Sunday, 29 November 2015

Never mind Internet Connection Records, what about Relevant Communications Data?

It was always a good bet that the draft Investigatory Powers Bill would broaden data retention obligations to cover more categories of communications data. That was at the core of the Communications Data Bill, blocked in 2012 during the Coalition government and vowed after the May 2015 election to be resurrected.

The draft Bill has duly delivered, accompanied by a blizzard of commentary about the propriety of forcing communications service providers to retain users’ browsing histories.

But what exactly are the categories of data that communications providers could be made to keep? The Home Office has coined the label ‘internet connection records’ to describe the new datatypes that it plans should be retained for up to 12 months. These records, it stresses, could include websites and services visited but not individual pages or other content. This is in line with what the Home Office had previously said to the Anderson Review about ‘weblog data’ (the then current jargon for browsing histories).

Internet connection records and the proposed restrictions on accessing them (clause 47 of the draft Bill) have become a lightning rod for the ensuing discussion: not just the rights and wrongs of requiring browsing data to be retained, but whether internet connection records as defined in the draft Bill can be matched to real categories of data processed by service providers.

The focus on internet connection records is understandable. The Home Office’s Guide to the powers in the draft Bill focuses on internet connection records.  The estimated cost increase in the Data Retention Impact Assessment mentions only internet connection records as a new category of retained data.

However the draft Bill casts the retention net wider than just internet connection records. Clause 71 of the Bill would empower the Home Office to issue retention notices covering six categories of what the draft Bill calls ‘relevant communications data’.  

According to the draft Bill’s Explanatory Notes, one of those six categories (71(9)(f)) corresponds to internet connection records. That leaves five categories which, on the face of them, seem to go wider than the existing data retention categories under the Data Retention and Investigatory Powers Act 2014 (DRIPA) as amended by the Counter Terrorism and Security Act 2015 (CTSA).

For internet communications the current DRIPA data retention categories cover internet access services, internet e-mail and internet telephony. Those categories replicate the 2009 Data Retention Regulations, which implemented the now invalidated EU Data Retention Directive.  The CTSA extended DRIPA to include so-called IP address resolution data. 

We can get an idea of the scope of ‘relevant communications data’ by appreciating that it covers any type of communication on a network, expressly including communications where the sender or recipient is not a human being. This sweeps up not only background interactions that smartphone apps make automatically with their supplier servers, but probably the entire internet of things. 

The type of data about these communications that could be required to be retained goes beyond the relatively familiar sender, recipient, time and location information to data such as the ‘type, method or pattern’ of communication (clause 71(9)(c)). ‘Data’ is defined to include ‘any information which is not data’ (clause 195(1)).

In another departure from existing retention laws, providers could be required to generate data specifically for retention (71(8)(b)(i)). At present they can only be required to keep data that they already generate or process in the course of providing their service.

Another change from existing law is that retention notices could be given to any kind of telecommunications operator, not just those providing services to the public as under the existing legislation. Finally, providers could be given a notice requiring them to install specific technical capabilities to support communication data access and retention requirements.

Although the current Home Office Guide and the Impact Assessment talk only about retention of internet connection records by public telecommunication service providers, that would not prevent future changes of policy whereby broader retention notices could be served on a wider variety of communications service providers.  There is no obvious mechanism to bring a change of policy to the attention of the public, since service providers would be obliged not to disclose to anyone else the existence and contents of a retention notice.

All this suggests that it is fairly important to understand what ‘relevant communications data’ might consist of.  That requires an informed conversation between legislators, lawyers and technical experts. As a discussion aid, here is my map of the 14 interlinked definitions that go to make it up. 
















And here are the 14 definitions. Where a definition uses another defined term I have italicised it for ease of reference.  

“relevant communications data” means communications data which may be used to identify, or assist in identifying, any of the following—
(a) the sender or recipient of a communication (whether or not a person),
(b) the time or duration of a communication,
(c) the type, method or pattern, or fact, of communication,
(d) the telecommunication system (or any part of it) from, to or through which, or by means of which, a communication is or may be transmitted,
(e) the location of any such system, or
(f) the internet protocol address, or other identifier, of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program.

In this subsection “identifier” means an identifier used to facilitate the transmission of a communication.

“Telecommunication system” means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.

“person” (other than in Part 2) includes an organisation and any association or combination of persons,

“Communications data”, in relation to a telecommunications operator, telecommunications service or telecommunication system, means entity data or events data
(a) which is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator and—
(i) is about an entity to which a telecommunications service is provided and relates to the provision of the service,
(ii) is comprised in, included as part of, attached to or logically associated with a communication (whether by the sender or otherwise) for the purposes of a telecommunication system by means of which the communication is being or may be transmitted, or
(iii) does not fall within sub-paragraph (i) or (ii) but does relate to the use of a telecommunications service or a telecommunication system,
(b) which is available directly from a telecommunication system and falls within sub-paragraph (i), (ii) or (iii) of paragraph (a), or
(c) which—
(i) is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator,
(ii) is about the architecture of a telecommunication system, and
(iii) is not about a specific person,
but does not include the content of a communication.

“Communication”, in relation to a telecommunications operator, telecommunications service or telecommunication system, includes—
(a) anything comprising speech, music, sounds, visual images or data of any description, and
(b) signals serving either for the impartation of anything between persons, between a person and a thing or between things or for the actuation or control of any apparatus.

“apparatus” includes any equipment, machinery or device (whether physical or logical) and any wire or cable,

“Telecommunications operator” means a person who—
(a) offers or provides a telecommunications service to persons in the United Kingdom, or
(b) controls or provides a telecommunication system which is (wholly or partly)—
(i) in the United Kingdom, or
(ii) controlled from the United Kingdom.

“Telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).

“Entity data” means any data which—
(a) is about—
(i) an entity,
(ii) an association between a telecommunications service and an entity, or
(iii) an association between any part of a telecommunication system and an entity,
(b) consists of, or includes, data which identifies or describes the entity (whether or not by reference to the entity’s location), and
(c) is not events data.


“Events data” means any data which identifies or describes an event (whether or not by reference to its location) on, in or by means of a telecommunication system where the event consists of one or more entities engaging in a specific activity at a specific time.

“Entity” means a person or thing.

The content of a communication is the elements of the communication, and any data attached to or logically associated with the communication, which reveal anything of what might reasonably be expected to be the meaning of the communication but—
(a) anything in the context of web browsing which identifies the telecommunications service concerned is not content, and
(b) any meaning arising from the fact of the communication or from any data relating to the transmission of the communication is to be disregarded.

“data” includes any information which is not data.



Monday, 9 November 2015

From Oversight to Insight - Hidden Surveillance Law Interpretations

The focus of my posts on RIPA, DRIPA and now the Investigatory Powers Bill has been on the scope and extent of the powers – what exactly they enable law enforcement and the agencies to do – rather than on oversight and safeguards, important though those are.

One aspect of oversight, however, bears directly on the scope of the surveillance powers granted by legislation. It relates to an issue that has perhaps not received as much attention in the UK as it has in the USA: secret interpretations of the law.

The problem arose in the USA partly as a result of the secret FISA court system. Controversial previously secret interpretations of the law came to light following the Snowden disclosures. This led to, for instance, the Electronic Frontier Foundation's Secret Law is Not Law campaign.

We have a similar problem on this side of the Atlantic. Here, though, it is about interpretations conceived and acted upon by government without any court involvement.

The clearest example to date is the government’s interpretation of ‘external communications’ under RIPA. This was revealed by senior Home Office official Charles Farr in a witness statement filed in the Investigatory Powers Tribunal case brought by Liberty and others. The background is that GCHQ can intercept in bulk if its objective is to intercept external communications. So the meaning of 'external communications' is significant. The Home Office interpretation was controversial. It also had implications for who (or what) could be regarded as a sender or intended recipient of a communication, a foundational building block of RIPA. (See further paragraphs 6.52 and 12.25 of the Anderson Report ‘A Question of Trust’ and paragraphs 31 to 54 of my submission to Anderson.)

The Home Office’s interpretation, which underpinned the agencies’ operations under RIPA S.8(4) warrants, would not have seen the light of day had the NGOs not brought the IPT legal challenge. That occurred because of the Snowden disclosures. The interpretation was a significant, but previously hidden, aspect of the law under which the agencies were operating.

Another example was The Data Retention and Investigatory Powers Act (DRIPA), rushed through Parliament in four days in July 2014. The Home Office argued that amendments to RIPA’s territoriality provisions and to the definition of telecommunications services did no more than reflect what the legislation had always meant. The claim was untestable, since the public had no way of knowing how the Home Office might have interpreted the provisions either in the minds of its officials or in its previous dealings with communications service providers.

A similar issue is boiling up over the effect on end to end encryption of the Investigatory Powers Bill. The Home Office says, with some justification (although a debate is taking place around possible knock-on effects of other changes), that the draft Bill mirrors existing law. Clause 189(4)(c) of the draft Bill is very similar to paragraph 10 of the Schedule to the 2002 Maintenance of Interception Capability Order. On the face of it neither affects end to end encryption where the protection is applied not by the service provider but by the user. However the public is in no position to know whether the Home Office has adopted some other interpretation or, if so, whether it might be as open to debate as its view of external communications.

The Investigatory Powers Bill provides an opportunity to ensure that the proposed new oversight body proactively seeks out and brings to public attention material legal interpretations on the basis of which powers are exercised or asserted. Service providers might also be able to bring a legal interpretation asserted against them to the attention of the oversight body. This may be all the more necessary in the light of the new disclosure offences built into the draft Bill.

Such mechanisms would enable material legal interpretations to be publicly debated and if appropriate challenged. None of this would require to be made public any legal advice that the government had received, nor any factual matters that should properly remain secret, but only the substance of the legal interpretations themselves.

This could be an important protection against the possibility of groupthink, the tendency for members of a closed group to convince themselves of the rightness of a consensus position and to resist contrary views. It would contribute to the new standards for openness, transparency and oversight that the government has promised in the new legislation. Most fundamentally, by providing not only oversight but insight it would help to satisfy the basic rule of law tenet that the law should be foreseeable and accessible.


[Amended 7 pm 9 November 2015 to include reference to possible knock-on effects of other changes on end to end encryption]

Wednesday, 4 November 2015

Prediction and Verdict - the draft Investigatory Powers Bill

Two months ago I took a shot at predicting what might be in the draft Investigatory Powers Bill. It will replace a confusing patchwork of surveillance and interception legislation centred on RIPA, the Regulation of Investigatory Powers Act 2000. 

I was particularly intrigued by how much of the old draft Communications Data Bill (CDB, or the Snoopers' Charter, blocked by the Liberal Democrats in 2012) might make it through into the new legislation. Today, following a blizzard of leaks and unofficial briefings over the past couple of weeks, the draft Bill has been published along with a mountain of explanatory papers and impact assessments, only some of which I have been able to read at this stage.


Here's an initial impression of how the draft Bill pans out against my predictions. More to come in time as the detail sinks in. As relatively instant comment, some of this may have to be refined or corrected as the light slowly dawns.  And there are many important points that I haven't touched on. The Home Office Guide to Powers and Safeguards is a reasonable place to start to get an overview.  

The 'What is it?' and 'Prediction' sections are as in my original piece. The rest is new.

GCHQ’s bulk interception warrant

What is it? The bulk interception warrant under Section 8(4) of RIPA. These warrants authorise GCHQ’s TEMPORA programme of tapping into transatlantic fibre optic cables, one of the most significant Snowden disclosures.

Prediction: Bulk warrantry powers to stay, perhaps significantly modified.

Verdict: Still here, but with some changes. There is a new power to extract and examine communications data derived from bulk intercepted content (S.106(8) and see Explanatory Notes 271 to 275). 

The overall objective of a bulk interception warrant must be to intercept communications 'sent by individuals' or 'received by individuals' outside the British Islands. This is a new approach in place of the much criticised RIPA distinction between internal and external communications.

Devil in the detail:



Is it clearer than RIPA? Yes, but some similar nuanced pathways through the legislation remain.

Specific objectives for bulk interception warrants? (This was an Anderson recommendation.) Yes, sort of. S.111(3) says: "A bulk interception warrant must specify the operational purposes for which any intercepted material or related communications data obtained under the warrant may be selected for examination." S.111(4) tells us how specific (or not) those purposes have to be: "it is not sufficient simply to use the descriptions contained in section 107(1)(b) or (2) [e.g. 'national security'], but the purposes may still be general purposes.".

Tighter constraints on searching for communications of persons within British Islands? Looks very similar to RIPA.

Is there a tighter framework for searching captured related communications data? Under RIPA most of the limitations on searching the content of bulk intercepted communications do not apply to related communications data. Related communications data can currently be scooped up alongside both external (at least one end outside British Islands) and collaterally acquired internal (British Isles to British Isles) communications.

In substance this is all retained in the draft Bill. Additionally, related communications data can now include content-derived communications data. The new Bill provides that selection must be necessary and proportionate and examination must be only so far as necessary for the operational purposes.

Prior judicial or quasi-judicial authorisation? See below.

Tighter limits in who can apply for a bulk warrant? Limited to the security and intelligence agencies, for specified purposes that must always include national security.

Background on RIPA bulk interception warrants here.

Broad Ministerial powers

What is it? A wide statutory power in Clause 1 of the draft CDB allowing the Secretary of State to make regulations under which she could give notices to CSPs to generate, obtain and disclose communications data and to install designated equipment for that purpose.

Prediction: Increased specificity, but government will still want a method of future-proofing.

Verdict: Nothing like as vague as CDB, though the power to give retention notices to CSPs appears to have a significant element of future-proofing built in. The draft Bill also includes a major expansion of the powers to require service providers (extended to include non-public service providers) to install specified technical capabilities, allied to most of the new warrants and communications data acquisition powers (see S.189). At present RIPA only provides this power for interception warrants and for large public service providers.

Background on future-proofing here.

Browsing histories

What is it? Extension of current data retention powers so as to require storage of browsing histories (alias weblog data). This was one of the most contentious aspects of the draft Communications Data Bill. It is like keeping a list, which the authorities could demand to inspect, of all the books, newspapers and magazines that you have read in the last year.  Weblog data probably excludes web addresses (URLs) ‘after the first slash’. That is like listing a book, but not every page within it.

Prediction: Bank on this one coming back in some form.

Verdict: It's back, rebadged as 'internet connection records'. For which read everywhere you go at site or service level on the internet, but not individual pages. Part of a significant extension of DRIPA's data retention provisions.

Is this like a universal CCTV system recording when you go outside your front door and visit the bank and the shops? Or is it like a spybot in your home noting which books you read? Or is it something else? One thing is certain: we can't simply analogise this to keeping a log of which telephone number you called, where and when. This is a record of how we live our digital lives.

It is important to separate the scope of retention from the power to access. Access to this category of data will be more tightly restricted than for other communications data. Local authorities will have no access. The draft Bill sets out specific purposes for which public authorities can demand access to this category of communications data or make a demand that requires it to be processed (s.47(4)). 

The Home Secretary has (very) broadly paraphrased this restriction as 'determining whether someone had accessed a communications website, an illegal website or to resolve an IP address'. Regrettably there is no substitute for quoting the section:

"to identify—
(a) which person or apparatus is using an internet service where—
(i) the service and time of use are already known, but
(ii) the identity of the person or apparatus using the service is not known,
(b) which internet communications service is being used, and when and how it is being used, by a person or apparatus whose identity is already known, or
(c) where or when a person or apparatus whose identity is already known is obtaining access to, or running, a computer file or computer program which wholly or mainly involves making available, or acquiring, material whose possession is a crime."
  
Like most requests for standard communications data under RIPA, requests for 'ICR' will not require judicial approval. They are authorised through Designated Persons within the public authorities, who are internally independent from the investigation in question.

The existing, narrower, data retention provisions of DRIPA have been challenged in court by MPs David Davis and Tom Watson and questions are being referred to the European Court of Justice. 

Devil in the detail:


David Anderson said that no detailed proposal should be put forward until a sufficiently compelling operational case had been made out and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring weblog data to be retained. The Home Office has now published an 'Operational Case for the Retention of Internet Connection Records'. This will repay careful scrutiny.

Background on weblog data retention here.

Digital footprints

What is it? Retention of the geolocation data that, thanks to our smartphones and tablets, we leave like a breadcrumb trail behind us.  The Annex to the CDB Explanatory Note explained that Communications data “includes information identifying the location of equipment when a communication is or has been made or received (such as the location of a mobile phone)”. A phone call, text, software update, e-mail check, news feed update, an app checking in to its provider are all communications and they happen all the time. Each could have precise GPS or Wi-Fi location data associated with it. 

Prediction: Probable.

Verdict: Yes, falls within relevant communications data that may be required to be retained. S.71(9) is explicit that the sender or recipient does not need to be a person, and that relevant communications data includes data identifying the location of any telecommunication system by means of which a communication is transmitted. Location of that system is one of the categories of data that the Secretary of State can order to be retained.


Data generation by decree

What is it? The Home Office would be able to order CSPs to generate communications data for the benefit of the authorities.  At the moment CSPs can only be made to retain data that they already generate or process in the UK. Think about that list of books, newspapers and magazines in the weblog data section (above). You don’t ordinarily keep a list? This is like compelling you to make one.

Prediction: Data generation to reappear.

Verdict: Yes, as predicted (S.71(8)). A significant change.


Background on compelled data generation here.

Boundary between communications data and content

What is it? On the one side we have email addresses, user IDs, IP addresses, domains, and the like.  On the other side content (including URLs beyond the first slash). Public authorities have far readier access to communications data than to content.  There are also sub-divisions of communications data (traffic data, service use data, subscriber data) that under RIPA affect the conduct that is classified as interception. The powers of public authorities to demand access to communications data vary depending on the type of communications data.

Privacy advocates question the historic assumption that content is necessarily more sensitive than communications data. Changes to the dividing line would have an impact on the data that the authorities could request and a knock-on effect on the scope of communications data retention.  

Prediction: Government will continue to maintain that communications data is less sensitive than content. Possible clarification of the boundary in areas of uncertainty such as social media and revision of communications data categories.


Verdict: The definition of communications data has been revised to cover 'entity' and 'events' data. There is also now a definition of the content of a communication, where RIPA had none.

Devil in the detail:

Requires application of a wet towel before commenting on whether anything has changed significantly.

Background on the existing RIPA content/communications data boundary here.

Third party data collection

What is it? A scheme that would enable the Home Office to require CSPs to collect and retain communications data from foreign services transiting their pipes.  This was part of the CDB.

Prediction:  Anyone's guess.

Verdict: Out.


More on third party data collection here.

Request filter

What is it? A plan for a system enabling authorities to search across communications  data collections retained by multiple CSPs.  Another part of the CDB.

Prediction:  Anyone’s guess.

Verdict: In.


Background on request filter here.

Judicial authorisation

What is it? Interception warrants in the UK are authorised by a Minister, not by an independent judicial or quasi-judicial body.  This has always been a bone of contention for civil liberties advocates.  Most demands to access communications data are authorised internally by the requesting authorities themselves.

Prediction: In the balance. The government may prefer to retain Ministerial control over warrants. But if it wants the new interception warrants regime to be legally bullet proof, the prudent course would be to go with a scheme for judicial or quasi-judicial approval of interception warrants.  Separately it has to decide how to deal with the regime for communications data demands following the Davis/Watson decision.

Verdict:  Generally the government is proposing a two tier system of Ministerial sign-off of warrants followed by an approval process undertaken by new judicial commissioners before the warrant can take effect (but retrospective in urgent cases).  They would review a decision to issue a warrant to the 'judicial review' standard rather than a de novo reevaluation of the merits.

Some other significant highlights that I didn't cover in my original predictions:


Section 94 Telecommunications Act 1984

What is it? The most mysterious existing power of all, enabling Secretaries of State to give national security directions to telecommunications companies.  Now there will be a 'national security notice' power spelled out in greater detail (S.188).

Extraterritoriality

What is it? RIPA always applied in general terms to telecommunications services provided to the UK from abroad. What wasn't so clear was whether interception warrants, interception capability notices and communications data acquisition notices could require conduct outside the UK, could apply to non-UK providers or how (if at all) they could validly be served on a non-UK provider. DRIPA fixed that. It didn't do the same for communications data retention notices, which in any case could only require retention of data generated or processed within the UK.

Verdict: Extraterritoriality will apply to targeted interception warrants and mutual assistance warrants (S.29(4)); communications data acquisition notices (S.69(3)); targeted equipment interference warrants (S.99(3)); bulk interception warrants (S.116(3)); bulk acquisition warrants (S.130(3)); bulk equipment interference warrants (S.145(3)); technical capability notices (S.189(8)).


Non-UK operators can rely on a conflict of non-UK law defence in some of these cases: (S.31(5), S.69(4)). A technical capability notice is enforceable against someone outside the UK only if it relates to a targeted interception or mutual assistance warrant, a bulk interception warrant or a communications data acquisition notice or authorisation (S.190(10)).

Communications data retention notices can also be extra-territorial (S.79(1)). However while operators generally have a duty to comply with a notice, if a notice relates to "conduct or persons outside the United Kingdom" the duty is only to "have regard to the requirement or restriction".  (S.79(2))

Computer Network Exploitation (CNE) 

What is it? Official hacking.

Verdict: Warrantry powers formalised in the draft Bill. No surprise at all. Existing general powers were on shaky legal ground and had to be made more transparent. Both targeted and bulk equipment interference warrants are provided.


[Updated 5 November 2015 to add technical capability notices to Extraterritoriality section; section on Broad Ministerial Powers updated 6 November 2015 to add future proofing of retention notices and extension of technical capability notices to non-public service providers (h/t to @neil_neilzone for spotting the latter).]

Sunday, 1 November 2015

Time to free the internet from TV-like regulation?

The CJEU has recently been applying itself to the question of what constitutes a TV-like audiovisual service on the internet. The New Media Online case was about a newspaper website with video content. The court held that short local news bulletin, sports and entertainment video clips on a subdomain of the site could be a ‘programme’; and that assessment of the principal purpose of the service must focus on whether it had content and form independent of that of the journalistic activity of the site operator.

The CJEU was set this task by the Audiovisual Media Services (AVMS) Directive. This piece of EU legislation started life in 1989 as the TV without Frontiers Directive, intended in part to facilitate cross-border satellite broadcasting within the EU. In 2007 it morphed into the AVMS Directive. Over the initial objections of the UK government it became the vehicle, in the name of convergence and technical neutrality, for extending TV-like regulation to video on the internet.

Recently the European Commission has been consulting on a revision of the AVMS Directive, asking questions such as whether UGC hosting services such as YouTube and Vimeo should be regulated by the Directive and how to ensure a level playing field for audiovisual media services.

  • Codeword Alert: level playing field. A level playing field tends to mean raising barriers to entry by imposing the incumbents’ own regulatory burdens on newcomers. The option to level the pitch by rolling back existing regulation rarely features.

For whatever mysterious reason, when pictures flicker into motion the regulatory alarm bells go off. Suddenly the general law (obscenity, defamation and the rest, enforced through independent courts) is not enough. We must consider regulatory bodies armed with discretionary powers to make more and stricter rules.

The argument, beguilingly, is that it is illogical to restrict TV regulation to traditional broadcast if the same content is available through the internet. That ignores the fact that TV regulation, far from being the norm, is itself an anomalous restriction on freedom to communicate – one rooted in antiquated notions of spectrum scarcity that the internet has blown to smithereens. As the European Commission itself said in its 1997 Convergence Green Paper: “…in a fully digital environment, scarcity may over time become a less significant issue, calling for current regulatory approaches to be reassessed.”

It is TV-like regulation, not lack of TV-like regulation, that should continually have to justify its existence - let alone extension to the internet. As Judge Dalzell said back in 1996 in ACLU v Reno, “The Internet is a far more speech-enhancing medium than print, the village green, or the mails … As the most participatory form of mass speech yet developed, the Internet deserves the highest protection from governmental intrusion”.

The current AVMS Directive applies a specific set of rules to TV-like video on demand services. In the UK we have seen exhaustive attempts to discern just what makes television TV-like, reminiscent of the 1987 case about the Henry Moore altar in the church of St Stephen Walbrook, which had the Court of Ecclesiastical Causes Reserved solemnly considering whether a table possessed a Platonic quality of tableness.

The UK implementation of the Directive set up ATVOD as the video on demand regulator, now to be superseded by OFCOM. Various cases resulting from ATVOD scope determinations have produced a stream of enquiries into whether some website misguided enough to carry video had exhibited sufficient TVness to be caught in the AVMS regulatory net.

Sites have been subjected to fine analysis of factors such as balance of moving images, still images and text, production values, use of opening and closing credits, layout and interface, narrative structure and long-form versus short-form video, and to debate about what the exclusion of online versions of newspapers might mean.

Most head-scratchingly of all, TVness has to take into account whether “the nature and the means of access to the service would lead the user reasonably to expect regulatory protection within the scope of this Directive”. This led to cases such as Playboy TV in which it was argued (unsuccessfully) that the Demand Adult channel was not TV-like because it contained material that would not be allowed on television.

Finding the essence of TVness was the subject of an 80 page OFCOM research report in 2009, followed by another in 2012 that identified ten indicators of TVness.

TVness is a moving target. The Directive specifies that the concept of ‘programme’ has to be interpreted “in a dynamic way taking into account developments in television broadcasting”. So, paradoxically, the less TV-like television becomes the stronger the pressure to widen the net of TV-like regulation: a built in tilting of the playing field in one direction.

Last year Ms Itziar Bilbao Urrutia, creator of The Urban Chick Supremacy Cell, succeeded in convincing an OFCOM appeal that her fetish-themed website (with a total of 58 paying customers) was not TV-like. The site now proudly announces: “We are the only fetish studio in UK that falls outside the AVMS Legislation & ATVOD's remit, and are exempt from complying with these draconian regulations of online video.”

OFCOM’s 29 page dissection of Ms Urrutia’s "art project designed, produced and created by real life dominant women," in which "all violence and speech are part of a fictionalized dystopian Femdom fantasy" is a model of dispassion.

Here is a sample of OFCOM’s comparison with ‘Lara’s World of Uniforms’, a television programme that ATVOD thought was comparable:

“We noted that it featured a mixture of scenes, some of which featured ‘Lara’ on location, dressed in uniform, either talking to camera or conducting an interview. Other scenes featured adult performers, typically dressed in uniform, engaging in sexual acts.”

Ofcom, however, thought this material was clearly distinguishable from the material available on the UCSC Service, in terms of both degree and type:

“The programme began with the host addressing the viewer in what appeared to be a scripted monologue. The programme then cut to a sequence involving Lara and another actress performing a scripted scene which culminated in them engaging in various sexual acts. Ofcom noted that contrastingly, the videos available on the UCSC Service featured very little use of scripted material. For example, Ofcom noted that the dialogue between the participants in the videos featuring sexual activity on the UCSC Service did not appear to have been rehearsed and was not obviously scripted.”

OFCOM’s dedication to the task of placing Ms Urrutia’s website in the correct pigeonhole is impressive. But is that a task that anyone should be called upon to perform? The significant question is not whether a particular service on the internet is TV-like, but whether TV-like regulation is appropriate for anything that happens on the internet. Rather than considering whether the Directive should be extended, the debate should surely be about rolling it back.

Could that mean that the movie received via broadcast on the television set in the living room is regulated differently from the same movie on the internet? Yes. Should we care about that? Not really. Some bumps on the playing field are perhaps a small price for securing the internet as a place governed by the law applicable to speech generally and not by TV-like discretionary regulation.