Security Basics mailing list archives

Lies, damned lies and statistics of defamation


From: Craig Wright <Craig.Wright () bdo com au>
Date: Thu, 6 Mar 2008 08:18:00 +1100


Hello All,
I responded separately to a number of people yesterday, but due to volume and having to move office at work I will send 
a generalised response. I apologise to all those people who REALLY deserve an individual response for their heart felt 
replies.

First the statistics - I know stats junkie.
            [1] 65% of responses were positive
            [2] 23% wanted to know what this was about
                        (I will add some detail subsequently)
            [3] 8% Thought me a loon and a nut and told me where to go
                        (to some extent true)
            [4] 4% Were of the "what the hell" variety

First section [1], here I have to say that a few of you manage to bring a tear to the eyes of a grumpy old cynic. I can 
not thank you enough and will not attempt to do more than this (which is not to say that I am avoiding it - just that 
anything I state will undermine your replies).

Section [2]. I was alerted to a number of posts on blogs and peering websites. All of these posts have been removed. 
Here I have to thank the webmasters and others who manage these. I am extremely impressed by the speed these are taken 
down. I give a special thanks to the owner of a site: http://beifo.blogspot.com/. I also offer to him an apology - he 
has taken down his site. He is a masters student at one of my Universities and felt that he could not manage to stop 
people posting things on his site whilst studying. I am REALLY sorry that you decided you had to remove your site because 
of others.

In stating that my credentials are not in order, this is an attack against not only myself, but SANS, the Universities 
I am with and my employer. So when people start to post that my qualifications are "proven to have inconsistencies" or 
that I have "lied and conned my way to those I seem to have" it is an attack against not only myself, but also others.

Section [3]. Well I am a loon a nut and many other things. I will respond to these replies in more detail (which is not 
to detract from [1]). I have not placed responses that are from section [1] but still state I am a loon in this part ;)
- I believe in god, I do not believe in imaginary beings. There is a difference and a belief in god does not detract 
from technical qualifications. I do not evangelise and I respect the rights of others to have their belief.
- Not watching TV does not make me a crack-pot. I am a crack-pot independent of TV. Also TV does not equal being able 
to follow news. I subscribe to ISN (http://www.isn.ethz.ch/news/) and read news online. I would state that not watching 
TV means that I am actually possessed of more knowledge not less of the state of world affairs. What I do not get is 
the latest news of Paris Hilton, Sports based intercessions etc.
- All the info I posted is already available and if I am going to be the victim of identity theft it will not be a 
result of the former post alone.
- A qualification in one subject does not mean that I am incapable of others.
- Yes I am a pompous arrogant a'hole. Thank you for caring. This being truth I will not defend.

Section [4]. If you do not like my posts - set up a filter and delete them. I am sending unsolicited email to a couple 
of you ALL the time as this is the purpose of an email list.

A generalised response to those who think (see [3]) that defamation has nothing to do with security.

In the US, Congress has endorsed legislative protections for intermediaries from liability through defamation with the 
introduction of the Communications Decency Act[1].  In 47 U.S.C. §230, it is unambiguously positioned as regarding 
internet regulation[2] that the act introduced a series of "Good Samaritan provisions" as a part of the 
Telecommunications Act of 1996. This was tested in DiMeo v Max (2007),[3] in which the court found the defendant not 
liable for comments left by third parties on a blog. The plaintiff alleged that the defendant was a publisher of the 
comments hosted on the website but did not allege that the defendant authored the comments on the website or that the 
defendant was an information content provider. Under 47 U.S.C. § 230 (f)(3), the court determined  "the website posts 
alleged in the complaint must constitute information furnished by third party information content providers" and as a 
consequence immunity applied to the forum board operator. The Court upheld the dismissal of the suit.

The act, first passed in 1996[4] and subsequently amended in 1998,[5] has the apparent rationale of minimising Internet 
regulations in order to promote the development of the Internet and safeguard the market for Internet service.  The 
internet has consequently become so essential to daily life that it is improbable that the addition of extra 
legislation would intimidate service providers away from the provision of services at a competitive rate.[6]

In the US, 47 U.S.C. § 230(c)(1) provides a defence for ISPs stating that, "No provider or user of an interactive 
computer service shall be treated as the publisher or speaker of any information provided by another information 
content provider."  This statute would seem[7] to afford absolute immunity from any responsibility. Contrasting the 
DMCA, the ISP or ICP could choose not to do away with material in the event that the ISP or ICP has tangible awareness 
of the defamatory nature of material it is in fact hosting.[8]  Notwithstanding the focal point of this legislation 
having been towards liability for defamation, it has pertained to seemingly unrelated auction intermediaries, including 
eBay.[9]

Inside the European Union, judgments obtained in the courts of one state are enforceable in any other state included 
within the Brussels Convention. If not, a judgment in one state will be enforceable in another only where there is a 
bilateral treaty creating the provision for such reciprocal enforcement between them. Frequently, these treaties add 
formalities surrounding the enforcement process that offer the courts of the jurisdiction in which the defendant is 
situated prudence both as to a decision to enforce, or to what degree. It is consequently vital when deciding on a 
jurisdiction to bring suit to decide if any judgment obtained is enforceable against a defendant who may in effect be 
judgement proof.

Defamation
The first claims in the UK of defamation using e-mail as a means of distribution occurred in the mid 1990's. In one, 
the Plaintiff alleged that the Defendant published a message using a computer system asserting that the Plaintiff had 
been sacked for incompetence. The case did not include the service provider as a defendant. In another and more 
widely publicised case[10], a police officer on complaining to his local branch of a national supermarket chain about 
an allegedly bad joint of meat was dismayed to discover that the store had distributed an e-mail communication to other 
branches of the chain. The subject of the e-mail stated; "Refund fraud -- urgent, urgent urgent". He settled with the 
chain for a substantial sum as damages and an apology in open court from the supermarket management.

This issue has also occurred in the US. Litigation was started against CompuServe[11], an intermediary, as a result of 
assertions made in an electronic newsletter[12].  CompuServe successfully argued that its responsibility was comparable 
to that of a library or a book seller. In Stratton-Oakmont, Inc. v Prodigy Service Co.[13], the plaintiff asserted that 
a communication distributed by an unidentified third party on Prodigy's "Money Talk" anonymous feedback site damaged 
the plaintiff's IPO due to the libellous nature of the message. It was asserted that this resulted in a substantial 
loss.

Prodigy filed a motion for summary judgment. It asserted that the decision in CompuServe[14] applied making them the 
simple distributor of the communication and hence not liable for the substance of the message. The court determined 
that Prodigy was a publisher as they implemented editorial control over the contents of the "Money Talk" site. As the 
editors used screening software to eliminate offensive and obscene postings and used a moderator to manage the site, 
they could be held accountable for the posting of a defamatory statement. Prodigy settled but subsequently 
unsuccessfully attempted to vacate the judgment. The Communications Decency Act (CDA)[15] was subsequently enacted in 
the US to present a defence to intermediaries that screen or block offensive matter instigated by another. The CDA 
presents, inter alia, that the intermediary may not be determined to be the publisher of any matter presented by 
another. Further, an intermediary shall be liable for any deed engaged in "good faith" to limit the spread of "obscene, 
lewd, lascivious, filthy, excessively violent, harassing or otherwise objectionable" materials[16].

Users view the Internet as if it was a telephone service with no enduring record.  E-mails frequently contain imprudent 
declarations and japes.  These communications offer an evidential confirmation absent in a telephone exchange.  Deleted 
e-mail can persist in a variety of locations and forms, including back-up tape or disk, on the ISP and may have been 
forwarded to any number of other people. Any of these are subject to disclosure in litigation[17].

Western Provident v Norwich Union[18] concerned a libel by e-mail. Communications exchanged within Norwich Union by its 
staff libellously concerned Western Provident's financial strength. The case settled at a cost of £450,000 in damages 
and costs. For electronic distributions, the moderators of bulletin boards and Internet service providers are 
implicated only if they exercise editorial control or otherwise know directly of a libellous communication. In Godfrey 
v. Demon Internet[19], Godfrey informed the ISP of the existence of a libellous communication on a site managed by 
Demon. Demon did not act to remove the communication for the period of two weeks that such communications were made 
available on the site. The court asserted that as soon as Demon was alerted to the communication they ought to have 
acted. It was held that:
"The transmission of a defamatory posting from the storage of a news server constituted a publication of that posting 
to any subscriber who accessed the newsgroup containing that posting. Such a situation was analogous to that of a 
bookseller who sold a book defamatory of a plaintiff, to that of a circulating library which provided books to 
subscribers and to that of distributors. Thus in the instant case D Ltd was not merely the owner of an electronic 
device through which postings had been transmitted, but rather had published the posting whenever one of its 
subscribers accessed the newsgroup and saw that posting".[20]

Shevill v Presse Alliance[21] established that in the European Union where an international libel is committed, an 
action for libel may be initiated against the publisher. This may be commenced either in the country that the publisher 
is based or in any other country where the publication was disseminated and where the Plaintiff had experienced damaged 
reputation.  There is little reason to doubt that principles applicable to libel through the press will apply equally 
to computer libel.

Australian defamation laws are complicated by a state based nature in that they differ across each jurisdiction in 
content and available defences. Various Australian state laws include offence provisions for both civil defamation and 
criminal defamation. Civil liability transpires as a consequence of publications that are expected to harm a person's 
reputation and the penalties are monetary. Criminal liability transpires as a consequence of publications that concern 
society, including those with a propensity to imperil the public peace, and penalties in the majority of jurisdictions 
incorporate incarceration. Significant distinctions exist between civil and criminal defamation law in relation to both 
liability and defences.

The Western Australian Supreme Court decided in Rindos v. Hardwick[22] that statements distributed in a discussion list 
can be defamatory and lead to an action. The court thought that it was inappropriate to apply the rules differently to 
the Internet from other means of communications. The court acknowledged the instigator's accountability for defamatory 
proclamations broadcast across a discussion group[23]. The matter of the liability of other participants on the list 
was not considered during the trial.


It is considered unlikely that an ISP would scrutinize all material presented across its network[24] and this may not 
be economically feasible[25]. Mann & Belzley address this through "targeting specific types of misconduct with tailored 
legal regimes"[26]. These regimes would leave the ISP responsible for the defamatory publications of its users where 
they have failed to take reasonable action to mitigate these infringements. The existing law in Australia leaves all 
parties considered to be a "publisher" liable[27]. Cases do exist[28] where ISPs have removed content proactively.

The common law defence of innocent dissemination exists in Australia. Thompson v Australian Capital Television[29] 
demonstrated this when Channel 7 asserted that transmission of a "live" show to the ACT retransmitted from Channel 9 
NSW in effect placed it as a subordinate publisher that disseminated the material of the real publisher devoid of any 
material awareness or influence over the content of the show. They argued that this was analogous to a printer or 
newspaper vendor.

The High Court held that the defence of innocent dissemination is available to television broadcasts as well as printed 
works. In this instance it was held that the facts demonstrated Channel 7 maintained the capacity to direct and oversee 
the material it simulcasts. The show was broadcast as a live program through Channel 7's choice. They chose this format 
in full knowledge that a diffusion of the show would be next to instantaneous. They were further conscious of the 
nature of the show, a "live-to-air current affairs programme"[30] and understood that this program conceded an elevated 
risk of transmitting defamatory material. It was decided by the facts that Channel 7 was not a subordinate publisher on 
this occasion.

The Federal Broadcasting Services Act 1992[31] affords a legislative defence to an ISP or Internet Content Host (ICH) 
that transmits or hosts Internet based content in Australia if they can demonstrate that they were reasonably unaware 
of the defamatory publication. s.91(1) of Schedule 5 to the Broadcasting Services Act[32] grants that a law of a State 
or Territory, or a rule of common law or equity, has no effect to the extent to which the ISP "was not aware of the 
nature of the internet content".

The BSA[33]  defines "internet content" to exclude "ordinary electronic mail". This is a communication conveyed using a 
broadcasting service where the communication is not "kept on a data storage device". Consequently, the s.91 defence 
will not be offered in cases concerning such material. In such cases, an ISP or ICH may still attempt to rely on the 
defence of innocent dissemination. The applicability of the common law defence of innocent dissemination remains to be 
determined by the Australian courts.[34] As a consequence, any reliance on these provisions by an ISP or ICH carries a 
measure of risk.

Harassment
Harassment may occur through all forms of media; the Internet is no exception. Junk mail, sexually offensive e-mails 
and threats delivered through online means (including both e-mail and instant messaging) are all forms of harassment. 
The inappropriate accessing of sexually explicit, racist or otherwise offensive material at the workplace is another 
form of harassment. This includes the sending of unwelcome messages that may contain offensive material to another 
co-worker.

E-mail Crimes and Violations
In reality, e-mail crime is not new. Instead, the Internet has enabled many old crimes to be reborn. Many morally 
violating acts such as child pornography have become far more widespread and simpler due to the ease and reach of 
e-mail. Many traditional crimes such as threats and harassment, blackmail, fraud and criminal defamation have not 
changed in essence, but the ease of e-mail has made them more prevalent.

Chain letter
Chain letters are another form of abuse that has seamlessly migrated from the physical world to cyberspace. A chain 
letter is an e-mail that was sent progressively from e-mail user to e-mail user. It will generally instruct the 
recipient to circulate further copies of the e-mail and usually to multiple recipients. These chain letters often 
promise rewards or spiritual gain if the e-mail was sent and may also threaten loss or harm if the recipient does not 
forward it. Often the authenticity of a chain letter cannot be verified as the header information from the original 
sender has been lost in retransmission.

Mail bombing
Mail bombing is a simple attack that has been around for a long time.  It involves the intentional sending of multiple 
copies of an e-mail to a recipient. The objective is simply to overload the e-mail server. This is achieved by either 
filling the user's inbox so that they cannot access any more mail or flooding the server connections. Flooding server 
connections would be aimed at the general infrastructure whereas flooding an inbox is aimed at an individual. Mail 
bombing is malicious and abusive, even when aimed at an individual to prevent other users from accessing the mail 
server.

Mail storm
A mail storm is a condition that occurs when computers start communicating autonomously. This process results in a 
large volume of junk mail. This may happen innocently through the auto forwarding of e-mails when configured to a large 
number of mailing lists, through automated responses and by using multiple e-mail addresses. Additionally, malicious 
software including the Melissa and ILOVEYOU viruses can result in mail storms. Mail storms interfere with the usual 
communication of e-mail systems.

Identity Fraud
Identity theft is becoming more widespread due to the ease and profitability. This action involves the stealing of 
someone's identity for fraudulent financial gain. It is in effect a larceny. The sending of e-mail offers that are too 
good to be true, fake websites and other forms of phishing are all used to capture an identity. Many groups specialize 
in the capture of information and make financial gains by selling this information to groups who will make illegitimate 
purchases or financial transactions.

Regards,
Dr Craig Wright (GSE-Compliance)

[1] The Communications Decency Act of 1996 (CDA)
[2] 47 U.S.C. § 230(b) (2004) (emphasis added)
"It is the policy of the United States-
(1) to promote the continued development of the Internet and other interactive computer services and other interactive 
media;
(2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive 
computer services, unfettered by Federal or State regulation;
(3) to encourage the development of technologies which maximize user control over what information is received by 
individuals, families, and schools who use the Internet and other interactive computer services;
(4) to remove disincentives for the development and utilization of blocking and filtering technologies that empower 
parents to restrict their children's access to objectionable or inappropriate online material; and
(5) to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and 
harassment by means of computer".
[3] WL 2717865 (3rd Cir. Sept. 19, 2007); See also Fair Housing Council of San Fernando Valley v. Roommates.com, LLC , 
CV-03-09386-PA (9th Cir. May 15, 2007); and Universal Communication Systems, Inc. v. Lycos, Inc. , 2007 WL 549111 (1st 
Cir. Feb. 23, 2007)
[4] 1996, Pub. L. 104-104, Title I, § 509.
[5] 1998, Pub. L. 105-277, Div. C, Title XIV, § 1404(a).
[6] There remains, however, the fear that additional regulation will stifle innovation in the industry.  Would, for 
instance, eBay enter the market as a new company today if it were liable for trademark infringement it facilitated?  
Such liability adds new start-up and ongoing costs that may make some new ventures unprofitable (or even more 
unprofitable).  For an article addressing regulation in this way, see Lemley & Reese.
[7] There is at least the possibility that the statute would permit a State to require intermediaries to act.  See Doe 
v. GTE Corp. 347 F.3d 655 (7th Cir. 2003) (per Easterbrook, J.) (suggesting that Section 230(e)(3) "would not pre-empt 
state laws or common-law doctrines that induce or require ISPs to protect the interests of third parties").
[8] Thus minimising the likelihood of a decision such as Godfrey in the United States.  See supra note 102.
[9] Gentry v. eBay, Inc., 121 Cal. Rptr. 2d 703 (Ct. App. 2002)
[10] As reported in the UK Telegraph by Kathy Marks on the 20th Apr 95. The policeman is quoted: "...If this had got 
out unchecked it could have done me serious professional harm.  I am in a position of extreme trust and there has got 
to be no doubt...that I am 100 percent trustworthy".
[11] Cubby v CompuServe, 776 F.Supp.135 (S.D.N.Y. 1991). Another case, this time involving AOL was that of Kenneth 
Zeran v America On-line Incorporated heard by the United States Court of Appeals for the 4th Circuit (No. 97-1523 which 
was decided in November 1997).  This was a case against AOL for unreasonably delaying in removing defamatory messages.  
The Court in 1st Instance and the Court of Appeal found for AOL.
[12] CompuServe offered an electronic news service named "Rumorville". This was prepared and published by a third party 
and distributed over the CompuServe network.
[13] (NY Sup Ct May 24,1995)
[14] Ibid
[15] Communications Decency Act
[16] The was first made to include those postings even when that material is protected under the US Constitution. This 
has been subsequently amended.
[17] The EU Electronic Commerce Directive (No. 2000/31/EC) has now specifically limited the liability of an ISP to 
where it has been informed of a defamatory posting and has failed to remove it promptly as was the situation in Demon 
Internet. Lawrence Godfrey v Demon Internet Limited (unreported Queens Bench Division - 26th March, 1999)
[18] Western Provident v. Norwich Union (The Times Law Report, 1997).
[19] Godfrey v Demon Internet Ltd, QBD, [1999] 4 All ER 342, [2000] 3 WLR 1020; [2001] QB 201; Byrne v Deane [1937] 2 
All ER 204 was stated to apply.
[20] Godfrey v Demon Internet Limited [1999] 4 All.E.R.342
[21] C.68/93
[22] Rindos v. Hardwicke No. 940164, March 25, 1994 (Supreme Ct. of West Australia) (Unreported); See also Gareth 
Sansom, Illegal and Offensive Content on the Information Highway (Ottawa: Industry Canada, 1995) 
<http://www.ic.gc.ca/info-highway/offensive/offens_e.rtf>.
[23] Ibid, it was the decision of the court that no difference in the context of the Internet News groups and bulletin 
boards should be held to exist when compared to conventional media. Thus, any action against a publisher is valid in 
the context of the Internet to the same extent as it would be should the defamatory remark have been published in say a 
newspaper.
[24] RECORDING INDUSTRY ASSOCIATION OF AMERICA, INC., (RIAA) v. Verizon Internet Services, 351 F.3d 1229 (DC Cir. 
2003); See also Godfrey v Demon Internet
[25] ; Further, in the US, the Digital Millennium Copyright Act's (DMCA's) "good faith" requirement may not require 
"due diligence" or affirmative considerations of whether the activity is protected under the fair-use doctrine.  In 
contrast, FRCP 11 requires "best of the signer's knowledge, information and belief formed after reasonable inquiry, it 
is well grounded in fact and is warranted by existing law.". Additionally, with the DMCA, penalties attach only if the 
copyright owner "knowingly, materially" misrepresents an infringement, so the copyright owner is motivated to not 
carefully investigate a claim before seeking to enforce a DMCA right.
[26] Brown & Lehman (1995) (The paper considers the arguments to creating an exception to the general rule of vicarious 
liability in copyright infringement for ISPs and those that reject this approach), available at 
http://www.uspto.gov/web/offices/com/doc/ipnii/ipnii.pdf.
[27] Thompson v Australian Capital Television, (1996) 71 ALJR 131
[28] See also "Google pulls anti-scientology links", March 21, 2002, Matt Loney & Evan Hansen , www.News.com, Cnet, 
http://news.com.com/2100-1023-865936.html; "Google Yanks Anti-Church Site", March 21, 2002, Declan McCullagh, Wired 
News, http://wired.com/news/politics/0,1283,51233,00.html; "Church v. Google How the Church of Scientology is forcing 
Google to censor its critics", John Hiler, Microcontent News, March 21, 2002, 
http://www.microcontentnews.com/articles/googlechurch.htm; Lawyers Keep Barney Pure, July 4, 2001, Declan McCullagh, 
Wired News, http://www.wired.com/news/digiwood/0,1412,44998,00.html.
[29] See Reidenberg, J (2004) "States and Internet Enforcement", 1 UNIV. OTTAWA L. & TECH. J. 1
[30] Ibid.
[31] <http://scaleplus.law.gov.au/html/pasteact/0/136/top.htm>
[32] s.91(1) of Schedule 5 to the Broadcasting Services Act states:
(i) subjects, or would have the effect (whether direct or indirect) of subjecting, an internet content host/internet 
service provider to liability (whether criminal or civil) in respect of hosting/carrying particular internet content in 
a case where the host/provider was not aware of the nature of the internet content; or
(ii) requires, or would have the effect (whether direct or indirect) of requiring, an internet content host/internet 
service provider to monitor, make inquiries about, or keep records of, internet content hosted/carried by the 
host/provider.
[33] The Broadcasting Services Act specifically excludes e-mail, certain video and radio streaming, voice telephony and 
discourages ISP's and ICH's from monitoring content by the nature of the defense. See also, Eisenberg J, 'Safely out of 
site: the impact of the new online content legislation on defamation law' (2000) 23 UNSW Law Journal; Collins M, 
'Liability of internet intermediaries in Australian defamation law' (2000) Media & Arts Law Review 209.
[34] See also EFA, Defamation Laws & the Internet <http://www.efa.org.au/Issues/Censor/defamation.html>



Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/
