries of an associated trust company who are not in the immediate circle in some other way, it is an ISP.
If a tertiary institution offers Internet access to academic visitors, who are neither employees or students, that institution is an ISP.
Any companies that run outsourced computing resources on behalf of government, tertiary institutes or businesses, which also provide access to the Internet, are now ISPs because their customers are not employees of the outsourcing business.

(5) Point-to-multipoint

The number of "ISPs" in Australia, estimated in the Explanatory Memorandum to the Bill to be around 650 service providers, is now seen to run into thousands from organisations offering access to those outside their immediate circle, and explodes to the level of tens of thousands as a result of a further interpretation of the term.

The BSA states that a service is supplied to the public if:
an Internet carriage service is used to supply point-to-multipoint services to end-users, and at least ONE end-user is outside the "immediate circle" of the supplier of the service.

Point-to-multipoint services are defined in the Telecommunications Act as "a carriage service which allows a person to transmit a communication to more than one end-user simultaneously".

In the case of the Internet, many services allow an end-user to transmit a communication to more than one end-user simultaneously. In particular, Web servers, as mentioned above, can supply the same content to thousands of simultaneous Internet users, so may be regarded as point-to-multipoint services.

So it only needs one end-user to be outside the immediate circle of the supplier of the service for that supplier to be regarded as an ISP. By this interpretation, anyone running a Web server whose contents are available to someone outside the immediate circle, such as a business advertising its products via the Internet to the world, becomes an ISP.

If this is so, then every time the ABA needs to notify "ISPs" to block prohibited content, the population they must notify has now expanded to all of the entities in Australia who allow content on their Web sites to be accessed by Internet end-users.

If, on the other hand, the provisions of the IIA Industry Code are accepted, with their apparently less onerous requirement of providing filtering software and blocking blacklists, the task of implementation and compliance is still a massive one which will impose major costs on large and small businesses, none of whom are aware that they are liable as ISPs under the legislation from 1st January 2000. The requirement for the ABA to provide mechanisms to update blocking blacklists to such a large population may also create substantial difficulties.

Many businesses provide their Web services from their own machines with a permanent connection to the Internet - industry estimates put the existing numbers of permanent connection at around 16-20,000, with three times that number expected to be installed over the coming year at current rates. This suggests that right now up to 20,000 entities could be ISPs under the BSA, and as many as 60,000 may be in a year's time.

However, should the point-to-multipoint definition not hold, we are left with a further paradoxical situation. In this case, the entities who offer Internet access to only their immediate circle are not ISPs, and have no obligation to block access to overseas prohibited content. However, a large proportion of these groups have direct access (permanent connections) to the Internet, their traffic is normally not filtered in any way by upstream ISPs, so the responsibility for blocking access does not rest with any other entity.

So under two definitions of "ISP" the legislation forces some very unexpected organisations into that category with its associated penalties, but if one of these definitions does not hold, the legislation then permits many other organisations to avoid its requirements altogether, which is presumably not the intended outcome.

[C] How will ICHs and ISPs be notified of Prohibited Content?

Clauses 30 and 34 of the BSA state that in the case of prohibited or potential prohibited content hosted in Australia, the ABA will notify the relevant Internet content host of take-down notices or revocation of those notices by means of "a written notice".

In the case of prohibited content hosted outside Australia, the ABA must notify ISPs to take steps to prevent end-users from accessing the content, either by written notice (clause 40) or by unspecified electronic means (clause 51). Revocation notices (44) must be by means of a written notice.

If the ICH or ISP does not comply with a take-down notice by the end of the next business day, the financial penalties are severe. The implication is that all of the above businesses, organisations, clubs, institutions, as well as anyone running software that provides Internet access to content upon their computer, must:

be able to be located in a physical sense for delivery of a written notice;
or if the written notice is delivered by electronic mail, have a valid and functional email address for receiving the notice;
have in place administrative procedures for reading, acting upon a notice, and notifying the ABA that the notice has been complied with;
have in place technical procedures for locating and taking-down the notified content;
have in place human resources or legal procedures for dealing with the actual producer of the prohibited content.

Currently the notification scheme to be used by the ABA is not declared. The ABA has publically discussed their development of a database of prohibited Internet content which may be open to "strictly controlled" external access (http://technology.news.com.au/news/4162220.htm) for the updating of lists of prohibited Web sites.

This does not address the requirement of the ABA to notify ICHs and ISPs by means of a written notice. It does not address the sheer diversity and enormous range of Australian entities that are ICHs or ISPs under the loose definitions of the legislation. It does not address the need for those entities to set up administrative and technically viable procedures for them to be able to respond to ABA notices by the 1st January 2000. It appears likely that the remaining time available at this stage will not be enough for compliance to be achievable.

Given that the range of public and private entities who are categorised as ICHs and ISPs under the legislation appears to comprise a large proportion of all Internet users in Australia, including but not limited to most e-commerce initiatives, this will be a major planning, logistical and procurement problem, and will probably have a significant impact on the fastest-growing component of the Australian economy.

It is the government's expressed intention to bring about industry self-regulation through voluntary Codes of Practice. When the industry was estimated to comprise around 650 ISPs, this was a perfectly achievable goal. However, in the case of 20,000 entities now classified as ISPs, some problems arise:

How will the government inform these businesses and individuals that they will be affected by an industry Code? If they do not register they are still bound by the Code yet they may have no idea that this is the case.
How will it enforce sign-up to the Code? To most organisations the Internet is a tool, not their primary business, so they may feel that they should not have to comply with a Code from what may be a completely different business sector.
In general, how can industry self-regulation operate within an "industry" that is so poorly-defined?

[D] Proposal for Amendment to BSA

In general, these anomalies have arisen because legislators understood the Internet only in terms of existing media such as video or television and did not recognise that its implementation and the control of end-users over its technology is very different from any previous model of telecommunication service.

The BSA has two main areas of application: ICHs and ISPs. While they are both Internet activities, in some respects this is their only similarity - in fact, bundling them together in the same legislation means that the useful aspects of the Act have been overwhelmed by the anomalous ones.

The legislation on ICHs refers to hosting content within Australia, and seeks to bring it under the same controls as TV and video classification. In general, most people would agree that content hosted within this country should be under legislative control like any other content so long as this is consistent with the requirements of our society, although questions remain about whether these are the most appropriate classifications.

The legislation on ISPs, however, is where the BSA is greatly flawed. The technology of Internet connectivity and world-wide packet flow means that trying to classify and restrict particular components of this flood, which is quadrupling in volume every year, is as futile as trying to classify the electrons in a high-tension power line.

Analogies are always imperfect, but what we must never lose sight of is that the transport of Internet traffic is very like the delivery of electricity, expect that it's simply ones and zeros being delivered. Content does not exist except in the hands of content suppliers and end-users: in between there is only the transmission of data packets.

There is no content until these are re-assembled at the end-point of a network, at the display where a human being can observe and make a judgement. That is the stage at which responsibility and care must be exercised - by the end-user. With electrical technology we appreciate that that there are dangers involved, but we teach our children responsible usage at the levels at which we can have control: the personal, the family, the school. Users must be trusted, just as they are trusted with the life-and-death power of electricity, to make appropriate choices, and to to educate their children about those choices.

On the other hand, ISPs, whether the 650 businesses first assumed, or the 20,000 potentially affected under the legislation, should not be forced to try to implement something that simply cannot be implemented at their level of operation.

ISOC-AU calls for a revision of the BSA, so that the legislation that applies to ISPs is removed or substantially altered, so that it takes into account the reality and limitations of the multitude of Internet technologies, the enormous power of choice and control they confer on end-users, and the personal responsibilities of individuals to use the Internet wisely.

Who is an Internet Content Host or an Internet Service Provider (and How is the ABA Going to Notify Them)?