Online harms and the role of intermediaries as enforcers

[Image: Routers with blue cables] [1]

In my last blog post, I commented on the UK government's current proposals to impose obligations on a hugely broad range of online actors, thanks to the proposals' extra-territorial scope.

This blog post looks at one of the proposed backstop enforcement mechanisms, to deal with sites and services which do not meet the obligations imposed on them under the online harms framework, with a particular focus on ISP blocking orders.

Summary of concerns with the current online harms proposals

In short, the current online harms proposals lack detail. This means that we cannot have detailed discussions about the necessity and proportionality of what is planned. These need fleshing out urgently. An alternative, even less satisfactory, reading is that the proposals do indeed have all the planned detail, and that the proposal is to have blocking obligations without the restrictions and safeguards which exist in blocking obligations available elsewhere under English law.

In particular, as the proposals currently stand, there is:

  • a very broad scope of actors on whom "business disruption" obligations could be imposed, going beyond the frameworks which exist today
  • lack of clarity around the tests which Ofcom or a court must meet before imposing a blocking order
  • no indication of the number of sites or services which the government expects ISPs will need to block, and this could be significantly higher than ISPs are required to block today
  • no indication that it is to be limited to ISPs with large numbers of customers (as is the case with copyright blocking orders today, and would have been the case under the Digital Economy Act 2017), or only to residential connections (which was the approach to be taken under Part 3 Digital Economy Act 2017)
  • no indication that it is to be limited to ISPs which already have blocking kit in place (unlike the approach taken in respect of copyright blocking orders)
  • no mention of cost recovery, for ISPs whose networks are used by the government as enforcement tools (again, unlike the approach taken in respect of copyright blocking orders)

The Online Harms proposals and intermediary obligations

The white paper

The government's online harms white paper set out two proposals for intermediary enforcement measures:

  • disruption of business activities
  • ISP blocking

For disruption of business activities, the white paper posited:

In the event of extremely serious breaches, such as a company failing to take action to stop terrorist use of their services, it may be appropriate to force third party companies to withdraw any service they provide that directly or indirectly facilitates access to the services of the first company, such as search results, app stores, or links on social media posts.

For ISP blocking:

Internet Service Provider (ISP) blocking of non-compliant websites or apps – essentially blocking companies’ platforms from being accessible in the UK – could be an enforcement option of last resort. This option would only be considered where a company has committed serious, repeated and egregious violations of the outcome requirements for illegal harms, failing to maintain basic standards after repeated warnings and notices of improvement. Deploying such an option would be a decision for the independent regulator alone.

It went on to say that:

We are exploring a range of options in this space, from a requirement on ISPs to block websites or apps following notification by the regulator, through to the regulator issuing a list of companies that have committed serious, repeated and egregious violations, which ISPs could choose to block on a voluntary basis

The government's response

A judicial framework?

The government's response gave a little more information on blocking, saying that:

As a last resort in cases of repeated or particularly egregious non-compliance, Ofcom will be able to take measures to disrupt a company’s business activities in the UK, including blocking access in the most serious circumstances.

Although this suggests that the power would be granted to a regulator, it seems that Ofcom would be granted only the power to seek a blocking order, not to issue one:

The regulator will be required to obtain a court order for Level Two sanctions ahead of requesting a provider to block access to the non-compliant company’s service in the UK, to safeguard freedom of expression online

This would be an improvement on the position under the Digital Economy Act 2017, where the BBFC could issue administrative blocking orders without needing a court order.

Left unstated is the exact role a court would have, or the standard of scrutiny which it would apply. For example:

  • Would a court need to be satisfied beyond reasonable doubt that the service in question has breached its obligations under the online harms rules? Or just satisfied on balance of probabilities?
  • Does a court need to find that a service has breached its obligations, or just that the service is likely to have done so (akin to regulation 3 of The Drug Dealing Telecommunications Restriction Orders Regulations 2017)?
  • Does the court need to be satisfied that the order being sought is necessary (in the sense that no lesser measure would suffice), effective, and proportionate?

It is also unclear what constitutes "particularly egregious non-compliance". The devil will be in the detail, especially if it comes down to some kind of measurement of harm resulting from the non-compliance.

An expansion of blocking order recipients?

The full response appears to merge the white paper's two categories of enforcement activity, since it says that:

The regulator will have the power to take measures that block a non-compliant company’s services from being accessible in the UK, by requiring the withdrawal of services by key internet infrastructure providers (e.g. browsers, web-hosting companies, app stores, online security providers or Internet Service Providers)

If a broader range of actors is to be within scope of "blocking" obligations, this requires even more detailed consideration.

For example:

  • what obligations could be imposed on "browsers" (or, perhaps, their developers)?
    • a requirement not to support DNS-over-HTTPS/TLS, if DNS-based blocking is to be the main vehicle for ISP blocking? A limitation on which DoH providers can be included in a user-friendly pick list / by default?
  • how will obligations on software developers work in respect of open source software? Upon whom would the obligations be imposed? The package maintainers? The repository operators?
  • will browser developers be forced to issue updates to their software and, if so, will these be "mandatory" updates or will it be left to each user?

Extra-territorial blocking

Building on the theme of broad extra-territorial jurisdiction, the full response says that:

enforcement powers have been designed to be able to be used against companies with and without a physical or legal presence in the UK

It will be interesting to see how that works out, and whether companies outside the UK are unduly concerned by an order of a court in the UK. In the Young Turks Recording stream-ripping case, Miles J held that:

"Seeking to pursue [a website operator in Russia] (or enforce judgments of the High Court) would be very difficult."

Do we need to get somewhat meta, and ensure that the regulator has the power to impose blocking obligations on intermediaries who do not comply with their own blocking obligations?

In other words, if an overseas browser developer declines to abide by whatever obligation is imposed on it by a court in the UK, will ISPs in the UK be ordered to block traffic to that browser developer's own website (to attempt to suppress installation of that browser), or will app stores be ordered to remove that non-compliant browser?

What is left unstated

Expected volumes of blocking

The government's initial response said that:

industry requested ... clarification on the anticipated volume of websites that would be in scope

There was no clarification in the government's full response.

The anticipated volume is likely to be significantly higher than the number of sites within scope of blocking obligations today, since the framework is proposed to apply to sites which host user-generated content, and those which facilitate public or private online interaction, wherever they are in the world.

These two functionalities are so common that many, many sites and services around the world would meet these threshold conditions and thus — presumably — would be at risk of being blocked if they do not comply. Exemptions and limitations could limit this number, but the detail on this still needs to be worked out.

By way of contrast, the number of sites which meet the threshold conditions under existing English law covering blocking orders — for example, that they infringe trade mark or copyright, or host pornography on a commercial basis — and thus could potentially be susceptible to blocking, is likely to be much smaller. Most sites are not commercial porn sites, and most sites do not have as their main purpose the distribution of infringing content.

Aside from the issue of ISP planning (because ISPs may need to invest in additional kit, if blocking volumes increase significantly), this will lead to questions about minimising the risk of over-blocking. The larger the blocklist, the more time and resource someone — presumably Ofcom — will need to spend in ensuring that the URLs or IP addresses remain allocated to non-compliant sites, and are not re-used by other operators who end up being blocked incorrectly.

Perhaps, a bit like the approach taken by the IWF for dissemination of its list of URLs which it considers contain illegal child abuse material, Ofcom will issue a blocklist to ISPs a couple of times a day, every day, to lessen the burden on ISPs trying to keep track of what is blocked and what is not?

Which ISPs and services would be in scope

The full response gives no indication that the blocking obligations are to be limited to intermediaries with large numbers of customers.

By way of contrast, s97A copyright / trade mark injunctions have been imposed on only the largest fixed line ISPs, and the plan under Part 3 Digital Economy Act 2017 was to limit blocking orders to ISPs with more than 100,000 residential broadband subscribers.

As smaller intermediaries are likely to shoulder a disproportionately heavy burden if obligations are imposed on them, a threshold-based approach would likely be welcome.

Similarly, there is no comment on whether blocking obligations would be imposed solely in respect of residential connections, or if ISPs would be required to maintain them in respect of business connections too.

Again, the proposed approach under the Digital Economy Act 2017 was to limit obligations to residential connections unless there was a "specific need" to extend them to business connections (and it was never clear to me what that "specific need" might be).

What about private networks, such as JANET? Are they in scope?

Whether obligations can be imposed on ISPs which do not have blocking systems

Not all ISPs have systems in place for blocking access to sites and services and, currently, there is no legal requirement for them to do so.

To date, to the best of my knowledge, there has been no attempt to seek a blocking obligation against an ISP which did not already have the capability of meeting it by virtue of kit already in their networks.

The government's response is silent on this and, if the proposal is to compel all ISPs to block, including those without the means to do so, that would be a substantial shift from the current approach in this area.

And, as I set out below, the cost of buying, installing, operating, updating, and supporting this kit can be significant.

Cost recovery, for ISPs whose networks are used by the government as enforcement tools

The proposal is silent as to costs.

In the context of the blocking of between 1 and 50 sites per year under the Digital Economy Act 2017, the government's impact assessment estimated that costs "were in the range of £100 - £500k for a system update", on an ongoing basis. (This was in the context of DNS-based blocking, which the government considered was the "cheapest option".)

Presumably, the greater the system capabilities needed, the higher the cost, but it is not clear that this has been considered. And if DNS-based blocking is not sufficient, the costs could be even higher.

If ISPs are to be used as the government's enforcement tools, I would have thought that the government should be footing the bill for the costs they incur in doing so, and so would want to get a grip on costs pretty quickly.

Notably, those costs related only to the incremental cost of adding a small number of sites to the blocklist. For ISPs which do not have blocking infrastructure in place, the costs could be much, much higher — see below.

Obligations to interfere with Internet access today

Imposing obligations on ISPs and other intermediaries is not new, and there is plenty of literature on the use of "choke points" to deliver on policy objectives.

I thought it might be helpful, in the context of examining what the online harms proposals might deliver, to lay out a high-level summary of the key framework in the UK dealing with blocking and service disruption by intermediaries (the copyright framework), and to examine what would have been the situation under the now-abandoned porn site blocking rules. (I have omitted voluntary approaches.)

Copyright and trade mark-based blocking orders

Perhaps the most prevalent form of mandatory site blocking in the UK comes through orders under s97A Copyright, Designs and Patents Act 1988. This provides for "Injunctions against service providers".

What is the power?

s97A empowers the High Court to:

grant an injunction against a service provider, where that service provider has actual knowledge of another person using their service to infringe copyright.

This power has been used extensively in the UK to impose website (e.g. selling counterfeit goods or hosting stream-ripping services) and live-stream (such as football matches and boxing matches) blocking orders.

Although s97A deals solely with copyright infringement, the threshold conditions in s97A have been used as the basis for an injunction against ISPs in respect of trade mark infringing sites, underpinned by s37(1) Senior Courts Act 1981.

Who can impose the obligations?

The High Court.

Who is in scope of the obligations?

The High Court can impose obligations on a "service provider".

This is defined by reference to regulation 2 of the Electronic Commerce (EC Directive) Regulations 2002, as:

any person providing an information society service

So pretty broad, but not as broad as the current online harms proposals.

In practice, blocking injunctions have been imposed to date only on the largest fixed line providers, which already had the capability to give effect to them.

What is the scale of the measures?

Although reports of the judgments imposing blocking orders are public, the precise detail of what is being blocked under them is not.

For example, in the context of a recent judgment imposing blocking orders in respect of boxing matches, Birss J said:

On the first point, Counsel reiterated and explained his clients' case why it is that the court was being asked to keep Schedules 2 and 3 of the order confidential. The reason is simply that all of it is information which would, if publicly available, undermine the purpose of the order itself. That is because it would help those seeking to circumvent the web blocking system to avoid it in various ways. Schedule 2 is a list of target IP addresses. It needs to be confidential because it would otherwise provide a list of addresses to use to try and get access to these infringing streams. Schedule 3 sets out the detection conditions and requirements which an IP address must satisfy in order for that IP address to be notified so that it will be blocked. I had hitherto thought that there might not be any risk caused by explaining the conditions and requirements at least in broad terms, but I am satisfied that even doing that bears a tangible risk of undermining the blocking and assisting the infringers. Accordingly I am satisfied that the public version of this order should not contain any of the content of Schedules 2 and 3.

However, as far as I know, the orders apply only to specific sites / services found to be infringing, and not to things like third party DNS services or VPN services.

Virgin Media has published a list of the sites it has blocked under these injunctions.

How it is done in practice: Hawking, Cleanfeed, Wolf, Hawkeye, Web Blocker 3, and others

Schedule 4 to the Matchroom ruling, and paragraphs 38 to 51 of the Cartier ruling, give an interesting insight into the various tools used by the in-scope ISPs to carry out the blocking:

  • Matchroom says that BT and Plusnet use systems known as "Hawking" and "Cleanfeed".
    • According to Cartier, BT "spent a six figure sum purchasing [Cleanfeed] and has spent the same amount subsequently on renewals and upgrades". BT also used a separate DNS blocking system, "Nominum", which cost BT "a seven figure sum".
  • Matchroom says that EE uses something called "Wolf".
    • Previously — the dates in Cartier are unclear; possibly 2010 or 2014 — it used a system called "Procera", and, before that, "Arbor". Although it appears that Procera is no longer used, Cartier notes that "EE paid BT a seven figure sum to implement the Procera system in 2010".
  • Matchroom says that Sky uses "Hawkeye", which — according to paragraph 40 of Cartier — it spent "a six figure sum" developing, and which it uses "for the sole purpose of implementing section 97A orders".
    • It has (or had) a separate system, "Mohawk", for IWF blocking.
  • Matchroom says that Virgin Media uses the less futuristic-sounding "Web Blocker 3".
    • Somewhat boringly, from 2006 to 2012, it used something called "Web Blocker". It replaced this in 2011 with "Web Blocker 2". I wonder what the next iteration will be called?
  • Matchroom says that TalkTalk doesn't have a fancy-named system at all, and just has to do "blackholing".
    • According to Cartier, TalkTalk has (or had) a Detica-provided system for IWF blocking. The judgment says that "TalkTalk does not have a record of how much it spent on this system originally, but earlier this year it spent a six figure sum on upgrading it. In addition a four figure sum is spent on monthly running costs."
    • It also has, or had, a Huawei-supplied system, which it uses (or used) solely to comply with website blocking orders. Eye-wateringly, Cartier says that "[t]otal capital expenditure on this system since 2010 has been an eight figure sum. In addition, a six figure sum is spent on annual maintenance and running costs." Ouch.

Who bears the cost of the blocking measures?

The Supreme Court held in Cartier that:

Website-blocking injunctions are sought by rights-holders in their own commercial interest. ... It follows that in principle the rights-holders should indemnify the ISPs against their compliance costs ... limited to reasonable compliance costs.

Since the ISPs in the case all had the capability of doing what was ordered, this question related to the additional costs of implementing a specific order.

As there has been no injunction issued against ISPs which do not have blocking systems already, there has been no reason to discuss the cost burden for the seemingly significant capital expenditure necessary to put a blocking system in place. However, based on the principles in Cartier, one would expect (hope?) that the same logic would apply.

Part 3, Digital Economy Act 2017

What was the power?

Under the now-shelved Part 3, Digital Economy Act 2017, the "age verification regulator" — the BBFC — would have had the power to issue notices to ISPs, which would:

require the internet service provider to take steps specified in the notice, or (if no such steps are specified) to put in place arrangements that appear to the provider to be appropriate, so as to prevent persons in the United Kingdom from being able to access the offending material using the service it provides.

The legislation did not specify what an ISP would have to do, but the UK government said that:

the presumption that DNS blocking of an ISP’s DNS will meet the requirements of section 23(2)(c).

The government's guidance goes on to say that:

ISPs will not be expected to block third-party DNSs

A clarification that this remains the intention under the online harms proposals would be welcome.

Who could impose the obligations?

The age verification regulator, acting alone.

The age verification regulator did not need to secure an order from a court to impose a notice, so the framework established a non-judicial administrative blocking order.

Who was in scope of the obligations?

The age verification regulator could impose obligations only on "internet service providers".

This is a relatively narrow definition:

a provider of an internet access service within the meaning given in Article 2 of Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015

In practice, the intention was that obligations would be imposed only on larger ISPs, being those with 100,000 or more residential broadband subscribers.

Additionally, the government said:

it is not anticipated that ISPs will be expected to block services to business customers, unless a specific need is identified.

What was the scale of the measures?

The government's expectation (page 13) was that:

the number of sites to be blocked would be in the range from 1 to up to 50 per year

Who was to bear the costs?

This was not resolved before the legislation died in a ditch.

The government's impact assessment said that "some ISPs ... indicated that ... they may be able to absorb on-going operational costs".

Other notes

As if the lack of judicial oversight was not bad enough, the framework expressly permitted overblocking:

The steps that may be specified or arrangements that may be put in place ... include steps or arrangements that will or may also have the effect of preventing persons in the United Kingdom from being able to access material other than the offending material using the service provided by the internet service provider.

It is hard to see how this can be reconciled with the right to freedom of expression.

  1. This image is licensed under the Pexels licence.