A dozen years ago I wrote an article about regulating activity on the Internet (‘Solving Legal Issues in Electronic Government: Jurisdiction, Regulation, Governance‘, (2002), 1 Canadian Journal of Law and Technology No. 3 p. 1 ) in which I suggested that a number of successful regulatory strategies focused on intermediaries, as the principal targets of regulation might be hard to find or hard to persuade. Intermediaries often had the benefit (to the regulator) of being large, stable and solvent – and they often cared about their reputation for legality and good citizenship.
Since that time the interest of regulators in intermediaries has increased, both as to the types of activities sought to be regulated in this way and in the range of operations sought out as pressure points. Tamir Israel wrote a detailed study of this issue here a few years ago, focusing especially on defamation, linking and the Crookes v Newton case. This column updates and expands his excellent work.
In this first part, I will review several examples of the kinds of activities that have attracted focus on intermediaries, and note the intermediaries in question. In my next column, I will consider the policy and legislative issues raised by this indirect regulation.
1. Infringement of copyright: Internet service providers, web hosts
Some attention has been paid to intermediaries as a source of information about the people who infringe. The intermediaries in principal focus have been Internet Service Providers (ISPs) and web hosting services. Thus copyright owners bring actions against the intermediaries to get the names of the users of computers whose Internet addresses are known to infringe or suspected of infringing, in order to sue or prosecute the infringers directly.
In Canada, the Federal Court of Appeal in BMG Canada v Doe (2005) held that copyright owners had an equitable right to get subscriber information where they had a legitimate and bona fide claim, subject to balancing the claim against subscribers’ privacy considerations. More recently, the Court held in Voltage Pictures v John Doe and Jane Doe (the Teksavvy case) that the information could be disclosed but only under strict conditions about its use.
In addition, sometime the intermediary itself is liable for contributory infringement. This has been the case for operations that facilitate file-sharing, and for those that formed centrally available collections of infringing material. One thinks of services like Napster and Grokster in the early years of this century. The development of peer-to-peer file-sharing networks has been largely stimulated by a desire to avoid creating a legally responsible intermediary.
Some laws require web hosting services (who are often Internet Service Providers – ISPs) to police the conduct of their subscribers. The best known example is the Digital Millennium Copyright Act in the US (DMCA), which has a ‘notice and takedown‘ system. A copyright owner sends a notice of infringement by a subscriber to the intermediary, who must delete the designated content. The intermediary then informs the subscriber of its action. The subscriber has the right to object, and the dispute may be taken to a court. The intermediary would not be a party to any such action.
Canadian copyright law was amended in 2012 by the Copyright Modernization Act to include a ‘notice and notice‘ system, by which the host must pass on to its subscriber a notice of infringement received from a copyright owner – but no other action is required. (Records of the subscriber’s content must be kept, but not disclosed, for six months from the notice.) Unlike in the US, the host’s immunity from liability for infringement does not depend on taking down the offending content. The Canadian host may be liable if it does not pass on the notice. (The notice and notice system – the Copyright Act ss. 41.25, 41.26 and 41.27(3) – will come into force on January 1, 2015,)
More dramatically, some countries have enacted ‘graduated response‘ or ‘three-strikes’ regimes, by which the ISP must (at the request of a copyright owner) give notice of infringement to subscribers. After three notices, the subscribers’ Internet services must be cut off. These laws have been subject to considerable criticism, in part because of the difficulty of knowing for sure what uses are infringing, but mainly because people use the Internet for so many important activities that it seems disproportionately severe to prevent such activities just to protect someone’s copyright interests.
2. Defamation: bulletin boards, web hosts, posters of links
A great deal of what is online is not a copy of anybody’s material, it is original to the person who posts it. Some of it violates other laws or legal norms. Some of it is defamatory. The people considering themselves defamed have wanted intermediaries to disclose the names of the authors of the defamation, as copyright owners have done for infringers.
In addition, some have tried to hold the intermediaries themselves liable for the defamation. The intermediaries generally have little control over what is posted – they do not have time to review or censor content. They have raised the common-law defence of ‘innocent dissemination’, available offline to printers, booksellers and librarians, among others, who have no editorial input to the alleged defamation.
The immunity of a disseminator ends, however, when the dissemination is no longer ‘innocent’, i.e. when the person has knowledge that what is being made available to the public is defamatory. The common law of defamation is essentially a ‘notice and takedown’ rule.
The application of the principles to the Internet was established at the turn of the century in England in Godfrey v Demon Internet. The Court reviewed in some detail the technical working of the Internet and the defendant’s service. It held that the defendant could not be responsible for the content of the bulletin board it ran as content was posted. Once the plaintiff gave it notice of the defamation, however, it was both able and obliged to delete it. (The case was argued under the English Defamation Act, 1996, but it was agreed that the statute essentially had codified the common-law rule, which still operates in common-law Canada.) (The impact of the Godfrey case was limited in England by Bunt v Tilley & Ors in 2006. Similar reasoning would be available in Canada.)
The other intermediaries who have come into the line of legal fire in Canada are those who post links to sites considered defamatory. While the exposure to liability of the poster of the defamatory content itself is not challenged, is the person who merely links to that site, without adding any defamatory material, also liable? The answer to that is generally negative, thanks to the Supreme Court of Canada’s ruling in Crookes v Newton in 2011. As the case and its implications have been thoroughly reviewed in the article referred to earlier, I will not take up more space with it here.
3. Online gambling: financial institutions, executives of facilitating businesses
The United States in particular has been energetic in combatting online gambling, despite some doubts about whether all forms of it are illegal in that country. The US has run two lines of attack on intermediaries (and none on the actual gamblers). The first struck at financial institutions that were handling the proceeds of gambling, either to place the bets or to pay out the winnings. By the Unlawful Internet Gambling Enforcement Act of 2006 (see Title VIII of this much larger statute) and a 2008 Rule under it, financial institutions were prohibited from serving these roles.
As it turned out, the Rule took a great deal of fine tuning, and Congress has revisited the regulatory scheme since then. It is not easy to distinguish the legitimate from the targeted transactions.
The other line of attack was on the companies that facilitated online gambling: the software companies and the web sites that hosted them. Since those companies were located outside the United States, the US used criminal prosecutions of their executives, who were then arrested as they happened to set foot in the country, often in transit at US airports. British and Canadian business people were arrested in this way, and their freedom was sometimes bought at a cost of blocking US users from their services. A bit more history, with an estimate of the success of the strategy, is here.
4. Protection of privacy: search engines
Since we all go online through an ISP of some kind, that ISP necessarily holds a good deal of our personal information. Just how much depends on each company’s policy and applicable legislation. However, it holds the information directly, and has obligations as the holder of personal information to protect it under privacy laws. (How it may be persuaded or compelled to release it to others for their purposes is discussed in the following sections.)
It is less clear that search engines are holders of personal information for the purpose of privacy law. Search engines produce, from millions of locations and servers on the Internet, links to information that appears to be relevant to a search query. Some of the information behind the links will be personal information, much will not.
Nevertheless the Court of Justice of the European Union recently held that Google was a ‘data controller’ within the meaning of the EU Privacy Directive of 1995. Its use of calculated algorithms – the produce of human decision-making – led it to discover and disclose links in a determined order. Google was a data processor that fell into the definition of ‘controller’, being a body that determines the purposes and means of that activity, entirely independently of the publisher of the material to which the links will lead.
Google’s obligations as a data controller under the Directive (and its Spanish implementation) required that data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected. The personal data was not to be ‘inadequate, irrelevant or no longer relevant, or excessive in regard to the purpose for which it was collected.’ (paragraph 93) The facts in question, about the complainant’s former financial difficulties, were held no longer necessary for the public interest, so privacy interests prevailed.
In essence, the Court found that the Directive contained a ‘right to be forgotten’ in appropriate circumstances. Thus Google was required to remove links to online newspaper articles containing facts about the complainant in the case that the complainant found embarrassing, though true. Indeed the right to have links removed did not depend on any actual prejudice to the data subject. (paragraph 96) The newspaper sites were not required to delete the content, however. They had the benefit of a journalism exception to privacy obligations that Google did not share.
Google – and any other search engine subject to European law – were to balance the privacy interests in blocking the links against other potential interests in keeping the information public. The involvement of a public figure might make a difference. Links to information about certain kinds of actions – such as criminal convictions – of continuing relevance might remain.
The decision seems to require a very subtle understanding of the facts behind information that is the subject of a takedown request. Google has responded by setting up a request system, with a form, along with a high-profile panel of decision-makers with experience in Internet matters. In the first few days of its operation, this system received many thousands of requests to block links – a lot of them from alleged pedophiles.
The original newspaper reports remain online. They can be found with smaller search engines not subject to European law. It remains to be seen if the decision is effective to protect privacy or whether it just adds costs to a system that can be avoided by those who know how.
Courts in the United States have refused to order Google to take down links, whether to a misleading report or because of the form of the search results (the latter not really being in its intermediary function). A discussion of several cases in the light of the EU decision is here. The author emphasizes the importance of Google’s freedom of expression, which outweighs the privacy interest, if any – privacy not being generally protected by most state law.
To date no search engine or other data holder has been subjected to a right to be forgotten under Canadian privacy law.
5. Tax collection: online businesses, real-world intermediaries
Our tax collection system depends very largely on self-assessment by taxpayers, for income tax and also for sales tax. However, it is definitely a ‘trust but verify’ system. Taxpayers are subject to audits, and information is collected from third-party sources. Perhaps the most important example is the remittance of income and tax information by employers about their employees. It ensures that the tax authorities know what the employees earned, and they can see (and count) the taxes paid.
When transactions go online, it becomes harder for the tax people to audit them. Bits and bytes as they move are not identifiable, especially if encrypted. Online banking transactions are subject to audit just as offline transactions are. However, less traditional transactional intermediaries have been brought into the picture as well.
One dramatic example was the Canada Revenue Agency’s demand on eBay Canada to provide it with a list of ‘power sellers’, those who were making the most transactions and probably earning the most money through online auctions. Sales tax might properly be chargeable on the transactions too. The CRA wanted to start with the high-value files. While the transactions were online, the data about them were on real computers run by a real business that was subject to Canadian law.
An interesting element of the case – the reason that the demand on this intermediary made the news – was that the data were stored in servers located in the United States and owned by the parent company, eBay itself. Nevertheless the Federal Court of Appeal held that the data were needed for eBay Canada to do business (notably to collect commissions on the sales), so were accessible to the Canadian company. The data must therefore be produced to the Canadian authorities. (An accountant’s view of the case – and the use of intermediaries – is here.)
US tax authorities have made use of less traditional intermediaries to track online sales, notably to recover sales taxes imposed at a higher rate in the buyer’s state than in the seller’s – as is often the case for alcohol and tobacco. Demands have been made for the records of interstate trucking companies who were making the deliveries of the goods bought online, to find out who the buyers were – and thus who was liable for the tax.
6. Law enforcement: ISPs, cell phone companies, social media (geolocation)
The Internet is full of information on who people are and where they are, as well as what they are saying. These are questions that interest law enforcement authorities. By the nature of the Internet, the information can be, even must be, in the possession of intermediaries. These intermediaries may be traditional ones, such as telecommunications companies – wiretaps have been used for a long time, and non-traditional ones like devices connected to the Internet of Things.
To some degree, law enforcement authorities are looking for the same information as copyright owners and people who believe themselves defamed: subscriber information – who created the content that has been discovered in some other way. Canadian privacy law generally requires personal information to be kept confidential by those who hold it. Disclosure without the consent of the person involved is allowed only in narrow circumstances. One of those is disclosure to law enforcement authorities in the course of a lawful investigation.
This provision was widely used, but the Supreme Court of Canada recently imposed some restrictions. In R v Spencer, the Court held that the provision of PIPEDA did not create any right to get the information; it dealt only with the ability of the data holder to release it. General police interest did not constitute a legal investigation, especially for information for which there is a reasonable expectation of privacy. Subscribers had such an expectation for their identifying information in the hands of ISPs and web hosts, and a provision in a hosting agreement that the host might release information to the police did not overcome that expectation. So intermediaries will still be source of this information, but more usually in the face of judicial authorization of its release.
The technology we use today frequently indicates our location to providers of the technology. The obvious example are mobile phones, whose communications systems have to know where we are in order to send and receive calls. The systems also need to remember the location data at least when calls are made and received, in order to bill the customers for their usage.
Telecoms have typically handed over to law enforcement authorities mobile phone records for specified phones. This has helped identify suspects as being present at the scene of the crime, and allowed police to follow suspects until a crime is committed or evidence is disclosed.
Social media frequently broadcast location data as part of their service, from FourSquare to GroupOn, and if the media themselves do not broadcast it, the users do it themselves. These records are kept and are available, either on request or on a subpoena or warrant, to parties with legal interests in having them.
The strong tendency to link other devices to the Internet – from fridges to cars to electrical generating stations – makes new kinds of businesses into information intermediaries: appliance manufacturers, auto dealers, power utilities – and many more. And the self-sensing and recording capacities of the devices themselves turn them into potential intermediaries. The data from a car recording what speed the car is driven at and the braking patterns can be of interest to insurance companies (who offer incentives to customers to use such devices) to lawyers in motor vehicle negligence cases to law enforcement authorities.
It is rare that law enforcement seeks the content of messages from Internet intermediaries, largely because the contents are not usually kept. The records that are kept, and thus sought, are ‘metadata’ – the records of who and where and when communications were made. It has been demonstrated that metadata can be very effective in identifying much more than basic name and address. They can show browsing habits that themselves disclose personal interests, possibly health or social concerns, and much else. The Supreme Court in the Spencer case mentioned above described in some detail the types of information deducible from metadata, and affirmed the strong privacy interest that people have in the metadata as a result. (See paragraphs 32, 46 and 47 among others.)
There is likely to be more judicial scrutiny of efforts to obtain information from at least some kinds of intermediaries as a result of this decision. How it affects legislation on the topic, we will consider in the next part of this article.
Meanwhile two Canadian ISPs, Teksavvy and Rogers, have recently disclosed to the public the number of requests for subscriber information that they have received from law enforcement authorities. Some American bodies have done this for some years, notably Google and Verizon. Letting people know what is being done, or sought to be done, with their information, is a step toward a transparent system whose merits can then be debated more effectively.
7. National security: ISPs, cloud services, social media, and just about everybody else
That government agencies with a mandate to care about national security have an interest in Internet communications is no longer news, if it ever was. The activities of the National Security Agency and the Federal Bureau of Investigation in the US, the Communications Security Establishment of Canada (CSEC) here, and the offices of various other governments, have been increasingly well documented.
These agencies too have relied on intermediaries, though not always with the knowledge of the intermediaries themselves. The agencies have sometime broken the security of the communications service providers. On occasion they have made deals with the providers to give them a way of intercepting communications despite their apparent security. They have used broad empowering legislation to compel production of data from all kinds of services about their clients. Recently a court held that Microsoft could not refuse to disclose information to the US government though the information was held outside the United States. The fact that Microsoft, in the US and thus subject to US law, had control of the information and was able to access it, meant that the information had to be produced.
There is no reason to think that Canadian law would be different on the point. Consider the eBay tax case mentioned in section 5 of this article.
The US government has pressed financial intermediaries to help it reduce the capacity of Wikileaks to continue to embarrass it on security matters. After the revelations of documents from Bradley/Chelsea Manning, the government prevailed upon the credit card companies, Visa and MasterCard in the lead, not to process donations to Wikileaks. The same arrangement was made with PayPal. One wonders to what degree this financial pressure was a matter of preventing future threats to security and to what degree it was intended to punish Wikileaks for the embarrassment. In any case, the use of the financial intermediaries served both ends.
We see that governments and private interests have all been seeking solutions for the relative anonymity and relative invisibility of electronic communications. Sometimes the solutions seem to lie in proxy enforcement or proxy regulation: apply to the intermediaries, either for information not otherwise available, or for enforcement on third parties (as with the three-strikes laws), or for contributory liability themselves.
Whether all these techniques make sense as a matter of policy, or whether regulatory interests should be better balanced against others – either efficiency or privacy – we will review in the second part of this discussion, in the next column.
Meanwhile, feel free to mention in the comments other examples of the regulatory use of intermediaries, or to say what you think of the ones mentioned.