Tuesday, May 26, 2009

Mulvaney v. Betfair - High Court holds that hosting defence is available to chatroom operators

Can a chatroom operator rely on the hosting defence under the E-Commerce Directive? In the first Irish case to consider the scope of the Directive and the Irish implementing Regulations the High Court has held that the answer is yes - an answer which may have significant implications for Irish sites hosting other types of user generated content.

The case - Mulvaney v. The Sporting Exchange (trading as Betfair) - involved plaintiffs who claimed to have been defamed by material posted on a Betfair chatroom by Betfair clients. The plaintiffs brought proceedings against the posters themselves and also against Betfair as the operator of the chatroom, claiming that Betfair was therefore liable as a publisher of the defamatory statements.

Betfair sought to rely on the hosting defence in Article 14 of the E-Commerce Directive as implemented by Regulation 18 of the implementing Regulations. Two issues therefore arose: whether Betfair could rely on this defence notwithstanding the gambling exclusion in the Directive / Regulations, and whether in relation to the chatroom Betfair could be said to be a host.

As regards the gambling issue, the court took the view that whether or not Betfair's main function (as a betting exchange) was covered by the exclusion, the chatroom was not directly connected with that activity and as such it could be treated as a distinct activity for the purposes of the Directive.

The court then considered whether Betfair could be considered to be a host in respect of the chatroom, or more precisely whether it was an "intermediary service provider who provides a relevant service consisting of the storage of information provided by a recipient of the service". Here the court relied on Bunt v. Tilley to hold that Betfair was an "intermediary service provider" and, in a remarkably short ruling, held that it fell within the hosting defence:
5.10 Betfair submitted that, in the present case, it is the third parties who provided the information in question, i.e. the allegedly defamatory comments, and that Betfair stored this information on its servers that hosted the Chatroom. Betfair submitted that this service was provided at a distance by electronic means and at the individual request of the recipient of the service. It is submitted by Betfair that it, therefore, acted as "hosts" of that information for the purposes of Regulation 18 of the 2003 Regulations.

5.11 At Recital 20, the E-Commerce Directive states that:-
“The definition of 'recipient of a service' covers all types of usage of information society services, both by persons who provide information to open networks such as the Internet and by persons who seek information on the Internet for private of professional reasons.”

5.12 It seems to me that this provision clearly covers such use of the services provided by the defendant as was made by the third parties in these proceedings. Furthermore, at Recital 18 of the E-Commerce Directive, it is provided, inter alia, that:-
"Information society services span a wide range of economic activities which take place on-line; these activities can, in particular, consists of selling goods on-line; activities such as the delivery of goods as such or the provision of service off-line are not covered; information society services are not solely restricted to services giving rise to on-line contracting but also, in so far as they represent an economic activity , extend to services which are not remunerated by those who receive them, such as those offering on-line information or commercial communications, or those providing tools allowing for search, access and retrieval of data; information society services also include services consisting of the transmission of information via a communication network, in providing access to a communication network or in hosting information provided by a recipient of the service."
5.13 There is no case law dealing directly with the question of whether Regulation 18 covers the provision of Chatroom facilities. However the E-Commerce Directive appears to apply to chatrooms if they are hosting information provided by a recipient of the service and available to other users of the service. In addition, the corresponding Article to Regulation 18 (i.e. Article 14), has been recognised in the Report from the Commission to the European Parliament on the application of the E-Commerce Directive, where at page 12 , it states:-
"In particular, the limitation on liability for hosting in Article 14 covered different scenarios in which third party content is stored apart from the hosting of websites, for example, also bulletin boards or 'chatrooms'."
5.14 As the service provided by Betfair, through its Chatroom, clearly falls within the meaning of "relevant service" as defined by the 2003 Regulations, it follows that Betfair, in providing this service, is a "relevant service provider" and so an "intermediary service provider" within the meaning of the 2003 Regulations. Betfair is, therefore, entitled to the benefits of Regulations 15 and 18 of the 2003 Regulations.

6. Conclusions

6.1 ... For the reasons which I have just sought to analyse, I am also satisfied that the provision of a chatroom service comes within the definition of an intermediary service provider contained in the 2003 Regulations, and that the provision of that service to its subscribers by Betfair constitutes the provision of a relevant service consisting of the storage of information provided by a recipient of the service within the meaning of the same Regulations.

6.2 If follows that Betfair are, in principle, entitled to the protection of the E-Commerce Directive in these proceedings. In order to be able, successfully, to defend the proceedings on that basis it is, of course, also necessary that Betfair be able to establish, as a matter of fact, in each individual case, that the conditions concerning knowledge and expeditious action set out in subparas (a) and (b) of Article 14 of the E-Commerce Directive are met. Whether that can be established on the facts of this case is a matter which did not arise on this preliminary hearing and will fall to be determined at the trial.
This conclusion - that chatroom operators are hosts as regards user comments - appears to me to be correct, but the underlying reasoning is rather scanty. (I should say that this is not a criticism of the judge, who can only decide on the arguments raised by the parties.)

There's no discussion, for example, of the fact that the chatroom was subject to terms of use and was (apparently) moderated by Betfair - a surprising oversight, considering that it might have been the basis for an argument that the posters were acting under the control of Betfair which, if successful, would have ruled out the hosting defence. (See e.g. the analysis of Lilian Edwards in respect of eBay's "control" over its users.)

Equally, there's no reference to the related argument that the hosting defence is intended to cover purely technical (and essentially passive) storage of information, and is lost when a provider exercises a greater degree of control over the information which users provide. Goldstone and Gill, for example, suggest that:
The recitals to the Directive are narrow in scope and state, for example, that the activities to which the exemptions apply are 'limited to the technical process of operating and giving access to a communication network' and are of a 'mere technical, automatic and passive nature'. The recitals do not suggest that the Directive intended the hosting defence also to apply to storage of information by Web site operators such as UGC Web sites.
Whether correct or not, it is remarkable that this argument doesn't appear to have been made in this case.

Finally, there's no reference to the cases in other jurisdictions which have challenged the scope of the Article 14 hosting immunity. (Lilian Edwards has some examples here and more recently here.)

Consequently, although this decision will give some comfort to Irish chatroom operators, it shouldn't be given too much weight and is unlikely to be the last word on the scope of the hosting defence in Ireland. We may have to wait for a more fully reasoned judgment (or guidance from the ECJ) before we can definitively say what rules apply to Irish sites which host user generated content.

For more on this decision see A&L Goodbody | Olswang | Sunday Business Post.

Friday, May 15, 2009

Transparency in overseeing state surveillance: How not to do it

Under Irish law a designated High Court judge (currently Mr. Justice Iarfhlaith O'Neill) is assigned to oversee the operation of telephone tapping and data retention. Unfortunately, the annual reports of the designated judges are not exactly models of transparency. Here's the most recent example - all three paragraphs of it:

I'll be writing more about Irish law in this area shortly: stay tuned. (Or should I say "keep listening"?)

Edited to add: The Sunday Times has now picked up on this issue.

Tuesday, May 05, 2009

UCD Launches MSc In Digital Investigation

Shameless plug ahead - I'm happy to say that I will be teaching next year on a new course offered by the UCD School of Computer Science and Informatics, the MSc in Digital Investigation. This is essentially a civilian counterpart to the successful MSc in Forensic Computing and Cybercrime which is restricted to police officers. Full details on the course site, but here's a brief outline:
This programme is aimed at information security professionals who need to acquire skills for investigation of computer-related incidents. It introduces the concepts, principles, and professional practice in digital investigation. The programme is delivered in cooperation with the leading Irish experts in the field.

Programme Structure

This is a two-year part-time course. The first three semesters of the course, are made up of six examinable modules, which cover all areas of investigative expertise from legislation and forensic analysis techniques to presentation of investigation results in the court of law:

* Computer Forensics Foundations
* Law for IT Investigators
* Application Forensics
* Investigative Techniques
* Corporate Investigations
* Information Security

The fourth semester of the course comprises an individual research project on a real-world topic in digital investigation.

Friday, May 01, 2009

IWF Annual Report: Wikipedia blocking and more

The Internet Watch Foundation has just issued its 2008 Annual Report (PDF) where it offers this defence of its role in the Wikipedia blocking saga, along with an indication that it will review its procedures in light of this case:
Wikipedia on the IWF list

In December our hotline received a report regarding an indecent image of a pre-pubescent girl on a Wikipedia page. The image was assessed according to current UK legislation, in accordance with the UK Sentencing Guidelines Council thresholds (see page 8, Figure 5) and was considered to be potentially illegal.

Our procedures require us to pass details of every URL considered to be in breach of UK legislation to law enforcement and hotline associates around the world for further investigation, in accordance with the laws in the hosting country. If the URL is hosted outside the UK, it is also added to our URL list which is provided to companies in the online sector that have voluntarily committed to blocking access to these URLs to help protect their customers from inadvertent exposure to indecent images of children online.

These procedures and policies are approved by our Board of Trustees and Funding Council, and our hotline systems, security and processes, including the handling of the URL list, are periodically audited by external independent inspectors, including forensic, academic and law enforcement professionals identified by our Board.

In this particular case there was an unforeseen technical side-effect of blocking access to the Wikipedia page in question. Due to the way some ISPs block, users accessing Wikipedia from these ISPs appeared to be using the same IP address. This undermined the way Wikipedia controls vandalism therefore anonymous UK Wikipedia users were blocked from editing.

Following representations from Wikipedia the IWF invoked its Appeals Procedure. This entails a review of the original decision with law enforcement officers. They confirmed the original assessment and this information was conveyed to Wikipedia. Due to the public interest in this matter our Board closely monitored the situation and, once the appeals process was complete, they convened to consider the contextual issues involved in this specific case. IWF’s overriding objective is to minimise the availability of indecent images of children on the internet, however, on this occasion our efforts had the opposite effect so the Board decided that the webpage should be removed from the URL list.

As a learning organisation we are committed to improving our services so issues raised by this incident will be addressed, in collaboration with our industry partners, in the year ahead. (p.9)
My take? The Wikipedia debacle created a number of fundamental challenges for the IWF in relation to its reputation, procedures and legitimacy, as well as undermining the technical claims for the efficacy of internet filtering. This IWF response offers the possibility that they will address these issues - but it remains to be seen whether the outcome will be (possibly modified) business as usual or whether there will be a fundamental rethink of the IWF's role in internet filtering.

Incidentally, the annual report is also interesting in that it signals a move towards tackling child pornography by targeting a new type of intermediaries - by seeking to have domain name registries delist domain names involved in the sale of child pornography. This follows a trend I've noted before - towards domain name registrars / registries becoming the new points of control for regulators.