E LAW - MURDOCH UNIVERSITY ELECTRONIC JOURNAL OF LAW
ISSN 1321-9147
Volume 9 Number 1 (March 2002)
Copyright E Law and author
File: mcdonald91.txt
ftp://law.murdoch.edu.au/pub/elaw-issues/v9n1/mcdonald91.txt
http://www.murdoch.edu.au/elaw/issues/v9n1/mcdonald91.html
________________________________________________________________________

ISP Liability in Singapore: Lessons For Canada?

Dan McDonald

Contents

* Singapore's Electronic Transactions Act 1998
* Possible Prosecution under Singapore's Computer Misuse Act Before 1998
* Tort Liability in Common Law Jurisdictions
* The Effect of the Electronic Transactions Act 1998
* Lessons for Canada
* Notes

1. There has been much discussion in Canada over the past few years concerning the liability of Internet Service Providers ("ISP's") for the transmissions of their subscribers, and much of it has highlighted the generally opaque state of the law on this point, often citing the lack of both domestic and otherwise consistent case law. To this end, a relatively recent event in Singapore is instructive.

2. It was almost two years ago that Mr. K.T. Cheng Kang of Singapore decided to express his disappointment with the pace of Singapore's public housing authority in approving his proposed housing-purchase transaction by sending the authority some 7,500 e-mail "reminders." The volume of messages interfered with the authority's mail servers and put it at risk of total collapse. Mr. Kang was eventually convicted and fined under Singapore's Computer Misuse Act 1993, c.50A,[1] which then precipitated much talk of the possibility of an action against the emailbomber's ISP. Fortunately for the emailbomber's ISP, Singapore is one of the few jurisdictions that affords ISP's clear protection, but it was not always this way.

Singapore's Electronic Transactions Act 1998

3.
In 1998 the Singapore Parliament adopted very clear measures aimed at insulating ISP's from both civil and criminal liability under section 10 of the Electronic Transactions Act 1998, c.88:

   10. --(1) A network service provider shall not be subject to any civil or criminal liability under any rule of law in respect of third-party material in the form of electronic records to which he merely provides access if such liability is founded on -
   (a) the making, publication, dissemination or distribution of such materials or any statement made in such material; or
   (b) the infringement of any rights subsisting in or in relation to such material.

   Nothing in this section shall affect -
   (a) any obligation founded on contract;
   (b) the obligation of a network service provider as such under a licensing or other regulatory regime established under any written law; or
   (c) any obligation imposed under any written law or by a court to remove, block or deny access to any material.

   For the purposes of this section -
   "provides access", in relation to third-party material, means the provision of the necessary technical means by which third-party material may be accessed and includes the automatic and temporary storage of the third-party material for the purpose of providing access;
   "third-party", in relation to a network service provider, means a person over whom the provider has no effective control.

4. A fair reading of this section appears not only to cover acts of defamation and intellectual property infringement, but also the activities of the emailbomber's ISP in providing the emailbomber access to an e-mail account, which the emailbomber then used for his own purposes. There was no indication that the emailbomber's ISP's terms of use obligated the emailbomber's ISP in any way to monitor user traffic, nor that it either did so or held itself out to do so.

5.
The importance of this piece of legislation cannot be overstated, because prior to 1998 the prospect of ISP liability under the laws of Singapore was a real one, even for those ISP's that took no measures at all to patrol traffic on their systems. It is illustrative, therefore, to consider the emailbomber's case at Singapore law had the emailbomber's activities occurred prior to the enactment of the Electronic Transactions Act 1998.

Possible Prosecution under Singapore's Computer Misuse Act Before 1998

6. Since the early Nineties, Singapore has had computer malfeasance legislation on the books in the form of the Computer Misuse Act 1993. The Act is a quasi-criminal instrument, attracting fines, imprisonment, or both. Although the Act appears to have been originally aimed at computer hacking,[2] it was amended so as to include an offence under section 7 specifically directed at activities like spamming and mail bombing:

   7.-(1) Any person who, knowingly and without authority or lawful excuse-
   (a) interferes with, or interrupts or obstructs the lawful use of, a computer; or
   (b) impedes or prevents access to, or impairs the usefulness or effectiveness of, any program or data stored in a computer....[3]

7. Even before 1998, however, the mens rea aspect of section 7 would have presented an immediate problem in these circumstances: it was not at all clear that the emailbomber's ISP knowingly prevented the authority from accessing some of its computer resources in forwarding the emailbomber's messages. Quite the contrary: all evidence to date has indicated that the emailbomber's ISP took no measures at all to monitor its e-mail traffic.

8.
Still, knowingly or not, the emailbomber's ISP did facilitate the delivery of the messages, and abetment of any offence under the Act is proscribed by section 10:

   10.-(1) Any person who abets the commission of or who attempts to commit or does any act preparatory to or in furtherance of the commission of any offence under this Act shall be guilty of that offence and shall be liable on conviction to the punishment provided for that offence.

9. Unlike section 7, the offence outlined in section 10 is silent on the requisite intent, if any. While it is a generally accepted principle at common law that intent is an element of every malum in se offence unless there are clear words to the contrary,[4] the problem here is the absence of the word "knowingly" in s.10; the offences listed in sections 6, 7, and 8 all specifically require that the offender commit the offence knowingly. The natural question, then, was whether the emailbomber's ISP must have transferred the emailbomber's messages with the knowledge that the messages were intended to interfere in some way with the authority's access to its computers, or whether the emailbomber's ISP was strictly or absolutely liable for sending the messages voluntarily, in any event.

10. Singapore Parliamentary Debates concerning the Act and its amendments do not discuss the required elements under section 10. Reference is made, however, to ISP's in discussions concerning the introduction of the offence under section 7.[5] While addressing the then existing lacuna in the law with respect to e-mail bombing, it was suggested that victims "have to seek help from other organizations such as the Internet Service Providers (ISPs) in order to seek civil recourse."[6]

11. There is no suggestion anywhere that the operation of section 10 in conjunction with section 7 was intended so as to provide an avenue of attack against ignorant ISP's under section 10.
Further, in addressing the apparent lack of general awareness of the Act and of the offences thereunder, it was submitted that "those who use the computer...will be able to understand the implications of their misdeeds,"[7] indicating that the sanctions are available to address only those actions intended to bring about a proscribed result.

12. At bottom, reading intention out of s.10 so as to catch entities such as ignorant ISP's acting as mere conduits does not appear to be in line with the purpose of the Act. Leaving aside "opening of the floodgates" problems, an interpretation in this vein seems also to run counter to common sense. But despite this, and the ostensibly perverse result that ISP's wishing to avoid attracting sanction under the Computer Misuse Act 1993 prior to 1998 might have been well advised to be and to remain ignorant of the activities of their subscribers, the Computer Misuse Act 1993, and section 10 in particular, speaks to ISP's in no clear way. Absent the protection of the Electronic Transactions Act 1998, the bottom line for all ISP's in Singapore was that prosecution for the acts of their subscribers was a palpable threat.

Tort Liability in Common Law Jurisdictions

13. Quasi-criminal concerns aside, the possibility of a successful and costly tort action also loomed large, there being no legislation preventing such a suit prior to 1998. One concern was so-called "cyber-trespass."
While common law authority on this point is wanting at best in most jurisdictions, in the United States, "[e]lectronic signals generated and sent by a computer have been held to be sufficiently physically tangible to constitute a trespass cause of action."[8] According to Compuserve, "[a]n unprivileged use or other intermeddling with a chattel which results in actual impairment of its physical condition, quality or value to the possessor makes the actor liable for the loss thus caused."[9] "Intermeddling" was defined as '"intentionally bringing about a physical contact with the chattel. The actor may commit a trespass by an act which brings him into intended physical contact with the chattel in the possession of another[.]"'[10]

14. At once, two problems present themselves to persons concerned with the Singapore situation: the authority's implied privilege of consent to the receipt of electronic messages and, again, whether the emailbomber's ISP "intended" the wrong.

15. First, the problem of consent. It is reasonable to assume that by having a connection to the Internet, by engaging in business, and by having an e-mail address, the authority clearly consented to the receipt of electronic messages. At the same time, though, there is little doubt that any implied or express consent extended by a plaintiff may be exceeded by a defendant, thereby constituting trespass.[11] In Compuserve the ISP was suing the defendants for "spamming" its subscribers.[12] On the issue of consent, the court found that the plaintiff notified the defendants that their conduct was not acceptable.[13] Therefore, it can reasonably be said that any implied consent of the authority to receive electronic messages likely did not encompass the e-mail bombing.

16. The question of intent ties in with consent here.
Trespass in these circumstances requires some knowledge that the sent messages exceeded the consent given or implied on the part of the recipient to receive electronic messages.[14] Accordingly, while there is no question that the emailbomber's ISP affirmatively directed the messages to the authority's computer, what needs to be discovered is whether the emailbomber's ISP was aware that it was sending such a large quantity of the same messages (enough that the emailbomber's ISP could be said to have reasonably known that it was exceeding the authority's consent to receive electronic messages), from the same subscriber, to the authority. Given the nature of an ISP's business, it is unlikely that the emailbomber's ISP could be found to have had the requisite intent for trespass unless it was somehow privy to the emailbomber's intentions. Even the most diligent and civic-minded ISP would have a very difficult time sifting through hundreds of thousands, if not millions, of messages and detecting an intention to trespass by one of its subscribers.

17. If not trespass, what about an action for nuisance? Even the apparent flexibility of the law of torts with respect to trespass, at least in the United States, has not yet surfaced with respect to nuisance. As recently as 1997 the House of Lords in Hunter v. Canary Wharf Ltd.[15] reaffirmed the long-standing principle that the essence of a private nuisance action is an interference, generally emanating from a defendant's land, with the use or enjoyment of a plaintiff's land.[16] To be certain, it was noted that '"any...departure from the established law on this subject" would cause uncertainty due to "the problem of defining the category of persons who would have the right to sue."'[17] Together with an action based on negligence, prior to 1998, Rylands v. Fletcher[18] was said to have received significant attention as a possible theory of liability, given its often-cited lack of clearly defined boundaries.
Inventive lawyering notwithstanding, an action against the emailbomber's ISP based on Rylands v. Fletcher strict liability runs into the same problem as a suit in nuisance: lack of any land to speak of. In Cambridge Water Co. Ltd. v. Eastern Counties Leather plc.,[19] the House of Lords made it clear that there can be no liability under this doctrine without some escape from land under the control of a defendant. In at least these instances, the emailbomber's ISP and others in like circumstances were secure, there being reason to suspect that the law would veer from this course into cyberspace.[20]

18. In fact, an action based broadly on negligence principles is generally considered the most favourable route to liability absent legislative constraints, the prickly question in these circumstances then being whether the emailbomber's ISP was negligent in facilitating delivery of the emailbomber's messages. On this point there is much relevant case law that is instructive, though the cases tend to arise mostly in the context of defamation actions. In Zeran v. America Online Inc.,[21] the plaintiff brought an action against the defendant AOL because it "unreasonably delayed in removing defamatory messages posted by an unidentified third party...and failed to screen for similar postings thereafter."[22] Apparently an unidentified person placed several messages defamatory of the plaintiff on a bulletin board via AOL. The plaintiff did notify AOL of the existence of these messages, but the messages remained for some time. It was the plaintiff's position that upon notification, AOL had a duty to the plaintiff to remove the messages as soon as possible.

19.
The court found against the plaintiff on all grounds, ruling that the recently enacted Communications Decency Act[23] created a "federal immunity to any cause of action that would make service providers liable for information originating with a third-party user of the service."[24] Although the actual language of the CDA does not confer such broad protection, the court was of the mind that the purpose and the spirit of the CDA is in synch with such protection:

20. Congress made a policy choice, however, not to deter harmful online speech through the separate route of imposing tort liability on companies that serve as intermediaries for other parties' potentially injurious messages. Congress' purpose in providing the s.230 immunity was thus evident....The amount of information communicated via interactive computer services is therefore staggering. The specter of tort liability in an area would have an obvious chilling effect. It would be impossible for service providers to screen each of their millions of postings for possible problems. Faced with potential liability for each message republished by their services, interactive computer service providers might choose to severely [sic] restrict the number and type of messages posted. Congress considered the weight of speech interests implicated and chose to immunize service providers to avoid any such restrictive effect.[25]

21. Indeed, in the United States innocent ISP's are even allowed a clear defense to claims of negligence at common law. The Court of Appeals of New York in Lunney v. Prodigy Services Co. dismissed a case with very similar facts to Zeran.[26] There, however, the court ruled out negligence while refusing to apply the CDA. The defendant had opened several bogus accounts with Prodigy, and then posted several defamatory messages on one of Prodigy's bulletin boards.
The court ruled that the same privilege afforded to a telephone company concerning the content of its subscribers' communications applies to ISP's, and that although Prodigy exercised some editorial power, "this did not alter its passive character in the 'millions of other messages in whose transmission it did not participate,'...nor [does] this...compel it to guarantee the content of those myriad of messages."[27]

22. As for Prodigy's supposed negligence in permitting the defendant to use a phony account and to post the defamatory messages, the court found no duty at common law on Prodigy's part "to perform investigations on millions of potential subscribers, so as to be guarantors against harmful transmissions." There was, in the court's view, "no justification for such a limitless field of liability."[28]

23. However, a duty may arise where an ISP knows of some harmful activity by one of its subscribers. At least this much is suggested by several defamation and copyright infringement decisions.

24. The American position on ISP liability for subscriber defamation prior to the enactment of the CDA was, generally speaking, that ISP's are akin to bookstores, libraries, and network affiliates: they are treated as mere distributors of information and are not liable for content unless they knew of or should have been aware of harmful content.[29] And the exception proved the rule: in Stratton Oakmont, Inc. v. Prodigy Services Co. the ISP was held to have been a publisher of the defamatory material because the ISP held itself out as having some sort of editorial control, despite the fact that the ISP did not really exercise such control.[30]

25.
By contrast, the English and Canadian position with respect to ISP liability for defamation is significantly less clear than the American position and even places the burden on the defendant: an ISP must show that it is merely a distributor, that it took reasonable care, and that it did not know, nor had reason to know that what it did caused or contributed to the defamation.[31] Under this analysis, it is not fathomable how an ISP can be sure to take reasonable care, which can only be understood as taking active measures unbefitting a mere distributor, and yet remain merely a distributor. With respect to case law concerning violations of intellectual property rights facilitated by ISP's, ISP liability for copyright infringement in the United States is a non-starter where the ISP acts '"more like a conduit."'[32] An ISP must have actual notice of some harmful activity to ground liability. This is significant given that infringers of copyright are usually held strictly liable.[33]

26. As is the pattern, however, this approach is not uniform throughout common law jurisdictions. In Telstra Corp. v. Australasian Performing Right Association[34] the High Court of Australia held a telecommunications service provider liable for copyright infringement because its business customers in turn provided their own customers with unlicensed music while on hold.[35] It did not matter that the provider had no knowledge of the infringement.

The Effect of the Electronic Transactions Act 1998

27. In the final analysis, were the Electronic Transactions Act 1998 never adopted, it simply could not be known whether a Singapore court would require the emailbomber's ISP to have had knowledge of the emailbomber's activities, either in a negligence suit or under the Computer Misuse Act 1993. What relevant case law is available provides no clear answer.
The introduction of the Electronic Transactions Act 1998 brought not only immunity for innocent ISP's such as the emailbomber's ISP, but also legal certainty for all ISP's in Singapore. What is more, it is a solution that best accorded with common sense and reason. Where an ISP remains a passive conduit for thousands, perhaps millions, of subscribers a day, it is unrealistic at best to suppose that a duty to search for and to remove possibly harmful, illegal, or otherwise offensive content ought to be cast upon ISP's who exercise minimal editorial control over their bulletin boards and the like; actual knowledge should be required. Where an ISP acts as a mere conduit for e-mail messages, duty without actual knowledge seems impossible to justify.

Lessons for Canada

28. Singapore, like Canada, is a nation whose economy increasingly depends upon an expanding technological infrastructure, an expansion that demands legal certainty to sustain itself. The confusing state of the law in Singapore concerning ISP liability prior to the enactment of the Electronic Transactions Act 1998 should serve as a warning for Canada and its common law jurisdictions: unless clear and precise legislation is introduced with respect to the exact parameters of ISP liability, every ISP risks possible exposure to liability no matter the nature and the extent of its monitoring activities.

Notes

[1] Mr. Kang received fines totaling 30,000 Singapore dollars.
[2] Singapore Debates, Parliament No. 8, session 1, v.61, sitting No.3, 1993-05-28.
[3] Singapore Debates, Parliament No. 9, session 1, v.69, sitting No.3, 1998-06-30 per Mr. Wong Kan Seng (Minister for Home Affairs).
[4] Sherras v. DeRutzen, [1895] 1 Q.B. 918, 921.
[5] Supra note 3.
[6] Supra note 3.
[7] Supra note 7.
[8] Compuserve, Inc. v. Cyber Promotions, Inc. and Sanford Wallace, http://www.jmls.edu/cyber/cases/cs-cp2.html (SD Ohio 1997) [hereinafter Compuserve] at para. 22.
[9] Ibid. at para. 24.
[10] Ibid. at para. 21.
[11] Ibid.
at para. 28.
[12] Defendants were in the business of sending unsolicited advertisements; in sending voluminous e-mail messages to thousands of CompuServe subscribers, the defendants slowed the ISP's systems to a considerable extent, resulting in long delays for CompuServe subscribers who wanted to access their accounts.
[13] CompuServe, supra note 8 at para. 28.
[14] CompuServe, supra note 8 at para. 29. See also S. Macpherson, "Spam, Spamming and the Law" http://www.mcgrigors.com/publications/technology/pub_01.html.
[15] 2 All ER 426.
[16] See J. Clerk & W. Lindsell, Clerk & Lindsell on Torts, 3rd Cumulative Supplement, 17th ed. (London: Sweet & Maxwell, 1998) at 107, 110.
[17] Ibid. at 110, quoting from Lord Goff of Chieveley.
[18] (1866), LR 1 Ex 265, LR HL 330.
[19] [1994] 1 All ER 53.
[20] See C. Gringras, The Laws of the Internet (London: Butterworths, 1997) at 81.
[21] 129 F.3d 327 (4th Cir. 1997) [hereinafter Zeran] http://laws.lp.findlaw.com/4th/971523P.html.
[22] Ibid. at para. 1.
[23] 47 U.S.C. § 230 [hereinafter CDA].
[24] Zeran, supra note 21 at para. 3, 4.
[25] Zeran, supra note 21 at para. 5.
[26] 99 NY Int. 0165 http://legal.web.aol.com/decisions/dldefam/lunneyappeal.html.
[27] Ibid. at para. 15.
[28] Ibid. at para. 16.
[29] See Cubby, Inc. v. CompuServe, Inc., 776 F.Supp. 135 (S.D.N.Y. 1991) http://www.epic.org/free_speech/cubby_v_compuserve.html and Stratton Oakmont, Inc. v. Prodigy Services Co., 1995 WL 805178 (N.Y. Sup. Ct.) http://www.jmls.edu/cyber/cases/strat1.html.
[30] Ibid.
[31] Godfrey v. Demon Internet Ltd., [1999] EWJ No. 1226 (Q.B.) considering the English Defamation Act 1996 http://www.cyber-rights.org/documents/godfrey_decision.htm. Note that this position has been essentially adopted in Canada: Hill v. Church of Scientology, [1995] 2 S.C.R. 1130.
[32] See K. Epstein and B.
Tancer, "Enforcement of Use Limitations by Internet Service Providers: 'How to Stop that Hacker, Cracker, Spammer, Spoofer, Lamer, Emailbomber,'" (1997) 19 COMM-ENT 661 at 673. Note that this is essentially the basis for ISP liability under the recently passed Digital Millennium Copyright Act, Pub. L. No. 105-304, 112 Stat. 2860, 2887 (title IV amending §§108, §§112, §§114, chapter 7 and chapter 8, title 17, United States Code), enacted October 28, 1998.
[33] Ibid.
[34] (1997), 146 ALR 649 http://www.austlii.edu.au/au/cases/cth/high_ct/unrep338.html.
[35] See generally D. Asmus, "Service Provider Liability: Australian High Court Gives the World a First-Should the United States Follow Suit?" (1998) 17 Dickinson Journal of Int'l Law 189.