Current Internet Legal Issues, June 2000
Last Updated: 29 June 2000
A paper presented at the Australian Unix and Open Systems User Group (AUUG) Conference, Canberra, 29 June 2000, by Kimberley Heitman, Chair EFA.
Scope of paper: Current legal issues relating to networks:
- Harassment and DOS Attacks
- Illegal content
With the increasing numbers of people, businesses and Government agencies using computer networks, legal issues are being highlighted as differing expectations are imposed upon the Internet, ranging from attempts to control access to content to attempts to regulate the activities of people using the global networks.
As Internet usage rises, competing interests are seeking to apply the law in traditional ways or to expand legal controls over international links or analogous legal contexts. In some areas, traditional legal remedies are being used effectively - in others the global nature of the Internet challenges cultural insularity and the ability of local law-enforcers to influence conduct outside their jurisdiction.
In this context I particularly refer to malicious or fraudulent behaviour rather than the milder European definition that includes probes of computer networks by curious youngsters. The Dutch Internet Service Provider, xs4all.nl, had a policy for many years of offering 6 months' free access to anyone who could obtain unauthorised access privileges, as a relatively benign form of security testing. However, in its undoubtedly criminal form, the term "hacking" is better described in terms of harmful access to private information leading to abuse of that knowledge or malicious damage to that data.
Early convictions for "hacking" offences were notoriously uncertain - authorities veered between confusion as to whether a crime had been committed and the other extreme of gross over-reaction. For example, a few early convictions for unauthorised access to a network were prosecuted as theft of minute amounts of electricity or calculated by reference to cost of provision of the access improperly obtained. Typically the young offenders were placed on good-behaviour bonds for conduct involving a few dollars' theft yet liable to penalties of many years in prison. A few unlucky hackers were "made examples of", and sentenced to long gaol terms; many others were not prosecuted as authorities and system operators were uncertain as to whether a law could, or should, be applied.
On the face of it, the Australian Federal Crimes Act had always provided for penalties for abuse of a telecommunications service, whether data or voice, using a definition of "offensive" conduct that had been expanded by a series of leading cases to catch any conceivable misuse. However, prosecution by the Federal Police implied a level of seriousness and a commitment of police resources that was not often manifested. During the nineties, States and Territories enacted laws independently which effectively defined two offences - unauthorised access to a network, and damage to the data on a network. Both carried gaol terms, with the latter offence typically being considered more serious as a degree of criminal and wilful damage was seen as analogous to property damage, and often involved expense to rectify.
Now that these laws have been in place for some time, the necessary evidence to support a conviction and the degree of seriousness necessary to prompt a police investigation, a prosecution and a court case have become settled issues. It is an established principle that if considerable financial loss was occasioned, a prosecution will issue and the perpetrator will be sentenced in accordance with tariffs applicable to any other type of fraud, and more severely than other forms of damage. Hacking others' credit card information is certainly gaolable, as is obtaining commercial Internet access by fraud. On the other hand, obtaining access to particular parts of networks or subdirectories is unlikely to be punished in such a severe way.
As in many legal issues on the Internet, proving the identity of the perpetrator is often an evidential burden for prosecutors, since without "owner-onus" on computer systems, the identity of the user of a computer may evade proof beyond reasonable doubt. Anonymisers, use of web-based posting mechanisms such as Remarq or use of the Internet accounts of other family members add to this difficulty.
More fundamentally, prosecution of hacking can be impractical if the perpetrator is outside the jurisdiction of the investigating authorities. If the offender is in another country, it is a tall order to obtain cross-jurisdictional assistance from the police or system operators in that foreign country - let alone to justify calling in Interpol.
"Hacking" of web pages appears to be developing as a malicious prank, similar to graffiti. For example, following the passage of the Broadcasting Services Act, the web site of the Australian Broadcasting Authority was repeatedly defaced, by exploiting security deficiencies in the web server. For the system administrator, the prosecution uncertainties make self-help the best remedy. Adequate security on publicly-accessible networks is a minimum standard in an Internet-enabled world, and petty security breaches continue to be a means by which security precautions are tested and fine-tuned.
This is receding as a controversial legal issue as a result of the efforts of Phil Zimmermann and his program "Pretty Good Privacy". Despite the best efforts of the United States and fellow members of the anti-cryptology treaty "The Wassenaar Arrangement", the program was widely distributed through mirror sites all over the world. The program's essential feature was the ability to encrypt at any level of protection desired by the user, notwithstanding that military intelligence and law enforcement bodies did not want the public to have military-grade encryption for personal use.
From a state-security perspective, it was an unacceptable risk for terrorists, spies and criminals to be able to encrypt communications so effectively that it was beyond the ability of Government to resolve to plain text. However, suppression of mathematics was ever a losing strategy, and Phil Zimmermann and his supporters made the algorithms and code required for strong encryption available to anybody for any purpose. While the Governments were concerned and made to look powerless as treaty obligations and aspirations were sidestepped, simultaneously the availability of more powerful computers and networked decryption programs made weak encryption useless as a security protection for e-commerce. Once the Electronic Frontier Foundation had established that standard bank-grade encryption could be cracked, the pressure from the banking industry and online merchants to continuously raise the strength of encryption to exceed the capacity of unknown individuals to decrypt became overwhelming.
Realistically, developers of encryption software for legitimate purposes are now encouraged to use effective means to protect the security of transactions and the privacy of transmitted data generally. Within Australia, a reasonable use of encryption would not lead to real problems with security agencies even if the literal word of the Wassenaar Arrangement is breached. In fact, Australia's toleration of exported cryptography products is a commercial advantage in the international marketplace that is acknowledged as Government policy.
EFA can claim a major contribution to the debate with its publication of the Walsh Report, commissioned by the Australian Government and completed by a former security chief. The report was originally suppressed by the Government, then released in a heavily-edited format. Amusingly, it was discovered by EFA that unedited copies had been widely distributed to university libraries, and the suppressed parts were those which detailed why strong encryption could not be effectively outlawed. For a former security chief to admit the powerlessness of authorities to control private use of encryption was a telling blow to the Government's policy of attempting to do so, and the attempts to prosecute Phil Zimmermann in the United States under laws relating to the export of dangerous weapons became ludicrous as his program became both ubiquitous and an increasingly legitimate use of technology. Eventually the US Government dropped the charges, admitting at last that suppression of encryption software was impossible.
Whether one agrees or disagrees with censorship of Internet content, there are legal issues relating to implementation of a censorship regime by any national Government. Early attempts to control offensive material on the Internet by State and Territory authorities were hampered by ad-hoc enforcement and imperfect analogies with classification schemes relating to offline media. In the early nineties, prosecution was based on subjective judgements by local authorities, leading to police action over material ranging from rude jokes to pictorial evidence of child sexual abuse.
Victoria, Western Australia and the Northern Territory opted in the mid-nineties to legislate in relation to the obligations of systems administrators to control the availability of criminalised content, unfortunately begging the question as to the impact on cross-jurisdictional access to content deemed illegal in one State or Territory but not specifically criminalised in another. For example, WA and NT permitted networks which permitted access to material unsuitable for children whilst Victoria did not. Following a series of Federal studies and reports, last year the Federal Government enacted the Broadcasting Services Act that banned certain material nationwide and imposed particular requirements on the operators of publicly-accessible networks.
In brief, the Australian Broadcasting Authority has the power to ban any static Internet content, newsgroup or particular web site. System operators are not required to monitor Internet content for offending material, but are obliged to abide by the Internet Industry Code of Practice, which includes obligations to inform users and content providers of their legal responsibilities and to make available to users one or more of a number of filtering technologies. These range from web proxy software and a number of client-side web browser filters to child-oriented services such as Kidz.Net.
Since the Act came into operation on January 1 this year there have been a handful of Australian sites shut down, one notice in relation to a newsgroup and a series of complaints to foreign law enforcement bodies as a result of complaints made by the public. The problems of enforcing local standards on the global Internet have been well demonstrated, with sites banned in Australia re-emerging as offshore sites within hours and at least half of the complaints relating to overseas sites outside the jurisdiction of the ABA.
Interestingly, while the Government conceded that the large number of sites outside Australia made compulsory blacklists impractical, at present the Government appears to be relying on blacklists to enforce its ban on Internet gambling. This may be based on the Government's belief that there are only about 1000 gambling sites worldwide, a figure that is an under-estimate - anecdotally there are twice that many in the city of Las Vegas alone.
System operators may at least be satisfied that prosecutions for transmission of unlawful Internet content are likely to be uniform nationwide, and that section 91 of the Act seems to over-ride State and Territory laws affecting them in their capacity as operators of infrastructure. However, that any Australian can access any site outside Australia notwithstanding the passage of the Act remains a major problem for censorship within this country, and it is arguable that the Internet has instead adopted an international standard which effectively permits any material permitted in at least one country in the world. International police cooperation is limited to investigation of pictorial child abuse sites in relation to content regulation, although of course Internet-related terrorist activities and fraud are subject to the same international prosecution policies as exist for offences of those types in the offline environment.
With more people getting online come all of the frictions of the offline world. As the Internet becomes less of a curiosity and more of a basic communications resource, it is to be expected that inter-user friction will increase at least proportionately. Because of the relative anonymity of Internet interactions, and because people are not necessarily resident within the same locality, there appears to be an added element of risk-taking in personal expression that often leads to friction. The term "flaming" reflects the normality of robust debate, personal attacks and aggressive email that characterises Internet forums such as Internet Relay Chat, Usenet newsgroups, mailing lists and web-based chatrooms.
Equally, the ersatz confidentiality of email communication leads to romances and friendships developing across national borders and going through the twists and turns of human relationships. Threats and offensive behaviour are arguably as upsetting in the online world as in the offline world, perhaps even occasioning an added degree of seriousness when coupled with computer-based attacks such as viruses, forgeries and denial of service attacks.
These offences are well-covered by State and Territory laws relating to offensive behaviour of general application - a threat is a threat however delivered. Equally, the Federal catch-all of "offensive use of a telecommunications service" covers most misuse of computers, with other sections of the Crimes Act specifically criminalising particular types of misbehaviour. It is quite routine for restraining orders or prosecutions to issue when both the offender and the complainant are within the same jurisdiction, and not uncommon for such orders to cross State and Territory boundaries.
Of course, persuading a foreign Government to act is difficult, rare and sensitive to differing laws of evidence, applicable offences and perceived degrees of seriousness. However, the laws of general application hold up well since the unlawful act relates to the behaviour of the offender rather than the use of the computer per se. It is difficult to conceive of a communication sent across computer networks of a threatening or harassing nature that would not equally be an offence if delivered by the postal service or via voice telephony. While harassment of an individual can be harrowing, a sustained denial-of-service attack such as a ping flood, packets-with-payload or a distributed DOS attack has the potential to shut down a site of any size, at inconvenience to any number of users. The recent publicity over distributed DOS attacks on the Yahoo site (among others) shows the community concern over DOS attacks is at a high level, and that anyone identified as a perpetrator can expect severe punishment. However, the bumbling attempts to identify the source of the "Love Bug" email "virus" also demonstrate that damage can cross national boundaries and that prosecutions may flounder under local law enforcement failings.
Australian law generally follows the British tradition of allowing people and companies to recover damages for loss of reputation under the laws of libel and slander, without the exceptions relating to freedom of expression guaranteed under the US Constitution.
For a system operator, the traditional laws of defamation result in liability being placed upon the network as a secondary publisher of defamatory material once the system operator becomes aware of that material and fails to immediately remove it. It is settled law that a post to the Internet or a web page may be defamatory, and apart from being able to sue the originator of the offending material, the defamed person may also sue all distributors of that material as secondary publishers, subject to those notice requirements.
A famous online litigant, Laurence Godfrey, has successfully used the laws of defamation and the international legal quagmire to obtain monies by suing ISPs for permitting material alleged to be defamatory to continue to be available from their network. The Melbourne PCUG, New Zealand Telecom and British ISP Demon Internet are among his defendants who have found it cheaper to pay than to defend claims of defamation, especially in the context of litigation across jurisdictions. It is relatively cheap to start a defamation case compared with the enormous costs of proving the issue in Court - consequently it makes commercial sense to pay a smallish sum of damages to a Plaintiff rather than incur the expense of defending a trial, however meritorious the defence may have been.
Currently an associated legal issue - liability for hyperlinks - has threatened to broaden liability for online defamation by including as co-publishers anyone who links to a page or newsgroup article alleged to be defamatory. This issue is currently before the Courts in San Francisco at the suit of one Curzon-Brown, a teacher who alleged that a web site defamed him. In an attempt to suppress the alleged libel, Curzon-Brown sought damages from anyone linking to the offending site.
Within Australia, it is arguable that the Broadcasting Services Act section 91 actually provides a defence to an ISP that innocently transmits material subsequently found to be defamatory - however if notice has been given, it is possible that the defence fails. As "deep-linking" is a highly controversial issue in legal circles - is it a re-publication or just a reference - this is a moot point that may be argued in each jurisdiction in the future.
Once again, cross-jurisdictional variations on the rights of free speech may lead to uncertainty as to the legal position in relation to material posted or hosted in other countries. Is the relevant Court located in the country where the material was placed online, the country where the defamed person resides or in any country that provides Internet access at the choice of the defamed person? Certainly a defamed person would prefer to have the case decided under British law rather than the more liberal attitudes towards robust free expression in countries such as the United States or Holland, or might prefer the corrupted legal system in a country without the structures we would expect from a system that embodied the rule of law.
In the meantime this remains a key issue for operators of computer networks, best addressed by having rapid response systems in place to deal with complaints about hosted content.
This year's hot legal issue relating to Internet usage has been copyright violations, especially in relation to distributed piracy networks and the Napster program and service. Owners of intellectual property have ever been in the forefront of test cases involving computer networks, and already the Napster case has given rise to unusual legal precedents as national copyright laws try to tackle unauthorised distribution of musical works. Equally, the litigation which followed the so-called DVD crack demonstrated the vigour with which owners of intellectual property are prepared to defend their exclusive rights to license distribution and modification of that I.P.
Like defamation, copyright violation becomes the problem of the network operator once notice has been given - even under the relatively modern approach taken in the proposed amendments to the Federal Copyright Act. The duty of a network administrator to prevent notified abuses of copyrights has already extended to blocking propagation of newsgroup articles and using technical means to reduce the incidence of such abuse. It is arguable that this duty may extend in the future to black-banning alleged offenders, blocking Napster traffic or sampling web pages.
However, this sort of legal action seems to be doomed to failure if anonymised distribution systems such as FreeSource take hold, with infinite varieties of techniques to conceal traffic, its origins and destination. Furthermore, privacy rules imposed upon carriers also bind content hosts, so it is sometimes a matter of initiating litigation merely to require the network operator to lawfully release confidential client information for the purpose of locating the alleged offender(s).
The debate over "deep-linking" will likely be resolved under current copyright litigation, with the web site MP3Board initiating legal action in California to seek a declaration that deep-linking does not constitute a re-publication for the purposes of copyright law. Most legal commentators, while acknowledging the issue is untested in significant jurisdictions, have guessed that the degrees of separation possible with hyperlinking (to the file, to the page, to the directory, to the computer, to the network) mean that the line is probably drawn at the level where a link results in a browser downloading the particular copyright infringement. As copyright violation is both a civil tort and a criminal act, an element of "mens rea" or "guilty intent" is required to obtain a conviction, leading to the conclusion that a link to a particular file demonstrates an intent to violate IP, whilst a link to a page may not.
One of EFA's chief concerns relates to online privacy, and the extent to which connected networks can lead to aggregation of databases and data mining. Whilst generally EFA is of the view that existing laws adequately regulate online activity, privacy is a special case because of the magnitude of intrusion occasioned by global access and computer-assisted search facilities. The recent furore over the Crimenet site is one such instance, the concerns about the Packer private database company Acxiom another. Obvious examples of problems with aggregated databases include instances of two separate databases being combined and cross-referenced to the potential detriment of those listed therein - such as the example where a health insurance company purchases a hospital. Similarly, the sale by the Australian Tax Office or the Australian Electoral Commission of information obtained under compulsion of law in a form ready-made for spamming challenges notions of fair use of gathered data and individuals' rights to be left alone.
At present, the Federal Privacy Bill is before Parliament and has been strongly criticised as a legitimization of improper privacy intrusions and a weak Bill incapable of providing a proper framework for rights of privacy in the digital age. Like content regulation, the Bill proposes that the principal means of enforcing privacy will be left to industry codes of practice - unlike content regulation there is no mechanism for proactive Government action against transgressors nor effective remedies against proven violators. By contrast, the Bill presently before the Victorian Parliament goes much further in establishing a conciliation and arbitration process, defining and protecting certain privacy rights, and establishing a right to sue for damages for breach of privacy.
It has been suggested that the present Government, which last year rejected any form of privacy rights enforceable within the private sector, was persuaded to bring in a weak privacy law for fear its total absence would lead to trade sanctions and e-commerce being stifled. The privacy-conscious European Union has pressured countries such as the United States and Australia to adopt privacy laws in order to continue to do business with its member nations. It remains to be seen as to whether the Federal Bill will satisfy the concerns of international trade and e-commerce, but in any event I'd predict that the awareness of the erosion of privacy made possible and fast by interconnected computer networks will eventually result in a desire by ordinary Australians for rights of privacy enforceable against those who would profit from the trade in private information.
8. Illegal Content
While the Internet censorship debate in this country has focused on pornography, it should not be ignored that the borderless Internet also frustrates attempts to regulate information of other kinds. The benign network effect of "dis-intermediation" (cutting out the middle-man) which permits such socially-useful material as online professional databases also permits unqualified opinion to flourish next to traditional and regulated sources of information.
Recent concerns about so-called "doc.coms" giving unqualified or controversial medical advice online can be translated to many other subjects. The Australian Government agency ASIC recently prosecuted the owner of a site "Chimes" which gave investment advice of various kinds, on the basis it was not a licensed investment advisor. Similar sites challenge regulated, expert opinion in many regulated professions, and even within regulation at a national level, cross-jurisdictional issues afflict attempts to control the free flow of information on the global Internet. Is a Bangkok medical clinic web site going to be shut down at the request of the Australian Medical Association?
Many issues are cultural - French laws prohibit sites selling aspirin or Nazi memorabilia but tolerate radical politics or the advertising of tobacco products, Dutch law tolerates cannabis advertising, American law tolerates so-called "hate sites". In a global medium, it is difficult for any country to impose its views on its neighbours. While the availability of potentially-dangerous information (such as fireworks recipes) in offline media is for some countries reason enough not to seek an online ban, others argue that the Internet should be more severely regulated than public libraries because children allegedly have greater ease of access than in an offline environment. Other countries strive for consistency with offline restrictions under the assumption that because online/offline standards should be the same, they will be!
For a content provider, the issues discussed above are fundamental as to liability for criminal prosecution, civil liability and whether an e-business is permitted, and as such are of immediate professional interest. For a network administrator, the issues of concern are more likely to impact via a secondary liability for content hosted or transmitted, or alternatively the vicarious liability for the conduct of one's employees. An employer is liable for the conduct of employees to third parties, even if that conduct was not authorised or permitted, if proper monitoring procedures were not put in place.
Ultimately the challenge of participation in a global network is manifesting in the erosion of influence of national authorities in favour of international ones, notwithstanding that attacks and litigation from afar are undoubtedly greater risks. While the public, worldwide, comes to terms with the new sources of information and other content, the ability and the will of national Governments to continue regulation of various types of behaviour is reducing at the same time as individuals are becoming capable of suing citizens of other countries. As one of the world's oldest professions, law is now confronting the challenge of adapting to a global online future as well as other older professions, or risking irrelevance where the laws of different nations substantially conflict.
Kimberley James Heitman
B.Juris, Llb, AACS
Barrister and Solicitor, Western Australia
Chairman, Electronic Frontiers Australia Inc