Examination of Witnesses (Questions 999
WEDNESDAY 18 APRIL 2007
We are sorry to have kept you, but you have been listening to
the conversation, no doubt, so you see our interest. Thank you
very much for coming along, Mr Suter, and for bringing your colleagues.
Perhaps, as with the previous witnesses, you would introduce yourself,
please, and have your colleagues introduce themselves.
Mr Suter: Thank you very much, my Lord Chairman.
My name is Tim Suter. I am the Ofcom partner responsible for content
regulation and in that capacity I am also responsible for our
programme of work in relation to media literacy, which is a subject
I suspect we will want to cover a bit. On my right is Ben Willis,
who I will ask to introduce himself.
Mr Willis: I am the head of technology intelligence
in Ofcom, so in that role I take an overview across some of the
technical issues which are going to confront us in our regulation
and in particular I do some of our liaison with the Government
on security related matters.
Mr Suter: And on my left is Jeremy Olivier.
Mr Olivier: I work, like Tim, in the content
division of Ofcom, but specifically focused on the evolution of
content regulation, where it is going and how the Regulator may
respond to some of the developments we have been talking about
today, for example in relation to the Internet.
Thank you. Let me open with the first rather general question.
Who regulates the Internet and Internet services in the United
Mr Suter: I think our opening response to that
is that the Internet as an issue in itself needs to be separated
out from the services which are regulated, and to the extent that
services are regulated the Internet is one means of carriage of
those services, and where they are services which fall to be regulated
they are therefore regulated by the appropriate regulator. For
instance, if you take the example of IPTV, the fact that it is
carried using Internet protocols does not prevent it being regulated
by us in the same way that we regulate other traditionally broadcast
methods of TV, whereas other forms of content which are delivered
online using the Internet, because they do not share the characteristics
of television in the sense of their simultaneity and their availability
to the general public (as set out in the Communications Act),
are not regulated. They are both carried by the same means but
it is the nature of the service to which the regulation attaches
itself rather than necessarily to the Internet itself.
That is interesting. The supplementary question I would ask is
that Ofcom was excused from regulating content on the Internet,
but you are saying it is not really, are you not, but it does
regulate electronic communication networks? How does Ofcom regulate
this area in practice? I guess you have just given us part of
the explanation of this.
Mr Suter: I hope so. Perhaps I could elaborate
and in the process perhaps pick up some of what Lord Harris was
getting at, I think, in his questions about the future, and certainly
Professor Zittrain's response. The key issue which drives content
regulation, if you deal primarily with content regulation, is
audience expectation. That which gives us the purchase to regulate
content is the expectation on the part of the audience that there
is a safe environment, an environment where an external body takes
a view and operates in a backstop capacity. Those services will
have certain characteristics. They will be part of a linear schedule,
they will be delivered simultaneously to everybody and the mere
fact of choosing whether or not to avail yourself of the service
will not prevent that piece of content being delivered at that
time, because as a content regulator that is what I need in order
to take a view on a given piece of content. A piece of content
on its own has virtually no meaning until it is viewed or consumed
by somebody in a particular context. Without the context, the
content alone means very little to me. A piece of adult content
on its own, without knowing who consumed it, when they consumed
it, how they consumed it, with what protection preventing them
from consuming it means nothing to me. If I know that it was broadcast
on a channel which was heavily protected by a couple of PINs available
only late at night on a subscription service, that is one thing.
If I know that it was broadcast free-to-air at four o'clock in
the afternoon, that is different, but it is the same content.
So the context is the element which is key and therefore the audience
expectation and the context is what gives us our legitimacy to
Q1002 Lord Young of Graffham:
So what you are telling us really is that IPTV comes under your
controls, the content of IPTV?
Mr Suter: Where IPTV is essentially transmitting
the same broadcast stream which is being transmitted elsewhere
using other means, via cable or satellite.
Q1003 Lord Young of Graffham:
If I take one of those programmes and put it on as a video podcast,
that is out of your control?
Mr Suter: That is out of our control.
Q1004 Lord Young of Graffham:
But it is the same programme?
Mr Suter: It is entirely the same programme,
and indeed at the moment you will be able to watch on your screen,
the same screen, the same piece of content which will be regulated
by a variety of different means. A piece of video on demand -
Q1005 Lord Young of Graffham:
What is the point of trying to regulate IPTV if it is the same
programme in some way, looking at the content of IPTV? If exactly
the same programme is deregulated or is outside regulation, if
it comes down not on a constant stream but by way of a video podcast?
Mr Suter: If I could start, and then I will
ask Jeremy to pick it up. The key issue is the nature of the service
to which the regulation is attached. The service has a certain
contract, if you like, with the viewer which says, "Within
this service we will abide by certain rules. Up to a certain point
you need take less responsibility in regard to what your children
are going to watch, but after a certain point you need to take
more." There is, if you like, a regulated contract which
can apply to the nature of the complete service. Within that,
we can take individual judgments on pieces of content. A piece
of content that is entirely dependent upon my individual choice,
when to go and get it, where to consume it, how long to store
it for has a different set of issues attached to it, and therefore
the kind of broadcast regulations which we attach to linear IPTV
services would not be appropriate. Jeremy?
Mr Olivier: I think you have made the point
I was going to make.
Could I just test that one? If you are a school teacher, a nasty,
bad school teacher, and you have a subscription service which
you only have access to at night and you were to record a nasty
movie and then play it to your class of ten-year-old children
the next morning, is that against the law?
Mr Suter: I think it would depend upon the nature
of the content. It certainly would not be against the Broadcasting
Q1007 Lord Young of Graffham:
Some of these video podcasts, for example, get pushed out on a
regular basis at ten o'clock every Thursday morning, a specific
time, or something like that, down to a PC and it becomes really
indistinguishable from broadcast television, does it not?
Mr Suter: I think that is why you have to separate
out the nature of the service which is delivering it from the
nature of the consumption. If you take a piece of content, you
can watch it at exactly the same time on exactly the same screen
as a regulated piece of content. The same film may appear being
broadcast at eight o'clock and you may watch at eight o'clock
the same piece of content you got from a podcast. That does not
in itself undermine, to my mind, the notion that in one environment
you have a regulatory environment which says, "This is a
linear schedule. Certain rules will apply," and in the other
you have chosen to go and get that specific piece of content which
you happen to watch at that time. No editor took responsibility
for putting it out at that time. The editor of the podcast did
not decide this was an appropriate environment within which to
consume it. That consumption decision was yours.
Q1008 Lord Young of Graffham:
This distinction might be in law or in the Act. Do you think it
Mr Suter: I think it will be reinforced. I think
it is there now and I think it will become more important. I think
we will see broadcast regulation, if you like, the kind of broadcast
regulation which we currently apply to a whole range of channels.
I think that will still be there because I think there is audience
expectation and I think there is a very considerable degree of
consumption of programmes delivered in that way where people want
the confidence of that environment, but we will see increasingly
content being consumed in other ways.
Q1009 Lord Young of Graffham:
Are we not moving away from broadcast television to an era in
which people choose what they want to see when they want to see
Mr Suter: And as that happens the industry will
need to develop its own self-regulatory approaches, its own self-regulatory
mechanisms for providing that reassurance.
Q1010 Lord Young of Graffham:
But as we go from one which is controlled, we go to the other
which is not controlled?
Mr Suter: It is self-controlled.
Lord Young of Graffham: Yes, that is
Chairman: We will come back to that in
a minute. Lord Mitchell, let us have your question. We are going
to come back to some of these topics.
Q1011 Lord Mitchell:
What risks to personal Internet security can arise within the
Mr Willis: I guess the first point I would make
there is that it is slightly difficult to distinguish, to draw
a hard line between the network and the people who use the network
around the edge. So the network of itself is not capable of doing
bad things. What the network can do is have weaknesses in it which
create the holes which bad people can come and take advantage
of. I guess the way I understand the question is, if we are assuming
that the end users have done everything in their power to ensure
that their computers are patched, that they have all the right
virus protection and that they are not doing anything silly themselves,
what risks can they be put to by the actions of the network and
the network operator? As I say, I think that is merely opening
the way for a third party with criminal intent to come and take
advantage of those weaknesses, if you like, to actually exploit
security. There is a whole number of ways in which that could
happen. Just to give an example of some of the weaknesses that
we might see, one is vulnerabilities in the network which have
not been patched by the operator. They, for example, might be
bugs in the software that run on the pieces of equipment that
make up the network which the operator has not done anything about
but which somebody comes along and exploits. So they write this
code which attaches itself to the network devices and then can
interfere with the security by stealing their details, for example.
There is a number of reasons why that situation can occur. Firstly,
because it is a bug which the hackers became aware of, either
in advance or at the same time as the vendors of the equipment,
and at the moment the vendors of the equipment have not yet come
up with a solution for that bug so there is nothing the operator
could have done about it, i.e. there is no fix for this problem
which is being exploited by somebody else. The alternative is
that the vendor has created a solution to this bug and the operator
simply has not installed it yet. That case is particularly unlikely.
It is a matter of course for operators generally to be in very
close communication with their vendors, much more so than the
average computer user, to keep their network patched and up to
date. There is a couple of other examples. We could find, for
example, that communication which the user sends across the network
gets intercepted at some point on the network. Again, there could
be a couple of reasons for that. It could be because the security
on the network, either the physical security or the electronic
security, has been breached by somebody, so somebody has broken
into an office of the operator and attached their computer to
the network and sees the traffic going across and can intercept
credit card details, or it could be because that network was not
secure in the first place, it did not try and stop people from
stealing stuff. The other kind of source of these things, which
is probably far more likely in practice, is basic human error
or problems with the processes and procedures operated by a network
operator. So it could simply be that somebody loses a laptop which
has customer details on, or that the processes within the network
operator lead to them inadvertently exposing lots of personal
information to other people. I guess the final example I was going
to give is the criminal activity by an employee of a network operator,
where somebody working within the network actually steals personal
information. So there is a number of ways in which even if the
end point has been properly securedand as we said earlier,
that is far from a giventhe network itself could still
Q1012 Lord Mitchell:
Have you been made aware of any risks to personal Internet security
arising from within the networks themselves?
Mr Willis: It is an area which we do track and
take notice of. I guess in general it is not something which falls
directly under our control.
Q1013 Lord Mitchell:
But have there been specifics?
Mr Willis: There are specific examples.
Q1014 Lord Mitchell:
What sort of actions do you take?
Mr Willis: I am not aware of any examples which
have fallen to us to take any action on. A fairly recent example,
for instance, is that there was an attack on the Internet infrastructure,
quite widespread, a global issue, which came through a security
weakness in a piece of software which was run on some of the main
Internet routers and this was taken advantage of and they were
attacked. The operator community was aware of this as it was happening
and worked to fix the problem as soon as possible. It was not
something where any regulator intervened to fix it, it was fixed
by the industry before it became a compromising problem.
Lord Mitchell: Thank you.
Chairman: Lord Young, we talked about
this topic, but I think it is worth asking your supplementary
Q1015 Lord Young of Graffham:
Yes, because I would like to actually test it, if I could. You
argue in your memorandum that the distinction in the Communications
Act between "content services" and "electronic
communication networks" is "quite clearly defined".
Do you think this distinction is going to survive in the long
Mr Suter: I am going to ask Jeremy to lead off
Mr Olivier: I think, in the light of the discussion
we have had to date, I will answer the question slightly different
than I had originally anticipated doing so. In the Act there are
two distinct things defined, as we said in our evidence. One is
an electronic communications network, which is a means of delivery
of an enormously broad range of services, and another is a content
service, and the definition of content service focuses very explicitly
on the provisions, on agency and the provision of content of one
kind or another by a service provider, by a content service provider,
to a consumer or a set of consumers. The reason why that is important
in the Act is because, as Tim was explaining, there are some types
of content services described in the Act as "television licensed
content services", which has certain characteristics. They
are made simultaneously available to very large numbers of users,
they are potentially impractical, potentially harmful in some
instances, particularly to minors (that is a key area of concern),
and which therefore we have a special regulatory architecture
to oversee. If your question isand I think perhaps it is"Do
you think there is a future for the regulation of some types of
content service in order specifically" (as we do currently)
"to protect vulnerable individuals against exposure to harmful
and offensive content," I think the answer is that absolutely
there will continue to be such a role. It is very unclear, to
me at least, that there is much appetite among audiences for a
move away from the provision of some degree of security of the
kind you have described. Indeed, in the questions you were asking
Professor Zittrain there seemed to be in some sense that you were
exploring options for creating such a regulated domain in relation
to other security issues by taking responsibility away from where
it sits presently with consumersthey are responsible for
putting the firewalls, and so on in placeonto ISPs. My
analogy would be that we currently have a content regulatory architecture.
We believe the audiences value it and that therefore there is
strong evidence to suggest that there will continue to be a role
for such an architecture.
Q1016 Lord Young of Graffham:
Let me just test it. The technology is moving so that PCs and
televisions are merging into media centres, and indeed your PC
and your television will be connected by wireless. So we have
programmes which at the moment have to go out after the watershed,
after nine o'clock in the evening, which the following day can
be accessed at any time of the day as a podcast. So one gets regulated.
What is the point of having a watershed at nine o'clock if the
same programme can be accessed at any time?
Mr Suter: That has been the case, I think, since
the invention of the video recorder. Time shifting material has
always been the case. So the fundamental principle is not, do
we prevent material being accessed by people? The answer is no,
and anyway we are an after the event regulator. The fundamental
issue of content regulation is to provide tools and information
to consumers which say, "If this material is broadcast at
a certain time or on a certain channel, or with a certain degree
of additional warning or preparation, then you should take note
of that." We do not assume that the nation's children are
in bed by nine o'clock. We know that they are not. The notion
of the watershed is not because we believe children are in bed,
it is because we know that consumers need a signal which says
the level of responsibility shifts at a certain point in the linear
schedule, and actually the point is different according to different
kinds of channels. So it is not that there is an absolute prohibition
or the intention to prevent that material ever being seen. We
would rather that it was not. What there is is an intention to
give people the tools they need to manage their own consumption.
In a regulated linear environment it is relatively straightforward
to do. In a non-linear environment it is much more difficult to
do in the old way, so you need content information, you need consumers
to know, "What is it that I'm getting? With what degree of
caution should I approach it? With what degree of care should
I manage who's watching it?"
Q1017 Lord Young of Graffham:
So you could see Ofcom changing the regulation in order, perhaps,
to put up a warning signal for these post-watershed periods being
broadcast at any time? If the whole idea of regulation is to help
to guard young children from seeing unsuitable material, then
what happens with time shifting where, whichever technology it
is, it is available at any time? The big difference with time
shifting with a VCR of some sort is that it is a positive act
to do it, but with the other one people can roam around the Internet
and come across them in different ways, I think that is the real
thing, or subscribe to them?
Mr Olivier: I think there are a number of points
to make in response to that. Perhaps the first and most simple
is that, as we have been discussing, Ofcom does not, I think,
anticipate that we would be able to impose global standards either
for labelling or for any other form of content regulation to the
global medium, that is the Internet, but that does not at all
mean that it would not be desirable (as in fact we are already
doing) to seek to work with those service providers who are legitimately
available to us as partners in delivering content regulatory outcomes
and that they should work to provide audiences with appropriate
tools to enable them to manage their and their children's access
to content. So not necessarily regulating in the way that we do
with broadcasters but certainly working with service providers,
as we do currently, to help them make these kinds of tools available
to audiences and thereby to delivery the goal that we share, I
think, which is the protection of vulnerable individuals in this
Q1018 Earl of Erroll:
You state in your written memorandum that "Although security
products are valuable tools for consumers they are not a part
of the regulated Internet access service". Can you explain
this distinction in more detail?
Mr Suter: I shall ask Ben first to explain that.
Mr Willis: I guess the first point is that in
the sense that those security tools generally are pieces of software
which would run on a consumer's PC they are not part of the service
which is offered by the operator per se, they are something in
the customer's domain and therefore outside of what we would think
of as the regulated Internet access service itself.
Q1019 Earl of Erroll:
They could be actually part of the service, and I think that is
the point, because the business of ISPs is to provide the customers
with access to the Internet and some of it is the information
it holds. There is also the other side, which is email, and there
is no technical bar to them making those services safer. For instance,
in the Lords we use MessageLabs to filter our incoming email before
it hits our mailboxes in the Lords, so it would be quite easy
for ISPs to do this sort of thing. Why are they, unlike companies
in all sorts of other walks of life, not required to provide their
services with due regard to the security and safety of the users?
Mr Willis: I think the answer to that is that
there is a number of aspects of the service which we do regulate
and then a whole bunch of other things which the ISP can choose
to add or not, which we do not regulate. The parts which we do
regulate are set out in what are called the General Conditions
of Entitlement, so they are the instruments of regulation for
services and networks. They cover things like customer contracts
and how a customer would be billed, how disputes would be resolved
between customers and operators and how customers would be migrating
between providers. Those features are the things which come under
our regulatory remit to control. Other things which an ISP may
choose to add to the service, for example, "We will filter
your email for you," or, "We will offer you a whole
bunch of other services," are outside the things which we
regulate under that framework.