Saturday, 16 February 2008

The farm again.

Another Sunday. Another week come and gone.

At least half my time has been sitting on a chair adding the finishing touches to my LLM dissertation on the "Impact of Intermediary Liability".

Even so, it is necessary to both feed the animals and get out and maintain my sanity.

A weekend in photos.

Electronic Espionage

The UK differs from the United States with its efforts at codification through the Restatement and Uniform Trade Secrets Act[1] to introduce a legislative set of controls preventing electronic espionage. The English law as it relates to a breach of confidential information is solely derived from the common law as it has evolved through the cases. A duty of confidence arises when confidential information comes to the knowledge of a person in circumstances where it would be unfair were that information to be disclosed to others (e.g. because the recipient of the information was on notice, or had agreed, that the information was to be so treated). A breach of confidence is the breach of a duty which can give rise to a civil action[2]. Breach of confidence will usually arise in connection with the disclosure of information which has a commercial value, but can also include personal information about individuals.

Breach of confidence is complex and continues to expand to “reflect changes in society, technology and business practice”[3]. Additionally, Art. 8 of the European Convention on Human Rights (concerning the right to privacy) has expanded the available actions connected with a breach of confidence to include safeguarding against the misuse of private information[4]. Under English law, the plaintiff must prove three things to succeed in an action for a breach of confidence:

  1. the information must be confidential, but does not apply to information which is trivial[5];
  2. the information was provided in circumstances importing an obligation of confidence;
  3. there must be an unauthorised use or disclosure of the information, and, at least, the risk of damage[6].

The jurisdictional basis in English law of the action for breach of confidence is unclear. The foundation most regularly relied upon is contract. Frequently the parties will have incorporated express terms relating to confidentiality, but the courts have also commonly acted on the basis of an implied confidentiality provision in an existing contractual relationship. The courts have also created an equitable obligation of confidentiality autonomous of any contractual relationship. This obligation applies to the initial beneficiary of the information, and to third parties who receive unauthorized disclosures of confidential information. This has also been used in addition to a contractual obligation, and at times in substitution for a contractual obligation.

The duty that confidence should be preserved may be outweighed by various other public interest causes which call for use or disclosure in the public interest; this could be either to the world at large or to the proper authorities. At times, a court will be required to balance the public interest in maintaining confidentiality against the public interest favouring use or disclosure[7]. Disclosure of confidential information will not be restrained where there is a ‘just cause or excuse for disclosing it’[8].

An ISP or ICP needs to weigh the need to protect data against the need to protect the public interest. A failure to safeguard the interests of their clients places the intermediary in danger of civil actions. This issue is a particular concern for ICPs (who have some obligation unless explicitly excluded in contract) and particularly service providers specialising in the provision of security services. These providers are contracted to ensure that the security of their clients is maintained and are open to actions in both contract and negligence if they fail in their duties.

Data Protection
In December 2000, the Privacy Amendment (Private Sector) Act 2000[9] modified the Privacy Act[10] in Australia making it apply to various private sector organisations. The Australian legislation was updated to reflect the EU[11] and is based on the Organisation for Economic Cooperation and Development’s (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). The National Privacy Principles[12] (the NPPs) in the Privacy Act detail the methods that the private sector should use to “collect, use, keep secure and disclose personal information”.[13]

These principles provide individuals with a statutory right to discern the extent of information held concerning them by an organisation. It further introduces a right to correct information that is incorrect. An ISP or ICH in Australia would be covered by the amended Privacy Act. The State and Territory privacy legislation also needs to be considered.[14] Likewise, an ISP or ICP in the UK would be covered under the principles laid out in European Union Directive 95/46/EC.

An ISP or ICH that hosts sites for other parties could be held liable if they fail to maintain a reasonable level of system security and a breach of this leads to a compromise of an individual's private data.

Criminally, the UK has no legislation specifically focussed on the dishonest acquisition of pure information[15]. The law holds that information is not property capable of being stolen, as was decided in Oxford v Moss[16], where a university student broke into the Examination Committee’s premises, studied and made a copy of the exam paper and departed, leaving the original exam paper behind. The student’s actions were held not to be theft[17].

In the event that improperly obtained credit card numbers are published on a website facilitating fraudulent purchases using those card numbers, liability may exist if the intermediary operator knows or ought to have known of this action. It is possible that the ISP or ICP could also be a secondary participant in the crime[18]. There is also the possibility of a charge of conspiracy, if the necessary agreement between the intermediary and subscriber could be demonstrated (such as through a contract to not conduct standard checks).

Criminal liability may occur in instances where the subscriber of an ICP publishes passwords allowing unauthorised entry into a computer system. The intermediary may be liable for an offence under the Computer Misuse Act[19] that is committed using those passwords. The precise nature of any liability will be dependent on the facts of the case. In the event that the intermediary had advertised to a category of persons who are expected to execute an attack against a computer system using those passwords made available on the web server, this could amount to incitement to commit an offence under the Computer Misuse Act[20]. To establish incitement, it must be demonstrated that the defendant knew or believed that the individual so incited had the required mens rea to commit the offence. As the mens rea for an offence under Section 1 of the Computer Misuse Act is simply that the defendant intends to gain access to a computer system and knows that such access is not authorized, it would be a simple fact to establish.

Alternatively, the intermediary could be charged with aiding, abetting, counselling or procuring commission of an offence. In all cases, the defendant must have the intention to do the acts which he knows to be capable of assisting or encouraging the commission of a crime, but does not actually need to have the intent that such crime be committed. There must be a causal link for procurement; aiding requires support but not consensus nor causation, while abetting and counselling necessitate consensus but not causation.

[1] The Restatement and Uniform Trade Secrets Act (1985) USA. “In view of the substantial number of patents that are invalidated by the courts, many businesses now elect to protect commercially valuable information through reliance upon the state law of trade secret protection. Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470 (1974), which establishes that neither the Patent Clause of the United States Constitution nor the federal patent laws pre-empt state trade secret protection for patentable or unpatentable information, may well have increased the extent of this reliance”.
[2] Lord Nicholls in Campbell v MGN Ltd [2004] A.C.457 at 464-5 summarised the law of confidence as “[the imposition] of a duty of confidence whenever a person receives information he knows or ought to know is fairly and reasonably to be regarded as confidential”
[3] Douglas v Hello! Ltd [2001] QB 967, per Keene LJ.
[4] Campbell v MGN Ltd [2004] A.C.457
[5] Faccenda Chicken Ltd v Fowler [1987] Ch. 117
[6] Coco –v- AN Clark (Engineers) Ltd. [1969] RPC 41; Murray –v- Yorkshire Fund Managers Ltd [1968] 1 WLR 951. See generally Clerk & Lindsell on Torts, 19th edition (2006), Chapter 28, paragraphs 28-01 and 28-02
[7] Attorney General –v- Observer Ltd. and Others (on appeal from Attorney General –v- Guardian Newspapers (No.2)) [1990] 1 AC 109, see especially pages 281 B-H and 282 A-F, per Lord Goff of Chieveley. See: Clerk and Lindsell on Torts, 19th Edition (2006), Chapter 28, paragraph 28-05
[8] Malone –v- Metropolitan Police Commissioner [1979] 2 WLR 700 at 716, per Sir Robert Megarry V-C and see also W –v- Edgell [1990] Ch. 389; and R –v- Crozier [1991] Crim LR 138, CA.
[9] This Act came into effect from 21 December 2001.
[10] Australia has an informational privacy regime at the federal level based on the Privacy Act 1988 which initially applied mainly to Commonwealth and ACT Government public sector agencies.
[11] European Union Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[12] The National Privacy Principles are extracted from the compilation of Act No. 155 of 2000 Act No. 119 of 1988 that was prepared on 10 January 2001
[13] The Australian Office of the Privacy Commissioner has released “INFORMATION SHEET 2 -2001 Preparing for 21 December 2001” which is available from
[14] See further, The Office of the Federal Privacy Commissioner, Privacy in Australia
[15] There have been a number of cases in the United States which involve the publication of stolen proprietary information. For example, in United States v Riggs and Neidorf, 741 F.Supp.556 (N.D. Ill. 1990), the defendants had between them hacked into a Bell Telephone Company computer, obtained highly confidential information about that computer company’s emergency telephone number system, and had published it in a magazine. They were prosecuted under the 1986 Computer Fraud and Abuse Act, and also under federal statutes dealing with wire fraud and interstate transfer of stolen property.
[16] (1978) 68 Cr. App. R. 183
[17] In the UK, placing stolen Government confidential information on a bulletin board is likely to fall foul of the Official Secrets Act. However, catching the culprit is the main problem; the UK Government has been unable to prevent Sinn Fein putting information about police and army facilities and security on its Web page based in Texas.
[18] US cases involve Defense Department information (United States-v-Morrison, 859 F.2d.151 (4th Circuit 1988)), law enforcement record (United States-v-Girard, (2nd Circuit 1979)), banking information (United States-v-Cherif, 943 F.2d.692 (7th Circuit 1991)) and stock market information (Carpenter-v-United States, 484 U.S. 19 (1987)). Besides these federal statutes, which only apply where there has been a transfer across State lines, a number of States have laws which make criminal the theft of confidential information.
[19] Computer Misuse Act (1990) UK
[20] In a case involving police radar detectors, it was held that advertising an article for sale, representing its virtue to be that it may be used to do an act which is an offence, is an incitement to commit that offence-even if the advertisement is accompanied by a warning that the act is an offence.

Friday, 15 February 2008

Actors who define the Internet

Internet Intermediaries
It was originally argued that widespread disintermediation[1] would occur over the Internet. It was originally believed that the Internet would provide a means to allow transacting parties to deal directly with each other. In reality the opposite has occurred, with additional layers being formed rather than removed. There are two primary reasons for this growth of intermediaries: the first is related to the need to connect to the Internet and the second derives from both trust and the availability of payment. In either case any transaction conducted over the Internet will not be in person. The consequence is that cash exchanges cannot occur and a third party will need to provide the trusted source of funds. The simple need to connect also derives from the distance that may be involved. When communicating across vast distances in small amounts of time, an intermediary is always needed. In the past telecommunications carriers provided fax and phone services to satisfy this transaction. In effect what the Internet has done is to supplant fax, telephony, telex and electronic data interchange (EDI) with new and more universally accepted protocols. It would be rare to find any two parties with sufficient resources to construct and connect a global internetwork themselves.

The issue of trust surrounds payments, creating opportunities for both payment and auction intermediaries. In a contemporary transaction for the sale of a product, any one individual would not be able to assemble the essential resources necessary to reach a global market. The growth of auction intermediaries such as eBay[2] has created the ability to offer products and services internationally, creating global markets. The consequence is that intermediaries have created market segments that were not thought possible and did not previously exist, curtailing the expected disintermediation of the Internet.

Internet service providers
An Internet service provider or ISP provides the communication backbone supporting the Internet.[3] To end-users, the ISP is the entity responsible for opening access to the content on the Internet. Generally speaking, an end-user is unlikely to care about the true path traversed in receiving their data. Most users will not care about the nature of Internet protocols, how routing systems function, what type of physical infrastructure is in place as long as they receive their transmission. In becoming acquainted with the significance of a suitable regulatory design of sensitivity to context, it is imperative to differentiate distinct roles that an ISP can play in the provision of standard Internet services.

There are in effect three primary classifications and ways of distinguishing ISPs. It is likely that any Internet-based transaction will follow a path through a Source ISP and Backbone Providers and arrive at a Destination ISP, where both the source and destination ISPs are effectively endpoints. Backbone providers include the class of telecommunication carriers who deal solely with the transmission and routing of packets across provider networks. For purposes of liability, backbone providers offer little more than a conduit for contractual loss from other providers that they deal with. Backbone providers are unlikely to have the capabilities or capacity that will allow them to distinguish between data, traffic or protocol content, making the ability to filter illicit activity next to impossible at this level.[4] Source and destination ISPs are in effect similar in many ways. In particular, any endpoint ISP will at some stage act as either or both source and destination ISP.

Any end-user request over the Internet is served by a destination ISP. A Source ISP is the organisation that supplies access to the servers and systems where the content (both lawful and illicit) is presented or hosted.[5] There are two significant differences involving the Source ISP and the Destination ISP when viewed under a regulatory framework. Firstly, the Destination ISP serving ordinary end-users is most unlikely to have any direct association with or precise information concerning the primary malfeasor. Any logs or materials that may be maintained are unlikely to hold the level of detail necessary to prove malfeasance. A Source ISP conversely is likely to maintain logs and track access to the content that it maintains. Any process of assessing how “fair” it would be to “hold responsible” the Source ISP for the misconduct of its clients or other parties, and also of determining how successfully the Source ISP could serve as a regulator in controlling misconduct, needs to be weighed against a variety of factors. In many cases, the Source ISP may be located in a jurisdiction without reciprocal regulations, thus preventing prosecution. Next, the Source ISP may itself be a victim of illicit activity.

In the instance that a Source ISP supplies both the host that contains content and also the access to that material, it is likely to be able to more effectively monitor and control the activity than would an ISP that provides only access to the material. A Destination ISP cannot readily remove itself from the authority of the regulatory regime in whose jurisdiction the users are situated. To do so would also remove its ability to serve those end-users. A Source ISP and the content it hosts, if desiring to make possible prohibited conduct, can move itself to an alternate jurisdiction that does not disallow the illicit conduct. For instance, a Source ISP that wishes to implement access to Internet gambling can locate itself in a jurisdiction where these activities[6] are legal and thus legitimised. This in effect places these organisations beyond the jurisdiction and capability of the majority of international legal edicts and the related enforcement capabilities.[7] The Destination ISP however is not beyond this reach. An ISP in London with local clients that allows its clients to connect to a child pornography site in Nigeria needs a local presence in London. At the least this would include a local sales office, local servers, cabling, power and equipment such as switches and routers.

A Destination ISP supplies an end-user with the data that they have requested from the Internet. Many ISPs are merely resellers of Internet connectivity maintaining only simple connection, billing and routing systems. As such, Destination ISPs may be further subdivided into the additional subcategories of Retail ISPs and Link ISPs. A Retail ISP is the one that maintains and operates an end-user billing system. A Link ISP provides not just access but also hosts systems needed to access internet applications including SMTP, POP3 and World Wide Web systems (for e-mail and web access respectively). These organisations also act as the gateways allowing end-users to access the various internet protocols. As the administrators of systems that link disparate networks and the Internet backbone, as well as encapsulating application data into an arrangement that may be broadcast along the backbone, Destination ISPs are capable of averting selected attacks through the blocking of access to certain sites, hosts or even selected data available on the Internet. They may also aid in mitigating or at least slowing the transfer of certain other malicious classes of data such as worms or other malware.

Link ISPs and Retail ISPs need to integrate to present the end-user with access to the Internet and the related services. It is possible to consider their functions to be either integrated or disintegrated based on the circumstances.

Where legislation is focussed on stopping selected Internet access it is fitting to concentrate on those Retail ISPs dealing directly with those affected by the legislation. Legislation mandating IP address filtering (such as to block access to pornographic sites) is better directed to Link ISPs as they can process Internet traffic more effectively than Retail ISPs[8]. Ideally, it is beneficial to consider a single entity Destination ISP formulated from a collaborating Retail ISP and Link ISP group.

Payment intermediaries
The difficulties in transferring cash payments over large distances and between people who may have never met and may never meet created the need for payment intermediaries in Internet transactions. Payment intermediaries provide both trust and some realistic means for a purchaser to transfer consideration to the seller reliably. For instance, if a buyer on an online auction site comes up with the highest bid, incurring a debt, a payment intermediary would be involved in order to arrange a transfer of funds either from the purchaser's banking account or via some payment card system, consummating the transaction.

As an example, if party A located in Singapore was to sign up for an account with a licensed online casino such as Lasseter’s online in Australia, party A would require some means of transferring funds from their banking account to a trust account managed and maintained by Lasseter’s. When party A has subsequently been successful at their gambling pursuit playing online poker, the party would require some means of ensuring the return of their winnings. If on the other hand party A had accumulated gambling debts, Lasseter's would require some means of ensuring that funds in the trust account were used to pay those debts.

In the case of smaller amounts, this may be as simple as holding party A’s credit card details in a database. In situations where the transactions are large, Lasseter's may wish to use party A’s bank to transfer money in advance or otherwise to secure some assurance that A’s potential gambling losses will be covered. The payment card company or bank in practice is an essential actor for the conduct which party A desires to enact.

It was originally believed[9] that digital cash or electronic money would be created or minted, allowing for some type of universal credit, and would facilitate Internet transactions. Although a number of schemes did emerge, the vast majority of transactions that occur across the Internet are made by traditional means such as credit cards.[10] Rather than digital cash being minted, a new type of payment intermediary developed. Peer to peer (P2P) payment systems,[11] such as PayPal, emerged allowing individuals to receive transactions directly[12], bypassing merchants, and also acting as a means of consolidating payment methods by providing a mechanism to interact with various banks and payment card institutions directly.

Peer-to-peer processing networks have aided the growth of auction intermediaries such as eBay.[13] Payment card providers, P2P systems, and other entities that act as a mechanism to facilitate commercial transactions[14] also have the capability to stop illicit transactions and act as regulatory enforcement points. A commercial site distributing child pornography from Nigeria cannot be run profitably without an economical method of receiving consideration. If the site operators cannot reliably receive payment, they will quickly shut down. As the financial gatekeepers, payment intermediaries can be used to prevent illicit activity over the Internet. Either through proactive actions or upon the receipt of court orders, an Internet payment intermediary could be used as an aid to curtail undesirable activities occurring across the Internet.

Auction intermediaries
The auction intermediary has become the predominant means of matching buyers and sellers. These range from the classic auction structure as defined by the industry leader, eBay, through to a more dynamic market structure more reminiscent of a stock exchange or futures exchange trading floor. At the simplest, these parties provide client to client matching services allowing individuals and small corporations across the globe to deal (seemingly) directly.

These organisations are the target of most complaints concerning breaches of contract, illicit or illegal goods and even failure to act. One of the difficulties is the direct result of legislative differences between jurisdictions. In many cases, goods or services that may be legal in one jurisdiction could be controlled or proscribed in another. Liability for internet auction intermediaries mirrors those principles that have been created and applied in disputes concerning traditional or real-world auction intermediaries, as may be seen in Fonovisa.[15]

[1].See, Shapiro, Andrew L., Digital Middlemen and the Architecture of Electronic Commerce, 24 Ohio N.U. L. Rev. 795 (1998).
[3]. Jonathan D. Bick, Why Should the Internet Be Any Different?, 19 Pace L. Rev. 41, 63 (1998) states that “Even the simplest internet transaction usually involves a user’s computer, an internet service provider’s access computer, a regional router, a governmental backbone computer, another regional router, another internet service provider’s computer, and a content provider’s computer. So, even in the simplest transactions, there are many more intermediaries than users or content providers”.
[4].This seems to be the view of earlier writers, who argue that the difficulty of understanding the data that travels over ISP networks is an artifact of the internet’s basic transmission protocol, under which the data that travels over those networks is in the forms of dis-integrated packets of any particular file. See Lessig; Solum & Chung. It seems plain that backbone providers readily can discern the IP address to which packets are being routed. More generally, more than one reader of a draft of this essay has found it easy to imagine technology that would allow backbone providers to recognize certain types of content passing through its network.
[5].This point is best made by Jonathan Zittrain, Internet Points of Control, 44 B.C. L. Rev. 653 (2003).
[6].In such a structure, there is and has been an international race to the bottom to attract business to certain countries by decreasing the legal obstacles to their establishment. In the context of internet gambling, the winner of this race has arguably been the small island of Antigua in the British West Indies. See Don Yaeger, Bucking the Odds, Sports Illustrated, Jan. 8, 2001, at 26 (“Some 850 Web gambling sites are based [in Antigua] and an estimated 80% of all gaming URLs on the Web can be traced back to servers on the 108-square-mile island.”); United States General Accounting Office, Report GAO-03-89, Internet Gambling: An Overview of the Issues 52 (2002), available at [hereinafter GAO Report] (listing 35 of 88 internet gambling websites as registered in either Antigua or Barbuda, but failing to report the percent of internet gambling taking place at these sites).
[7].Indeed the United States even brought a case against the country of Antigua and Barbuda before the WTO in an effort to curtail the proliferation of internet gambling operations on that tiny island nation. The United States lost that suit. See Naomi Rovnick, Herbies Helps Antigua in WTO Outsourcing Victory, Lawyer, April 5, 2004, at 10.
[8] Many Retail ISPs maintain little or no technological capability to filter internet traffic.
[9] XXXX
[10].In 2002, roughly ninety percent of internet transactions used credit cards. Ronald J. Mann, Regulating Internet Payment Intermediaries, 82 Texas L. Rev. 681, 681 (2004).
[11].In this context, P2P stands for “person-to-person.” The term is to be distinguished from the more common use of the same acronym to describe the peer-to-peer filesharing discussed in the context of piracy.
[12].See Mann, supra note 9, at 683.
[14].Because of the fluidity of payment mechanisms on the internet, there are a wide variety of service providers of various kinds (companies like Checkfree, Cybernet, and, for example) that might or might not be regarded as intermediaries, depending on the circumstances. For purposes of this Essay, however, we focus on the dominant intermediaries like Visa, MasterCard, and PayPal.
[15].Fonovisa, Inc. v. Cherry Auction, Inc., 76 F.3d 259, 264 (9th Cir. 1996).

Thursday, 14 February 2008

Document destruction in Victoria.

The impact of destroying documents
The Victorian Crimes (Document Destruction) Act 2006 (the Document Destruction Act) was passed into law in Victoria in 2006. Together with the Evidence (Document Unavailability) Act 2006 (the Document Unavailability Act), these pieces of legislation amend the Victorian Crimes Act 1958 and Evidence Act 1958, respectively. They were issued in response to concerns raised by the Report on Document Destruction and Civil Litigation in Victoria, by Professor Peter Sallmann. It is imperative that all companies comprehend their responsibility in respect of how they store or destroy any documents. This incorporates email and other electronic files.

The Document Destruction Act establishes additional criminal penalties and the Document Unavailability Act sets up new civil consequences. The Document Destruction Act affects acts carried out in Victoria such as those by companies resident (or engaging in business) within Victoria. The Document Unavailability Act pertains to civil proceedings initiated within Victoria.

The Document Destruction Act introduced s254 into the Crimes Act 1958 (Vic) creating a new offence of destruction of evidence by an individual or a body corporate. The result is that an individual shall be guilty of an indictable offence if they:

  • know that a document or other thing of any kind is, or is likely to be, required in evidence in a legal proceeding; and
  • destroy it, or expressly or impliedly authorise or permit another person to destroy it, and that person does so; and
  • do so with the intention of preventing it from being used in evidence.

The maximum penalty under the Document Destruction Act for an individual is five years' imprisonment and a fine of over $62,000. A body corporate may be fined over $300,000.

Criminal penalties
The Document Destruction Act creates a criminal offence associated with the destruction of documents. If it is possible and plausible for a document to be called upon in any ongoing or possible future legal proceedings, the destruction or concealment of the document will leave the person, and anyone who has authorised or permitted them, open to being prosecuted for acting with the purpose of preventing the documents from being used in a legal proceeding. This is the offence of document destruction. When a document shall be "reasonably likely to be required" is not defined. As such, all documents that could be requested in any existing or possible future disagreement must be preserved. This includes emails. To prove authorisation or permission from a company, s254 requires that proof is supplied demonstrating that the board of directors, an officer, or a director supplied that authorisation or permission. Otherwise, a corporate culture that directed, encouraged, tolerated or led to the destruction taking place may be used as evidence.

Both individuals and companies can be prosecuted. In the case of a company, the conduct, knowledge and intention of officers or directors of the company are routinely ascribed to the company. The Document Destruction Act has established a "corporate culture" test for gauging an individual’s intention to prevent a document from being admitted into evidence. A limited defence of "due diligence" is available if the company can demonstrate good corporate governance and document handling practices.

Civil consequences
The Document Unavailability Act covers the case of documents being "unavailable" in civil proceedings and permits the court to "reverse" the consequence of the unavailability of the documents.

"Unavailability" is defined widely to denote a document that was formerly in the control of a company or individual and which has subsequently been destroyed or otherwise rendered unavailable. The Document Unavailability Act is not concerned with how the document was destroyed, but simply with whether the document is available.

Under the new legislation, if a document is not available in a proceeding, and the court is of the view that the unavailability is likely to cause unfairness to a party, then the court will have the power to make any rulings or orders to ensure fairness to all parties, having regard to the circumstances in which the document became unavailable and its impact on the proceeding. The types of orders include:
  • drawing an adverse inference from a document being unavailable,
  • presuming the fact that would have been proven by the document is true (without evidence to the contrary) even though the document is not available,
  • rejecting the admission of documents where their trustworthiness has been tainted by another document not being available, and
  • reversing the burden of proof in relation to the issue that the missing document concerns.
Legal proceedings that “may be” commenced
The Acts apply to legal proceedings that are in progress or are to be, or may be, commenced in the future. It is uncertain how remote a time this would cover. It would be necessary to extend document retention to cover all periods of limitation, including discretionary extensions.

Corporate culture
The Act has introduced the definition of “corporate culture”. The features detailed in the Act for determining whether an acceptable corporate culture subsisted include:
  • whether authority to commit the new offence or an offence of a similar character had been given by the officer of a body corporate; and
  • whether the associate has a reasonable belief or expectation that an officer of the body corporate would have authorised or permitted the relevant conduct being carried out with the relevant intention.
The Act states that the corporate culture encompassed by it shall “include situations where corporate policies and processes provide implied authorisation or permission”.

Wednesday, 13 February 2008

Issues with electronic contracting

The Internet is fundamentally a means of communication. Issues with law that have arisen because of the Internet are thus a result of the differences between communication in the physical world and communication using the Internet. Contractual negotiations are the result of a series of communications that create a legally binding agreement. For this reason, there is little difference between contracts made online and those formed through face-to-face communication. The facts surrounding the form of the communication are the primary difficulty.
At the most fundamental level, the existence of an offer and an acceptance is one of the primary requirements for the creation of a contract. The set of laws used to determine whether there has been a valid offer and acceptance created across the Internet, or a mere invitation to treat, has its lineage in the case law concerning postal and telex communications.

It is important to remember that the Internet is not a single communications channel. The Internet is a collection of separate protocols used to communicate over the same physical connection. The result of this collection of protocols is that different legal issues will apply to the individual communication protocols. Protocols such as e-mail correspond to the process of sending a letter by post. A result of this is that we can match the physical world laws to the corresponding situations created by each of the individual Internet protocols. In this manner, we may see that the World Wide Web could be analogous to a mail order catalogue based purchasing system. The same principles govern the process of contractual creation whether or not the process is faster.

As an offeror may stipulate the method of acceptance[1], it would be wise for parties to agree to the form of acceptance prior to the conclusion of the contractual negotiations.
A further important issue that surrounds Internet contracting is the general rule of law that, for an acceptance of an offer, it must be “communicated” to the offeror[2]. Under normal circumstances, the offeror must actually receive the acceptance before a contract will come into existence.

[1] Eliason v Henshaw (1819) & Manchester Diocesan Council for Education v Commercial and General Investments (1970).
[2] McKendrick [1], 2005; p43 - 44

The changing nature of IT.

One of the issues is a drive to add layers of compliance. It is a simple way for a government to “do something” without doing much. In the early days of the Wild, Wild Web, there were many things that would no longer be considered acceptable. All of this has changed in just 10 years or so.

Likewise, there is a move to “clean up” the professions. Just because you have managed to get away with something does not mean that you shall continue to do so. In the past, not many people who worked in IT had a degree. It was not a requirement. This is changing: the requirement has moved and the bar has been raised.

It is an economic principle of supply and demand. People can demand a degree these days and will pay a premium for staff with professional qualifications. As this occurs, the number of professionally qualified people increases and thus the power and influence of the professional groups that they are members of also increases.

The consequence is that they make political moves to raise the bar further and hence the requirements increase leading to legislative enforcement.

40 years ago, most accountants and lawyers did not have a degree. Now it is required. IT is just following the same path.

Tuesday, 12 February 2008

Internet Piracy, Contraband and Counterfeit Products

It may often occur that works offered over the Internet, either by a service provider or its subscribers, are covered by copyright owned by a third party who has not sanctioned the works’ distribution. In some instances, a service provider may be liable for a copyright infringement committed using its service and systems.

In the UK, copyright law is governed through the Copyright, Designs and Patents Act 1988 (the “1988 Act”) and the ensuing decisions of courts. The Australian position[i] mirrors that of the UK, where protection of a work is free and automatic upon its creation, and differs from the position in the US, where work has to be registered to be actionable. While some divergences may be found, Australian copyright law largely replicates the frameworks in place within the US and UK. The copyright term in Australia is shorter than in these jurisdictions, being the creator’s life plus 50 years, whereas the UK has a term of 70 years from the end of the calendar year in which the last remaining author of the work dies for literary works. As co-signatories to the Berne Convention, most foreign copyright holders are also sheltered in both the UK and Australia.

The 1988 Act catalogues the copyright holder’s exclusive rights as the rights to copy, issue copies of the work to the public, perform, show or play in public and to make adaptations. An ephemeral reproduction that is created within a host or router is a reproduction for the purposes of copyright law. Though there appears to be no special right to broadcast a work over a network, a right is granted in Section 16(1)(d) to broadcast the work or include it in a cable program service. The notion of “broadcast” is restricted to wireless telegraphy receivable by the general public. Interactive services are explicitly excluded from the designation of “cable program service” (S.7 (2)(a)). A proviso making an individual an infringer of the act in the event of remote copying has been defined to encompass occasions where a person transmits the work over a telecommunications system[ii] knowing or reasonably believing that reception of the transmission will result in infringing copies being created.

The law contains provisions imposing criminal penalties and civil remedies for making, importing or commercially trading in items or services designed to thwart technological copyright protection instruments, and sanctions against tampering with electronic rights management information and against distributing or commercially dealing with material whose rights management information has been tampered with.[iii]

There are several legislative limitations on the scope of exclusive rights under UK law. Liability is also possible for secondary infringement, including importing and distributing infringing copies prepared by a third party. The scope of the exclusive rights of the copyright owner is extensive enough to include an ISP or ICH that utilises, or consciously allows another to use, its system in order to store and disseminate unauthorized copies of copyright works. This situation would create the risk of civil action. A contravention could constitute a criminal offence if a commercial motivation for copyright infringement could be demonstrated.

The Australian High Court decision in Telstra Corporation Ltd v Australasian Performing Rights Association Limited[iv] imposed primary liability for copyright infringement on Telstra in respect of music broadcast over a telephone “hold” system. A large part of the decision concentrated on the definition of the diffusion right in Australia.[v] It follows from this decision that if an ISP broadcasts copyright works in the general course of disseminating other materials through the Internet, that diffusion is a “transmission to subscribers to a diffusion service” as defined by the Australian Copyright Act. It consequently emerges that an ISP may be directly liable for an infringement of copyright caused by that transmission under Australian common law for the infringements of its customers.[vi]

A determination as to whether a message using telecommunications is “to the public”[vii] will likely hinge on whether the message is made “openly, without concealment”[viii] to a sufficiently large number of recipients. No case has attempted to quantify a specific cut-off point.

In Moorhouse v. University of New South Wales,[ix] a writer initiated a “test case” asserting copyright infringement against the University of New South Wales. The University had provided a photocopier for the function of allowing photocopying of works held by the university’s library. A chapter of the plaintiff’s manuscript was copied by means of the photocopier. The library had taken rudimentary provisions to control the unauthorised copying. No monitoring of the use of the photocopier was made. Further, the sign located on the photocopier was unclear and was determined by the Court to not be “adequate”[x]. The Australian High Court held that, whilst the University had not directly infringed the plaintiff’s copyright, the University had sanctioned infringements of copyright in that the library had provided a boundless incitement for its patrons to duplicate material in the library.[xi]

In July 1997, the Attorney-General published a discussion paper[xii] that proposed a new broad-based technology-neutral diffusion right as well as a right of making available to the public[xiii]. This provides the position where direct infringement by users of a peer-to-peer (P2P) file-sharing network would be covered in Australian law in a manner comparable to the US position in both Napster and Grokster[xiv].

Mann and Belzley’s[xv] position, which holds the least-cost intermediary liable, is likely to be upheld under existing UK, US and Australian law. The positions held by the court in Telstra v Apra[xvi] and Moorhouse v UNSW[xvii] define the necessary conditions to detail public dissemination and infringement through a sanctioned arrangement. The public dissemination of music clips on a website could be seen as being analogous to the copying of a manuscript, with the ISP's disclaimer being held as an inadequate control. It is clear that the provision of technical controls, monitoring and issuing of take down notices by the ISP would be far more effective at controlling copyright infringement than enforcing infringements against individuals.

Several cases have occurred in the US involving ISPs or other service providers that hosted copyright material made available to those accessing the site. A significant decision was made in Religious Technology Center v. Netcom On–line Communication Services, Inc[xviii]. The case involved the posting of information online which was disseminated across the Internet. The postings were cached by the hosting provider for several days, and robotically stored by Netcom’s system for 11 days. The court held that Netcom was not a direct infringer in summary judgment[xix]. It was held that the mere fact that Netcom’s system automatically made transitory copies of the works did not constitute copying by Netcom. The court furthermore discarded arguments that Netcom was vicariously liable.

In the UK, “fair dealing” exceptions are a great deal more restricted than the US “fair use” exceptions. Netcom[xx], if tried in the UK, would have to deal with the explicit requirements of Section 17 of the 1988 Act, under which copying includes storage by electronic means and also covers the creation of transient or incidental copies. These provisions make it probable that the result in the UK would have varied from that in the US, at least in the first instance. The inclusion of storage differentiates ISPs and ICPs from telephone providers, aligning them closer to publishers.

An ISP or ICP could attempt to argue a similarity to a librarian over that of a publisher. The statutory provisions providing certain exemptions from liability for libraries under the 1988 Act and accompanying regulations are unlikely to apply to an ISP as the ability for a librarian to make copies is controlled under strict conditions. It is doubtful that these conditions could be met by either an ISP or ICP.

Modern peer-to-peer networks have separated the network from the software with a decentralised indexing process[xxi] in an attempt to defend themselves from exposure to vicarious liability as in Napster.[xxii] The methods suggested by Kraakman’s analysis of asset insufficiency[xxiii] have led ICPs and ISPs to become judgment proof, thus restraining the effectiveness of sanctions even against the intermediaries. It seems natural to expect, as the technology develops, that it will in practice be so decentralized as to obviate the existence of any intermediary gatekeeper that could be used to shut down the networks.[xxiv]

The success of modern peer-to-peer networks has resulted in the content industry targeting those individual copyright infringers who use peer-to-peer networks to disseminate or download copyrighted material.[xxv] Existing peer-to-peer networks and software permit the capture of sufficient information concerning individuals who attach to the network to identify the degree of infringement and possibly who is responsible[xxvi]. Recent advances to the P2P networking protocols have allowed users to screen their identity, removing the ability for copyright holders to bring their claims to court[xxvii]. As copyright infringement evolves, it will become more improbable to expect a solution through prosecuting individual users[xxviii].

[i] Australian Act is modeled on the 1956 UK Act.
[ii] This does not include broadcasting or cable
[iii] See also, UK Intellectual Property Office, Australian Copyright Council Online Information Centre and the US Copyright Office.
[iv] Telstra Corporation Limited v Australasian Performing Rights Association Limited (1997) 38 IPR 294. The Majority of the High Court (with Justices Toohey and McHugh dissenting) upheld the Full Court that music on hold transmitted to users of wired telephones represents a transmission to subscribers over a diffusion service. The Court further unanimously held that music on hold transmitted to users of mobile telephones involves a broadcast of the music.
[v] Section 26 of the Australian Copyright Act 1968.
[vi] This decision has created apprehension amongst authors. E.g. Simon Gilchrist “Telstra v Apra –Implications for the Internet” [1998] CTLR 16 & MacMillian, Blakeney “The Internet and Communications Carriers’ Copyright Liability” [1998] EIPR 52.
[vii] Ibid; See also Goldman v The Queen (1979), 108 D.L.R. (3d) 17 (S.C.C.), at p. 30. It would therefore appear that it is the intention of the sender of the message which is determinative of the private or public nature of the message.
[viii] Supra note 3
[ix] [1976] R.P.C. 151.
[x] This is similar to the findings in RCA Corp. v. John Fairfax & Sons Ltd [1982] R.P.C. 91 at 100 in which the court stated that “[A] person may be said to authorize another to commit an infringement if he or she has some form of control over the other at the time of infringement or, if there is no such control, if a person is responsible for placing in the hands of another materials which by their nature are almost inevitably to be used for the purpose of infringement.”
[xi] [1976] R.P.C. 151 “[A] person who has under his control the means by which an infringement of copyright may be committed - such as a photocopying machine - and who makes it available to other persons knowing, or having reason to suspect, that it is likely to be used for the purpose of committing an infringement, and omitting to take reasonable steps to limit use to legitimate purposes, would authorize any infringement that resulted from its use”.
[xii] See Attorney-General’s Discussion Paper, “Copyright and the Digital Agenda”, July 1997 at 71. The goal of this paper was to indicate the method by which Australia could implement the international copyright standards agreed at the December 1996 WIPO meeting.
[xiii] See Attorney-General’s Discussion Paper, note 11.
[xiv] A&M Records Inc v Napster, Inc 114 F Supp 2d 896 (ND Cal 2000) & A&M Records Inc v Napster, Inc 239 F 3d 1004 (9th Cir 2001); Metro-Goldwyn-Mayer Studios Inc v Grokster Ltd Nos CV-01-08541-SVW, CV-01-09923-SVW (CD Cal, 25 April 2003) ('Grokster') & Grokster Nos CV-01-08541-SVW, CV-01-09923-SVW (CD Cal, 25 April 2003), 21-2.
[xv] Mann, R. & Belzley, S (2005) “The Promise of the Internet Intermediary Liability” 47 William and Mary Law Review 1 at 27 July 2007]
[xvi] See Supra note 3
[xvii] See Supra note 8
[xviii] 907 F. Supp. 1361 (N.D. Cal. 1995)
[xix] See also, System Corp. v Peak Computer Co., F.2d 511 (9th Cir. 1993), in which it was held that the creation of ephemeral copies in RAM by a third party service provider which did not have a license to use the plaintiff’s software was copyright infringement.
[xx] 907 F. Supp. 1361 (N.D. Cal. 1995)
[xxi].Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd., 380 F.3d 1154 (9th Cir.) (Refusing to find liability for Grokster even though it aided end-users in copyright infringement because the service. This case is fundamentally different than Napster), cert. granted, 125 S. Ct. 686 (2004).
[xxiii].Kraakman, Corporate Liability Strategies, supra note 88, at 869.
[xxiv].See generally Tim Wu, When Code Isn’t Law, 89 Va. L. Rev. 679 (2003) (explaining that peer to peer networks have removed the intermediary on which copyright enforcement requires).
[xxv].See Amy Harmon, Subpoenas Sent to File Sharers Prompt Anger and Remorse, N.Y. Times, July 28, 2003, at C1. See also Brian Hindo & Ira Sager, Music Pirates: Still on Board, Bus. Wk., Jan. 26, 2004, at 13. See J. Cam Barker, Grossly Excessive Penalties in the Battle Against Illegal File-Sharing: The Troubling Effects of Aggregating Minimum Statutory Damages for Copyright Infringement, 83 Texas L. Rev. 525 (2004).
[xxvi].See Alice Kao, Note, RIAA v. Verizon: Applying the Subpoena Provision of the DMCA, 19 Berkeley Tech. L.J. 405, 408.
[xxvii].Scott Banerjee, P2P Users Get More Elusive, Billboard, July 31, 2004, at 5.
[xxviii].Perversely, what probably has in fact reduced the frequency of copyright infringement is more crime: using P2P systems subjects a computer to the threat of viruses that are spread inside the files obtained. Wendy M. Grossman, Speed Traps, Inquirer (U.K.), Jan. 14, 2005, at ___ , available at (last visited Jan. 15, 2005). Another dissuasion has been the systematic effort by the recording industry to saturate P2P systems with dummy files that make getting the music a user actually wants quite difficult. See Malaika Costello-Dougherty, Tech Wars: P-to-P Friends, Foes Struggle, PC World, Mar. 13, 2003, at __ , available at,aid,109816,00.asp (last visited Jan. 15, 2005) (documenting the practice and attributing it to a company called Overpeer, which is apparently an industry anti-piracy company).

Monday, 11 February 2008

Liability for Distributing a Virus or other Malware

The Internet allows an individual to either inadvertently or purposely disseminate malware (such as a virus) to other systems globally. The potential impact could encompass the “infection” or compromise of millions of hosts. This has occurred. A “harmless experiment” by Cornell University student Robert Morris involved the release onto the Internet of a type of malware called a “worm” that compromised over 6,000 computers and required millions of dollars’ worth of time to eradicate. As several “nonpublic computers” run by the US Government were damaged[i], Morris was prosecuted under the US Computer Fraud and Abuse Act (CFAA). He was convicted notwithstanding his declaration that he had no malicious objective to cause damage.

It is probable that a service provider or content hosting entity will face a degree of liability dependent on intention. If malware is intentionally posted, as in Morris’ case, no uncertainty exists as to whether the conception and insertion of the malware was deliberate. Morris stated that he did not intend harm, but the fact remained that he intentionally created and released the worm. In the United States, both Federal and State legislation has been introduced to deal with the intentional formation and release of malware.

In the UK, the introduction of malware is covered by section 3 of the Computer Misuse Act[ii]. The Act states that a crime is committed if a person “does any act which causes an unauthorised modification of the contents of any computer” and the perpetrator intends to “cause a modification of the contents of any computer” which may “impair the operation of any computer”, “prevent or hinder access to any program or data held in any computer” or “impair the operation of any such program or the reliability of any such data”. The deliberate introduction of any malware will meet any of these requirements by taking memory and processing from the system and feasibly damaging the system. It is also necessary for a successful prosecution to demonstrate a “requisite knowledge”. This “is knowledge that any modification he intends to cause is unauthorised”. With the volume of press coverage concerning the damage that can be caused by malware and the requirements for authorisation, it is highly unlikely that an accused party would be able to successfully argue ignorance as to authorisation.

Malware is generally distributed unintentionally subsequent to its initial creation. Thus an ICHP[iii] or an ISP would not be found criminally liable under either the Computer Fraud and Abuse Act or the Computer Misuse Act for most cases of dissemination. For the majority of content providers on the Internet, there exists no contractual agreement with users, who browse the majority of sites without any prospect of consideration. The consequence is that the only civil action that could succeed for the majority of Internet users would be a claim brought in negligence. Such a claim would have to overcome a number of difficulties even against the primary party who posted the malware, let alone the ISP.

It would be necessary to demonstrate that the ISP is under a duty of care. The level of care that the provider would be expected to adhere to would be dependent on a number of factors, would be a matter for the courts to decide, and could vary with the commerciality of the provider and the services provided. The standard of due care could lie anywhere between a superficial inspection and a requirement that all software is validated using up-to-date anti-virus software at regular intervals, with the court deciding on the facts of the initial case that comes before it. The duty of care is likely to be most stringently held in cases where there is a requirement for the site to maintain a minimum standard of care, such as in the case of a payment provider that processes credit cards. Such a provider is contractually required to adhere to the PCI-DSS as maintained by the major credit card companies[iv] and would consequently have a greater hurdle in demonstrating that they were not negligent in not maintaining an active anti-virus programme.

Loss of an entirely economic nature cannot be recovered through an action for negligence under UK law. There is a requirement that some kind of “physical” damage has occurred. The CIH or Chernobyl virus was known to overwrite hard-drive sectors or BIOS. This could in some cases render the motherboard of the host corrupt and unusable. In this instance the resultant damage is clearly physical; however, as in the majority of internet worms[v], most impact is economic in effect. Further, it remains undecided as to whether damage to software or records and even the subsequent recovery would be deemed as a purely economic loss by the courts. Although criminal action may ensue against the perpetrator, there is uncertainty as to the level of recovery that could be sought.

It may be possible to initiate a claim using the Consumer Protection Act[vi] in the UK and the directives that are enforced within the EU[vii]. The advantage to this approach is that the act does not base liability on fault. It relies on causation instead of negligence in determining the principal measure of liability. The act rather imposes liability on the “producer” of a “product”. A “producer” under the act includes the classification of importer, but this definition would only be likely to extend to the person responsible for the contaminated software such as the producer or programmer. It also remains arguable as to whether software transmitted electronically forms a “product” as defined under the act.

[i] Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030; There is an obligation for prosecution under the CFAA that a nonpublic computer is damaged where the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information.
[ii] Computer Misuse Act 1990 (c. 18), 1990 CHAPTER 18
[iii] Internet Content Hosting Provider
[iv] The PCI-DSS at section 5 requires that “Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software.”
[v] Scandariato, R.; Knight, J.C. (2004) “The design and evaluation of a defense system for Internet worms” Proceedings of the 23rd IEEE International Symposium on Reliable Distributed Systems, 2004. Volume, Issue, 18-20 Oct. 2004 Page(s): 164 - 173
[vi] The Consumer Protection Act 1987 (Product Liability) (Modification) Order 2000 (Statutory Instrument 2000 No. 2771)
[vii] See also, Electronic Commerce (EC Directive) Regulations 2002, SI 2000/2013 and the provisions of the Product Liability Directive (85/374/EEC)

Sunday, 10 February 2008

Wet, Wet, Wet ...

A wet weekend. But the garden likes it.
The last of the summer flowers are in bloom.
Including pumpkin flowers from the vine that is taking over.
And as you can see, taking over is what the vegetables are doing...
But they are growing.
And growing...

And are adding colour.
And not only add context, but also soothe the mind.
They also keep the "pests" happy. The secret is to grow more than you need. This way all have enough. That is the insects and ourselves. A small backyard garden on 20 square meters is more than enough for a family.

By supporting the ecosystem in balance, the results are there for all. Rather than going to extremes, a combination of methods works best.
This is using our minds to produce the maximum benefits. By mixing limited pesticide use with low toxicity at selected times, all benefit. In this way, the local wildlife such as birds and blue tongue lizards take away the excess and create an equilibrium.
Well I have to fly. I have a parish council meeting in 90 minutes or so to get ready for.