ISP issues
This guide is based on UK law. It was last updated in
October 2008.
Overview
ISPs play a central role in the development of e-commerce and
use of the internet. Presently, the majority of people use an ISP
to access the internet. The 2005 case of Bunt and Tilley settled
the dispute over who is liable for unlawful third party content
that passes through an ISP's network. It is now accepted that ISPs
have a qualified immunity provided they do not perform an editorial
function. Despite this victory, the landscape of e-commerce is
continuing to change. It is likely that advances in technology and
new user profiling software will expose ISPs to new risks and
increase their regulatory burden.
This guide is intended to provide an overview of some of the
issues which face ISP s, V ISP s (Virtual ISP s) and web hosts in
respect of their day to day business. For ease of reference this
guide will only refer to ' ISP s', although the same issues will
apply to all three. The guide will look at issues relating to
connectivity, an ISP's relationship with its customers, third party
content, spam, data protection and areas of increasing regulation.
Where there are other related guides, you will find links to them
within the text.
Connectivity
The main business of an ISP is to provide its customers with a
connection to the internet. So far as the customer is concerned, he
or she wants to be able to dial into the ISP and get connected
without getting an engaged tone. They also want a fast service and
will not necessarily recognise that the speed with which they can
download information will be governed by their own connection and
equipment.
No one can control all of the interconnections between the
various networks, and any network failure may be outside the
control of the ISP. An ISP needs to make sure that in its terms and
conditions it makes it clear that it does not give any guarantee
that the service it provides will be uninterrupted or error-free.
Where the services are being provided to consumers free of charge
or for only a relatively small fee, then such a clause will
probably suffice.
When an ISP is hosting a commercial web site and is being paid
to do so, its customers will often expect a more comprehensive
guarantee in some form of service level agreement. Typically this
will be expressed as being the percentage of time which the server
on which the web site is hosted will be available for access via
the internet.
When considering a service level agreement, it is particularly
important to bear in mind two things. First, that allowance should
be made for any planned downtime for maintenance of the server
which should be excluded from the calculation of the time during
which the server is unavailable. Second, it is not possible for
anyone to guarantee a 100% connection success rate. However,
depending on the period over which the availability is to be
calculated, the percentage will most likely be in the range of
98%-99.9%. It is also necessary to consider what "teeth" (if any)
the service level agreement is to have. An effective service level
agreement will usually contain a provision for a rebate of part of
the fees paid to the ISP and the right to terminate the agreement
if the service levels are not achieved.
Another big issue for ISP s is that of bandwidth. At the moment
bandwidth is very expensive. It is important that in its terms and
conditions an ISP limits the amount of bandwidth that its customers
can use at any one time. Where an ISP is providing a free service,
it will want to be able to restrict the availability of bandwidth
for any particular customer. Where a customer is paying an ISP to
host its web site, it is essential that the ISP clearly sets out in
its agreement how much bandwidth will be available for that
customer and reserves the right to charge for any additional
bandwidth which is used over and above that provided for in the
agreement.
Dealing with customers
Most ISP s will have two distinct categories of customers,
namely consumer and business customers. In many respects, the
issues which arise in relation to each category are the same,
although it should be borne in mind that consumers have additional
layers of protection under English law, Scots law and European
legislation. See our guide on Dealing
with Consumers.
The basis of the relationship for doing business with a customer
is contractual. It is important that the customer is made aware of
the provisions of the relevant terms and conditions before the ISP
begins providing its services. If no terms are agreed with a
customer, then it may be possible to imply certain terms into the
agreement. However, it is much better for all concerned for there
to be certainty as to the terms upon which the services are to be
provided.
A typical ISP will need to ensure that it has clear terms and
conditions for one or more of the following services:
- Dial-up accounts for consumers (this will often be a free
service including the provision of e-mail services and free web
hosting);
- Dial-up accounts for businesses;
- Leased line services for businesses; and/or
- Web hosting services for businesses.
An ISP's terms and conditions need to be clear, need to deal
with all the necessary issues and be properly incorporated into any
agreement that it enters into with its customers. For further
information with regard to incorporation of contractual terms see
our guide, Online Contract
Formation.
In addition to provisions dealing with bandwidth and
availability, you will also need to ensure that you have clear
terms limiting your liability and also incorporating an authorised
use policy. The purpose of the authorised use policy is to ensure
that, so far as possible, all of the obligations to ensure that a
site is lawful and complies with all necessary regulations are
placed on the owner of the site. The authorised use policy will set
out the basis upon which an ISP is willing to provide a service and
will be used to protect the ISP against liability for third party
material and for any loss of data. The authorised use policy will
impose certain obligations on users, for example, to ensure that
they have obtained all necessary third party consents and licences
for the material which they include on their web site (see our
guide on Branding and Intellectual
Property) and to ensure that all the material on their site is
lawful. With regard to the difficulties which an ISP may face with
regard to unlawful material, see our guides on Defamation.
An ISP may wish to include terms relating to the e-mail accounts
and, in particular, what those accounts can be used for and whether
the ISP may remove emails stored on a server from time to time in
order to free up space on that server.
As the world of the internet is moving so quickly, it is
sensible for an ISP to include a provision in its terms and
conditions allowing the ISP to amend its terms and conditions from
time to time. However, a mechanism will need to be included so that
any such amendments are clearly bought to the attention of the
customer and are properly incorporated into the agreement with the
ISP before taking effect.
Liability for third party content
ISPs need to ensure that they do not incur liability for
any of the material which they host on their servers. There have
been a number of cases over the years both in the UK and in the US
where third parties have sought to make an ISP liable for material
which has been hosted on its server. The case of Bunt and Tilley
confirmed that, broadly speaking, an ISP will not be liable if it
does not perform any editorial function. If an ISP monitors and
removes unlawful material from its sites on its own initiative,
then it will run the risk of being seen as a publisher of any
material which remains on its servers.
For further information with regard to unlawful material,
see our Guide on
ISPs' Liability for
Third Party Content and also our guide on Defamation.
Spam
Spam is unsolicited commercial e-mail and has become an
increasing problem over the years. ISPs claim that it accounts for
between 50 and 80 percent of all internet traffic. E-crime using
spam has also developed significantly. Attacks have become more
sophisticated. The traditional phishing attacks and invitations to
visit fake shopping sights which tempt you to enter your bank
details have given way to more refined assaults using trojans to
install key logger programs or malware on to your computer.
In the UK, our first spamming legislation was introduced in
December 2003. The UK Privacy and Electronic Communications
Regulations 2003 (PECR) prohibits spam being sent to individual
subscribers without the prior consent of the recipient unless an
exception applies. Regulation 22 (2) provides that "a person shall
neither transmit, nor instigate the transmission of, unsolicited
communications for the purposes of direct marketing by means of
electronic mail unless the recipient of the electronic mail has
previously notified the sender that he consents for the time being
to such communications being sent by, or at the instigation of, the
sender. The exceptions under Regulation 22(2) dispense with the
need for prior consent where:-
- the spammer has obtained the contact details of the recipient
in the course of the sale or negotiation for the sale of a product
to that recipient;
- the direct marketing is in respect of that person's similar
products and services only; and
- the recipient has been given a simple means of refusing the use
of his contact details for the purposes of such direct marketing
when he was initially contacted, and for each subsequent
communication.
In practice, this means that a customer does not have to
complete a purchase to be lawfully contacted. It is sufficient that
he has actively expressed an interest in a product or service and
has not opted out of marketing when communications have been
received. The safeguards are that the contact details are collected
fairly and the individuals are clearly informed of the option to
opt-out.
If a recipient suffers any damage as a result of contravention
of the Regulations, they may bring an action for damages to recover
loss under Regulation 30 of the PECR. In practice this provision
favours ISPs as it is likely to be easier for ISPs to show that
they have suffered loss as the result of spam. Where the
Regulations have been contravened, the Information Commissioner's
Office (ICO) under the Data Protection Act 1998 (DPA), may issue a
fine. The limit for fines is currently set at £5,000 however this
is likely to increase as part of the data handling review being
undertaken at Westminster.
Increasing regulation
Governments are increasingly looking to ISPs in their efforts to
eliminate harmful and unlawful content on the internet and so it is
likely that we will see more regulation in the following areas in
the near future:
Unlawful websites
The Ministry of Justice has made it clear that they will
continue to look at ways to keep people safe online. In
September 2008 they announced plans to amend the 1961 Suicide Act
which makes it illegal to promote suicide, to make it clear that it
also applies to websites. It will be the responsibility of ISPs to
remove these sites.
Child pornography
The Internet Watch Foundation (IWF), the online watchdog set up
to combat child pornography, is responsible for maintaining a list
of websites displaying these kinds of images. BT introduced a
filtering system in June of this year which prevents access to
sites containing child pornography. The BT system identifies and
blocks access to sites identified by the IWF. Other ISPs are likely
to monitor the success of this initiative to see whether or not
they will employ a similar approach.
Peer 2 peer sharing
This issue has received a attention over recent years. The
Government has reached agreement on the creation of a code of
conduct with some of the major players in the music and film
industry. It has admitted in its consultation however that it is
unlikely that a voluntary agreement will be adopted industry wide.
As a result they have proposed legislation which would enforce the
adoption of this code across the ISP sector or force ISPs to
introduce sufficient anti-piracy policies.
New technology
The advent of new software such as Phorm 's Webwise and OIX
products is pushing the boundaries of online marketing. The user
profiling program will pick up addresses and certain content of
websites visited by the user by attaching to the ISP network and
allow advertising to be matched to them for targeted marketing. The
technology behind Phorm means that there is no need to keep a
record of actual sites visited and there will be no way of knowing
the identity of the user. Although trials have not yet been carried
out (BT controversially carried out a trial in September/October
2006 but without users' knowledge) the ICO has stated that it
believes it is possible for this software to be operated in such a
way that it will not contravene the DPA. They have assured that
their decision will be heavily influenced by the experience of
users and so they will not take a view until the product has been
trialed. In addition to the DPA, Phorm must also comply with the
law contained in the Regulation of Investigatory Powers Act (RIPA)
and the Privacy and the PECR. For a more in depth consideration of
Phorm, you should see our editorial The Law of Phorm.
Data Protection
Data Protection legislation is a particularly important issue
for an ISP. As an ISP will inevitably be dealing with personal
data, it is essential that it has properly notified the ICO under
the DPA, and that it trains its staff to ensure that personal
information is kept confidential at all times. For further
information, you should refer to our Data
Protection guide.
Contacts
