Security Basics mailing list archives
RE: Defamation and the diffculties of law on the Internet.
From: "dave kleiman" <dave () davekleiman com>
Date: Wed, 12 Mar 2008 03:25:13 -0400
Hats off to you Craig, Sometimes you amaze me....I literally today just took on a case today dealing exactly with this, you are making my life easy as I am gathering (with your permission) this information you have provided for my client's review. When this becomes public record, I will post-up the results. I will take any more information on this subject with great enthusiasm and appreciation, as always!!! By the way, for those of you who have never asked for Craig's help, you do not know what you are missing. I have asked his research assistance more than once. One particular time it was dealing with abilities of cookies on the server side, when I awoke the next morning, I had 100's of pages and links of information on that subject, and variations and ideas I had not even or forgotten to consider (e.g. web bugs). Why did he help, for no other than reason than he just likes to research information, and possibly considers me a friend from afar. He probably had as much fun reading up on the subject as did. And along with all the technical details he included this: Cookie Recipe Ingredients: 125 grams butter 50 grams caster sugar 60 grams brown sugar 1 large egg 1 teaspoon vanilla essence/extract 125 grams of plain flour 1/2 teaspoon salt 1/2 teaspoon bicarbonate of soda 250 grams of chocolate (Dark is best for this) 1/2 cup coarsely chopped almonds Method: Turn your oven on to preheat at 180 degrees Celsius (about 350 degrees Fahrenheit, gas mark 4). Remember to take your grill pan out first. Now get some baking trays ready (if they're not non-stick then you better line them or grease them)......................Hey Presto! The world's BEST cookies, in the comfort of your own home. In the midst of this data exchange I casually mentioned that one day, when I was in the position to not have to work so much, I would return to school and my dream degrees in Cosmology and Astrophysics. Of course, the next day I had links to every online study available for those degrees, with a "why wait wink." Further, it amazes me how Craig has a Blog helping to understand the rights of US based Digital Forensic Examiners: http://gse-compliance.blogspot.com/2008/01/texas-pi-fud.html And he is based in AU. He simply cares enough about the cause and the industry to help, it has no direct affect on him if US DFEs are required to have PI licenses!! People of the past considered "Loons": (Feynman, Hawking, Sagan, da Vinci, Einstein, Columbus, everyone associated with Monty Python and the Holy Grail: Black Knight: Right, I'll do you for that! King Arthur: You'll what? Black Knight: Come here! King Arthur: What are you gonna do, bleed on me? Black Knight: I'm invincible! King Arthur: ...You're a loony. .......you get the picture) Yep Craig is a Junkie; a Knowledge Junkie!!!! For those of you who have nothing good to say; why say anything? Dave Respectfully, Dave Kleiman - http://www.davekleiman.com 4371 Northlake Blvd #314 Palm Beach Gardens, FL 33410 561.310.8801 -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Craig Wright Sent: Tuesday, March 11, 2008 17:15 To: 'Simphiwe Mngadi'; security-basics () securityfocus com Subject: RE: Defamation and the diffculties of law on the Internet. SANS had "Police Decline to Intervene in Libellous Bebo Page Case (March 7 & 8, 2008" in Newsbytes Vol 10.20. This refers to: http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/ar ticle3498888.ece http://www.dailyrecord.co.uk/news/newsfeed/2008/03/07/web-of-lies- 86908-20342677/ http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2008/03/07/nbeb o107.xml Actually, content control IS an aspect of security and compliance. I may have been a little angry when writing, but I am far from perfect. I have taken and updated a little something for the list based on responses I have received over the years. Liability against an Intermediary, whether in the traditional view of ISP and ICP as well as that of employers and other parties remains a risk. Extrusion filters seem to be something that is not considered, not by most organisations and not unfortunately by many of the list. There is more than filtering for attacks. This is surprising as many standards and regulations require that specific information is filtered. PCI-DSS, HIPAA and a raft of legislation specifies that organisation setup the capability to monitor both incoming and outgoing traffic. This is not port based, but rather a capability to monitor and filter (or at the least act on) content. I oversee the information gathering for many more companies than I actually audit myself (being an audit manager for an external audit firm). In 1,412 firms I have been to or reviewed information for, I have collected a number of statistics over the years. 231 (or 16.4%) have some content management 184 (13.0%) have NO egress filters - Nothing at all. No ports Nothing. 734 (52.0% have a disclaimer on email that is barely adequate legally) 210 (14.8% have a legally valid privacy policy/disclaimer on their web sites) 15 (1.06% check Google or other places for information on their references) In Scheff v Bock (Susan Scheff and Parents Universal Experts, Inc. v. Carey Bock - Florida USA, 2006, Case No. CACE03022837) a Florida jury awarded Sue Scheff US$11.3 million costs and damages over recurrent blog postings. A former acquaintance accused her of being a crook, a con artist and a fraudster (as a side note the same laws apply in Au). See http://www.citmedialaw.org/threats/scheff-v-bock In principle, defamation consists of a false and unprivileged statement of fact that is harmful to the reputation o f another person which is published "with fault". That is means that it is published as a result of negligence or malice. Different laws define defamation in specific ways that differ slightly, but the gist of the matter is the same. Libel is a written defamation; slander is a verbal defamation. Some examples: Libellous (when false): Charging someone with being a communist (in 1959) Calling an attorney a "crook" Describing a woman as a call girl Accusing a minister of unethical conduct Accusing a father of violating the confidence of son Not-libellous: Calling a political foe a "thief" and "liar" in chance encounter (because hyperbole in context) Calling a TV show participant a "local loser," "chicken butt" and "big skank" Calling someone a "bitch" or a "son of a bitch" Changing product code name from "Carl Sagan" to "Butt Head Astronomer" See http://w2.eff.org/bloggers/lg/faq-defamation.php for details. So let us do the Math. Let us take a case of 0.1% (or 1 in a thousand) employees (and the number is in reality higher then this) posting from their place of work a defamatory post. 83.6% of companies (based on figures above) will not detect or stop anything. Less check at all. Let us take an average US litigation cost for defamation of $182,500 (taking cases won from 96 to current in Au, UK and US) Also see "Rethinking Defamation" by DAVID A. ANDERSON of the University of Texas at Austin - School of Law. (http://papers.ssrn.com/sol3/papers.cfm?abstract_id=976116#PaperDown load). So if we take a decent sized company of 5,000 employees, we have an expectation of 4 incidents per annum that in coming years would be expected to make it to court. Employers are vicariously liable for many of these actions. In the past, employers and ICP's have not been targeted, but this is changing. The person doing the act is generally not one with the funds to pay out the losses. The employer is. Thus the ability to co-join employers will increase these types of actions. Facebook, blogs and other accesses will only make this worse in coming years. So what does this mean? Well in the case of our hypothetical employer, there is an expected annualised loss of $788,400 US in coming years. The maximum expected payout would be $50,000,000 US. It is unlikely that the individual making the claim will be able to pay the cost of losing, so the employer will more and more be added to be suit. Now, I am in no way affiliated with ANY content management software, but I see this as a necessary evil. This would could as an effective corporate governance strategy, lowering the potential liability of the employer. In my experience, the costs of the software and the management are going to add to less then the potential. With the recent win in Scheff v Bock, this is only going to increase. Civil Liability The conduct of both agents and employees can result in situations where liability is imposed vicariously on an organisation through both the common law[i] and by statute.[ii] The benchmark used to test for vicarious liability for an employee requires that the deed of the employee must have been committed during the course and capacity of their employment under the doctrine respondeat superior. Principals' liability will transpire when a `principal-agent' relationship exists. Dal Pont[iii] recognises three possible categories of agents: (a) those that can create legal relations on behalf of a principal with a third party; (b) those that can affect legal relations on behalf of a principal with a third party; and (c) a person who has authority to act on behalf of a principal. Despite the fact that a party is in an agency relationship, the principal is liable directly as principal as contrasting to vicariously, "this distinction has been treated as of little practical significance by the case law, being evident from judges' reference to principals as vicariously liable for their agents' acts"[iv]. The consequence being that an agency arrangement will leave the principle directly liable rather then liable vicariously. The requirement for employees of "within the scope of employment" is a broad term without a definitive definition in the law, but whose principles have been set through case law and include: where an employer authorises an act but it is performed using an inappropriate or unauthorised approach, the employer shall remain liable[v]; the fact that an employee is not permitted to execute an action is not applicable or a defence[vi]; and the mere reality that a deed is illegal does not exclude it from the scope of employment[vii]. Unauthorised access violations or computer fraud by an employee or agent would be deemed remote from the employee's scope of employment or the agent's duty. This alone does not respectively absolve the employer or agent from the effects of vicarious liability[viii]. Similarly, it remains unnecessary to respond to a claim against an employer through asserting that the wrong committed by the employee was for their own benefit. This matter was authoritatively settled in the Lloyd v Grace, Smith and Co.[ix], in which a solicitor was held liable for the fraud of his clerk, albeit the fraud was exclusively for the clerk's individual advantage. It was declared that "the loss occasioned by the fault of a third person in such circumstances ought to fall upon the one of the two parties who clothed that third person as agent with the authority by which he was enabled to commit the fraud"[x]. Lloyd v Grace, Smith and Co.[xi] was also referred to by Dixon J in the leading Australian High Court case, Deatons Pty Ltd v Flew[xii]. The case concerned an assault by the appellant's barmaid who hurled a beer glass at a patron. Dixon J stated that a servant's deliberate unlawful act may invite liability for their master in situations where "they are acts to which the ostensible performance of his master's work gives occasion or which are committed under cover of the authority the servant is held out as possessing or of the position in which he is placed as a representative of his master"[xiii]. Through this authority, it is generally accepted that if an employee commits fraud or misuses a computer system to conduct an illicit action that results in damage being caused to a third party, the employer may be supposed liable for their conduct. In the case of the principles agent, the principle is deemed to be directly liable. In the context of the Internet, the scope in which a party may be liable is wide indeed. A staff member or even a consultant (as an agent) who publishes prohibited or proscribed material on websites and blogs, changes systems or even data and attacks the site of another party and many other actions could leave an organisation liable. Stevenson Jordan Harrison v McDonnell Evans (1952)[xiv] provides an example of this type of action. This case hinged on whether the defendant (the employer) was able to be held liable under the principles of vicarious liability for the publication of assorted "trade secrets" by one of its employees which was an infringement of copyright. The employee did not work solely for the employer. Consequently, the question arose as to sufficiency of the "master-servant" affiliation between the parties for the conditions of be vicarious liability to be met. The issue in the conventional "control test" as to whether the employee was engaged under a "contract for services", against a "contract of service" was substituted in these circumstances with a test of whether the tort- feasor was executing functions that were an "integral part of the business" or "merely ancillary to the business". In the former circumstances, vicarious liability would extend to the employer. Similarly, a contract worker acting as web master for an organisation who loads trade protected material onto their own blog without authority is likely to leave the organisation they work for liable for their actions. In Meridian Global Funds Management Asia Limited v Securities Commission[xv], a pair of employees of MGFMA acted without the knowledge of the company directors but within the extent of their authority and purchased shares with company funds. The issue lay on the qualification of whether the company knew, or should have known that it had purchased the shares. The Privy Council held that whether by virtue of the employees' tangible or professed authority as an agent performing within their authority[xvi] or alternatively as employees performing in the course of their employment[xvii], both the actions, oversight and knowledge of the employees may well be ascribed to the company. Consequently, this can introduce the possibility of liability as joint tort-feasors in the instance where directors have, on their own behalf, also accepted a level of responsibility[xviii] meaning that if a director or officer is explicitly authorised to issue particular classes of representations for their company, and deceptively issues a representation of that class to another resulting in a loss, the company will be liable even if the particular representation was done in an inappropriate manner to achieve what was in effect authorised. The degree of authority is an issue of fact and relies appreciably on more than the fact of employment providing the occasion for the employee to accomplish the fraud. Panorama Developments (Guildford) Limited v Fidelis Furnishing Fabrics Limited[xix] involved a company secretary deceitfully hiring vehicles for personal use without the managing director's knowledge. As the company secretary will customarily authorise contracts for the company and would seem to have the perceptible authority to hire a vehicle, the company was held to be liable for the employee's actions. Criminal Liability Employers can be held to be either directly or vicariously liable for the criminal behaviour of their employees. Direct liability for organisations or companies refers to the class of liability that occurs when it permits the employee's action. Lord Reid in Tesco Supermarkets Limited v Nattrass[xx] formulated that this transpires when someone is "not acting as a servant, representative, agent or delegate" of the company, but as "an embodiment of the company"[xxi]. When a company is involved in an action, this principle usually relates to the conduct of directors and company officers when those individuals are acting for or "as the company". Being that directors can assign their responsibilities, direct liability may encompass those employees who act under that delegated authority. The employer may be directly liable for the crime in cases where it may be demonstrated that a direct act or oversight of the company caused or accepted the employee's perpetration of the crime. Where the prosecution of the crime involves substantiation of mens rea[xxii], the company cannot be found to be vicariously liable for the act of an employee. The company may still be found vicariously liable for an offence committed by an employee if the offence does not need mens rea[xxiii] for its prosecution, or where either express or implied vicarious liability is produced as a consequence of statute. Strict liability offences are such actions. In strict liability offences and those that are established through statute to apply to companies, the conduct or mental state of an employee is ascribed to the company while it remains that the employee is performing within their authority. The readiness on the part of courts to attribute criminal liability to a company for the actions of its employees seems to be escalating. This is demonstrated by the Privy Council decision of Meridian Global Funds Management Asia Ltd v Securities Commission[xxiv] mentioned above. This type of fraudulent activity is only expected to become simpler through the implementation of new technologies by companies. Further, the attribution of criminal liability to an organisation in this manner may broaden to include those actions of employees concerning the abuse of new technologies. It is worth noting that both the Data Protection Act 1998[xxv] and the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000[xxvi] make it illegal to use equipment connected to a telecommunications network for the commission of an offence. The Protection of Children Act 1978[xxvii] and Criminal Justice Act 1988[xxviii] make it a criminal offence to distribute or possess scanned, digital or computer-generated facsimile photographs of a child under 16 that are indecent. Further, the Obscene Publications Act 1959[xxix] subjects all computer material making it a criminal offence to publish an article whose effect, taken as a whole, would tend to deprave and corrupt those likely to read, see or hear it. While these Acts do not of themselves create liability, they increase the penalties that a company can be exposed to if liable for the acts of an employee committing offences using the Internet. [i] Broom v Morgan [1953] 1 QB 597. [ii] Employees Liability Act 1991 (NSW). [iii] G E Dal Pont, Law of Agency (Butterworths, 2001) [1.2]. [iv] Ibid [22.4]. [v] Singapore Broadcasting Association, SBA's Approach to the Internet, See Century Insurance Co Limited v Northern Ireland Road Transport Board [1942] 1 All ER 491; and Tiger Nominees Pty Limited v State Pollution Control Commission (1992) 25 NSWLR 715, at 721 per Gleeson CJ. [vi] Tiger Nominees Pty Limited v State Pollution Control Commission (1992) 25 NSWLR 715. [vii] Bugge v Brown (1919) 26 CLR 110, at 117 per Isaacs J. [viii] unreported decision in Warne and Others v Genex Corporation Pty Ltd and Others -- BC9603040 -- 4 July 1996. [ix] [1912] AC 716 [x] [1912] AC 716, Lord Shaw of Dunfermline at 739 [xi] [1912] AC 716 [xii] (1949) 79 CLR 370 at 381 [xiii] Ibid. [xiv] [1952] 1 TLR 101 (CA). [xv] [1995] 2 AC 500 [xvi] see Lloyd v Grace, Smith & Co. [1912] AC 716 [xvii] see Armagas Limited v Mundogas S.A. [1986] 1 AC 717 [xviii] Demott, Deborah A. (2003) "When is a Principal Charged with an Agent's Knowledge?" 13 Duke Journal of Comparative & International Law. 291 [xix] [1971] 2 QB 711 [xx] [1972] AC 153 [xxi] ibid, at 170 per Lord Reid [xxii] See Pearks, Gunston & Tee Limited v Ward [1902] 2 KB 1, at 11 per Channell J, and Mousell Bros Limited v London and North- Western Railway Company [1917] 2 KB 836, at 843 per Viscount Reading CJ. [xxiii] See Mousell Bros Limited v London and North-Western Railway Company [1917] 2 KB 836, at 845 per Atkin J. [xxiv] [1995] 2 AC 500. [xxv] Data Protection Act 1998 [UK] [xxvi] Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 [UK] [xxvii] Protection of Children Act 1978 [UK] [xxviii] Protection of Children Act 1978 and Criminal Justice Act 1988 [UK] [xxix] Obscene Publications Act 1959 [UK] Regards, Craig Wright (GSE-Compliance) Craig Wright Manager of Information Systems Direct : +61 2 9286 5497 Craig.Wright () bdo com au +61 417 683 914 BDO Kendalls (NSW) Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney NSW 2001 Fax +61 2 9993 9497 http://www.bdo.com.au/
Current thread:
- Defamation and the diffculties of law on the Internet. Craig Wright (Mar 05)
- RE: Defamation and the diffculties of law on the Internet. David Harley (Mar 05)
- Re: Defamation and the diffculties of law on the Internet. infolookup (Mar 05)
- RE: Defamation and the diffculties of law on the Internet. Bob Emerson (Mar 06)
- Re: Defamation and the diffculties of law on the Internet. Al MailingList (Mar 10)
- RE: Defamation and the diffculties of law on the Internet. Bob Emerson (Mar 06)
- Message not available
- RE: Defamation and the diffculties of law on the Internet. Craig Wright (Mar 11)
- RE: Defamation and the diffculties of law on the Internet. dave kleiman (Mar 12)
- RE: Defamation and the diffculties of law on the Internet. Craig Wright (Mar 11)