Tuesday, 20 January 2015

Is over blocking legal?

One of the concerns with ISP filtering (e.g. porn, etc) is the risk of over blocking. One question is whether that is legal. For example, if an ISP's porn filtering setting blocked access to this blog, could I do anything about it, legally?

The best candidate I can see for this appears to be the the Computer Misuse Act 1990 (as modified to include DoS attacks).

Section 3 appears to be the relevant part. The first part (1) says that someone is guilty of an offence if they do any unauthorised act in relation to a computer, knowing it is unauthorised, and part (2) or (3) apply. (2)(b) is to prevent or hinder access to any program or data held in any computer. Part (3) covers being reckless as to such things.

It seems to me that a block on a web site is clearly within (2)(b) as the whole objective is to prevent or hinder access to data on a web site (i.e. held in a computer). So that is pretty clear.

The issue seems to me to hinge on whether the action was unauthorised or not. Clearly, the person setting up the filters had authorisation to do so on the "computers" that run the filters. But the action was in relation to a different computer - it is in relation to the web site in question as that is the computer to which access has been hindered.

Thankfully section 17 comes to the rescue, and says An act done in relation to a computer is unauthorised if the person doing the act (or causing it to be done) is not himself a person who has responsibility for the computer and is entitled to determine whether the act may be done; and does not have consent to the act from any such person.

Now, this means that the person doing the filtering to stop access to a web site would have to have responsibility for that web site. Clearly, someone in an ISP somewhere setting filters up does not have responsibility for the computers hosting the web sites to which those filters relate.

Someone with proper legal training - tell me where my loop hole is in reading this?

Otherwise it seems that not only is over blocking illegal (reckless) but the blocking in the first place, and even pirate bay blocks, are criminal under section 3 of the Computer Misuse Act 1990.

Thinking about it - this legislation is trying to catch a DoS attack, where someone does something to hinder access to, say, a web site, by flooding traffic or some such. It is hard to see how a filter on access is not logically just the same as a DoS attack really, and how you would word a law to allow one and not the other. Essentially, in DoS or filtering, the computer to which you are hindering access is not one for which you are responsible - so the same! I suppose a carefully worded exception specifically covering this sort of web filtering at the request of the end user could work - but even so, that would possibly leave over blocking as illegal.

30 comments:

  1. Are you going to update your user agreement, to ensure that AAISP is authorised to undertake maintenance work and the like, if this would lead to an interruption of connectivity and thus affect my ability to reach any website of my choosing?

    On a quick scan of your service terms, I can see that you agree to try to notify me, but it is not clear that you actually have my authorisation to do anything which you know will stop my connectivity, even temporarily. ;)

    ReplyDelete
    Replies
    1. Fun one, maybe we'll have to.

      Delete
    2. Bigger issue is that anything we do, even blocking for credit reasons, is hampering access to other people's web sites without those people's permission. That could get awfully tricky.

      Delete
    3. I guess a block at the end users end is not acting in relation to a computer - i.e. not blocking a specific web site, so maybe that is not an issue. As you say, issue is access to customer's computers, and that could be authorised within the contract terms.

      Delete
    4. I am not sure — by disconnecting me, or otherwise interrupting my connectivity, you are performing an act in relation to a computer (e.g. your LNSs, or your provisioning system), with the intent of to preventing or hindering access to any site a user might pick. Or, put differently, I regularly access computers on my home network remotely, over an AAISP-provided connection: if you were to suspend or even just temporarily interrupt my connection, you intend to stop me access any machines on my home network.

      Delete
    5. Ah, an action relating to our LNS and provisioning system is fine as we authorise ourselves to do that :-) But you may be right for access to your computers on your home network, and as such the terms have indeed been updated as you suggest.

      Delete
    6. I couldn't immediately spot the change but, since it's a unilateral modification to a contract anyway, it clearly can't apply in respect of my current contract with you. I reckon that you are on the hook for anything AAISP does now which causes my line to reboot between now and the beginning of the next billing period at the very least.

      Delete
    7. Unless the contract allowed for such unilateral changes, and even defined consequences that would apply and options to terminate early and so - oh, wait, it does.

      Delete
    8. FYI services terms under suspension and termination...

      Delete
    9. You also have the very realistic possibility that a judge would consider the fact that the contract allows for suspension and restriction and maintenance to mean that the authorisation to impact access to your computers was implicit in those terms anyway. I have just made it more explicit now :-) Nice debating it though.

      Delete
    10. Not that your contractual change matters anyway. My wife owns all the kit on our home network, but I am the subscriber with AAISP. I can't sign away my wife's rights, and she is not a party to our contract, so, even though *I* may give authorisation, since it's my wife's computer with which you would be interfering, you're still on the hook!

      Delete
    11. Brilliant. Yes, I can see that being a problem - so I now have to make it that you, as customer, indemnify us against such actions. I'll adjust accordingly.

      Delete
  2. > Unless the contract allowed for such unilateral changes

    The contract might purport to allow for unilateral changes, but whether that is actually a valid, enforceable term in a contract with a consumer, I am less sure.

    (Whether I would suffer any damage if it gives rise to immediate termination right, is perhaps different, although I suspect I could make a reasonable enough argument on that in a small claims court, given that we have a big nasty telco stamping on a poor little unrepresented consumer...)

    ReplyDelete
    Replies
    1. LOL, yes, but you find that most consumer contracts do indeed allow for unilateral changes with consequences such as early termination being allowed. We do spell that out, and so I think we meet the normal consumer contract and unfair contract terms rules quite well. At the end of the day, if you are unhappy with the change, you can terminate, or we can agree to offer the contract without the change applied for the term at our choice. Given that the consent to restrict the service is not just implicit but in the terms anyway before, I suspect "authorisation" under CMA is clear anyway. Again, a fun debate, and one day I must study law properly.

      Delete
    2. Absolutely - very interesting debate, and, were I acting for an ISP, I would of course be making an argument that this kind of blocking is entirely lawful and nothing to do with computer misuse.

      (If you do think about studying law in the sense of doing something formal, I'd recommend either Ian Walden's LLM in computer and communications law at Queen Mary, or Ian Lloyd's LLM in telecoms law through Southampton. I suspect that, unless you want to dig through the basis of trusts under English property law, or consider the legitimacy of co-regulation under EU law, an undergraduate law degree is not the way to go. Although I survived :))

      Delete
    3. Interesting, one day maybe. But as you say, I am sure as an ISP we are fine, but you know I like to be "technically correct" if at all possible, hence the extra para in the terms now. Good suggestion.

      Delete
    4. Indeed, and I am sure you appreciate also that "technically correct as a matter of law" does not necessarily mean "case found in your favour, if it gets heard at all"! One of the interesting distinctions between law in academia and law in practice, where "knowing the law" is just a tiny (albeit, in my view, important) part of the overall picture.

      Delete
    5. That is one reason I have done quite a few county court cases for things like spam and late payment penalties - to understand the practical process. So few get to a real judge, but they are massively informative when they do.

      Delete
    6. Oh, and every contract related case starts with "show me the contract"...

      Delete
    7. There is very little written about the reality of securing damages for breach of the ePrivacy directive in terms of spam, which is one of the reasons I've expressed my keenness on here to hear when people are taking action and, to the extent anyone is happy to share such things, to see what people submit and sit in on court cases. I'd like to write an article about it, even though I am really supposed to be focussing my writing on other things at the moment :)

      Delete
    8. I have a case now - defendant offered to pay £100 but to pay it to NSPCC! He even stated so in defence, which I am hoping addresses the matter of "value" of damages if/when we have a hearing.

      Delete
    9. I saw that — it's on my list of "if it goes to a public hearing, I'd see if I might be allowed to sit in" cases!

      Delete
  3. With the changes of the terms do you keep the old versions and highlight the changes?

    ReplyDelete
    Replies
    1. We have them under svn, but not highlighted. Happy to provide a diff for anyone if asked.

      Delete
  4. With your AAISP hat on, you should ask your MP, "If the government asks us to block a website, are they asking us to commit an illegal act."

    ReplyDelete
    Replies
    1. If ever there was a request, e.g. court order under copyright, I might try this as a challenge. We have the "we don't have any blocking systems, so it'll cost you" anyway for that, but this would one to try as well. Not happened yet.

      Delete
    2. You could also take the angle "We don't have such a system in place so we won't" such as some mobile operators took with ACR in PECR.

      Delete
  5. A different look at it is, as you asked what could you do, if an ISP filter blocked your blog, would be to take the 'defamation' angle. Most ISP filters are for porn/piracy. By blocking you, they'd be implying strongly that you were a pornographer, or a pirate.

    ReplyDelete
    Replies
    1. Indeed, and that is yet another good angle.

      Delete
  6. If an ISP decided to block your site as they classified it as "porn", surely you'd have a case under libel or defamation. It'll be quite interesting as then they may have to provide a definition of porn which covers your site but not their own - and if they say it was blocked by mistake, it still happened and cost you time and money to investigate as well as making people think you were promoting that sort of content....

    ReplyDelete