Frontier Systems Ltd (t/a Voiceflex) v Frip Finishing Ltd

The claimant carries on business providing telephony services over the Internet. It trades as ‘Voiceflex’, and I will refer to it as “Voiceflex” in this judgement. The defendant carries on business as decorative print finishers (B/105); I will refer to it as "Frip". Voiceflex is thus the service provider, and Frip is thus the customer or end user.

This case concerns the consequences of a fraud carried out by unknown third-party hackers ("the hackers") between about 21.40 p.m. on Saturday, 29 October 2011 and about 10:22 a.m. the following Monday, 31 October 2011, when they hacked into Frip’s router and/or PBX, with the consequence that some 10,366 telephone calls were made by persons unknown: see paragraph 4.16 of the report of Mr Sykes at page B/132. The majority of the telephone calls were made to a premium rate telephone number based in Poland: see paragraph 25 of the witness statement of Nathan Ronchetti (page B/74).

As a result, the claimant rendered its invoice number VF/180169 dated 31 October 2011 in respect of call charges amounting to £29,631.50, which together with a nominal administration fee of £2 and the addition of VAT came to a total of £35,560.20. The issue in the case is whether Frip is liable to pay that invoice.

Voiceflex’s claim is brought on two alternative bases:

The first is a claim for the price of a service supplied to Frip. The issue here is whether Frip used that service.

The second is a claim for damages for breach of contract. The issues here are whether Frip was in breach of contract in a manner alleged; and if so, what if any loss and damage Voiceflex sustained as a result.

At all material times Frip retained Secaura Limited ("Secaura") as its IT consultant. Until Secaura was dissolved on 20 January 2012 (shortly after the events in question), Richard Gibson was its managing director. Since then he has continued to act as an IT consultant, now trading as Secaura Solutions: see his witness statement at page B/96. He has continued to provide IT consultancy services to Frip. He is the elder brother of Leslie Gibson, who is the managing director of Frip.

The key dates in this case are as follows:

The way Voice Over Internet Protocol ("VOIP”) telephony systems work is as follows:

The customer or end user, here Frip, has its own telephone and computer systems.

The subject matter of a telephone call is configured within IP packets: see the diagram of the content of an IP packet at paragraph 6.3 of Mr Spencer's report (page B/109). One of the constituents of an IP packet is its destination address.

Frip’s internal telephone and computer system was configured generally in the manner shown in the diagram at paragraph 7.2 of Mr Spencer's report. Calls could be made from up to 70 extensions, including 62 SIP/IP telephones, up to 40 TDM telephones, and also from remote extensions. The speech comprised in those telephone calls was configured into IP packets by the PBX. Here Frip’s PBX was an Epygi Quadro 4xi. A PBX is a telephone switch, referred to as a ‘Private Branch Exchange’, which is normally used by businesses to enable telephone communication between telephone lines and business extensions: see the definitions and glossary of terms in section 11 of Mr Spencer's report (page B/118).

Sitting immediately above the PBX was a router. In fact, in this case the router was physically included within the same box as that which housed the PBX, but its function was materially different. The router is the "last stage" of the customer's computer system. It is the router which transmits the IP packets over the internet via an asymmetrical digital subscriber line ("ADSL)", which is one of the types of broadband link which connects users to the Internet: see again the definitions and glossary of terms in section 11 of Mr Spencer's report (page B/118).

The IP packet is then received at its destination, here the Voiceflex call-server (described as the ‘Service Providers Switch' in the diagram at paragraph 6.5 of Mr Spencer's report).

The Voiceflex call-server then transmits the call on to the public switched telephone network ("PSTN") to the final destination, namely the recipient of the telephone call: see generally the two diagrams at paragraphs 6.5 and 7.2 of Mr Spencer's report.

There is a difference between voice signalling and voice data. Voice signalling is the first message, which initiates a call. In contrast, voice data contains the actual content of the conversation itself.

The service which Voiceflex agreed to supply was described by Voiceflex (see for example the text of its invoice number VF/125594 dated 30 June 2007 referred to above) as the use of a SIP trunk. But both Mr Spencer and Mr Sykes were agreed that reference to the term ‘SIP trunk’ was and remains a common misnomer in the IP/IT industry. There is in fact no such thing as a ‘SIP trunk’: see Mr Spencer's evidence at trial (DG/55), with which Mr Sykes concurred. Instead, in practical terms, the service which Voiceflex agreed to provide was a service whereby its customer was permitted to use Voiceflex’s systems to transmit IP packets from the customer's router to Voiceflex’s call-server via the internet. The term ‘SIP trunk’ is often used in this industry as a metaphorical equivalent of that process.

The charges for the service comprised (1) a monthly charge of £6 for the use of the service (perhaps the metaphorical equivalent of a fixed line rental in old-fashioned terms); and (2) a unit charge for each call made.

At the conclusion of their oral evidence at trial, the experts stated:

The two most probable means of hacking into Frip’s router were either (a) through an open port 5060; or (b) via the web portal.

Whichever of those two means was in fact used by the hackers, the next stage in the process was common, namely the need for the hackers to break the 8-digit password protecting the router.

Once the hackers had broken the 8-digit password, they would be able to reconfigure the PBX so that it would thereafter enable calls to be made by other remote extensions.

While some initial voice signalling IP packets were sent to the Frip router/PBX, either all or the very substantial majority of the voice content packets (which contained the much bulkier content of the telephone calls themselves) were sent directly from the remote extensions to the ultimate recipients of the calls via the Voiceflex call-server.

Mr Spencer's opinion was that because a hacker could use a particular type of software (here SIP Vicious) to break the router password if the port 5060 was open, it was thus more likely that the port 5060 was open before the hack commenced: see in this context the footnote to paragraph 8.1.1 of his report. Mr Sykes disagreed, being of the opinion that the hacker could gain access to the router password by either means. Both experts were agreed (DG/63) that there was no evidence in the case to indicate whether or not port 5060 was, as a matter of fact, open before the hack commenced.

I prefer Mr Sykes opinion on this issue. While it may have been easier for the hacker to access the router password if the port 5060 had been open, there is no evidence to indicate that in fact was the position here. Both experts are agreed that the hacker could access the router password by either of the means described. In so far as any burden of proof lies on the claimant to establish that, on balance of probabilities, port 5060 was in fact open before the hack commenced, the claimant has failed to discharge such a burden of proof. Therefore I do not find that, on balance of probabilities, port 5060 was open when the hack commenced.

It is common ground that in November 2006 the parties entered into a contract: see paragraph 4 (a) of the amended defence. However, a notable lacuna in the case is the absence of any document which sets out the terms of the parties’ agreement.

There is a dispute about the role performed by Richard Gibson in the making of the contract. In his oral evidence at trial Richard Gibson showed a clear and realistic understanding of the dual nature of his role: he accepted that on the one hand he was acting for Frip as its IT consultant; and on the other hand that he (or rather Secaura, on whose behalf he was acting) was also acting for Voiceflex as its "Channel Partner" i.e. as its agent for the purpose of introducing Voiceflex’s services to new customers. In my judgement, when Richard Gibson ticked the box on one of Frip’s computer screens beside the text "Check this box to confirm that you have read and agree with our terms and conditions and our code of practice", he was then acting on behalf of Frip. It was Frip which was applying for the service, and it could only have been Frip that could give the confirmation sought. Richard Gibson was authorised by Frip to act on its behalf in applying for and thereafter receiving this service. In this regard I accept Mr Mantle’s submissions in paragraph 47 of his written closing submissions on behalf of the claimant.

If I am wrong in coming to that conclusion, then I accept the oral evidence of Paul Taylor, sales director of Voiceflex, when he stated (DG/2) that Voiceflex’s practice was each month to send to its customers an invoice, a direct debit form, a payment option, and a copy of Voiceflex’s terms and conditions. The consequence of such practice was that Voiceflex’s terms and conditions were incorporated into the contract by a course of dealing between the parties which occurred each month.

I therefore find that the contact between the parties was subject to Voiceflex’s terms and conditions, in the version set out at pages C/6-8. In clause 3.6 the service is stated to include "Provide outbound SIP connectivity to the PSTN via a SIP proxy". Section 5 deals with payments, but it does not specify any rate for any part of such service. Section 6 deals with usage and acceptable use policy; clause 6.4 provides that the customer agrees "not (to) divulge their password to any third party and use all reasonable endeavours to keep the same confidential and inaccessible to third parties."

In paragraph 22 of its reply, Voiceflex contended for a series of implied terms to be incorporated within the contract. At the commencement of the trial, Mr Mantle applied to re-amend the particulars of claim, so as to include reference to both paragraph 22 of the reply as regards the incorporation of implied terms into the contract, and paragraph 23 of the reply as regards the alleged breach of such implied terms, within the body of the particulars of claim. Mr Warner did not oppose the application, subject to subsequent submissions on costs, and I allowed it.

The position as regards the implied terms contended for in paragraph 22 of the reply is as follows:

In his closing oral submissions Mr Mantle conceded that the implied terms alleged in paragraphs 22 (d) and (e) were the same as, or replicated, at the subject matter of the express term contained in clause 6.4. It would be superfluous to incorporate these as implied terms of the contract.

The implied term contended for in paragraph 22 (c) was a term "that the defendant would take all reasonable steps to ensure the engagement of a competent third-party engineer to carry out installation of the required hardware at the defendant's premises, and commissioning of the claimant's SIP trunk facility". However, Mr Mantle accepted that the breach of that term alleged in paragraph 23 related not to the engagement of the engineer, but to his performance. This implied term is thus irrelevant to the issues to be decided in the case.

The implied term contended for in paragraphs 22 (a) and (b) are implied terms that Frip would take all reasonable steps to ensure that "(a) its networks were adequately protected from being accessed by an authorised third parties, whether by the installation of an appropriate firewall or otherwise; and ... (b) any hardware installed by or on behalf of Frip was installed in such a manner that it was secure from accessed by unauthorised third parties". Mr Mantle submitted that the effect of these implied terms was that the customer should take reasonable steps to ensure that its systems were adequately protected, e.g. in the context of the present case by the use of an adequate password to protect the router. This was in contrast to the provisions of clause 6.4 Voiceflex’s terms and conditions, which imposed on the customer an obligation not to divulge and/or use reasonable endeavours to keep confidential and inaccessible, the password which Voiceflex gave its customer to enable the customer to access Voiceflex’s systems, which was quite a different matter. I accept Mr Mantle’s submission that these contended implied terms concern a different subject matter from that comprised in clause 6.4. In paragraph D (5) of his written opening submissions, Mr Mantle submitted that the criteria for incorporating a term into a contract can be summarised as being where it is either necessary to give business efficacy to the contract, or where the term represents the obvious but unexpressed intention of the parties, citing the decisions in Attorney General for Belize v Belize Telecom Ltd [2009] UKPC 10 and Mediterranean Salvage v Seamar Trading 2009 EWCA Civ 531 as authority for such propositions. I accept Mr Mantle’s submissions in this regard, and find that the implied terms contended for in paragraphs 22 (a) and (b) satisfy such criteria, and were thus incorporated as terms of the contract.

It is first to be noted, as Mr Mantle acknowledged in the course of his closing oral submissions, that in its particulars of claim Voiceflex does not allege any breach by Frip of clause 6.4, notwithstanding that express reference to clause 6.4 is made in paragraph 11 of the amended particulars of claim. Instead, in paragraph 23 of the reply, Voiceflex alleges the following breaches of implied terms.

In paragraph 23 (a) Voiceflex alleges a breach of the term at paragraph 22 (a), in that Frip "... failed to take all reasonable steps to secure its network, so as to prevent unauthorised access to the claimants SIP trunks system". In his closing oral submissions Mr Warner submitted that this allegation was unparticularised i.e. it did not state either what Frip did, but should not have done; or conversely what Frip did not do, but should have done. I accept that submission. This allegation of breach is little more than a restatement of the implied term in question.

In paragraph 23 (b) Voiceflex alleges that Frip was in breach of the term at paragraph 22 (b), in that "... port 5060 on Frip’s router, being part of the hardware installed at Frip’s premises, was left in the open position with the effect that instead of the same only being accessible by Voiceflex’s servers and Frip’s registered addresses, it was accessible to the Internet at large".

However:

at the conclusion of their oral evidence at trial, the experts stated (DG/63) that they had not seen any evidence in the case to show that, as a matter of fact, port 5060 had been left open before the hackers attacked 8-digit password to the router;

further, in paragraph 21 of his witness statement (B/101) Richard Gibson stated that "... when I set up the SIP trunk in Manchester, I ensured that port 5060 was closed, except to the claimants server and authorised users"; and

in his oral evidence at trial, Mr Sykes stated (DG/58) that "if (port 5060) had been left open, it would be hacked within a few hours today; maybe 7 or 8 years ago it would have been hacked within a day or so".

Voiceflex’s case is that, because it is easier for hackers to gain entry to a router via an open port 5060 then via the web portal, an inference should be drawn that, in this case, port 5060 was open before the hack commenced.

I accept the agreed evidence from the experts in this regard, and Mr Sykes’ evidence of what would have been the probable consequence had port 5060 have been left open. In the face of that evidence, together with Richard Gibson's evidence of fact which I also accept, I decline to draw the inference contended for by Voiceflex. Accordingly, Voiceflex fails to discharge the burden of proof on it to prove that Frip was in breach of contract in the manner alleged in paragraph 23 (b) of the reply.

Paragraph 23 (c) of the reply states that "... the unauthorised calls ... were made with Frip’s unique username and password. Accordingly Voiceflex avers that Frip was in breach of the implied terms at 22 (d) and (e) concerning maintaining the integrity and confidentiality of the same." The first and immediate point concerning this allegation is that it relates to the implied terms contended for in paragraphs 22 (d) and (e) of the reply, which I have found replicate the express term at clause 6.4, breach of which is not alleged.

However, even if this allegation is construed benignly as a breach of the express term in clause 6.4, it again fails for lack of particularity. It simply defines the end result (the fact of use by the hackers of the username and/or password which Voiceflex provided Frip, to enable Frip to access Voiceflex’s systems) without alleging what reasonable endeavours Frip should have used to prevent such an event occurring. Clause 6.4 imposed on Frip an express obligation to "... use all reasonable endeavours to keep the (password) confidential and inaccessible to third parties". To make good an allegation of breach of such an express term, Voiceflex should have stated precisely what reasonable endeavours Frip should have used to keep the password (and only the password, and not the username) "confidential and in accessible to third parties". Voiceflex did not do so. The allegation thus fails for lack of particularity.

Notwithstanding the lack of particularity of the allegation of breach in paragraph 23 (b) of the reply, the expert opinion evidence in the case did in fact address the issue of the nature of the password which Frip used to protect access to its router. In paragraph 4.7 of his report Mr Sykes stated as follows:

“The router password is fundamental to the overall system security. Any secondary security ... such as prevention of international dialling from certain extensions or at certain times of the day ... becomes powerless to contribute to the security if the router's password is breached."

At paragraph 4.28 of his report he further stated:

“At paragraph 20 of Richard Gibson's witness statement, he says he set up a password on the SIP router, which was an 8-digit numerical password. The Epygi router documentation … indicates that the administrator GUI (Graphical User Interface) password can comprise up to 20 numeric characters. An 8-digit numeric password has around 100 million combinations. The range increases very significantly to 1000 billion ... for 20 numeric characters. While the longer a password is, the more secure it is, 8-digit passwords are generally accepted to be strong."

In his oral evidence at trial Mr Spencer agreed (DG/51) that the password protecting access to Frip’s router could be any combination of digits between 2 and 20 in number. In his oral evidence at trial Mr Sykes stated (DG/59) that

None of that evidence establishes that at any time between November 2006 (when Frip first used Voiceflex’s systems) and October/November 2011) i.e. when the hack occurred) Frip had used an insufficiently robust password protect access to or through its router. I accept Mr Sykes opinion that, during this period use of an 8- digit password was generally accepted as being ‘strong’ i.e. sufficiently robust for these purposes.

To conclude: Voiceflex’s case that Frip was in breach of contract in the manner alleged in the reply and the re-amended particulars of claim fails for the reasons set out above.

The issue between the parties as regards Voiceflex’s alternative claim for the price can be stated shortly:

Voiceflex claims the price on the basis that it is supplied a service to Frip, which was "always on" to adopt Mr Mantle's phrase in his closing oral submissions;

Frip’s case is that it only becomes liable to pay the price of the service offered if it in fact uses the service. It is common ground between the parties that the service was used, but by unknown third parties as a result of the unknown hackers’ activities. It is not alleged by Voiceflex that any of Frip’s employees made any of the calls, the price which is set out in Voiceflex’s invoice number VF/180169 dated 31 October 2011 (page C/47).

It is thus necessary to construe the relevant terms of the contract between the parties. Clause 6.2 of Voiceflex’s terms and conditions provides:

“The customer hereby agrees to ... refrain from sending and from causing allowing or enabling to be sent, any menacing offensive abusive or annoying messages whilst using the service via the company or any other ISP."

The reference in that clause to the term "using" is to be noted.

Clause 6.3 of Voiceflex’s terms and conditions provides:

“The customer hereby agrees to ... refrain from sending and from causing allowing or enabling to be sent, any bulk or mass unsolicited commercial e-mail messages colloquially referred to as spam, or spam over Internet Telephony (SPIT) whilst using the service via the company or any other ISP."

Again, the reference in that clause to the term "using" is to be noted.

In my judgement the repeated reference in those clauses to the customer "using" the service indicates that, on its proper construction, the contract provides that the trigger for liability to pay the price was use of the service, rather than merely its supply or provision. The next question is whether such liability accrues upon use by an unknown third party rather than the customer itself.

Clause 6.4 of Voiceflex’s terms and conditions (to which I have already referred) provides:

“The customer hereby agrees to ... not divulge their password to any third party and use all reasonable endeavours to keep the same confidential and inaccessible to third parties."

The inference to be drawn from that express term is that if the customer, here Frip, does "use all reasonable endeavours to keep (its password) confidential and inaccessible to third parties", then it will not be liable to the service provider i.e. Voiceflex for the cost of calls made by unknown third parties, namely the person who actually used the service which Voiceflex supplied.

With effect from 2 April 2012 (i.e. some five months after the events in question) Voiceflex inserted a new clause 29 into its standard terms and conditions. Its text is informative. Under the heading "Fraud" it provides:

“For the avoidance of doubt fraudulent calls include but are not limited to:

(a)

calls made from the customer's PBX without their knowledge

(b)

calls made utilising customer's authentication details

(c)

calls made from an authenticated IP address

Voiceflex have incorporated a ‘fraud notification service’ on the customer portal to assist with the prevention of fraud. Customers set up and maintain their own security independently of Voiceflex, and therefore Voiceflex is unable to accept liability to any costs accrued as a result of a breach in their environments. Each customer has a unique service and therefore Voiceflex are unable to template of fraud alerting system all our customers. It is therefore the customer's responsibility to protect themselves by making use of the tools provided, including setting thresholds and alerts etc. Satellite-based telephony has also been blocked from the Voiceflex network."

That clause, of course, was not a term of the contract between the parties which obtained at the date of the hack. Its subsequent inclusion into Voiceflex’s standard terms and conditions suggests an appreciation on the part of Voiceflex between November 2011 and the beginning of April 2012 of the type of contractual provision it thought appropriate to have in place. However, I also infer from its subsequent inclusion an appreciation on the part of Voiceflex between November 2011 and the beginning of April 2012 that this contractual provision was not in place at the material time.

To conclude: on its proper construction, the agreement between the parties in force at the material time imposed an obligation on the customer, here Frip, to pay for the cost of calls which it actually made. Absent the customer being in breach of contract in a material respect, it was not enough for Voiceflex as service provider simply to prove that it had made a service available to its customer in order to recover from the customer the cost of calls made, not by the customer itself, but by unknown third parties as a result of fraudulent activity.

Mr Warner made a supplemental submission to the effect that there was a term of the contract that only one call could be made by Frip via Voiceflex’s systems at any one time: see paragraph 3 (a) (vii) - (viii) of his written closing submissions.

In support of his submission, Mr Warner referred to the oral evidence of Nathan Ronchetti at trial, where he stated (DG/19) that “ … the counter for concurrent calls at our end was not activated"; he confirmed that Voiceflex had investigated the matter, but was of the opinion that a similar event could recur in the future.

There is no documentary reference which records that there was a term of the agreement that only one call could be made by Frip via Voiceflex’s systems at any one time. Further, in their joint statement, the experts stated as follows (B/148):

“2.3

We agree that the Epygi Quadro 4 IPPBX can only support a maximum of 20 simultaneous VOIP calls, and that at the most efficient compression and utilising the optimum codec, this would require approximately 580 kbits of bandwidth.

2.4

We ... agree that the number of simultaneous calls taking place during the weekend ... was far in excess of the limits imposed by the Epygi Quadro 4 IPPBX ..."

That evidence thus makes a rather different point to the one here contended for by Frip, namely that the number of calls made by unknown third parties over that particular weekend considerably exceeded the capacity of the Epygi PBX.

Mr Leslie Gibson did not mention the point in his witness statement that the service he understood Frip to have contracted for was one whereby only one call could be made at any one time via Voiceflex’s systems. In paragraph 7 of his witness statement (page B/92), having acknowledged that he did "... not have the technical knowledge to understand the complexities of the system installed ...", he stated that he understood "... that it was known as a SIP trunk, and that the SIP trunk is a telephone line accessed over the Internet". But he did not go on to state how many calls he understood could be made any one time over that notional or hypothetical telephone line. It is to be recalled that there is no such thing as a SIP trunk. Instead, the limitation on use that he did refer to was that "... only calls made from recognised extension numbers could be made".

In paragraph 19 of his witness statement Richard Gibson stated (B/99):

“At the time, the single SIP trunk service provided by the claimant could in theory allow concurrent calls to be made over the single SIP trunk, depending on capacity of the customer’s ASDL lines. In 2008 the claimant's service changed such that the single SIP trunk would give access to one SIP line only. This did not affect Frip, because of the settings that I had already put in place on the SIP router i.e. to only allow one VOIP to be made at any one time over a single SIP trunk ..."

There is an inherent inconsistency between the first two sentences of that paragraph. Further, it is not clear from that evidence whether the limit which Richard Gibson installed of only "... one VOIP to be made it any one time over a single SIP trunk" was a limit imposed unilaterally by Frip, or was an agreed contractual term.

In those circumstances, I have come to the conclusion that the evidence in the case does not establish that there was a contractual limit on the number of telephone calls that could be made at any one time by Frip via Voiceflex’s systems.

The above conclusions determine the outcome of this case. However, Mr Warner has formulated alternative submissions on behalf of Frip on the meaning and effect of general condition 11, which he relies on as an alternative line of defence to the claim. Although it is obiter (i.e. not necessary for the decision in the case, and thus not of binding authority) I will express my conclusion on those alternative submissions.

Under the heading "metering and billing" general condition 11 provides as follows:

“The communications provider shall not render any bill to an end-user in respect of the provision of any public electronic communications services unless every amount stated in that bill represents and does not exceed the true extent of any such service actually provided to the end-user in question."

The essence of Mr Mantle’s submissions is that the purpose and function of section 11 of the general conditions is to ensure the accuracy of bills: see paragraph 13 of his written closing submissions. It is not disputed in this case that the bill itself accurately reflected the number and cost of the relevant telephone calls. In support of his submission, Mr Mantle referred to the General Conditions Guidelines published Ofcom. At page 3 of those guidelines the following text appears:

“Condition 11 (paragraphs 1 and 2) requires providers of public electronic communications services to ensure that bills are accurate and obliges providers to maintain records so that this can be checked. The later parts of this condition apply only to providers of publicly available telephone services."

Mr Mantle submitted that there is no reference in the guidelines, or in either of the Ofcom reviews published in November 2005 and February 2013, to fraudulent use, whether in the context of section 11 of the guidelines as a whole, or specifically to condition 11.1. He further submitted that the general conditions were addressed to a narrow or restrictive point, namely the point that the bills must be accurate.

The essence of Mr Warner's submissions is that, if contrary to its primary case there was a contractual liability on Frip to pay the price of calls made not by it, but by unknown third parties as a result of fraudulent activity, then Voiceflex was precluded by general condition 11 from rendering Frip with a bill in respect of the cost of such calls, because such a bill would "... exceed the true extent of any such service is actually provided to the end-user in question". Thus Mr Warner submitted that the effect of general condition 11 was to place the risk of incurring the cost of calls made by unknown third parties as a result of fraudulent activity upon the service provider, rather than upon the end-user.

I have come to the conclusion that, for general condition 11 to carry the meaning contended for by Mr Warner, it would have to contain clear words to such effect. The events which obtained in the present case indicate that such clear words would have to include a reference not only to the provision of the service to the end user, but also to the use of the service by the end user. I do not read general condition 11 as a provision which allocates risk for the cost of calls made by unknown third parties as a result of fraudulent activity, in the manner for which Mr Warner contends.

Accordingly, I reject Frip’s alternative case that, if contrary to its primary case it was in fact contractually liable to Voiceflex for the cost of these calls, it could pray an aid the provisions of general condition 11 to avoid such liability.

In the reply Mr Mantle took the point, in response to Frip’s assertion of a breach of general condition 11.1, that Frip was precluded from relying on the provisions of general condition 11.1 by the operation of section 104 of the 2003 Act.

Under the heading "Civil liability for breach of conditions ...", section 104 of the 2003 Act provides:

“(1)

The obligation of a person to comply with

(a)

the conditions set under section 45 which apply to him ...

…

shall be a duty owed to every person who may be affected by a contravention of the condition ...

(2)

Where a duty is owed by virtue of this section to a person

(a)

a breach of the duty that causes that person to sustain loss or damage and

(b)

an act which

(i)

by inducing a breach of the duty or interfering with its performance, causes that person to sustain loss or damage, and

(ii)

is done wholly or partly of achieving that result

shall be actionable at the suit or instance of that person

(3)

In proceedings brought against a person by virtue of subsection (2) (a) it shall be a defence of that person to show that he took all reasonable steps and exercised all due diligence to avoid contravening the condition or requirement in question.

(4)

The consent of Ofcom is required for the bringing of proceedings by virtue of subsection (1) (a).

(5)

……..”

Mr Mantle submitted that, because Frip had not obtained the consent of Ofcom, it was precluded from relying on any breach by Voiceflex of general condition 11.

In response, Mr Warner submitted that Frip was not "bringing proceedings by virtue of subsection (1) (a)" within the meaning of subsection (4); and further that Frip was entitled to plead in defence to the claim a breach of general condition 11, relying on the authority of LB Wandsworth v Winder [1985] AC 461 in support of that submission.

My conclusion on this further point will also be obiter. Nevertheless it is that section 104 is not in play in these proceedings. Frip is entitled to assert a breach of general condition 11 in defence to a claim without first obtaining the consent of Ofcom. Section 104 acts in effect as a sword, in the sense that it enables a party to bring proceedings. However, its terms do not preclude a defendant from relying on a breach of general condition 11 in defence to a claim; i.e. reliance on a breach of general condition 11 can be used as a shield.

For the reasons already stated, Voiceflex fails in both the alternative ways it puts its claim, and accordingly judgement is to be entered for the defendant Frip. I will hear further submissions from counsel on what, if any, further orders should be made when this judgement is handed down.