Security Basics mailing list archives
Lies, damned lies and statistics of defamation
From: Craig Wright <Craig.Wright () bdo com au>
Date: Thu, 6 Mar 2008 08:18:00 +1100
Hello All,

I responded separately to a number of people yesterday, but due to volume and having to move office at work I will send a generalised response. I apologise to all those people who REALLY deserve an individual response for their heartfelt replies.

First the statistics - I know, stats junkie.

[1] 65% of responses were positive
[2] 23% wanted to know what this was about (I will add some detail subsequently)
[3] 8% Thought me a loon and a nut and told me where to go (to some extent true)
[4] 4% Were of the "what the hell" variety

First section [1], here I have to say that a few of you managed to bring a tear to the eyes of a grumpy old cynic. I cannot thank you enough and will not attempt to do more than this (which is not to say that I am avoiding it - just that anything I state will undermine your replies).

Section [2]. I was alerted to a number of posts on blogs and peering websites. All of these posts have been removed. Here I have to thank the webmasters and others who manage these. I am extremely impressed by the speed these are taken down. I give a special thanks to the owner of a site: http://beifo.blogspot.com/. I also offer to him an apology - he has taken down his site. He is a masters student at one of my Universities and felt that he could not manage to stop people posting things on his site whilst studying. I am REALLY sorry that you decided you had to remove your site because of others.

In stating that my credentials are not in order, this is an attack against not only myself, but SANS, the Universities I am with and my employer. So when people start to post that my qualifications are "proven to have inconsistencies" or that I have "lied and conned my way to those I seem to have" it is an attack against not only myself, but also others.

Section [3]. Well, I am a loon, a nut and many other things. I will respond to these replies in more detail (which is not to detract from [1]).
I have not placed responses that are from section [1] but still state I am a loon in this part ;)

- I believe in god, I do not believe in imaginary beings. There is a difference and a belief in god does not detract from technical qualifications. I do not evangelise and I respect the rights of others to have their belief.
- Not watching TV does not make me a crack-pot. I am a crack-pot independent of TV. Also TV does not equal being able to follow news. I subscribe to ISN (http://www.isn.ethz.ch/news/) and read news online. I would state that not watching TV means that I am actually possessed of more knowledge not less of the state of world affairs. What I do not get is the latest news of Paris Hilton, Sports based intercessions etc.
- All the info I posted is already available and if I am going to be the victim of identity theft it will not be a result of the former post alone.
- A qualification in one subject does not mean that I am incapable of others.
- Yes I am a pompous arrogant a'hole. Thank you for caring. This being truth I will not defend.

Section [4]. If you do not like my posts - set up a filter and delete them. I am sending unsolicited email to a couple of you ALL the time as this is the purpose of an email list.

A generalised response to those who think (see [3]) that defamation has nothing to do with security.

In the US, Congress has endorsed legislative protections for intermediaries from liability through defamation with the introduction of the Communications Decency Act[1]. In 47 U.S.C. §230, it is unambiguously positioned as regarding internet regulation[2] that the act introduced a series of "Good Samaritan provisions" as a part of the Telecommunications Act of 1996. This was tested in DiMeo v Max (2007),[3] in which the court found the defendant not liable for comments left by third parties on a blog.
The plaintiff alleged that the defendant was a publisher of the comments hosted on the website but did not allege that the defendant authored the comments on the website or that the defendant was an information content provider. Under 47 U.S.C. § 230 (f)(3), the court determined "the website posts alleged in the complaint must constitute information furnished by third party information content providers" and as a consequence immunity applied to the forum board operator. The Court upheld the dismissal of the suit.

The act, first passed in 1996[4] and subsequently amended in 1998,[5] has the apparent rationale of minimising Internet regulations in order to promote the development of the Internet and safeguard the market for Internet service. The internet has consequently become so essential to daily life that it is improbable that the addition of extra legislation would intimidate service providers away from the provision of services at a competitive rate.[6]

In the US, 47 U.S.C. § 230(c)(1) provides a defence for ISPs stating that, "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." This statute would seem[7] to afford absolute immunity from any responsibility. Contrasting the DMCA, the ISP or ICP could choose not to do away with material in the event that the ISP or ICP has tangible awareness of the defamatory nature of material it is in fact hosting.[8] Notwithstanding the focal point of this legislation having been towards liability for defamation, it has pertained to seemingly unrelated auction intermediaries, including eBay.[9]

Inside the European Union, judgments obtained in the courts of one state are enforceable in any other state included within the Brussels Convention. If not, a judgment in one state will be enforceable in another only where there is a bilateral treaty creating the provision for such reciprocal enforcement between them.
Frequently, these treaties add formalities surrounding the enforcement process that offer the courts of the jurisdiction in which the defendant is situated prudence both as to a decision to enforce, or to what degree. It is consequently vital when deciding on a jurisdiction to bring suit to decide if any judgment obtained is enforceable against a defendant who may in effect be judgement proof.

Defamation

The first claims in the UK of defamation using e-mail as a means of distribution occurred in the mid 1990's. In one, the Plaintiff alleged that the Defendant published a message using a computer system asserting that the Plaintiff had been sacked for incompetence. The case did not include the service provider as a defendant.

In another and more widely publicised case[10], a police officer on complaining to his local branch of a national supermarket chain about an allegedly bad joint of meat was dismayed to discover that the store had distributed an e-mail communication to other branches of the chain. The subject of the e-mail stated: "Refund fraud -- urgent, urgent urgent". He settled with the chain for a substantial sum as damages and an apology in open court from the supermarket management.

This issue has also occurred in the US. Litigation was started against CompuServe[11], an intermediary, as a result of assertions made in an electronic newsletter[12]. CompuServe successfully argued that its responsibility was comparable to that of a library or a book seller.

In Stratton-Oakmont, Inc. v Prodigy Service Co.[13], the plaintiff asserted that a communication distributed by an unidentified third party on Prodigy's "Money Talk" anonymous feedback site damaged the plaintiff's IPO due to the libellous nature of the message. It was asserted that this resulted in a substantial loss. Prodigy filed a motion for summary judgment.
It asserted that the decision in CompuServe[14] applied making them the simple distributor of the communication and hence not liable for the substance of the message. The court determined that Prodigy was a publisher as they implemented editorial control over the contents of the "Money Talk" site. As the editors used screening software to eliminate offensive and obscene postings and used a moderator to manage the site, they could be held accountable for the posting of a defamatory statement. Prodigy settled but subsequently unsuccessfully attempted to vacate the judgment.

The Communications Decency Act (CDA)[15] was subsequently enacted in the US to present a defence to intermediaries that screen or block offensive matter instigated by another. The CDA presents, inter alia, that the intermediary may not be determined to be the publisher of any matter presented by another. Further, an intermediary shall be liable for any deed engaged in "good faith" to limit the spread of "obscene, lewd, lascivious, filthy, excessively violent, harassing or otherwise objectionable" materials[16].

Users view the Internet as if it was a telephone service with no enduring record. E-mails frequently contain imprudent declarations and japes. These communications offer an evidential confirmation absent in a telephone exchange. Deleted e-mail can persist in a variety of locations and forms, including back-up tape or disk, on the ISP and may have been forwarded to any number of other people. Any of these are subject to disclosure in litigation[17].

Western Provident v Norwich Union[18] concerned a libel by e-mail. Communications exchanged within Norwich Union by its staff libellously concerned Western Provident's financial strength. The case settled at a cost of £450,000 in damages and costs.
For electronic distributions, the moderators of bulletin boards and Internet service providers are implicated only if they exercise editorial control or otherwise know directly of a libellous communication. In Godfrey v. Demon Internet[19], Godfrey informed the ISP of the existence of a libellous communication on a site managed by Demon. Demon did not act to remove the communication for the period of two weeks that such communications were made available on the site. The court asserted that as soon as Demon was alerted to the communication they ought to have acted. It was held that:

"The transmission of a defamatory posting from the storage of a news server constituted a publication of that posting to any subscriber who accessed the newsgroup containing that posting. Such a situation was analogous to that of a bookseller who sold a book defamatory of a plaintiff, to that of a circulating library which provided books to subscribers and to that of distributors. Thus in the instant case D Ltd was not merely the owner of an electronic device through which postings had been transmitted, but rather had published the posting whenever one of its subscribers accessed the newsgroup and saw that posting".[20]

Shevill v Presse Alliance[21] established that in the European Union where an international libel is committed, an action for libel may be initiated against the publisher. This may be commenced either in the country that the publisher is based or in any other country where the publication was disseminated and where the Plaintiff had experienced damaged reputation. There is little reason to doubt that principles applicable to libel through the press will apply equally to computer libel.

Australian defamation laws are complicated by a state based nature in that they differ across each jurisdiction in content and available defences. Various Australian state laws include offence provisions for both civil defamation and criminal defamation.
Civil liability transpires as a consequence of publications that are expected to harm a person's reputation and the penalties are monetary. Criminal liability transpires as a consequence of publications that concern society, including those with a propensity to imperil the public peace, and penalties in the majority of jurisdictions incorporate incarceration. Significant distinctions exist between civil and criminal defamation law in relation to both liability and defences.

The Western Australian Supreme Court decided in Rindos v. Hardwick[22] that statements distributed in a discussion list can be defamatory and lead to an action. The court thought that it was inappropriate to apply the rules differently to the Internet from other means of communications. The court acknowledged the instigator's accountability for defamatory proclamations broadcast across a discussion group[23]. The matter of the liability of other participants on the list was not considered during the trial.

It is considered unlikely that an ISP would scrutinize all material presented across its network[24] and this may not be economically feasible[25]. Mann & Belzley address this through "targeting specific types of misconduct with tailored legal regimes"[26]. These regimes would leave the ISP responsible for the defamatory publications of its users where they have failed to take reasonable action to mitigate these infringements. The existing law in Australia leaves all parties considered to be a "publisher" liable[27]. Cases do exist[28] where ISPs have removed content proactively.

The common law defence of innocent dissemination exists in Australia. Thompson v Australian Capital Television[29] demonstrated this when Channel 7 asserted that transmission of a "live" show to the ACT retransmitted from Channel 9 NSW in effect placed it as a subordinate publisher that disseminated the material of the real publisher devoid of any material awareness or influence over the content of the show.
They argued that this was analogous to a printer or newspaper vendor. The High Court held that the defence of innocent dissemination is available to television broadcasts as well as printed works. In this instance it was held that the facts demonstrated Channel 7 maintained the capacity to direct and oversee the material it simulcasts. The show was broadcast as a live program through Channel 7's choice. They chose this format in full knowledge that a diffusion of the show would be next to instantaneous. They were further conscious of the nature of the show, a "live-to-air current affairs programme"[30] and understood that this program conceded an elevated risk of transmitting defamatory material. It was decided by the facts that Channel 7 was not a subordinate publisher on this occasion.

The Federal Broadcasting Services Act 1992[31] affords a legislative defence to an ISP or Internet Content Host (ICH) that transmits or hosts Internet based content in Australia if they can demonstrate that they were reasonably unaware of the defamatory publication. s.91(1) of Schedule 5 to the Broadcasting Services Act[32] grants that a law of a State or Territory, or a rule of common law or equity, has no effect to the extent to which the ISP "was not aware of the nature of the internet content".

The BSA[33] defines "internet content" to exclude "ordinary electronic mail". This is a communication conveyed using a broadcasting service where the communication is not "kept on a data storage device". Consequently, the s.91 defence will not be offered in cases concerning such material. In such cases, an ISP or ICH may still attempt to rely on the defence of innocent dissemination. The applicability of the common law defence of innocent dissemination remains to be determined by the Australian courts.[34] As a consequence, any reliance on these provisions by an ISP or ICH carries a measure of risk.
Harassment

Harassment may occur through all forms of media; the Internet is no exception. Junk mail, sexually offensive e-mails and threats delivered through online means (including both e-mail and instant messaging) are all forms of harassment. The inappropriate accessing of sexually explicit, racist or otherwise offensive material at the workplace is another form of harassment. This includes the sending of unwelcome messages that may contain offensive material to another co-worker.

E-mail Crimes and Violations

In reality, e-mail crime is not new. Instead, the Internet has enabled many old crimes to be reborn. Many morally violating acts such as child pornography have become far more widespread and simpler due to the ease and reach of e-mail. Many traditional crimes such as threats and harassment, blackmail, fraud and criminal defamation have not changed in essence, but the ease of e-mail has made them more prevalent.

Chain letter

Chain letters are another form of abuse that are seamlessly migrated from the physical world to cyberspace. A chain letter is an e-mail that was sent progressively from e-mail user to e-mail user. It will generally instruct the recipient to circulate further copies of the e-mail and usually to multiple recipients. These chain letters often promise rewards or spiritual gain if the e-mail was sent and may also threaten loss or harm if the recipient does not forward it. Often the authenticity of a chain letter cannot be verified as the header information from the original sender has been lost in retransmission.

Mail bombing

Mail bombing is a simple attack that has been around for a long time. It involves the intentional sending of multiple copies of an e-mail to a recipient. The objective is simply to overload the e-mail server. This is achieved by either filling the user's inbox so that they cannot access any more mail or flooding the server connections.
Flooding server connections would be aimed at the general infrastructure whereas flooding an inbox is aimed at an individual. Mail bombing is malicious and abusive. Even when aimed at an individual to prevent other users from accessing the mail server.

Mail storm

A mail storm is a condition that occurs when computers start communicating autonomously. This process results in a large volume of junk mail. This may happen innocently through the auto forwarding of e-mails when configured to a large number of mailing lists, through automated responses and by using multiple e-mail addresses. Additionally, malicious software including the Melissa and ILOVEYOU viruses can result in mail storms. Mail storms interfere with the usual communication of e-mail systems.

Identity Fraud

Identity theft is becoming more widespread due to the ease and profitability. This action involves the stealing of someone's identity for fraudulent financial gain. It is in effect a larceny. The sending of e-mail offers that are too good to be true, fake websites and other forms of phishing are all used to capture an identity. Many groups specialize in the capture of information and make financial gains by selling this information to groups who will make illegitimate purchases or financial transactions.

Regards,
Dr Craig Wright (GSE-Compliance)

[1] The Communications Decency Act of 1996 (CDA)
[2] 47 U.S.C.
§ 230(b) (2004) (emphasis added) "It is the policy of the United States- (1) to promote the continued development of the Internet and other interactive computer services and other interactive media; (2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation; (3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services; (4) to remove disincentives for the development and utilization of blocking and filtering technologies that empower parents to restrict their children's access to objectionable or inappropriate online material; and (5) to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and harassment by means of computer".
[3] WL 2717865 (3rd Cir. Sept. 19, 2007); See also Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, CV-03-09386-PA (9th Cir. May 15, 2007); and Universal Communication Systems, Inc. v. Lycos, Inc., 2007 WL 549111 (1st Cir. Feb. 23, 2007)
[4] 1996, Pub. L. 104-104, Title I, § 509.
[5] 1998, Pub. L. 105-277, Div. C, Title XIV, § 1404(a).
[6] There remains, however, the fear that additional regulation will stifle innovation in the industry. Would, for instance, eBay enter the market as a new company today if it were liable for trademark infringement it facilitated? Such liability adds new start-up and ongoing costs that may make some new ventures unprofitable (or even more unprofitable). For an article addressing regulation in this way, see Lemley & Reese.
[7] There is at least the possibility that the statute would permit a State to require intermediaries to act. See Doe v. GTE Corp. 347 F.3d 655 (7th Cir. 2003) (per Easterbrook, J.)
(suggesting that Section 230(e)(3) "would not pre-empt state laws or common-law doctrines that induce or require ISPs to protect the interests of third parties").
[8] Thus minimising the likelihood of a decision such as Godfrey in the United States. See supra note 102.
[9] Gentry v. eBay, Inc., 121 Cal. Rptr. 2d 703 (Ct. App. 2002)
[10] As reported in the UK Telegraph by Kathy Marks on the 20th Apr 95. The policeman is quoted: "...If this had got out unchecked it could have done me serious professional harm. I am in a position of extreme trust and there has got to be no doubt...that I am 100 percent trustworthy".
[11] Cubby v CompuServe, 776 F.Supp.135 (S.D.N.Y. 1991). Another case, this time involving AOL was that of Kenneth Zeran v America On-line Incorporated heard by the United States Court of Appeals for the 4th Circuit (No. 97-1523 which was decided in November 1997). This was a case against AOL for unreasonably delaying in removing defamatory messages. The Court in 1st Instance and the Court of Appeal found for AOL.
[12] CompuServe offered an electronic news service named "Rumorville". This was prepared and published by a third party and distributed over the CompuServe network.
[13] (NY Sup Ct May 24,1995)
[14] Ibid
[15] Communications Decency Act
[16] The was first made to include those postings even when that material is protected under the US Constitution. This has been subsequently amended.
[17] The EU Electronic Commerce Directive (No. 2000/31/EC) has now specifically limited the liability of an ISP to where it has been informed of a defamatory posting and has failed to remove it promptly as was the situation in Demon Internet. Lawrence Godfrey v Demon Internet Limited (unreported Queens Bench Division - 26th March, 1999)
[18] Western Provident v. Norwich Union (The Times Law Report, 1997).
[19] Godfrey v Demon Internet Ltd, QBD, [1999] 4 All ER 342, [2000] 3 WLR 1020; [2001] QB 201; Byrne v Deane [1937] 2 All ER 204 was stated to apply.
[20] Godfrey v Demon Internet Limited [1999] 4 All.E.R.342
[21] C.68/93
[22] Rindos v. Hardwicke No. 940164, March 25, 1994 (Supreme Ct. of West Australia) (Unreported); See also Gareth Sansom, Illegal and Offensive Content on the Information Highway (Ottawa: Industry Canada, 1995) <http://www.ic.gc.ca/info-highway/offensive/offens_e.rtf>.
[23] Ibid, it was the decision of the court that no difference in the context of the Internet News groups and bulletin boards should be held to exist when compared to conventional media. Thus, any action against a publisher is valid in the context of the Internet to the same extent as it would be should the defamatory remark have been published in say a newspaper.
[24] RECORDING INDUSTRY ASSOCIATION OF AMERICA, INC., (RIAA) v. Verizon Internet Services, 351 F.3d 1229 (DC Cir. 2003); See also Godfrey v Demon Internet
[25] ; Further, in the US, the Digital Millennium Copyright Act's (DMCA's) "good faith" requirement may not require "due diligence" or affirmative considerations of whether the activity is protected under the fair-use doctrine. In contrast, FRCP 11 requires "best of the signer's knowledge, information and belief formed after reasonable inquiry, it is well grounded in fact and is warranted by existing law.". Additionally, with the DMCA, penalties attach only if the copyright owner "knowingly, materially" misrepresents an infringement, so the copyright owner is motivated to not carefully investigate a claim before seeking to enforce a DMCA right.
[26] Brown & Lehman (1995) (The paper considers the arguments to creating an exception to the general rule of vicarious liability in copyright infringement for ISPs and those that reject this approach), available at http://www.uspto.gov/web/offices/com/doc/ipnii/ipnii.pdf.
[27] Thompson v Australian Capital Television, (1996) 71 ALJR 131
[28] See also "Google pulls anti-scientology links", March 21, 2002, Matt Loney & Evan Hansen, www.News.com, Cnet, http://news.com.com/2100-1023-865936.html; "Google Yanks Anti-Church Site", March 21, 2002, Declan McCullagh, Wired News, http://wired.com/news/politics/0,1283,51233,00.html; "Church v. Google How the Church of Scientology is forcing Google to censor its critics", John Hiler, Microcontent News, March 21, 2002, http://www.microcontentnews.com/articles/googlechurch.htm; Lawyers Keep Barney Pure, July 4, 2001, Declan McCullagh, Wired News, http://www.wired.com/news/digiwood/0,1412,44998,00.html.
[29] See Reidenberg, J (2004) "States and Internet Enforcement", 1 UNIV. OTTAWA L. & TECH. J. 1
[30] Ibid.
[31] <http://scaleplus.law.gov.au/html/pasteact/0/136/top.htm>
[32] s.91(1) of Schedule 5 to the Broadcasting Services Act states: (i) subjects, or would have the effect (whether direct or indirect) of subjecting, an internet content host/internet service provider to liability (whether criminal or civil) in respect of hosting/carrying particular internet content in a case where the host/provider was not aware of the nature of the internet content; or (ii) requires, or would have the effect (whether direct or indirect) of requiring, an internet content host/internet service provider to monitor, make inquiries about, or keep records of, internet content hosted/carried by the host/provider.
[33] The Broadcasting Services Act specifically excludes e-mail, certain video and radio streaming, voice telephony and discourages ISP's and ICH's from monitoring content by the nature of the defense. See also, Eisenberg J, 'Safely out of site: the impact of the new online content legislation on defamation law' (2000) 23 UNSW Law Journal; Collins M, 'Liability of internet intermediaries in Australian defamation law' (2000) Media & Arts Law Review 209.
[34] See also EFA, Defamation Laws & the Internet <http://www.efa.org.au/Issues/Censor/defamation.html>

Craig Wright
Manager of Information Systems
BDO Kendalls (NSW)