[Home] [Databases] [WorldLII] [Search] [Feedback] New Zealand Law Commission

[Database Search] [Name Search] [Previous] [Next] [Download] [Help]

• The Value Of Information
• Breach Of Confidence
• Unlawful Interference With Economic Relations
• Unjust Enrichment
• What Is To Be Done?
• Ideas For Future Reform
• A New Statutory Tort?
• The Interrelationship Between The Law Of Torts And The Criminal Law
• The Availability Of Insurance To Protect Against The Wrongful Misuse Of Information
• Liability Of Internet Service Providers
• Overseas Regulation Of The Liability Of Isps
• Defamation

13 The law of torts

197 IN ECOM 1 we analysed how various tortious remedies applied to the electronic environment. After discussing the general nature of the law of torts,²⁹⁸ we dealt separately with the torts of trespass to property,²⁹⁹ breach of confidence,³⁰⁰  negligence³⁰¹ and defamation.³⁰²  We then sought submissions on whether legislation should be introduced to limit the boundaries of liability in tort, having regard to the problems in defining one’s neighbourhood in the electronic environment.³⁰³ Our provisional view was that it would not be feasible to introduce legislation because of the difficulty in articulating restrictions in a sensible and workable manner.³⁰⁴ The great majority of submissions received supported that view for the same reasons that courts refuse to constrain the tort of negligence: circumstances in which the tort may need to be invoked in the future cannot readily be predicted.³⁰⁵

198 Of more concern to those persons making submissions on the torts chapter was the need to clarify the liability of Internet Service Providers (ISP) for acts or omissions of their subscribers. Submissions underscored the view that too much uncertainty surrounds the issue of ISP liability. Different views were put forward as to the means of clarifying liability.

199 We have come to the view that it is appropriate to clarify the basis of ISP liability in the interests of ensuring that the law is as predictable as possible in this area. We address the reasons for our views at paras 240–261.

200 Although unconnected with the points made in submissions, it has also become clear to us that we need to address the interrelationship between the criminal law and the law of torts³⁰⁶ to investigate whether there are any significant gaps in the law’s protection of information which has been wrongfully obtained. We deal with this issue first.

THE VALUE OF INFORMATION

201 We agree with the view of Fitzgerald that:

. . . the fundamental premises of the new society include the notion that information is currency, there is an intangible delivery of products, there is non-territorial and decentralised nature to the way we do business. Time, space and physicality disappear into the background . . . information needs to be freely available to ensure social and cultural prosperity.³⁰⁷

202 We said in our Computer Misuse report that

It is necessary to ensure that computer systems are not used to cause harm to others. Computers are relied on to perform vital functions in many sectors of our society. They are used to administer banking and financial systems, transport control systems, communication systems, hospitals and a variety of other complex operations. A person who gains unauthorised access to a computer can cause major disruption. Computer misuse can cause extensive economic loss, not only to an individual company but also on a nation-wide scale; it can put lives in danger. Unauthorised interference with an airport control system or computers in a hospital are examples of the latter.³⁰⁸

We then asked whether the time had come to redefine “information” as a property right for both civil and criminal law purposes.³⁰⁹ We said:

It is necessary to protect commercial information which may be of immense value. For many businesses operating in this environment, the information which is stored on their computer will be its most valuable commodity. It is important to recognise and protect the intellectual capital of information stored on a computer. The importance of information as a business asset in the knowledge economy may justify redefinition of information as a property right for both civil and criminal law purposes. In essence, it is both the information and the systems which we are proposing to protect in our recommendations in this report. The question whether information should be regarded as a property right for civil law purposes will be addressed further in the second Electronic Commerce report . . .³¹⁰

203 The United States is, by far, the country whose citizens constitute the biggest number of users of the internet in the world. New Zealand, in 1996, had 200,000 users of the internet and a projected number of users for the year 2000 of 700,000.³¹¹ This compares with the 1996 estimated number of United States internet users of 47 million.

204 Clearly, United States case law on electronic commerce is likely to reflect issues which will come before New Zealand courts in the future. United States case law on misuse of information through electronic means is of assistance in addressing whether there is a demonstrable need, in New Zealand, for better legal protection of information. We limit discussion to the practice of framing and the act of defaming. It is important to bear in mind that intellectual property rights already exist to protect information which is seen by the law as having proprietary characteristics. Thus, our assessment of the question posed in paragraph 202 is addressed in a wider context.

205 Framing is a variation of hyperlinking in which the linked site appears in an open window on the linking site.³¹² The practice of framing involves two distinct issues: the confusion of consumers³¹³ and the commercial use (or misuse) of information. We concern ourselves here with the latter. It is important to remember that the linking of information of itself does not constitute misuse of information in any proprietary sense. In functional equivalent terms, one can say that framing a picture which has been purchased from an art gallery would not constitute misuse of the picture. But, when a hyperlink³¹⁴ in a website (“the hosting website”) connects the user to another website (“the retrieved website”) and presents the information in the frame of the hosting website then the information in the retrieved website may well appear to be an original product of the hosting website. The association created by the hyperlink may be positive or negative, depending upon a myriad of factors such as:

• the reputation of the hosting website;
• the influence the link will have on the number of “hits” to the retrieved website;
• whether the connection slows the speed of use of a website; and
• whether the connected website is a competitor of the retrieved website.

Assuming the retrieved website owner considers the association created is detrimental, does (or, should) that person³¹⁵ have any claim or action against the owner of the hosting website?  And, if so, on what conceptual basis?

206 When framing is alleged to constitute misuse of commercial information, the common allegation in the United States is breach of copyright or trademark law. Inherently, such actions require a plaintiff to establish that the “information” is “intellectual property” to which rights at law exist. If the parties are contractually related the linking may amount to a breach of contract. There may also be a cause of action in trespass if the retrieved site has taken steps to notify users that linking is not permitted without consent, the forcefulness of which will be strengthened by the retrieved website having put in place technological barriers in an attempt to pre-empt linking.³¹⁶ Finally, in the United States there is a claim based on misappropriation.³¹⁷

207 In New Zealand, four remedies that may be of assistance to a New Zealand litigant are (a) an action for breach of copyright,³¹⁸ (b) an action based upon section 9 of the Fair Trading Act 1986³¹⁹ (misleading or deceptive conduct in trade), (c) an action for unjust enrichment,³²⁰ (d) a common law action for passing off ³²¹  or (e) a claim based on unlawful interference with economic relations.³²² More generally, these causes of action, in addition to the actions discussed in ECom 1 (trespass to property, breach of confidence, negligence and defamation), provide protection against the misuse of information, whether that misuse causes loss to the person from whom it is obtained or confers a benefit (financial or otherwise) on the person who has acquired the information.

208 In determining whether there are any significant gaps in the law’s protection of information an assessment is required of the protection afforded to information by existing causes of action. The difficulty of doing so is that most of the causes of action that may protect against the wrongful use of information are of common law or equitable origin. Common law and equitable causes of action have the characteristic of being evolutionary in nature, making them adaptable to new circumstances. Two maxims of equity demonstrate this inherent flexibility in relation to equitable causes of action:

• “Equity will not suffer a wrong to be without a remedy”; and
• “Equity looks on that as done which ought to be done”.³²³

209 Until particular cases involving the misuse of information come before our courts pleading reliance upon a common law or equitable cause of action, it is difficult to be emphatic that existing causes of action will provide a remedy. Our provisional view is that the protections offered by the action for breach of confidence (which is generally regarded as being of equitable origin), the tort of unlawful interference with economic relations and the claim of unjust enrichment (which is considered by some to be quasi-contract in nature and others as a restitutionary claim), as well as the wide ranging nature of section 9 of the Fair Trading Act 1986 (designed to provide a remedy for misleading or deceptive conduct in trade, or for conduct likely to mislead or deceive), should be sufficient to deal with most cases.

210 For convenience, we outline briefly the protections which are likely to flow from causes of action based on breach of confidence, unlawful interference with economic relations and the restitutionary claim based on unjust enrichment. We do not consider separately a cause of action based on section 9 of the Fair Trading Act 1986 as that is well known. The Court of Appeal has emphasised on a number of occasions that the words of section 9 of the Act should be given their ordinary meaning; the Court of Appeal has also emphasised the wide ranging nature of the remedial provisions contained in section 43(2) of the Act.³²⁴

Breach of confidence

211 The law relating to breach of confidence has an inherent flexibility designed “to keep pace with changing social and economic circumstances and to cater for the needs and changing requirements of the times”.³²⁵

212 Although information, of itself, is not regarded as property,³²⁶ the breach of confidence action has been used to protect proprietary interests in information.³²⁷ However, authority is divided on whether such application is appropriate. At the very least it can be said that the breach of confidence action does have the potential to provide a remedy for the wrongful taking of information.³²⁸ The case of Franklin v Giddens illustrates this potential. ³²⁹ 

213 In Franklin, the plaintiff had, by a secret method of cross-breeding, produced a new type of tree. The defendant stole the specimens and thereby discovered the previously secret genetic structure of the wood. The plaintiff succeeded in an action for breach of confidence. Justice Dunn emphatically rejected the argument that there must be a private relationship of confidence between A and B before one could be liable to the other for breach of confidence. He was “quite unable to accept that a thief who steals a trade secret, with the intention of using it in commercial competition with its owner, to the detriment of the latter, and so uses it, is less unconscionable than a traitorous servant”.³³⁰

214 The crux of the issue seems to be whether the circumstances are such that the person who acquired the information ought reasonably to know its confidential nature. Put more formally by Fullagar J in Deta Nominees Pty Ltd v Viscount Plastics Pty Ltd:³³¹

Would a person of ordinary intelligence, in all the circumstances of the case, including, inter alia, the relationship of the parties and the nature of the information and the circumstances of its communication, recognise this information to be the property of the other person and not his own to do as he likes with.

215 Clarke is of the view that if it is a correct statement of the law to say that the person who obtained the information and others who have subsequently received it will be restrained from being able to use it then

[t]here seems to be no reason why a hacker who dishonestly obtains unauthorised access to confidential information held on a computer should not be restrained from using that information by an action for breach of confidence.³³²

The main obstacle to such use of the action is a decision of Sir Robert Megarry VC in Malone v Metropolitan Police Commissioner.³³³ In the Vice-Chancellor’s view, “a person who utters confidential information must accept the risk of any unknown overhearing that is inherent in the circumstances of communication . . .”³³⁴ – the means of communication in that case was by way of telephone.

216 Mindful of Malone, the Law Commission for England and Wales concluded that it was doubtful whether acquiring information by reprehensible means would render the obtainer of such information subject to an obligation of confidence.³³⁵ The case could, of course, be easily distinguished on the effort required to “overhear” information conducted by electronic means as compared with telephonic means.

Unlawful interference with economic relations

217 The leading case in New Zealand concerned with the tort of unlawful interference with economic relations is Van Camp Chocolates Ltd v Aulsebrooks Ltd.³³⁶ Van Camp alleged that AB Consolidated Ltd (ABC) unlawfully interfered with its economic interests (the legal successor to the business and liabilities of ABC was Aulsebrooks). In summary, the basis of the allegation was that confidential information had been misused to produce a food bar of inferior quality which was associated by consumers with food bars manufactured by Van Camp. It was alleged that Van Camp had, in consequence, lost sales and that its trade reputation had been damaged. The Court of Appeal was asked to rule as to whether a claim based on a tort of unlawful interference existed.

218 Justice Cooke (as he then was), delivering the judgment of the Court, said: ³³⁷ 

As long ago as 1914 the tort was recognised in this Court in Fairbairn, Wright & Co v Levin & Co Ltd 34 NZLR 1 . . . Sim J delivering the judgment of Edwards J and himself said at pp 29–30 that ‘. . . if, for the purpose of advancing his own interests, a trader uses against a rival weapons that are unlawful and thereby causes him injury, the latter has a good cause of action for damages’.

After referring to Merkur Island Shipping Corporation v Laughton,³³⁸ in which the House of Lords accepted that there is a tort of interfering with the trade or business of another person by doing unlawful acts, Cooke J concluded that the tort of unlawful inference is a recognised tort in New Zealand,³³⁹ although:

its boundaries will receive closer definition as cases emerge, and we see insufficient reason for discarding a judicial remedy which from time to time may be useful to prevent injustice.³⁴⁰. . . The essence of the tort is deliberate interference with the plaintiff’s interests by unlawful means.³⁴¹

219 It is unclear what kinds of acts may be relied upon to constitute the “unlawful means” requirement. The Court in Van Camp reserved its opinion on whether “. . . misuse of confidential information in breach of the defendant’s duty to a party other than the plaintiff can constitute unlawful means for the purposes of this tort”.³⁴²

220 The general nature of this tort does, in our view, provide a basis for the courts to develop principles dealing with misuse of business information in the electronic environment.

Unjust enrichment

221 Burrows (et al) Law of Contract in New Zealand states:

The law has for a long time had a series of rules enabling one person to recover money from another where the retention of money or some other benefit would unjustly enrich that other party at the expense of the first.³⁴³

We focus on receipt of a benefit.

222 The law of unjust enrichment will assist where “the plaintiff has conferred a benefit on the defendant in circumstances where it is fair that it should be paid for”.³⁴⁴ It is interesting to note that this area of law has changed from being referred to as “quasi-contract” to “restitution” because in reality most of the cases had “little or nothing to do with contract”.³⁴⁵

223 With abandonment of the label quasi-contract, there has been a search for a principle to underpin this branch of the law. Although unjust enrichment of itself does not yet appear to be a sufficient basis for a cause of action, in New Zealand it has been referred to as an underlying rationale in claims of restitution. Put simply by Lord Browne-Wilkinson,

. . . the concept of unjust enrichment lies at the heart of all the individual instances in which the law does give a right of recovery.³⁴⁶

224 While the limits of the unjust enrichment action are unclear, this means there is much room for development to “. . . mould the current complex mass of precedent into a new coherent whole”.³⁴⁷

225 Professor Peter Birks has called for statutory clarification of the unjust enrichment action in terms of the following formula:³⁴⁸

(a) Unjust;

(b) Enrichment of the defendant;

(c) At the expense of the plaintiff;

(i) by subtraction from the plaintiff; or
(ii) by doing wrong to the plaintiff;

(d) Where no defences are applicable.

226 Fitzgerald and Gamertsfelder staunchly advocate that unjust enrichment law, more so than the traditional doctrines of tort, will emerge as the obligation which most adequately protects unjustified interference with information.³⁴⁹ Without analysing the advantages and disadvantages of such development, the focus on the “benefit” in the cause of action lends itself to the contemplation of intangibles, which are the currency of the information industry. Another advantage of application of a restitutionary action to the misappropriation of information is the nature of the remedy; restitution is concerned with restoration to the plaintiff of the benefit received by the defendant, not with compensation for loss or damage.³⁵⁰

227 Fitzgerald and Gamertsfelder conclude:

Unjust enrichment is to the information age what the tort of conversion was to the mechanical/industrial age. In essence they are the same obligation dealing with different degrees of tangibility. . . . Intellectual property lawyers should pay unjust enrichment more attention, as not everything will fall under the label of copyright or patent . . . and unjust enrichment lawyers should seek to exploit this golden opportunity to make their area of law the road map for the protection of intangible value in the information age.³⁵¹

What is to be done?

228 Issues involving electronic commerce are only just beginning to be litigated in New Zealand courts. The demand for added protection for information cannot be gauged until equity and the common law, in combination with statutory provisions such as the Fair Trading Act 1986, have been given the opportunity to meet such a demand. We are of the view that there is not, as yet, a demonstrable need for legislative intervention to provide greater protection against the misuse of information.

229 We did not, in ECom 1, discuss these issues in as much depth. The further work which we have done meantime has led us to the view that there is a need to focus on whether existing statutory, common law and equitable actions are sufficient to meet the needs of those involved in electronic commerce. We invite submissions on this issue with the intention of addressing matters further in our third electronic commerce report which we intend to publish late 2000. In order to assist those who wish to make submissions on these issues we now put forward some ideas for future reform. We make it clear that these are no more than ideas and that, unless the contrary is expressly stated, the Commission has not yet formed views on their respective merits.

IDEAS FOR FUTURE REFORM

230 As foreshadowed in our Computer Misuse report, we have considered the possibility of regarding information per se as property.³⁵² We have concluded that that course of action would be inappropriate for the following primary reasons:

• there would be considerable difficulty in determining what is property and what is not. There is no commonly accepted definition of “property”. Problems also exist in attributing property rights to particular people.³⁵³
• in effect, the civil law would outstrip its criminal counterpart. Property per se is not protected under the criminal law. Society is protected against persons dealing with property in various ways, eg knowingly or recklessly or carelessly.
• as demonstrated by the above point, the effect of creating this new cause of action would be to cut across existing causes of action (notably intellectual property, passing off and breach of confidence), muddling existing law. The potential disturbance of an “information as property” right to intellectual property law is illustrated by the following:

The law has traditionally resisted characterising information per se as private property. As a matter of public policy the classical intellectual property system forbids the extension of exclusive statutory rights to products or processes that are not to some extent, inherently innovative. The regime is underpinned by the premise that intellectual property rights attach only to significant creative contributions that might not have been undertaken in the absence of reward or unfair competition. Copyright law gives creators limited property rights in their expression of ideas, but regards the information contained in a copyrighted work, like the work’s ideas, to be in the public domain and available to be freely used by all.³⁵⁴

• a likely consequence of introducing a cause of action for wrongful “taking” of information will be that parties may no longer have adequate incentives to make their own provision for the importance of information to them.

A NEW STATUTORY TORT?

231 Having rejected the redefinition of “information” as property, we considered other options for reform. We wish to raise, for submissions, whether it would be appropriate to consider enactment of a statutory tort which would give the owner of a computer system a right of action against a person where that person had breached criminal legislation dealing with computer misuse and, as a result, caused loss or obtained benefit. Legislation has just been introduced into Parliament to address certain aspects of computer misuse but it is far from clear whether that legislation will be passed in the form introduced or not.³⁵⁵ Accordingly, we seek submissions on the question of whether users of electronic commerce believe there is sufficient uncertainty in the law to justify enactment of a statutory tort. If there is support for the concept we will examine it in detail in our third report.

232 At present, we tend to the view that if a statutory tort could be justified it should attract liability on proof, to the civil standard, that the criminal law had been breached. That would enable a party who has suffered loss, or can prove that the wrongdoer has obtained a profit, to recover that loss or an account of the profit from the wrongdoer on proof, on a balance of probabilities, that the wrongdoer has infringed the computer misuse legislation.

233 From a preliminary consideration of introducing a statutory equivalent to computer misuse, two factors will have significant influence on the desirability of introducing a civil equivalent to computer misuse:

• the interrelationship between the law of torts and the criminal law; and
• the availability of insurance to protect against the wrongful misuse of information.

We give a brief outline of these two issues for the assistance of those who intend to make submissions on these matters.

234 An alternative approach would be to consider the suggestion of Professor Birks³⁵⁶ of codification of the law of unjust enrichment in the manner suggested by him. We invite submissions on whether that is an appropriate response to the issues raised.

The interrelationship between the law of torts and the criminal law

235 The interrelationship between the law of torts and the criminal law raises the question whether it is appropriate for civil law remedies to be used, essentially by way of deterrence, in conjunction with criminal law measures enacted for that purpose. We say that because it is reasonably clear that many of those currently responsible for computer misuse will be of an age and of a means which will likely render civil liability empty. The difficult issues concerning the interaction of the civil and the criminal

law was referred to, in passing, by Hammond J in Powerbeat International Limited v Attorney-General.³⁵⁷ In the course of his judgment, Hammond J observed:

. . . it has to be acknowledged that in many legal systems in the world today, the criminal law is given [primacy] even over the civil law in this area. For instance, in a notably high technology economy – that of Japan – the primary line of attack on pirates and infringers is through the criminal law (see Doi, Intellectual Property Protection and Management – Law and Practice in Japan (1992)).
Whatever views may be taken on what are very difficult issues of public policy, and economics, there has in fact been increasing reliance on general criminal law provisions relating to dishonesty against pirates and copiers, with mixed success.³⁵⁸

The question inherent in Hammond J’s observations is: should the criminal law alone deal with these types of issues?

The availability of insurance to protect against the wrongful misuse of information

236 One of the purposes of the law of torts (in general) is to provide compensation for the wronged individual. However, as is stated by Balkin and David in Law of Torts,³⁵⁹

If the principal aim of tort law is to provide compensation for many of the losses suffered through our modern way of life, that compensation will scarcely ever be effective unless the defendant is insured against his liability.

237 Mr C Nicoll³⁶⁰ in Insurance of E-Commerce Risks³⁶¹ identifies three broad categories of e-commerce risks as being: 

• Business interruption:

A business may be brought to a standstill if its computer system ceases to work or its credibility is seriously compromised. 

• Legal liabilities:

The ability of a computer to present information to the outside world can bring legal liabilities down upon its proprietor and persons responsible for the information itself. The interactive nature of a computer can mean information in large volume may pass through or be stored within a system so its owner has no real editorial power over content. The interactive nature of a computer within a network also makes it a conduit for the transfer of data in the form of an executable program. Such a program may cause damage to the system to which it is transferred. Specific risks of significance are: liability for the tort of defamation; liability for intellectual property infringement; liability for breach of confidential information; liability for negligent misrepresentation; liability under a contract made mistakenly by means of a computer; and liability for damage to a third party’s system by the transfer to it of an executable program.

• Penetration costs:

Security measures have become a challenge for the socially, although not technically, inadequate who will seek to penetrate systems not for financial gain but simply to leave a calling card or graffiti tag in the form of a virus (whether merely irritating or devastatingly destructive).

238 Based upon a consideration of the London insurance market, Nicoll concluded

While cover of one sort or another seems to be available for most problems that can occur with e-commerce, “off the shelf” packages need careful consideration. The prudent proposer, at the present time, is advised to seek advice to ensure it gets a properly tailored product to suit its individual needs.

239 We seek submissions on whether the New Zealand insurance market provides adequate cover for e-commerce risks. We are particularly interested in establishing whether the cost of insurance cover is considered to be cost effective by businesses operating in electronic commerce. The adequacy or otherwise of an insurance market may have relevance to our consideration of whether a statutory tort is required.³⁶²

LIABILITY OF INTERNET SERVICE PROVIDERS

240 The liability of an ISP – a secondary actor – is topical because it operates on a radically different basis to traditional carriers of communications. As put by Longdin:

Technology allows operational malleability and providers can play more than one role or fit (or semi-fit) several functional metaphors from one moment in time to another. (. . . for example, a systems operator could be functioning as a common carrier, broadcaster, or publisher simultaneously, or in quick succession, and a university could function as an Internet access provider as well as a cable service programme provider.)³⁶³

241 The liability of an ISP is also a matter of particular interest to plaintiffs in internet cases involving defamation as the ISP

• is more likely to have “deep pockets”; and
• is easier to locate than the primary publisher.

242 An ISP faces a diffuse range of potential liabilities. Liability could arise from such activities as: caching;³⁶⁴ the uploading or downloading of information conducted by the ISP’s subscribers; linking, framing, or hosting a website on which a defamatory message is published; and publishing.³⁶⁵

243 Service providers are categorised by Counts and Martin into three groups:

• the content provider;
• the pure access provider; and
• the mixed provider.³⁶⁶

The content provider would, for example, be the provider of a newspaper published on the internet. A pure access provider is a mere carrier, for example MCI Mail, which provides an electronic communication system through which subscribers communicate. In the United States, common carriers are exempt from liability resulting from the content of what they transmit provided certain conditions are met.³⁶⁷ The rationale for such an exemption is that it would be unfair to pin legal liability to common carriers when they are unable to alter harmful messages, unless given prior notice of their intended transmission.³⁶⁸ Moreover, if common carriers were responsible for screening all of their messages, efficiency would be seriously impaired:

Taken to its (il)logical extreme, such a rule could drive a phone company to prohibit real-time conversations between individuals, since the phone company would have to screen each sentence for potentially defamatory material.³⁶⁹

244 More difficult issues arise when the content and pure access functions are mixed. The internet content provider, in stark comparison, has control over the content of a publication and therefore can (rightly) expect to be held liable. Often the publisher edits every word prior to publication as well as selecting which material to publish and in what form.³⁷⁰

245 Both content and the pure access service providers have analogous counterparts in the real world. As a consequence, it should not be difficult to apply existing law to them. The same can not be said for a mixed provider.

246 A mixed provider necessarily fulfils roles of both content and pure access providers. There are not any industry standards for the role played by mixed providers; some exercise a great deal of editorial control over postings, while others merely provide the forum and abdicate responsibility for what is posted. Two United States actions against service providers illustrate how difficult it is to assess (and indeed predict) the legal responsibility of a mixed service provider.

247 In Cubby Inc v CompuServe Inc³⁷¹ the District Court found that a service provider that exercised no control whatsoever over the material accessed by its subscribers should be classified as a secondary publisher. The Court in Cubby stated:

Compuserve has no more editorial control over such a publication than does a public library, book store, newsstall or news-stand, and it would be no more feasible for Compuserve to examine every publication it carries for potentially defamatory statements than it would be for any other distributor to do so.³⁷²

248 The inference arising from the Cubby case is that due to the size and speed of the internet an ISP is a mere distributor of defamatory material unless there is an aggravating factor. To require otherwise would be to require the ISP to monitor everything and thereby inhibit the flow of information.³⁷³

249 On the other hand, in Stratton Oakmont Inc v Prodigy Services Co,³⁷⁴ the New York Supreme court held that a service provider which took steps to screen postings for offensive language and to enforce guidelines issued to its subscribers was exercising a degree of editorial control sufficient to make it liable as a primary publisher.³⁷⁵ The trial court stated:

Prodigy’s conscious choice, to gain the benefits of editorial control, has opened it up to a greater liability than Compuserve and other computer networks that make no such choice . . .³⁷⁶

250 In our view, the “degree of editorial control” approach to determining the liability of a mixed service provider is undesirable for two reasons:

• first, it discourages screening for offensive material. Besides it being desirable for offensive material to be removed as frequently as possible, if ISPs are encouraged to not screen in order to avoid being considered a primary publisher, the effect would be to leave the defamed party with no legal redress at all, given the high likelihood that a judgment against an original publisher would be rendered empty because the original publisher was either unlocatable or impecunious.³⁷⁷
• secondly, the test is not sufficiently precise to provide an ISP with predictable criteria upon which to base their practices. The issue is: how much editorial control would be enough to trigger liability?³⁷⁸ For example, does refusing to allow websites of a disreputable nature to link to your website constitute “editorial control”.³⁷⁹ An arguable analogy of this refusal in the real world is the editor of a magazine refusing to publish an article containing defamatory material.

251 It is not feasible nor fair to require ISPs to monitor content and remove material that is offensive or would give rise to a legal claim. Distributors do not have the resources or expertise to review all of the material they receive.³⁸⁰ Even if they did:

• detection of legally actionable material will not often be caught by monitoring or packet sniffing technology.³⁸¹ For example, a word may not itself be defamatory but in its context may imply a defamatory meaning – subtle nuances can not be searched for through a conventional search engine;
• a search at 12 noon will not pick up a change (which may be minor but significant) at 12.05 pm – the ability to alter the information regularly is an important consideration;
• to hold ISPs liable may discourage the use of electronic commerce (and in particular the internet) by increasing the time and expense involved in digital transmission;³⁸²
• the speed of transmission and the large volume of digital traffic means that detection of infringement is likely to be (and can not, for the reasons that make content monitoring impracticable be anything but) after the fact.³⁸³ And so, the issue becomes a factual one of how long should a legally objectionable message take to be removed by an ISP;
• requiring ISPs to remove, for example, a defamatory message, has the potential to impose on them a greater burden than their analogue counterpart: if a defamatory message is posted on a website and removed by the ISP that is not necessarily the end to the matter; there is nothing to prevent ongoing repostings (perhaps by a competitor), with the costs of locating and removing material falling on the ISP;³⁸⁴ and
• monitoring itself could constitute a breach of privacy or, if our computer misuse legislation is enacted, unauthorised interception with data stored in a computer.³⁸⁵

252 It is however extremely important that mixed service providers can be certain of when their actions attract liability, and can encourage practices that remove and discourage the publication of illegal and offensive material on the internet. Hence we recommend liability be founded on actual knowledge. Counts and Martin have dubbed such a test “the graffiti principle”,³⁸⁶ using the case of Heller v Bianco³⁸⁷ to illustrate that principle.

253 In Heller v Bianco a Californian appellate court found a tavern owner could be liable for a message scrawled on the bathroom that stated, in essence, “Call this number for a good time and ask for Isabelle”. The tavern owner was informed of this message and asked to remove it by Isabelle’s husband. The bar-tender responded that he would remove the message “when he got around to it”, but failed to remove it. The court held that those “who invite the public” into their business have an obligation “not to knowingly” allow their premises to be littered with “defamatory matter”.³⁸⁸ The court found:

By knowingly permitting such matter to remain after reasonable opportunity to remove the same the owner of the wall or his lessee is guilty of republication of the libel . . . Republication occurs when the proprietor has knowledge of the defamatory matter and allows it to remain after a reasonable opportunity to remove it.³⁸⁹

We turn to look at how other countries are dealing with the liability of ISPs.

Overseas regulation of the liability of ISPs

254 The Australian Bill does not include a provision dealing with the liability of ISPs.

255 The Singapore Government considers it essential to:

. . . manage the exposure of network providers to risks of liability for third party content. The EC Policy Committee proposed that an ISP should not be held liable for third party content outside his control for which it merely provides access (for example, content of websites hosted overseas). However, the network providers will still be subjected to their obligations under existing licensing regimes from agencies . . . Network providers are also liable for their own content, or third party content which they adopt or approve of.³⁹⁰

256 The Singaporean Government’s stance on ISP liability is reflected in section 10 of its Electronic Transactions Act 1998 which provides:

10 Liability of network service providers
(1) A network service provider shall not be subject to any civil or criminal liability under any rule of law in respect of third-party material in the form of electronic records to which he merely provides access if such liability is founded on –
a. the making, publication, dissemination or distribution of such materials or any statement made in such material; or
b. the infringement of any rights subsisting in or in relation to such material.
(2) Nothing in this section shall affect –
(a) any obligation founded on contract;
(b) the obligation of a network service provider as such under a licensing or other regulatory regime established under any written law; or
(c) any obligation imposed under any written law or by a court to remove, block or deny access to any material.
(3) For the purposes of this section –
• “provides access”, in relation to third-party material, means the provision of the necessary technical means by which third-party material may be accessed and includes the automatic and temporary storage of the third-party material for the purpose of providing access;
• “third-party”, in relation to a network service provider, means a person over whom the provider has no effective control.

257 In Europe, there has been

. . . considerable legal uncertainty within Member States regarding the application of their existing liability regimes to providers of Information Society Services when they act as “intermediaries”, i.e. when they transmit or host third party information (information provided by the users of the service).³⁹¹

The rationale for inclusion of provisions governing liability of intermediaries was to unify the stance to be taken by Member States as “. . . divergent principles have been adopted in those Member States which have introduced new legislation specifically addressing this issue”.³⁹² The situation also leaves “. . . different parties (service providers, content providers, persons whose rights have been violated and consumers in general) under considerable legal uncertainty”.³⁹³

258 Section 4 of the Proposal for a European Parliament and Council Directive on Certain Legal Aspects of Electronic Commerce in the Internal Market makes comprehensive provision for the liability of intermediaries. We reproduce section 4 (Liability of intermediaries) in full:

Article 12

Mere conduit

1. Where an Information Society service is provided that consists of the transmission in a communication network of information provided by the recipient of the service, or the provision of access to a communication network, Member States shall provide in their legislation that the provider of such a service shall not be liable, otherwise than under a prohibitory injunction, for the information transmitted, on condition that the provider:

(a) does not initiate the transmission;

(b) does not select the receiver of the transmission; and

(c) does not select or modify the information contained in the transmission.

2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.

Article 13

Caching

Where an Information Society service is provided that consists in the transmission in a communication network of information provided by a recipient of the service, Member States shall provide in their legislation that the provider shall not be liable, otherwise than under a prohibitory injunction, for the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information’s onward transmission to other recipients of the service upon their request, on condition that:

(a) the provider does not modify the information;

(b) the provider complies with conditions on access to the information;

(c) the provider complies with rules regarding the updating of the information, specified in a manner consistent with industrial standards;

(d) the provider does not interfere with the technology, consistent with industrial standards, used to obtain data on the use of the information; and

(e) the provider acts expeditiously to remove or to bar access to the information upon obtaining actual knowledge of one of the following:

– the information at the initial source of the transmission has been removed from the network;
– access to it has been barred;
– a competent authority has ordered such removal or barring.

Article 14

Hosting

1. Where an Information Society service is provided that consists in the storage of information provided by a recipient of the service, Member States shall provide in their legislation that the provider shall not be liable, otherwise than under a prohibitory injunction, for the information stored at the request of a recipient of the service, on condition that:

(a) the provider does not have actual knowledge that the activity is illegal and, as regards claims for damages, is not aware of facts or circumstances from which illegal activity is apparent; or

(b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.

2. Paragraph 1 shall not apply when the recipient of the service is acting under the authority or the control of the provider.

Article 15

No Obligation to Monitor

3. Member States shall not impose a general obligation on providers, when providing the services covered by Articles 12 and 14, to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity.

4. Paragraph 1 shall not affect any targeted, temporary surveillance activities required by national judicial authorities in accordance with national legislation to safeguard national security, defence, public security and for the prevention, investigation, detection and prosecution of criminal offences.

259 There seems to be a number of consistent themes running through the way in which various States are dealing with this issue. For example,

• In California, the touchstone is actual knowledge of the existence of objectionable or defamatory information and a failure to remove the information in a timely fashion.³⁹⁴
• In Singapore, an ISP is not liable to criminal or civil sanctions provided its role is merely to provide access. The term “third party” is defined in section 10(3) of the Electronic Transactions Act 1988 (Singapore) to mean a person over whom the ISP has no effective control; presumably control (and, hence, an ability to control publication) would exist at the time that actual knowledge of the existence of objectionable or defamatory material is obtained.
• The touchstone for no liability under the proposed European Union Directive is that the ISP is a mere conduit, or received information by way of caching of which it has no knowledge, or has no actual knowledge that an activity is illegal or knowledge of facts or circumstances from which illegal activity is apparent. Once actual knowledge exists, there is an obligation to act expeditiously to remove or to disable access.

260 In our view, legislation should clarify that ISPs have no liability unless they have actual knowledge of the existence of information on the website which would be actionable at civil law or constitute a crime. The legislation should go further to provide an obligation to remove promptly any information drawn to an ISP’s attention. But it should also be made clear that the ISP is not liable for any reposting of that information by a third party unless or until it obtains actual knowledge of reposting and fails to act to remove. We recommend accordingly.

261 This recommendation is of a general nature. It is intended to clarify the circumstances in which an ISP may be liable. We contrast this recommendation with our specific recommendation in relation to the Defamation Act 1992 which, because of its nature as a statutory defence, requires a specific provision rather than a general one.³⁹⁵ This recommendation is intended to cover all actions (other than those of contractual origin in which the contract defines the obligations) brought against ISPs. Examples of cases to which the provision would apply are actions under section 9 of the Fair Trading Act 1986 and tortious claims.

Defamation

262 Defamation is one example of a tortious action. The potential effect of defamation law on discourse over the internet

. . . has attracted considerable comment, in part because a high proportion of the small number of [overseas] lawsuits arising out of Internet communications have involved defamation claims . . . Actions have been brought in Australia, the United Kingdom, and the United States.³⁹⁶

The potential for defamation of third parties is an important issue in the context of an electronic medium which provides an ability to publish a statement both widely and anonymously.

263 In ECom 1, after considering overseas case law, we stated:

There is little doubt that electronic transmission of a defamatory statement which identifies the plaintiff constitutes publication for which the publisher will be liable . . . The main issue is not therefore whether liability in defamation can arise from electronic communications, but rather who may be liable and, in particular, whether network service providers may be liable for publishing defamatory comments made by their subscribers.³⁹⁷

264 We then examined the potential liability of ISPs and concluded that liability would turn upon a factual conclusion as to how much editorial control the ISP had over the defamatory material. As to the availability of the defence of innocent dissemination provided for by section 21 of the Defamation Act 1992 (set out at ECom 1, para 190),³⁹⁸ we expressed the view that that:

The definitions of “processor” and “distributor” in section 2(1) of the Defamation Act 1992 are probably sufficiently broad to include computer network service providers.³⁹⁹

Section 2(1) of the Defamation Act 1992 defines a “Distributor” as including a bookseller and a librarian; and a “Processor” as meaning “. . . a person who prints or reproduces, or plays a role in printing or reproducing, any matter”.

265 Since publication of ECom 1, Morland J in Godfrey v Demon Internet Ltd (Demon)⁴⁰⁰ has considered the ability of an ISP to avail itself of the defence of innocent dissemination provided for by the United Kingdom Defamation Act 1996, section 1.⁴⁰¹ The relevant part of section 1 of the Defamation Act 1996 (UK) provides:

(1) In defamation proceedings a person has a defence if he shows that –
(a) he was not the author, editor or publisher of the statement complained of,
(b) he took reasonable care in relation to its publication, and
(c) he did not know, and had no reason to believe, that what he did caused or contributed to the publication of a defamatory statement.
(2) For this purpose . . . “publisher” means a commercial publisher, that is, a person whose business is issuing material to the public, or a section of the public, who issues material containing the statement in the course of that business. . . .

266 The distinction drawn in the New Zealand and United Kingdom legislation is between primary and secondary publishers. The importance of the distinction is that only a secondary publisher can invoke the defence of innocent dissemination.

The [United Kingdom] Defamation Act 1996 sends mixed signals to service providers regarding their responsibility for what is posted and accessed through their computer systems. On the one hand, any steps taken to exercise a measure of control over the content of Internet communications might be interpreted as inconsistent with being “only involved” as a provider of access to the Internet, as evidence that computer users are not beyond the “effective control” of service providers, or even that service providers exercise editorial control over the messages posted by their users. On the other hand, a laissez faire approach could be interpreted as a lack of reasonable care, particularly when alternatives are available that conceivably could reduce, or limit access to, abusive messages on the Internet.⁴⁰²

267 In Godfrey v Demon Internet Ltd, the judge found that the ISP was not a “publisher” for the purposes of section 1(2) of the United Kingdom statute; accordingly, subsection (a) of the section 1(1) defence was satisfied as Demon was not an author, editor or publisher of the statement complained of. But, the judge struck out the defence because Demon had been asked to remove the offending material and had failed to do so and therefore it could not meet the requirements of section 1(c) of the (UK) Defamation Act 1996.

268 Technological responses will block access to websites with obvious examples of defamatory statements (ie obscene, indecent, abusive or racist content). Software currently used for such purpose include Cyber Patrol, CYBERsitter, Net Nanny and Surfwatch. It is not however feasible, nor desirable, to carry out extensive blocking or monitoring (refer to para 250). Indeed, an ISP could be courting liability if it exercises control over the material accessed by its subscribers. The case of Stratton illustrates that point.⁴⁰³

269 In our view, there is a need for ISPs to be protected through the innocent dissemination defence provided by section 21 of the Defamation Act 1992. While, in ECom 1,⁴⁰⁴ we indicated that an ISP would probably fall within the definition of “processor” and “distributor”, on reflection we tend to the view that the law should be amended to remove any residual doubt. It is not inconceivable that a judge, interpreting those definitions, could come to the view that they did not include an ISP. Accordingly, we recommend that the problem be solved by including in the definition of “distributor” reference to an ISP. Internet Service Providers should then be defined in a separate definition to include providers of the services discussed in para 242.

270 This would be consistent with the approach which we have recommended in relation to ISP liability generally. We recommend an amendment to the Defamation Act 1992 accordingly.