Tuesday, 8 November 2011

Effective Enforcement in the Wild Wild Web

1 Introduction

Some time ago Hilary E Pearson (1996) noted that, “in many cases, liability will depend upon how a court faced with a case of first impression analogizes a particular Internet service provider to more conventional categories of information providers. For example, should the service provider be viewed as the equivalent of the telephone company, purely a conduit for information? This might be the right analogy for the telecommunications link provider, but clearly does not fit the publisher. On the other hand, if the provider is viewed as analogous to a publisher of a printed publication, there is a much greater exposure to liability”.[1]

Further, it was noted that the provider of a host computer for third party web pages could be compared to a printer or perhaps a distributor of printed publications. It could also be argued that a Usenet group or bulletin board is analogous to a library, so that the provider should be treated as the librarian.

The foremost dilemma with the study of electronic law is the complexity and difficulty of confining its study within simple parameters. Internet and e-commerce law do not define a distinct area of law in the way that contract[2] and tort law do. Electronic law crosses many legal disciplines, each of which can be studied individually. Examples of the range of areas of law that electronic, e-commerce and Internet law touch upon can be seen in the following pages.

2 Remedy in Tort and Civil Suits

The availability of Internet intermediaries as co-targets for actions makes them susceptible to actions by both their clients and uninterested third parties for passing off and for misleading and deceptive conduct. An action for the tort of intentional interference with business by unlawful means may also be available where the use of the trade mark is unlawful.

The courts generally seem willing to apply conventional fault-based tort principles to weigh up the behaviour of intermediaries. The instances in which comparatively egregious conduct has ended in the liability of the intermediary are few,[3] and the majority of cases conclude with the absolution of the intermediaries from blame.[4] Those circumstances that have resulted in a decision by the court that in effect declares that the intermediaries hold considerable accountability for the behaviour of any primary malfeasors have, in both the EU and the US, resulted in the respective legislatures acting to overrule the decision by legislatively granting expansive exemptions from liability to the intermediaries.[5] The paths share not only the reflexive and unreflective fear that recognition of liability for intermediaries might be catastrophic to internet commerce; they also share a myopic focus on the idea that the inherent passivity of internet intermediaries makes it normatively inappropriate to impose responsibility on them for the conduct of primary malfeasors. That idea is flawed both in its generalization about the passivity of intermediaries and in its failure to consider the possibility that the intermediaries might be the most effective sources of regulatory enforcement, without regard to their blameworthiness.[6]

In the US, Congress has endorsed legislative protection for intermediaries from liability in defamation with the introduction of the Communications Decency Act.[7] 47 U.S.C. §230 states its policy on Internet regulation unambiguously,[8] and the Act introduced a series of “Good Samaritan” provisions as part of the Telecommunications Act of 1996. This was tested in DiMeo v Max (2007),[9] in which the court found the defendant not liable for comments left by third parties on a blog. The plaintiff alleged that the defendant was a publisher of the comments hosted on the website, but did not allege that the defendant authored the comments or was an information content provider. Under 47 U.S.C. § 230(f)(3), the court determined that “the website posts alleged in the complaint must constitute information furnished by third party information content providers”, and as a consequence immunity applied to the forum board operator. The Court upheld the dismissal of the suit.

The Act, first passed in 1996[10] and subsequently amended in 1998,[11] has the apparent rationale of minimising Internet regulation in order to promote the development of the Internet and safeguard the market for Internet services. The Internet has since become so essential to daily life that it is improbable that the addition of extra legislation would intimidate service providers away from the provision of services at a competitive rate.[12]

In the US, 47 U.S.C. § 230(c)(1) provides a defence for ISPs, stating that, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” This statute would seem[13] to afford absolute immunity from any responsibility. In contrast to the DMCA, the ISP or ICP could choose not to remove material even where the ISP or ICP has actual knowledge of the defamatory nature of the material it is in fact hosting.[14] Although the focus of this legislation was liability for defamation, it has been applied to seemingly unrelated auction intermediaries, including eBay.[15]

Within the European Union, judgments obtained in the courts of one state are enforceable in any other state party to the Brussels Convention. Otherwise, a judgment in one state will be enforceable in another only where there is a bilateral treaty providing for such reciprocal enforcement between them. Frequently, these treaties add formalities to the enforcement process that give the courts of the jurisdiction in which the defendant is situated discretion both as to whether to enforce and to what degree. It is consequently vital, when deciding on a jurisdiction in which to bring suit, to determine whether any judgment obtained is enforceable against a defendant who may in effect be judgment-proof.

3 Cyber Negligence

Not acting to correct a vulnerability in a computer system may give rise to an action in negligence if another party suffers loss or damage as the result of a cyber-attack or employee fraud. Given proximity,[16] a concept first established in Caparo Industries Plc. v. Dickman [1990],[17] and reasonable foreseeability, as established in Anns v. Merton London Borough Council [1978] A.C. 728,[18] a positive duty on a party to act so as to prevent criminals causing harm or economic loss to others is likely to be found to exist in the cyber world. The test of reasonable foreseeability has, however, been reduced to a preliminary factual enquiry rather than being incorporated into the legal test.

The Australian High Court considered a parallel scenario, whether a party has a duty to take reasonable steps to prevent criminals causing injury to others, in Modbury Triangle Shopping Centre Pty Ltd v Anzil.[19] The judgment restated the principle established by Brennan CJ in Sutherland Shire Council v Heyman.[20] The capacity of a plaintiff to recover hinges on the plaintiff’s ability to demonstrate a satisfactory nexus (e.g. a dependence or assumption of responsibility) between the plaintiff and the defendant, such that it gives rise to a duty on the defendant to take reasonable steps to prevent third parties causing loss to the plaintiff.[21] Consequently, if a plaintiff in a case involving a breach of computer security could both demonstrate that the defendant did not in fact take reasonable measures to ensure the security of its computer systems (against both internal and external attack), and show that the act of the third person (e.g. an attacker or even a fraudulent employee) occurred as a direct consequence of the defendant's own fault or breach of duty, then an action in negligence is likely to succeed.[22]

Many organisations state that current standards of corporate governance for IT systems pose a problem due to the large number of competing standards. However, it needs to be taken into account that all of these standards maintain a minimum set of analogous requirements that few companies presently meet. Most of these standards, such as the PCI-DSS[23] and COBIT[24], set a requirement to monitor systems. COBIT control ME2 (Monitor and Evaluate Internal Controls) is measured through recording the “number of major internal control breaches”. PCI-DSS at 10.5.5 states a minimum requirement to “use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)”. As a general minimum, it may be seen that an organisation needs to maintain a sufficiently rigorous monitoring regime to meet these standards.
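The PCI-DSS 10.5.5 wording quoted above describes a specific detection behaviour: alert when existing log data is changed or removed, stay silent when new records are appended. The following is an added illustration of that behaviour, not code from the article or from the PCI Standards Council; it records a baseline (length plus SHA-256 of that prefix) and re-hashes only the covered prefix on each check, and the log lines, file layout and function names are constructed for the example.

```python
"""Append-tolerant log integrity check.

Added example, not code from the article or from PCI-DSS: alert when bytes
already covered by the baseline change or disappear, stay silent when new
records are appended after them. The sample log lines are constructed.
"""
import hashlib
import os
from typing import List, NamedTuple

CHUNK = 64 * 1024  # read size used when hashing large files


class Baseline(NamedTuple):
    length: int   # number of bytes the baseline covers
    digest: str   # SHA-256 hex digest of exactly those bytes


def take_baseline(data: bytes) -> Baseline:
    """Record the current log contents as the trusted baseline."""
    return Baseline(len(data), hashlib.sha256(data).hexdigest())


def check_log(baseline: Baseline, data: bytes) -> str:
    """Compare current contents with the baseline.

    Returns "unchanged" or "appended" (no alert), or "truncated" or
    "modified" (alert). Only the bytes the baseline covers are hashed,
    so appended records never disturb the comparison.
    """
    if len(data) < baseline.length:
        return "truncated"
    if hashlib.sha256(data[:baseline.length]).hexdigest() != baseline.digest:
        return "modified"
    return "unchanged" if len(data) == baseline.length else "appended"


def needs_alert(verdict: str) -> bool:
    """The alert decision 10.5.5 asks for: changes yes, additions no."""
    return verdict in ("truncated", "modified")


def hash_prefix(path: str, length: int) -> str:
    """SHA-256 of the first `length` bytes of a file, read in chunks."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            block = f.read(min(CHUNK, remaining))
            if not block:  # file shorter than expected; caller checks size
                break
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()


def check_log_file(baseline: Baseline, path: str) -> str:
    """File-backed variant of check_log for logs too large to hold in RAM."""
    size = os.path.getsize(path)
    if size < baseline.length:
        return "truncated"
    if hash_prefix(path, baseline.length) != baseline.digest:
        return "modified"
    return "unchanged" if size == baseline.length else "appended"


def demo() -> List[str]:
    """Run the four verdicts on constructed syslog-style records."""
    log = (b"Nov 08 09:00:01 host sshd[412]: Accepted publickey for ops\n"
           b"Nov 08 09:00:07 host sudo: ops : COMMAND=/usr/bin/passwd\n")
    base = take_baseline(log)
    return [
        check_log(base, log),                                        # unchanged
        check_log(base, log + b"Nov 08 09:01:00 host cron: run\n"),  # appended
        check_log(base, log[:40]),                                   # truncated
        check_log(base, log.replace(b"passwd", b"uptime")),          # modified (same length)
    ]
```

After each clean check, take a fresh baseline over the full current length so that the records appended since the last check are themselves covered from then on; the baseline store must live somewhere the log writer cannot alter, or the check proves nothing.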

The Center for Internet Security (CIS)[25] openly provides installation guidelines in the form of system benchmarks and scoring tools that contain the “consensus minimum due care security configuration recommendations” for the most widely deployed operating systems and applications. The baseline templates will not themselves stop a determined attacker, but could be used to demonstrate minimum due care and diligence.

It is interesting to contrast this general proposition with a peculiar case where the plaintiff went to great lengths in an attempt to recover loss caused by its own negligence, namely loss suffered due to computer fraud perpetrated by its own employee in its own system.

In Mercedes Benz (NSW) v ANZ and National Mutual Royal Savings Bank Ltd[26] (unreported), the Supreme Court of New South Wales considered whether a duty to avert fraud arises in cases where there is an anticipated prospect of loss. The Mercedes Benz employee responsible for the payroll system fraudulently misappropriated nearly $1.5 million by circumventing controls in the payroll software. Mercedes Benz alleged that the defendants, ANZ and NMRB, were negligent in paying on cheques that were fraudulently procured by the employee and in following her directions. The plaintiff's claim was dismissed by the court. It was held that employers who are careless in their controls to prevent fraud, using only very simple systems to analyse employee activities, will be responsible for the losses that result from deceitful acts committed by their employees. It takes little deliberation to extend this finding to payment intermediaries.

The decision was founded on the judgment of Holt CJ in Hern v Nichols (1701),[27] which stated that, “seeing somebody must be a loser by this deceit, it is more reason that he that employs and puts a trust and confidence in the deceiver should be a loser than a stranger”.[28] The question remains open as to the position that may result from unsound practices operated not by the plaintiff but by an organisation supplying services under an outsourcing agreement. In either event, the requirement for an organisation to provide controls to ensure a minimum level of system security is clear.

The situation is further compounded in instances of cyber-attack that lead to a loss. An innocent third party that suffers an attack that originates from an inadequately secured system would be able to easily demonstrate a lack of reasonable care if the minimum consensus standards mentioned above are not achieved. Coupled with facts demonstrating that the attack originated from the defendant’s insecure system, the evidence would provide the requisite substantiation of both proximity and reasonable foreseeability.

4 Prevention is the Key

The vast majority of illicit activity and fraud committed across the Internet could be averted, or at least curtailed, if destination ISPs and payment intermediaries implemented effective processes for monitoring and controlling access to, and use of, their networks. Denning (1999) observes that, “even if an offensive operation is not prevented, monitoring might detect it while it is in progress, allowing the possibility of aborting it before any serious damage is done and enabling a timely response”.[29]

As noted above, there is a wide variety of commonly accepted practices, standards and means of ensuring that systems are secured. Many of the current economic arguments used by Internet intermediaries are short-sighted, to say the least. The growing awareness of remedies that may be attained through litigation, coupled with greater calls for corporate responsibility,[30] has placed an ever-growing burden on organisations that fail to implement a culture of strong corporate governance. In the short term the economic cost of implementing sound monitoring and security controls may seem high, but when compared to the increasing volume of litigation that is starting to incorporate Internet intermediaries, the option of not securing a system and not implementing monitoring begins to pale.

The Internet remains the wild, wild web not because of a lack of laws, but rather because of the difficulty surrounding enforcement. The Internet’s role is growing on a daily basis and has reached a point where it has become ubiquitous and an essential feature of daily life, both from a personal perspective and due to its role in the international economy. If an ISP is to be held liable for authorisation as an intermediary, it must have knowledge, or otherwise be able to deduce, that infringements are proceeding.[31] Although intermediaries commonly monitor their systems and have the means to suspect when infringements are occurring, Internet intermediaries also require the authority to prevent infringement if they are to be held liable for authorisation, a condition that entails an aspect of control.[32]

References

1. Barker, J. Cam, (2004) “Grossly Excessive Penalties in the Battle Against Illegal File-Sharing: The Troubling Effects of Aggregating Minimum Statutory Damages for Copyright Infringement”, 83 Texas L. Rev. 525

2. Bick, Jonathan D., (1998) “Why Should the Internet Be Any Different?” 19 Pace L. Rev. 41, 63

3. Bowne, A (1997) “Trade Marks and Copyright on the Internet” 2 Media and Arts Law Review 135

4. Collins M, (2000) “Liability of internet intermediaries in Australian defamation law” Media & Arts Law Review 209

5. Cooney, K (1997) “Liability for On-line Images: How an Ancient Right Protects the Latest in Net Functions” 16 Communications Law Bulletin 5

6. Demott, Deborah A. (2003) “When is a Principal Charged with an Agent's Knowledge?” 13 Duke Journal of Comparative & International Law 291

7. Denning, Dorothy E. “Information Warfare and Security”, ACM Press, New York, 1999

8. Eisenberg J, (2000) “Safely out of site: the impact of the new online content legislation on defamation law” UNSW Law Journal

9. Gilchrist, Simon (1998) “Telstra v Apra – Implications for the Internet” [1998] CTLR 16

10. Hare, Christopher (2004) “Identity Mistakes: A Missed Opportunity?” The Modern Law Review, Volume 67, Issue 6 (November 2004), Page 993

11. Harmon, Amy (2003) “Subpoenas Sent to File Sharers Prompt Anger and Remorse”, N.Y. Times, July 28, 2003, at C1.

12. Hazen, Thomas L. (1977) “Transfers of Corporate Control and Duties of Controlling Shareholders: Common Law, Tender Offers, Investment Companies, and a Proposal for Reform” University of Pennsylvania Law Review, Vol. 125, No. 5 (May 1977), pp. 1023-1067

13. Kao, A. (2005) “RIAA v. Verizon: Applying the Subpoena Provision of the DMCA”, 19 Berkeley Tech. L.J. 405, 408.

14. Kraakman, Reinier H. (1984) “Corporate Liability Strategies and the Costs of Legal Controls”, Yale Law Journal, April 1984 (93 Yale L.J. 857)

15. Landes, William & Lichtman, Douglas, (2003) “Indirect Liability for Copyright Infringement: An Economic Perspective”, 16 HARV. J.L. & TECH. 395.

16. Lemley Mark A. & Reese, R. A., (2004) “Reducing Digital Copyright Infringement without Restricting Innovation”, 56 STAN. L. REV. 1345.

17. Leroux, Olivier (2004) “Legal admissibility of electronic evidence 1”, International Review of Law, Computers & Technology; Volume 18, Number 2 / July 2004; Pp 193-220

18. Lichtman, Douglas Gary & Posner, Eric A., (July 2004). "Holding Internet Service Providers Accountable". U Chicago Law & Economics, Olin Working Paper No. 217. Available at SSRN: http://ssrn.com/abstract=573502 or DOI: 10.2139/ssrn.573502 (viewed 15 Jan 2008)

19. Lim, YF, (1997) “Internet Service Providers and Liability for Copyright Infringement through Authorisation” 8 Australian Intellectual Property Law Journal 192.

20. Loughnan, S., (1997) “Service Provider Liability for User Copyright Infringement on the Internet” 8 Australian Intellectual Property Law Journal 18

21. MacMillian, Blakeney “The Internet and Communications Carriers’ Copyright Liability” [1998] EIPR 52

22. Mann, Ronald J., (2004) “Regulating Internet Payment Intermediaries”, 82 Texas L. Rev. 681, 681

23. Mann, R. & Belzley, S (2005) “The Promise of the Internet Intermediary Liability” 47 William and Mary Law Review 1 <http://ssrn.com/abstract=696601> (viewed 27 July 2007)

24. Olovsson, Tomas, (1992) “A Structured Approach to Computer Security”, Department of Computer Engineering Chalmers University of Technology, Gothenburg SWEDEN, Technical Report No 122, 1992

25. Paynter, H & Foreman, R (1998) “Liability of Internet Service Providers for Copyright Infringement”, University of NSW Law Journal, [1998] UNSWLJ 61

26. Quimbo, Rodolfo Noel S (2003) “Legal Regulatory Issues in the Information Economy”, e-ASEAN Task Force, UNDP-APDIP (MAY 2003)

27. Reidenberg, J (2004) “States and Internet Enforcement”, 1 UNIV. OTTAWA L. & TECH. J. 1

28. Scandariato, R.; Knight, J.C. (2004) “The design and evaluation of a defense system for Internet worms” Proceedings of the 23rd IEEE International Symposium on Reliable Distributed Systems, 2004. Volume, Issue, 18-20 Oct. 2004 Pp 164 - 173

29. Shapiro, Andrew L., (1998) “Digital Middlemen and the Architecture of Electronic Commerce”, 24 OHIO N.U. L. REV. 795

30. Slawotsky, Joel (2005) “Doing Business around the World: Corporate Liability under the Alien Tort Claims Act” 2005 MICH. ST. L. REV. 1065

31. Smith, Russell. (2000) “Confronting fraud in the digital age”, Presented at Fraud prevention and control conference, Gold Coast Australia 24-25 August 2000

32. Tickle, K. (1995) “The Vicarious Liability of Electronic Bulletin Board Operators for the Copyright Infringement Occurring on Their Bulletin Boards”, 80 Iowa Law Review 391 at 397

33. Williams, K. S. (2003) “Child Pornography and Regulation on the Internet in the United Kingdom: The Impact on Fundamental Rights and International Relations”, Child Abuse Review, Volume 14, Issue 6, Pages 415-429 (Special Issue: New Technologies, edited by Bernard Gallagher). Published Online: 20 Dec 2005, John Wiley & Sons, Ltd.

34. Wu, Tim, (2003) “When Code Isn’t Law”, 89 Va. L. Rev. 679

35. Zittrain, Jonathan (2003) “Internet Points of Control”, 44 B.C. L. REV. 65


[1] The distributed nature of the Internet means that a publisher can reach far more people. A company with a web site in the UK, for instance, has direct access to the US, Canada, Australia and many other countries, the primary limitation being language.

[2] It has been argued that the digital contract may appear on the computer screen to consist of words in a written form but merely consist of a virtual representation. The Electronic Communications Act 2000 [ECA] has removed the uncertainty and doubt surrounding the question as to the nature of the electronic form used in the construction of a contract. In this, the ECA specifies that the electronic form of a contract is to be accepted as equivalent to a contract in writing.

[3] See A & M Records, Inc. v. Napster, Inc., 114 F. Supp. 2d 896 (N.D. Cal. 2000).

[4] For criticism of this perspective, see Landes & Lichtman.

[5] The most obvious example of this action can be found in the history of the Communications Decency Act. Congress directly responded to the ISP liability found in Stratton Oakmont, Inc. v. Prodigy Services, 23 Media L. Rep. (BNA) 1794 (N.Y. Sup. Ct. 1995), 1995 WL 323710, by including immunity for ISPs in the CDA, 47 U.S.C. § 230(c)(1) (2004) (exempting ISPs from liability as the “publisher or speaker of any information provided by another information content provider”), which was pending at the time of the case. Similarly, Title II of the Digital Millennium Copyright Act, codified at 17 U.S.C. § 512, settled tension over ISP liability for copyright infringement committed by their subscribers that had been created by the opposite approaches to the issue taken by courts. Compare Playboy Enters., Inc. v. Frena, 839 F. Supp. 1552, 1556 (M.D. Fla. 1993) (finding liability), with Religious Tech. Ctr. v. Netcom, Inc., 907 F. Supp. 1361, 1372 (N.D. Cal. 1995) (refusing to find liability).

[6] Mann, R. & Belzley, S (2005) “The Promise of the Internet Intermediary Liability” 47 William and Mary Law Review 1 <http://ssrn.com/abstract=696601> (viewed 27 July 2007)

[7] The Communications Decency Act of 1996 (CDA)

[8] 47 U.S.C. § 230(b) (2004) (emphasis added):

It is the policy of the United States—

(1) to promote the continued development of the Internet and other interactive computer services and other interactive media;

(2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation;

(3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services;

(4) to remove disincentives for the development and utilization of blocking and filtering technologies that empower parents to restrict their children’s access to objectionable or inappropriate online material; and

(5) to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and harassment by means of computer”.

[9] WL 2717865 (3rd Cir. Sept. 19, 2007); see also Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, CV-03-09386-PA (9th Cir. May 15, 2007); and Universal Communication Systems, Inc. v. Lycos, Inc., 2007 WL 549111 (1st Cir. Feb. 23, 2007)

[10] 1996, Pub. L. 104-104, Title I, § 509.

[11] 1998, Pub. L. 105-277, Div. C, Title XIV, § 1404(a).

[12] There remains, however, the fear that additional regulation will stifle innovation in the industry. Would, for instance, eBay enter the market as a new company today if it were liable for trademark infringement it facilitated? Such liability adds new start-up and ongoing costs that may make some new ventures unprofitable (or even more unprofitable). For an article addressing regulation in this way, see Lemley & Reese.

[13] There is at least the possibility that the statute would permit a State to require intermediaries to act. See Doe v. GTE Corp. 347 F.3d 655 (7th Cir. 2003) (per Easterbrook, J.) (suggesting that Section 230(e)(3) “would not pre-empt state laws or common-law doctrines that induce or require ISPs to protect the interests of third parties”).

[14] Thus minimising the likelihood of a decision such as Godfrey in the United States. See supra note 102.

[15] Gentry v. eBay, Inc., 121 Cal. Rptr. 2d 703 (Ct. App. 2002)

[16] Proximity, a notion first established in Caparo Industries Plc. v. Dickman, [1990] 2 A.C. 605, is the initial phase of the assessment. The subsequent phase enquires whether there are policy considerations which would reduce or counteract the duty created under the initial stage. Both phases are to be met with reference to the facts of cases previously determined. The dearth of such cases would not, however, prevent the courts from finding a duty of care.

[17] [1990] 2 A.C. 605

[18] [1978] A.C. 728

[19] Modbury Triangle Shopping Centre Pty Ltd v Anzil [2000] HCA 61.

[20] (1985) 157 CLR 424.

[21] Dixon J elucidated how a “special relationship” of this variety may occur in Smith v Leurs (1945) 70 CLR 256. This case was derived from an indication of occurrences that entail a special danger and the control of the actions or conduct of the third person; see also [2000] HCA 61, para 140.

[22] See: Clerk and Lindsell on Torts, 19th Edition (2006), Chapter 28, paragraph 28-05

[23] PCI-DSS (version 1.1) is the Payment Card Industry Data Security Standard and is contractually required to be adhered to by all merchants that process VISA, Mastercard and other payment card products. This requirement and standard is maintained by the PCI Standards Council at https://www.pcisecuritystandards.org/

[24] COBIT v 4.1 is the computer control objectives and standard maintained by ISACA at http://www.cobitonline.info

[25] CIS benchmark and scoring tools are available from http://www.cisecurity.org/

[26] No. 50549 of 1990.

[27] (1701) 1 Salk 289

[28] Id., at 358.

[29] Dorothy E. Denning, Information Warfare and Security, ACM Press, New York, 1999

[30] See for instance Hazen (1977); Gagnon, Macklin & Simons (2003) and Slawotsky (2005)

[31] Ibid, Gibbs J at 12-13; cf Jacobs J at 21-2. See also Microsoft Corporation v Marks (1995) 33 IPR 15.

[32] Ibid, University of New South Wales v Moorhouse, supra, per Gibbs J at 12; WEA International Inc v Hanimex Corp Limited (1987) 10 IPR 349 at 362; Australasian Performing Right Association v Jain (1990) 18 IPR 663. See also Lim YF, 199-201; S Loughnan; see also BF Fitzgerald, “Internet Service Provider Liability” in Fitzgerald, A., Fitzgerald, B., Cook, P. & Cifuentes, C. (Eds.), Going Digital: Legal Issues for Electronic Commerce, Multimedia and the Internet, Prospect (1998) 153.

2 comments:

Tim Smith said...

Hi Craig,
Thanks for the article.

FYI your anchor links are broken, they all go to file:///D:/Data/Publishing/2010 PhD/2011 PhD 11 - SECAU 1/... etc.

Cheers,
Tim

Dr Craig S Wright GSE said...

Grrrr and damn!

I HATE it when the links do not automatically update. I use citation software and sometimes it just craps out when there are a good deal of links.