Running a Public Network

Running a Public Communications Service
Andrew Cormack
Chief Regulatory Adviser, Janet
© JANET(UK) 2011
What is a public comms. service?
• “public electronic communications service” means any electronic communications service that is provided so as to be available for use by members of the public; (Communications Act 2003, s.151)
• E.g. Open library terminal, open/commercial wifi hotspot, hotel, cybercafe, housing estate, business park, ...
• NB: Most BCE doesn’t involve public traffic
• NB: Janet is not a public network service

Which laws are different?
• The following have additional rules for public services
– EC Telecomms Directives (security & privacy)
– UK Interception Law
– UK/EU Data Retention
– UK Copyright Infringement – maybe
• Future developments likely at EC and UK level

Responsibilities for the service
• Must comply with Ofcom guidance on security
– Documented risk management process (e.g. ISO27001)
– Take appropriate measures to deliver security
• Must report “significant” security breaches to Ofcom, e.g.
– 100K users disconnected for 12 hours, or
– Failure reported to Government department or in the media

Responsibilities for privacy
• Must design service/systems to protect privacy
• Must report all privacy breaches to ICO
– Consequences and mitigation action taken
– And to user if PD or privacy “adversely affected”
• Traffic/flow data only used for prescribed purposes
– Transmission; Billing and traffic management; Customer enquiries; Fraud prevention/detection; Other legal duties
• Not research
– Must delete/anonymise as soon as no longer needed
• Unlawful interception by operator is a criminal offence

Responsibilities for users
• Must (if notified by Home Office) retain data about use
– Time, duration, type, source, destination of communication
– Can agree by contract who does this
• Best if done by the organisation that authenticates users
• Various other responsibilities being discussed
– Dealing with copyright infringements (Digital Economy Act)
– Dealing with infected user equipment
– Network Neutrality (restrictions on traffic management)

How far do these extend?
• Which networks/equipment
– Probably anything that might carry public traffic
– Good idea to separate those
• Which organisations are responsible?
– Service: Organisation, Janet and ISP
– Privacy: Organisation, Janet and ISP
– Users: Organisation or ISP

Don’t Forget: State Aid law
• Using public funds to distort a commercial market
– Illegal: fine plus repayment with interest
• Public Internet access is a commercial market
– State Aid law likely to apply
• Possible approaches (see Janet guidance)
– Library terminal: provide “supported Internet access”
– Wifi Hotspot: open tender, including use of backhaul
– Hotel/cybercafe: charge market rate to trading subsidiary
– Broadband gaps: BIS authorisation for individual projects

Policies etc.
• Janet Policies protect Janet reputation/operation
– Need SecPol and AUP whenever Janet addresses used
• Access control, Manage security threats, Enforce AUP, etc.
– Otherwise use Policy of ISP whose addresses are used
– Always need disconnection right to protect service to others
• Other IP address issues
– RIPE/WHOIS contact data => body with User responsibilities
• Copyright enforcement responsibility likely to follow this
– Beware of IP address “authorisation”
• Internal services, licensed content, firewalls, etc.

To run a public network service...
• It/you must (+ bullets apply to Janet backhaul too)
+ Be designed according to Ofcom security principles
+ Report significant (availability) breaches to Ofcom
+ Report all privacy breaches to ICO
+ Only use traffic data for prescribed purposes
– Only use interception (if at all) with great care
– Be prepared to retain information about users
– Be prepared to deal with copyright infringement reports
+ Deal with State Aid issues
• Probably want to separate this from your R&E service

Discussion Themes
• How to segregate?
• Authentication: when/where/how?
• ISP access
• Institutional Risk Assessment & Responsibilities
• Pricing Models
• Community Support

Questions?