© 2001 Jeremy Malcolm
The title of this presentation is "Ten things ISPs don't know about the law". That might be a somewhat patronising title, since I have no doubt that most of you will know at least some of these ten things, and some of you may even know all of them. But I've called the paper by that name because when speaking with clients and colleagues of mine in the Internet industry, they will occasionally come out with something that they are totally convinced about, that is totally wrong. Some of these things I hope to clarify this morning.
Giving your customers Web space can be a dangerous thing to do. If they breach someone else's copyright and you know about it, or can be taken to have authorised it, you can be liable for breach of copyright just the same as them. This is not quite as bad as it was a year ago, because the law has changed in ISPs' favour - they are no longer liable for copyright infringements that they didn't know about - but it's still a significant worry.
Apart from copyright infringements, you can also be found liable for defamation, infringement of securities regulations, racial vilification, publication of restricted material, and a pile of other civil and criminal wrongs, depending on the degree of your knowledge or involvement in the material your customers put up.
There are some things that you can do to manage your potential liability, but using a disclaimer is not usually one of them. The reason is that most people won't visit the ISP's home page before visiting the customer's site, and so they won't even see the disclaimer. And if you can't see a disclaimer, it doesn't affect you. That may be fairly obvious, but it is a mistake that has been made before.
Parenthetically, something else I noticed when looking through the disclaimers on ISPs' Web sites is that most of them have copied their disclaimers word for word from the same source. That is something else you can be liable for; it's a breach of copyright. So the bottom line is, be careful about what you put on the Web, whether it's on your own site or on a customer's Web page.
A domain name isn't an intellectual property right. You can register the domain name bonzaweb.com.au but that isn't to stop one of your competitors from calling themselves Bonzaweb also. Even registering a business name doesn't give you ownership of that name, which is something that not many people realise.
For you to own a domain name or business name, it has to be a trademark. Now if you use a name for a reasonable period of time in a reasonably wide geographical area, you may be able to protect it as a trademark even without registering it. The law does recognise unregistered trade marks and it does provide them with some protection. This might be all you require.
However there is much more security in having a registered trademark. A registered trademark will be examined by a trade mark officer who will be able to tell you for sure whether or not your name is able to be protected against other people using it. If it can, the procedure for responding to infringements of your mark is much simpler than if the mark is unregistered.
When you register a trademark, you won't be granted the right to use the name in every circumstance, only in the area that you are actually using it. So for example, if you sell a brand of powdered milk, you could probably call it Microsoft without being sued. (But don't count on that.)
At the moment there is literally no law against spam. There are laws that may prevent you from saying particular things in spam, for instance last year someone was convicted in Australia for sending spam about investment products which did not comply with securities laws. But the fact that the information was sent in the form of spam was only a side issue there.
From December this year, there will be limited protection against spam originating from businesses that are caught by the provisions of the new Privacy Act amendments. Essentially if you have collected personal information from someone for a legitimate purpose, you are permitted to use that same information to spam them but you have to give them an opportunity to opt out of any future mailings. You may also be limited by the Privacy Act in your ability to harvest email addresses for the primary purpose of sending spam.
Unfortunately these provisions are fairly weak. Speaking for myself, if I had to opt out of every spam email I received, it would hardly make a dent in the constant flow of them that I receive. Even if the Privacy Act amendments were stronger, they will initially only apply to organisations with a turnover of more than $3M. Businesses whose primary purpose is to profit from the handling of personal information are required to comply with the Privacy Act no matter what their turnover is, and this would extend the reach of the amendments to include some direct marketing firms, but even so, there is not much protection against spam here.
The best that can be said is that third party relay probably is against the law, because there is some support for the argument that it is a form of hacking into your mail server. Apart from that, though, spam is unfortunately an area in which the law currently lags behind the expectations of the Internet community.
Why would an ISP in Perth be liable for something that Fred Bloggs in Queensland, or America, says on alt.sex.fetish.custard? Well it could happen, because it did in fact happen in England in a now notorious case. Someone who had noticed a forged article posted in his name contacted his Internet provider and asked them to remove the article. They didn't remove it until it expired automatically about ten days later. The gentleman in question sued them, and he won. This was despite the fact that the article didn't originate on the ISP's server and that thousands of articles passed through their news server every hour.
This is widely regarded as an absurd decision but there is no reason in principle why it would not be the law in Australia as well if similar circumstances applied. An interesting point is that if you don't know about the material you can't generally be held responsible for it, which is why if you have a discussion board on your Web site, it is ironically better for it to be unmoderated rather than moderated, from a liability angle.
The British decision that I mentioned was appealed, but unfortunately the appeal was settled out of court so the law as it stands, at least in England, is that ISPs do have to take down any material hosted by them that is defamatory of a third party. If you receive a request to take down any material from your news server or Web site, take it seriously, and talk to a lawyer if you're in doubt about whether the material could be defamatory or not.
Actually, DoS attacks are not yet illegal, unless they are caused by means of a hacker obtaining unauthorised access to data stored on a computer. However there is an Act of Parliament soon expected to be passed which will also criminalise unauthorised impairment of electronic communications. The purpose of this new statute is to cover a broader range of hacker attacks than are presently recognised by the law, such as Distributed Denial of Service attacks, whereby the hacker doesn't actually break into the computer system or network that is being attacked, but merely intentionally disrupts it.
There have been some concerns raised by civil libertarians that the effect of the Act will be too broad, especially because the investigation and enforcement powers of the authorities are quite significant. There is the prospect that ISPs themselves could, in some circumstances, accidentally fall foul of the law, although it is questionable whether that would ever result in a prosecution.
All in all though, from an ISP's point of view, these amendments will have the desirable effect that if your network is the subject of a denial of service attack and you or the police can track down who is responsible, the law will soon be able to back you up. So that is at least one good thing that ISPs don't know about the law!
Depending on your point of view, this may be another good thing about the law. I've heard a few ISPs say that they don't accept on-line signups because they are not enforceable in court. That's nonsense, they are enforceable. In fact almost any agreement that is valid in writing with a signature is also valid if it's made over the phone or on-line or on a handshake. So if you don't accept signups online, you can't blame the legal system for that decision!
On the other hand, there are actually some good reasons why you might not want to accept signups online. The main reason is evidence. It is easier to prove that a customer has agreed to your terms and conditions if you have a signed document to prove it. It is also a good idea for both parties to have a written record of exactly what has been agreed to. If you simply have a signup form on your Web site, there is every chance that it has gone through a number of revisions. Having a signed copy is a way of proving which revision applies.
There is no reason in principle however why an electronic solution couldn't be applied to overcome the same problems that we use signed agreements for. Even the Government is accepting electronic forms and digital signatures now, in some circumstances. So you can do without a written signup form if you are aware of the factors involved. The decision is more of a business and a practical one, rather than being something that the law dictates.
Something that surprisingly few people know is that children are legally incapable of entering into contracts, except for contracts for things they need to survive. Or to be more precise, the child can enforce a contract against you, but you can't enforce the contract against the child. And for legal purposes, a child is anyone under 18. So if you have any customers on your system who are under 18 years of age, you are in danger of losing out if the customer doesn't pay, or breaches your acceptable use policy.
The solution, which many but not all ISPs follow, is to make sure a parent or guardian signs off on any Internet account. My advice is that you follow that religiously. It is also a good idea from a liability angle, in case the child stumbles across something online that their parents don't approve of. If you have offered the parents the option of using content filtering software - which is something you have to offer by law - then they can't have any comeback against you.
This is something that all ISPs are supposed to know, because the Australian Communications Authority sent out a letter to all ISPs in Australia telling them about it. If you are not careful with wireless networking, you might find you are required to take out a carrier licence, and carrier licences are quite expensive, as some people in this room will know.
A carrier licence isn't required if you are just connecting a client to your own Internet service (depending on the equipment you use). In general terms a carrier licence is only required when connecting a client and a third party directly, without your Internet service in between the two, or when you are using carrier-class equipment.
An example might be if you had a client that wanted to communicate with one of its own clients or suppliers over a wireless link. Technically, it might just involve sticking an antenna in two office windows, but as easy as that is, you're not allowed to do it. What you can do is connect them via wireless with your network, and connect your network via wireless with the other party. That might work fine, or it might completely defeat the purpose, depending on what the topology of the networks is like.
If you do need to connect two third parties directly, and you don't want to shell out for the cost of a carrier licence, there is the prospect of subcontracting out that part of the work to someone who does have a carrier licence. That's probably easy enough in the circumstances, as long as you're aware of the necessity to do so.
With the recent terrorist acts in the USA, the liability of ISPs for illegal activity being carried out on their networks has come into the headlines again. Essentially ISPs can be required by law to intercept any communications that take place across their network. Not only do they have to do this, but they have to do it at their own cost. Not knowing how to do it is no excuse; if you don't know, you have to learn.
The kinds of information that you may be required to give to a law enforcement agency include details of the identity of a user of your network, details of their Internet sessions, logs of their activity on the network and in some cases copies of the actual data transmitted. The organisations you can be required to provide it to include ASIO, the ACCC, the TIO, the Australian Communications Authority and the Federal Police.
If you don't want to have to disclose this kind of information about your customers, consider encouraging them to use encryption, because you are only required to provide the information to law enforcement authorities in the form it is in when it reaches your network, and that might be in encrypted form. You can't get around disclosing the information by encrypting it yourself, though.
Indemnity is a word that doesn't mean as much to ISPs as it should. Because ISPs can become liable for so much of what their clients do, including breaches of copyright, defamation, hacking and so on, it's only fair that the customers should have to reimburse the ISP for any of that liability. And not only for the liability itself, but also for any consequential losses or costs, such as legal costs, that the ISP has to incur as a result of the customer's wrongdoing.
You may not be able to recover all those sorts of costs unless you have an agreement by your customers to indemnify you for any losses you suffer arising out of any network abuses they commit. I spent an hour or so looking through the signup agreements of most of the ISPs who are WAIA members, and although some of them do contain an indemnity from the user, a large proportion of them don't.
If you do not have an indemnity from your customer, you can probably still sue them, depending on what it is they have done, but you can't also recover your costs unless this is covered by an agreement they have made with you. Customers can't really complain about being required to indemnify their ISP for their own actions, and it might give them another reason to act responsibly online. So I would recommend any ISP that doesn't have an indemnity clause in its signup agreement to add one.
Hopefully one or more of the ten points I've made have been helpful to some of those in attendance today. Compared to many other industries, the law that affects ISPs is not especially complicated, but it does cover a range of different areas and it is hard for people in business to keep a handle on all of them. If you have any important questions that I haven't covered, or if there are any questions on what I have, I would be very happy to try to answer them.