My previous column gave a number of examples of how governments, regulators and even spies focus on intermediaries to achieve what they want. The intermediaries used may or may not be online themselves, though most of the examples involved Internet Service Providers and web hosting services.
This column reviews the policy questions, though without attempting any definitive answers. Feel free to propose your own answers in the Comments, or raise further questions, or improve my analysis.
Approaches to liability
Three major approaches are taken to the role of intermediaries, as we saw in the previous column (without so classifying them):
- Use the intermediaries to get the real names and addresses (or other information) of the people who are carrying out the targeted activity, usually based on known IP addresses obtained from other sources.
- Make the intermediaries enforce the rights of the plaintiffs or state against the targeted people, whether by taking down offending content or by blocking financial transactions, or possibly by preventing access to online services completely.
- Make the intermediaries liable themselves for the consequences of the targeted activity, so they will have to indemnify the plaintiffs for their losses. We have not dealt with this direct liability issue much so far, except for the consequences of linking in defamation actions.
One should note that these approaches may be taken privately, i.e. through private rights of action or in some cases even private uses of technological measures that do not depend on state assistance. They may also originate in state action, either to support private rights or to allow state agents (law enforcement officials, tax collectors, and so on) to do their business.
A number of conflicting principles apply to the decision whether a particular approach to intermediary liability might be appropriate for particular purposes.
The first question, surely, is whether the measure will work. Will it produce names? Will it end infringement or defamation or whatever perceived mischief is targeted? If it is likely to affect the wrong people – e.g. people associated with a particular IP address who had nothing to do with the targeted activity – then governments may not wish to expend public resources on it, including the courts. Private parties may also decide the return on their investment is not good enough to sustain the measure.
Does the use of intermediaries allow for any subtlety of effect, or is it just yes or no for the ‘regulated’ activity? The Federal Court in the Teksavvy case (discussed below) kept jurisdiction over the conduct of the plaintiff as it used the information obtained from the intermediary. The Copyright Act‘s notice-and-notice provision at least allows the poster of the content to make submissions, and perhaps avoid unduly restrictive takedowns. The US had a very hard time writing regulations to govern the banks’ duty to refuse to process Internet gaming transactions.
It is not an argument against online enforcement, including through intermediaries, that such enforcement is much more effective than offline efforts. Fishing with a net rather than a line is not objectionable in principle. One may debate, perhaps, whether a point is reached when mass enforcement methods have ‘ecological’ impacts on the legal world. Are our traditional legal rules acceptable because enforcement is not 100% effective? Security experts say we would not want to live in a completely secure world, because it would be a prison. Similarly, some of the concern about technical protection measures for copyright arises because of their indiscriminate effect in an area where some careful distinctions are necessary. Let us look at some of the other factors that may help evaluate intermediary liability.
Even if the measure touching the intermediaries is effective in action, is it cost-effective? Are there other means to get to the target that would be less costly for the party or the government. Ideally such a calculation would include the costs to the intermediaries of having to take the actions requested or required: keep communications data for long periods, make the data available to law enforcement or to civil parties, give notice to alleged infringers, interfere with banking transactions (or sort out the illicit from the routine transactions in the first place), even pay damages for not stopping harm to others.
Some have argued that intermediaries are ‘low cost avoiders’ of the behaviour sought to be controlled, i.e. they are the cheapest route to regulatory effect. That may be true in some cases, though perhaps hard to demonstrate all the time. However, the desirability of targeting the intermediaries is not just a matter of cost, as discussed below. A ‘law and economics’ approach does not have all the answers.
Some people have suggested that if intermediaries are going to be required to store information and make it available, the state should pay them to do so, since the costs are not being incurred for a business purpose. Not surprisingly, few governments have rushed forward to volunteer to pay.
The Copyright Act (s. 41.26, in force in January 2015) on its face allows intermediaries to charge a fee for giving the notice in the notice-and-notice system, but only if the Minister makes a regulation setting a maximum fee. The notice about the coming-into-force of that section says there will be no regulation at this time, which means no fee. The formal order mentions no regulation either.
The cost calculation will not always be easy. It is arguable that it is worth paying something – or imposing some costs – to achieve the intangible values of a well-ordered society where rights are respected.
- Impact on competing values
Even if hitting the intermediaries is effective and cheap, there may be reasons to discourage it. Other values may be more important. The main ones mentioned in this context are privacy, freedom of expression and ‘user rights’ in copyright.
Turning over the names of subscribers of an ISP or customers of a web hosting service can be an invasion of their privacy. The previous column noted the Spencer decision of the Supreme Court of Canada that discussed how intrusive such information can be and how extensive inferences can be made from a small amount of browsing data. It also mentioned the Voltage Pictures v John Doe decision of the Federal Court (the Teksavvy case, after the name of the ISP), giving a copyright content owner a limited right to customer data but restricting the uses that could be made of it and subjecting those uses to court supervision. (See for example paragraph 9 of the order, at page 58 of the decision.)
The European Union in 2006 enacted a regulation to require ISPs to retain customer information for up to two years, for the use of law enforcement authorities. This rule was said to be required to combat terrorism. Recently the Court of Justice of the EU held the regulation invalid as putting the personal information of subscribers at too much risk, although the regulation contained some privacy protections. The English government (among others) continues to require such retention, going so far as to adopt updated rules, though this has been controversial. A court challenge is contemplated.
In holding that the mere linking to defamatory material did not constitute defamation, the Supreme Court of Canada in Crookes v Newton noted the threat to freedom of expression in spreading liability too broadly.
The Court of Justice of the European Union in the Google ‘right to be forgotten’ decision mentioned in the previous column has been widely criticized as unduly restricting Google’s freedom of expression. Reporting of search results as it sees fit is considered to be a form of expression. It is an interesting argument, given that Google has long insisted that it is not ‘media’. (It may be noted that the Court did not refer to a right to be forgotten; that term has been used in popular discussion of the decision. The Court disposed of the case under the existing provisions of the 1995 EU Privacy Directive.)
The decision does not require taking down the information, just the links between the person’s name and the information. So other methods of referring to it can still turn it up. Practical criticism abounds, however. For example, the House of Lords recently said a right to be forgotten was unworkable.
In any event, the right of researchers, and indeed the general public, to have access to information that may be important for numerous reasons, is an important countervailing value to the privacy intended to be protected by the ruling.
So ‘privacy’ as a value can go both ways, as a reason not to attack the intermediaries or as a reason to focus on them. There is no escaping the need to make difficult judgments.
Using intermediaries to put pressure on web posters for copyright infringement can lead to undue challenges for the posters. The rights to reproduce copyright work can be complex, involving study and criticism and fair use. The intermediaries have little incentive to stand up for their customers or to restrict the demands put on them – it’s not their fight. This is particularly true in a US-style ‘notice and takedown’ system, where any demand to a hosting service may result in the suppression of the targeted material – whether or not there is a good defence. The poster is put at a disdvantage without any adjudication, and getting to adjudication is likely to be slow and expensive.
The difficult judgments to be made are essentially those about proportionality. Are the costs worth incurring to achieve the benefits? How can one weigh the value of privacy or free expression?
It is fair to consider the seriousness of the targeted activities compared to the cost and loss caused by the effects of the policy on intermediaries. This is the kind of balancing that then Justice Minister Vic Toews was suggesting when he said that people who did not support his bill to broaden law enforcement access to ISP subscriber data were in effect taking the side of child pornographers. Public reaction to this suggestion was strongly negative, and the bill was withdrawn, at least in that form. Again, there is no escaping the need to evaluate, and the public evaluated the competing threats differently from the minister.
As noted in the previous column, some jurisdictions, notably England and France, have had laws that require or permit an Internet intermediary to cut a subscriber off from the Internet if the subscriber infringes copyright three times. Such laws have been widely criticized as disproportionately harsh. The French law, known as HADOPI from the acronym for its enforcement authority, was repealed in 2013. Nonetheless the agency seems to carry on and is asking for greater powers. The UK’s Digital Economy Act, 2010, sets up a kind of notice-and-notice system. It also allows the government to order the blocking of infringing websites, but the government has said it will not use that power. A Parliamentary review says that barring individual users from the Internet would take additional legislation.
In recent years, access to the Internet has been recognized as an essential feature of contemporary life by a German court and as a human right by the United Nations Human Rights Council report. While human rights are not absolute, if the UN argument catches on, it may be hard to find that any legal rule that deprives someone of the connection is proportionate to the economic or reputational rights that the rule might be designed to promote.
In the mid-1990s, the United States Congress made a similar judgment about the comparative benefit of free expression and liability, though it probably aimed to protect electronic commerce more than human rights. In any event, Congress chose to do this by shielding Internet intermediaries from liability. Communications Decency Act, part of the Telecommunications Act, 1996, immunizes interactive computer service providers from liability from any content they carry, so long as they did not participate in its creation.
The effect of s. 230 of the CDA has been to deny a remedy to some people in what would appear to be worthy causes: a person whose phone number was published online with the false statement that he was a child abuser, leading to a lot of harassment; an attack on a ‘revenge porn’ site that published embarrassing pictures of people’s ex-lovers; attacks on malicious reviewers of services like hotels or restaurants, often in the pay of rival services. If a remedy in such cases is not available against the intermediaries, it is essentially not available at all. S. 230 is litigated frequently, but the service provider almost always wins.
In short, judgments on the ‘proportional’ balance of protections can also be difficult in borderline cases.
- Media neutrality
The basic thesis of imposing liability on intermediaries, or duties to influence their customers, is that the government, regulators or the legal system (through the courts) sees the customers doing a ‘bad’ thing, something prohibited or discouraged by law, and the system acts to take away the tool by which the person does it.
It is a good general principle for devising rules of law applicable to Internet activities that they should not differ from those applicable to the offline world unless they must in order to deal with particularities of the Net and its transactions. This is ‘media neutrality’ – the law works in the same way in any medium of communications.
Is there an offline equivalent of intermediary liability? If not, is it sufficient reason to depart from neutrality because finding and persuading intermediaries is just so much easier there than the target offenders? Is the convenience enough? Or does the ease of Internet publication and the resulting volume of communications from all sources require a much more ‘convenient’ response than the slower, less voluminous offline communications that are handled by the traditional law that provided remedies against the actual wrongdoers?
The defamation defence of ‘innocent dissemination’ discussed in the previous column is needed because anyone in the publication and distribution chain may be held to have ‘published’ the offending text. Thus offline intermediaries in the publishing process, like printers, booksellers and libraries, can be targeted, though they are protected against liability if they have no knowledge of the defamatory material. The same principles work online – but the protection can be ended by giving them notice of the alleged defamation.
Copyright law has similar principles, by which notice of infringement given to a broadcaster or publisher will provide a foundation for liability if the transmission or publication continue.
For other kinds of regulation, targeting intermediaries is not novel in the offline world. Examples were given in the previous article about tax collection – or at least information-gathering about tax avoidance – through transport companies. It could be argued that the way retail sales tax is collected in Canada uses intermediaries, since the vendors collect and remit the tax, but legally it is the purchasers who pay it (so it will be a ‘direct tax’ for constitutional reasons, as well as for ease of administration.)
Law enforcement authorities have a long tradition of tapping phones and other physical communications media, subject to judicial supervision under law. Their access to digital information is an extension of this, and the debates focus not on the idea of access but its exercise and its limits in view of the nature of the media and the information available.
In sum, media neutrality is worth considering in designing a regulatory system, but each use of intermediaries will stand on its own analysis.
It is worth noting that media neutrality is not the same as technology neutrality, under which the law does not prescribe the specific technology to which legal consequences attach. That too is a desirable principle, especially in areas where technology is evolving quickly. Technology may create business models involving intermediaries that did not exist before, but the legal response should be as little specific as possible about how the technologies work.
At some point legal systems, and governments in legal systems, have to be seen to be doing what some degree of popular consensus considers ‘the right thing’. The system cannot be widely perceived as unjust for a long time. Such a situation leads to changes of government, if not revolution. This affects the need for balancing the rights at stake in imposing liability on intermediaries, as one does in determining many other aspects of the rule of law in a country.
The international element needs to be considered as well. Ron Deibert, a pioneer of Internet security in the interest of human rights, has pointed out that if countries perceived as liberal democracies allow, or even promote, excessive degrees of control of online conduct through intermediaries, how can they complain if repressive regimes do the same to their citizens? While the purported reasons are the same – national security, anti-piracy and other forms of crime – the notion of what constitutes illicit behaviour in those regimes may be much broader, and its sanctions much more severe, than what we find acceptable.
Deibert has described a ‘stewardship principle’ that would have liberal democracies conduct themselves in a publicly demonstrably responsible and restrained way, to set a good example. Will such moral suasion work in today’s Internet? It may be that voluntary restraint in the use of legal power is a useful guideline in some societies. We are less concerned in this column with international applications, but it is interesting to consider how it might work, and how that might be reflected in a purely domestic setting.
In the light of the competing values and interests that contribute to determinations of liability and the appropriate methods to impose it, purporting to ‘conclude’ anything would be risky. Nothing much can be concluded at this point. One may be able to draw out some elements of intermediary liability for further consideration.
As the classic Industry Canada study from 1997 put it, ‘The Cyberspace is not a no-law land‘. Legal relationships that exist offline also exist online. No one should expect immunity from legal consequences for online activity. Since one needs intermediaries to get online, it is no surprise that people who want to impose those legal consequences look to the intermediaries as a route to doing so.
That said, the law that applies online includes legal rights such as human rights, constitutional rights, privacy rights and others. Those rights may restrict some actors as they protect or empower others. It is important that the indirect application of legal liabilities through intermediaries does not undercut these other rights in the process, because intermediaries may be less able or even willing to assert them.
A key principle in all of this is proportionality, one that we are familiar with in the offline world as well. The courts have clearly begun the task of deciding where to draw the line. As the technology and technology-enabled activities evolve, the line will no doubt need to be redrawn frequently. Just where it goes for particular legal obligations will continue to be subject to debate.
In this context, is there a case to be made for legislation on intermediary liability? Should Canada have a counterpart to s. 230 of the Communications Decency Act? Is there a less radical way of achieving that end? If legislation is wanted, should it focus on areas of legal liability, say with different rules or possibilities for defamation, copyright, tax, criminal activity, and so on? Or does one get a better or more economical result with a law that touches the role of the communications service regardless of content?
And of course in Canada we would have to decide if such legislation would be a matter for federal or provincial jurisdiction. The answer might depend on whether the focus is on the medium or the message.
The discussion will no doubt continue. Feel free to participate, including in the comments here.