You are here: Parliament home page > Parliamentary business > Publications and Records > Committee Publications > All Select Committee Publications > Lords Select Committees > Science and Technology > Science and Technology
Select Committee on Science and Technology Minutes of Evidence

Examination of Witnesses (Questions 999 - 1019)

WEDNESDAY 18 APRIL 2007

MR TIM SUTER, MR BEN WILLIS AND MR JEREMY OLIVIER

  Q999  Chairman: We are sorry to have kept you, but you have been listening to the conversation, no doubt, so you see our interest. Thank you very much for coming along, Mr Suter, and for bringing your colleagues. Perhaps, as with the previous witnesses, you would introduce yourself, please, and have your colleagues introduce themselves.

  Mr Suter: Thank you very much, my Lord Chairman. My name is Tim Suter. I am the Ofcom partner responsible for content regulation and in that capacity I am also responsible for our programme of work in relation to media literacy, which is a subject I suspect we will want to cover a bit. On my right is Ben Willis, who I will ask to introduce himself.

  Mr Willis: I am the head of technology intelligence in Ofcom, so in that role I take an overview across some of the technical issues which are going to confront us in our regulation and in particular I do some of our liaison with the Government on security related matters.

  Mr Suter: And on my left is Jeremy Olivier.

  Mr Olivier: I work, like Tim, in the content division of Ofcom, but specifically focused on the evolution of content regulation, where it is going and how the Regulator may respond to some of the developments we have been talking about today, for example in relation to the Internet.

  Q1000  Chairman: Thank you. Let me open with the first rather general question. Who regulates the Internet and Internet services in the United Kingdom?

  Mr Suter: I think our opening response to that is that the Internet as an issue in itself needs to be separated out from the services which are regulated, and to the extent that services are regulated the Internet is one means of carriage of those services, and where they are services which fall to be regulated they are therefore regulated by the appropriate regulator. For instance, if you take the example of IPTV, the fact that it is carried using Internet protocols does not prevent it being regulated by us in the same way that we regulate other traditionally broadcast methods of TV, whereas other forms of content which are delivered online using the Internet, because they do not share the characteristics of television in the sense of their simultaneity and their availability to the general public (as set out in the Communications Act), are not regulated. They are both carried by the same means but it is the nature of the service to which the regulation attaches itself rather than necessarily to the Internet itself.

  Q1001  Chairman: That is interesting. The supplementary question I would ask is that Ofcom was excused from regulating content on the Internet, but you are saying it is not really, are you not, but it does regulate electronic communication networks? How does Ofcom regulate this area in practice? I guess you have just given us part of the explanation of this.

  Mr Suter: I hope so. Perhaps I could elaborate and in the process perhaps pick up some of what Lord Harris was getting at, I think, in his questions about the future, and certainly Professor Zittrain's response. The key issue which drives content regulation, if you deal primarily with content regulation, is audience expectation. That which gives us the purchase to regulate content is the expectation on the part of the audience that there is a safe environment, an environment where an external body takes a view and operates in a backstop capacity. Those services will have certain characteristics. They will be part of a linear schedule, they will be delivered simultaneously to everybody and the mere fact of choosing whether or not to avail yourself of the service will not prevent that piece of content being delivered at that time, because as a content regulator that is what I need in order to take a view on a given piece of content. A piece of content on its own has virtually no meaning until it is viewed or consumed by somebody in a particular context. Without the context, the content alone means very little to me. A piece of adult content on its own, without knowing who consumed it, when they consumed it, how they consumed it, with what protection preventing them from consuming it means nothing to me. If I know that it was broadcast on a channel which was heavily protected by a couple of PINs available only late at night on a subscription service, that is one thing. If I know that it was broadcast free-to-air at four o'clock in the afternoon, that is different, but it is the same content. So the context is the element which is key and therefore the audience expectation and the context is what gives us our legitimacy to regulate content.

  Q1002  Lord Young of Graffham: So what you are telling us really is that IPTV comes under your controls, the content of IPTV?

  Mr Suter: Where IPTV is essentially transmitting the same broadcast stream which is being transmitted elsewhere using other means, via cable or satellite.

  Q1003  Lord Young of Graffham: If I take one of those programmes and put it on as a video podcast, that is out of your control?

  Mr Suter: That is out of our control.

  Q1004  Lord Young of Graffham: But it is the same programme?

  Mr Suter: It is entirely the same programme, and indeed at the moment you will be able to watch on your screen, the same screen, the same piece of content which will be regulated by a variety of different means. A piece of video on demand -

  Q1005  Lord Young of Graffham: What is the point of trying to regulate IPTV if it is the same programme in some way, looking at the content of IPTV? If exactly the same programme is deregulated or is outside regulation, if it comes down not on a constant stream but by way of a video podcast?

  Mr Suter: If I could start, and then I will ask Jeremy to pick it up. The key issue is the nature of the service to which the regulation is attached. The service has a certain contract, if you like, with the viewer which says, "Within this service we will abide by certain rules. Up to a certain point you need take less responsibility in regard to what your children are going to watch, but after a certain point you need to take more." There is, if you like, a regulated contract which can apply to the nature of the complete service. Within that, we can take individual judgments on pieces of content. A piece of content that is entirely dependent upon my individual choice, when to go and get it, where to consume it, how long to store it for has a different set of issues attached to it, and therefore the kind of broadcast regulations which we attach to linear IPTV services would not be appropriate. Jeremy?

  Mr Olivier: I think you have made the point I was going to make.

  Q1006  Chairman: Could I just test that one? If you are a school teacher, a nasty, bad school teacher, and you have a subscription service which you only have access to at night and you were to record a nasty movie and then play it to your class of ten-year-old children the next morning, is that against the law?

  Mr Suter: I think it would depend upon the nature of the content. It certainly would not be against the Broadcasting Code.

  Q1007  Lord Young of Graffham: Some of these video podcasts, for example, get pushed out on a regular basis at ten o'clock every Thursday morning, a specific time, or something like that, down to a PC and it becomes really indistinguishable from broadcast television, does it not?

  Mr Suter: I think that is why you have to separate out the nature of the service which is delivering it from the nature of the consumption. If you take a piece of content, you can watch it at exactly the same time on exactly the same screen as a regulated piece of content. The same film may appear being broadcast at eight o'clock and you may watch at eight o'clock the same piece of content you got from a podcast. That does not in itself undermine, to my mind, the notion that in one environment you have a regulatory environment which says, "This is a linear schedule. Certain rules will apply," and in the other you have chosen to go and get that specific piece of content which you happen to watch at that time. No editor took responsibility for putting it out at that time. The editor of the podcast did not decide this was an appropriate environment within which to consume it. That consumption decision was yours.

  Q1008  Lord Young of Graffham: This distinction might be in law or in the Act. Do you think it will last?

  Mr Suter: I think it will be reinforced. I think it is there now and I think it will become more important. I think we will see broadcast regulation, if you like, the kind of broadcast regulation which we currently apply to a whole range of channels. I think that will still be there because I think there is audience expectation and I think there is a very considerable degree of consumption of programmes delivered in that way where people want the confidence of that environment, but we will see increasingly content being consumed in other ways.

  Q1009  Lord Young of Graffham: Are we not moving away from broadcast television to an era in which people choose what they want to see when they want to see it?

  Mr Suter: And as that happens the industry will need to develop its own self-regulatory approaches, its own self-regulatory mechanisms for providing that reassurance.

  Q1010  Lord Young of Graffham: But as we go from one which is controlled, we go to the other which is not controlled?

  Mr Suter: It is self-controlled.

  Lord Young of Graffham: Yes, that is right.

  Chairman: We will come back to that in a minute. Lord Mitchell, let us have your question. We are going to come back to some of these topics.

  Q1011  Lord Mitchell: What risks to personal Internet security can arise within the networks themselves?

  Mr Willis: I guess the first point I would make there is that it is slightly difficult to distinguish, to draw a hard line between the network and the people who use the network around the edge. So the network of itself is not capable of doing bad things. What the network can do is have weaknesses in it which create the holes which bad people can come and take advantage of. I guess the way I understand the question is, if we are assuming that the end users have done everything in their power to ensure that their computers are patched, that they have all the right virus protection and that they are not doing anything silly themselves, what risks can they be put to by the actions of the network and the network operator? As I say, I think that is merely opening the way for a third party with criminal intent to come and take advantage of those weaknesses, if you like, to actually exploit security. There is a whole number of ways in which that could happen. Just to give an example of some of the weaknesses that we might see, one is vulnerabilities in the network which have not been patched by the operator. They, for example, might be bugs in the software that run on the pieces of equipment that make up the network which the operator has not done anything about but which somebody comes along and exploits. So they write this code which attaches itself to the network devices and then can interfere with the security by stealing their details, for example. There is a number of reasons why that situation can occur. Firstly, because it is a bug which the hackers became aware of, either in advance or at the same time as the vendors of the equipment, and at the moment the vendors of the equipment have not yet come up with a solution for that bug so there is nothing the operator could have done about it, i.e. there is no fix for this problem which is being exploited by somebody else. The alternative is that the vendor has created a solution to this bug and the operator simply has not installed it yet. That case is particularly unlikely. It is a matter of course for operators generally to be in very close communication with their vendors, much more so than the average computer user, to keep their network patched and up to date. There is a couple of other examples. We could find, for example, that communication which the user sends across the network gets intercepted at some point on the network. Again, there could be a couple of reasons for that. It could be because the security on the network, either the physical security or the electronic security, has been breached by somebody, so somebody has broken into an office of the operator and attached their computer to the network and sees the traffic going across and can intercept credit card details, or it could be because that network was not secure in the first place, it did not try and stop people from stealing stuff. The other kind of source of these things, which is probably far more likely in practice, is basic human error or problems with the processes and procedures operated by a network operator. So it could simply be that somebody loses a laptop which has customer details on, or that the processes within the network operator lead to them inadvertently exposing lots of personal information to other people. I guess the final example I was going to give is the criminal activity by an employee of a network operator, where somebody working within the network actually steals personal information. So there is a number of ways in which even if the end point has been properly secured—and as we said earlier, that is far from a given—the network itself could still present risks.

  Q1012  Lord Mitchell: Have you been made aware of any risks to personal Internet security arising from within the networks themselves?

  Mr Willis: It is an area which we do track and take notice of. I guess in general it is not something which falls directly under our control.

  Q1013  Lord Mitchell: But have there been specifics?

  Mr Willis: There are specific examples.

  Q1014  Lord Mitchell: What sort of actions do you take?

  Mr Willis: I am not aware of any examples which have fallen to us to take any action on. A fairly recent example, for instance, is that there was an attack on the Internet infrastructure, quite widespread, a global issue, which came through a security weakness in a piece of software which was run on some of the main Internet routers and this was taken advantage of and they were attacked. The operator community was aware of this as it was happening and worked to fix the problem as soon as possible. It was not something where any regulator intervened to fix it, it was fixed by the industry before it became a compromising problem.

  Lord Mitchell: Thank you.

  Chairman: Lord Young, we talked about this topic, but I think it is worth asking your supplementary question.

  Q1015  Lord Young of Graffham: Yes, because I would like to actually test it, if I could. You argue in your memorandum that the distinction in the Communications Act between "content services" and "electronic communication networks" is "quite clearly defined". Do you think this distinction is going to survive in the long term?

  Mr Suter: I am going to ask Jeremy to lead off on that.

  Mr Olivier: I think, in the light of the discussion we have had to date, I will answer the question slightly different than I had originally anticipated doing so. In the Act there are two distinct things defined, as we said in our evidence. One is an electronic communications network, which is a means of delivery of an enormously broad range of services, and another is a content service, and the definition of content service focuses very explicitly on the provisions, on agency and the provision of content of one kind or another by a service provider, by a content service provider, to a consumer or a set of consumers. The reason why that is important in the Act is because, as Tim was explaining, there are some types of content services described in the Act as "television licensed content services", which has certain characteristics. They are made simultaneously available to very large numbers of users, they are potentially impractical, potentially harmful in some instances, particularly to minors (that is a key area of concern), and which therefore we have a special regulatory architecture to oversee. If your question is—and I think perhaps it is—"Do you think there is a future for the regulation of some types of content service in order specifically" (as we do currently) "to protect vulnerable individuals against exposure to harmful and offensive content," I think the answer is that absolutely there will continue to be such a role. It is very unclear, to me at least, that there is much appetite among audiences for a move away from the provision of some degree of security of the kind you have described. Indeed, in the questions you were asking Professor Zittrain there seemed to be in some sense that you were exploring options for creating such a regulated domain in relation to other security issues by taking responsibility away from where it sits presently with consumers—they are responsible for putting the firewalls, and so on in place—onto ISPs. My analogy would be that we currently have a content regulatory architecture. We believe the audiences value it and that therefore there is strong evidence to suggest that there will continue to be a role for such an architecture.

  Q1016  Lord Young of Graffham: Let me just test it. The technology is moving so that PCs and televisions are merging into media centres, and indeed your PC and your television will be connected by wireless. So we have programmes which at the moment have to go out after the watershed, after nine o'clock in the evening, which the following day can be accessed at any time of the day as a podcast. So one gets regulated. What is the point of having a watershed at nine o'clock if the same programme can be accessed at any time?

  Mr Suter: That has been the case, I think, since the invention of the video recorder. Time shifting material has always been the case. So the fundamental principle is not, do we prevent material being accessed by people? The answer is no, and anyway we are an after the event regulator. The fundamental issue of content regulation is to provide tools and information to consumers which say, "If this material is broadcast at a certain time or on a certain channel, or with a certain degree of additional warning or preparation, then you should take note of that." We do not assume that the nation's children are in bed by nine o'clock. We know that they are not. The notion of the watershed is not because we believe children are in bed, it is because we know that consumers need a signal which says the level of responsibility shifts at a certain point in the linear schedule, and actually the point is different according to different kinds of channels. So it is not that there is an absolute prohibition or the intention to prevent that material ever being seen. We would rather that it was not. What there is is an intention to give people the tools they need to manage their own consumption. In a regulated linear environment it is relatively straightforward to do. In a non-linear environment it is much more difficult to do in the old way, so you need content information, you need consumers to know, "What is it that I'm getting? With what degree of caution should I approach it? With what degree of care should I manage who's watching it?"

  Q1017  Lord Young of Graffham: So you could see Ofcom changing the regulation in order, perhaps, to put up a warning signal for these post-watershed periods being broadcast at any time? If the whole idea of regulation is to help to guard young children from seeing unsuitable material, then what happens with time shifting where, whichever technology it is, it is available at any time? The big difference with time shifting with a VCR of some sort is that it is a positive act to do it, but with the other one people can roam around the Internet and come across them in different ways, I think that is the real thing, or subscribe to them?

  Mr Olivier: I think there are a number of points to make in response to that. Perhaps the first and most simple is that, as we have been discussing, Ofcom does not, I think, anticipate that we would be able to impose global standards either for labelling or for any other form of content regulation to the global medium, that is the Internet, but that does not at all mean that it would not be desirable (as in fact we are already doing) to seek to work with those service providers who are legitimately available to us as partners in delivering content regulatory outcomes and that they should work to provide audiences with appropriate tools to enable them to manage their and their children's access to content. So not necessarily regulating in the way that we do with broadcasters but certainly working with service providers, as we do currently, to help them make these kinds of tools available to audiences and thereby to delivery the goal that we share, I think, which is the protection of vulnerable individuals in this particular instance.

  Q1018  Earl of Erroll: You state in your written memorandum that "Although security products are valuable tools for consumers they are not a part of the regulated Internet access service". Can you explain this distinction in more detail?

  Mr Suter: I shall ask Ben first to explain that.

  Mr Willis: I guess the first point is that in the sense that those security tools generally are pieces of software which would run on a consumer's PC they are not part of the service which is offered by the operator per se, they are something in the customer's domain and therefore outside of what we would think of as the regulated Internet access service itself.

  Q1019  Earl of Erroll: They could be actually part of the service, and I think that is the point, because the business of ISPs is to provide the customers with access to the Internet and some of it is the information it holds. There is also the other side, which is email, and there is no technical bar to them making those services safer. For instance, in the Lords we use MessageLabs to filter our incoming email before it hits our mailboxes in the Lords, so it would be quite easy for ISPs to do this sort of thing. Why are they, unlike companies in all sorts of other walks of life, not required to provide their services with due regard to the security and safety of the users?

  Mr Willis: I think the answer to that is that there is a number of aspects of the service which we do regulate and then a whole bunch of other things which the ISP can choose to add or not, which we do not regulate. The parts which we do regulate are set out in what are called the General Conditions of Entitlement, so they are the instruments of regulation for services and networks. They cover things like customer contracts and how a customer would be billed, how disputes would be resolved between customers and operators and how customers would be migrating between providers. Those features are the things which come under our regulatory remit to control. Other things which an ISP may choose to add to the service, for example, "We will filter your email for you," or, "We will offer you a whole bunch of other services," are outside the things which we regulate under that framework.

 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index
© Parliamentary copyright 2007