Thursday, November 25, 2010

Cybertort Law and Liability of Internet Service Providers

first (only) desk at XO/concentricImage by wjr via Flickr

Cyberspace provides a favourable legal environment for tort feasors because Internet Service Providers (ISPs) have not always a duty to mitigate harms caused by ongoing torts and infringing acts. Courts have stretched legislators's express language in some laws from the narrow purpose of immunizing ISPs as publishers to the expanded purpose of shielding them from all tort liability. Examine whether the ISPs have duty of care to remove or block ongoing tortious activities on their srvices when they have been given actual notice in India and also analyse the liability rules best suited in the matters of cybertorts.

In the Cubby Inc. v. CompuServe Inc.  776 F. 1991 USA. It is the first case of Cybertort in which the CompuServe was held not liable for a third party’s publication of defamatory statements on its services. Court considered whether an ISP was a publisher or distributor for purposes of defamation law.
In this action, Cubby charged CompuServe and Don Fitzpatrick with libel, business disparagement and unfair competition. These claims arose out of a series of allegedly defamatory statements made in a publication titled Rumorville, a daily newsletter published by Don Fitzpatrick Associates of San Fransico ("DFA") and available to subscribers of CompuServe.
Cubby published a competing publication titled Skuttlebut. CompuServe offered CompuServe Information Services ("CIS") to subscribers for membership and online time usage fees. In return for these fees, the user is given access to "an on-line general information service or 'electronic library'" which includes thousands of information sources, and special interest forums, which consist of electronic bulletin boards, interactive online conferences and topical databases.
CompuServe moved for summary judgment. In granting the motion, the District Court held that the appropriate standard to be applied in judging CompuServe's conduct is that of a distributor, such as a public library, newsstand or bookstore, rather than a publisher. In so holding, the court stated: " CompuServe's CIS product is in essence an electronic, for profit library that carries a vast number of publications and collects usage and membership fees from its subscribers in return for access to the publications. ... CompuServe has no more editorial control over [Rumorville] than does a public library, book store or newsstand, and it would be no more feasible for CompuServe to examine every publication it carries for potentially defamatory statements than it would be for any other distributor to do so. ...
In 1996 , Congress, through the CDA  ( Communication Decency Act 1996), expressly overruled  Prodigy by immunizing all online intermediaries from publishers liability.  Congress enacted the CDA to prevent the newborn industry of ISPs from drowning in a sea of litigation. Sec. 230 of The CDA was dreams come true for ISPs: Congress made it clear that no interactive computer service would be classified as a publisher or speaker so long as third parties had provided the content. Every other jurisdiction addressing Section 230 has given effect to Congress' broad protections and Internet speech has flourished as a result.
Section 230 protects the ordinary people who use the Internet and email to pass on items of interest written by others, free from the fear of potentially ruinous lawsuits filed by those who don't like what was said about them. The vitality of the Internet would quickly dissipate if the posting of content written by others created liability. The impulse to self-censor would be unavoidable."
Internet Service Providers Liability is also not well defined in India. Sec. 79 of IT Act 2000 Says that ISPs are not liable in ceratin cases if the ISP has the information of misuse of its network. In case the defendant got benefit due non clarity in Law
Now the question is whether downsizing of Sec 230 of CDA is required because Downsizing will open the door to a greatly needed radical reconsideration of the duty of care in cyberspace.
Interactive computer services should not be absolved of all responsibility when they have actual knowledge of defamatory postings or e-mails.
Similarly, when a website operator has knowledge that a posting overrules the privacy or tarnishes the reputation of a computer user, it should have a duty to retract the deprecating publication or prevent further tortuous or criminal activity.
Limited liability will induce ISPs to expand system –wide products to protect all users from viruses, spyware, spam, and security holes.
Online intermediaries are in the best position to calibrate Internet Security to the radius of the risk and in proportion to the peril because they are generally the first to detect the problem.
The overall rate of tort injuries to consumers will be diminished if ISPs have an inducement to implement security solutions to detect and thwart cybercriminals
For example, the computer industry already developed systems of deception, such as decoys, “fly traps” , and “honeypots”  in order to trap unwary computer intruders.
The imposition of greater duty of care will rekindle research into how to plug security holes , trap cybercriminal, block spam, disable pornographic pop-ups, and stifle the growth of website creepy crawlers.
There are questions of liability in Cyber-invasions of public information resources, such as the sending of spam email. Another set of cases are those in which plaintiffs assert indirect liability claims against operating system sellers, internet service providers, or software developers for the harms caused by some cyberspace actors (e.g., virus writers, copyright violators). Theories suggest that the basis for strict indirect liability is weak. There are theories  suggesting  that immunity rules should play a role in this area, though in a much smaller set of instances than in existing law. Of course, information technology is constantly evolving, so a description of previous cases may not tell us much about the problems that will arise in the future. Still, the previous cases have set out several issues that courts are still grappling with in their efforts to apply tort law to a new realm.
In Intel Corp. v. Hamidi, the plaintiff Intel Corporation maintained an electronic mail system accessible by the internet. A former employee of Intel sent thousands of emails (up to 35,000 at a time) criticizing the company’s employment practices to Intel employees. Intel filed suit, claiming that the emails distributed without the company’s consent constituted trespass to chattels. Reversing an injunction issued by the lower court, the California Supreme Court held that in order to prevail on a trespass-to-chattels
theory the plaintiff had to prove some actual injury resulting from the defendant’s conduct. Intel had not presented evidence of an actual injury to the functioning of their electronic mail system. Consider a virus disseminated by electronic mail that injures thousands of computer users by destroying files or damaging hard drives. In every such instance there is usually some step that an operating system seller or internet service provider could have taken to prevent the spread of the virus. Some commentators have argued that operating system sellers should be held strictly liable for viruses, since the expected liability would cause the price of the relatively insecure operating system to rise in comparison to the relatively secure system. However, strict liability is not the rule, and there have been no reported cases of third-party (or indirect) liability for viruses.
There are three general issues raised by cyberspace torts. The first is whether and specifically where property rules or liability rules should apply in this area of torts. Property rules are exemplified by trespass doctrine. A property rule, such as trespass, permits the party protected by the rule to enjoin the injuring party and to collect damages for any violations that occur. Property rule protection forces the potential injurer or invader to bargain with the protected party in order to gain access to the protected party’s property. In order to gain access under the property rule, the invader will have to meet the demand price of the protected party, which will be set high enough to cover the protected party for all the injuries that party perceives to be associated with giving access to the invader. If, for example, the invader is incapable of doing any harm to the protected party’s property, but the protected party still wants to be compensated for the mere thought that someone else will have access to his property,  that perceived harm will be part of the demand price the protected party communicates to the potential invader.
Liability rules, in contrast, do not permit the protected party to enjoin the injuring party. For example, a negligence lawsuit brought against a careless driver is an instance in which a victim asserts liability rule protection. There is no background assumption that the careless driver should have obtained permission from the victim to impose the risk of an injury. The liability rule seeks simply to reallocate to the injurer some objective estimate of the victim’s loss after it has occurred.
The second general issue raised by cyberspace torts is, assuming liability rules apply, what type of liability rule should apply and specifically where? Tort law provides two general types of liability rule: strict liability and negligence. The key difference between the two is that under negligence, courts inquire into the care that the injurer took in his conduct, while under strict liability there is no inquiry into the injurer’s level of care. Strict liability sounds like “absolute liability”, in the sense of imposing liability
simply for acting. But there are few if any examples of absolute liability in the law.
Most cases of strict liability involve some point at which the injurer made a choice to impose harms on the victim; for example, by choosing to locate his smoke-belching factory next door to the victim’s house. And it is this choice that the law aims to control through strict liability.

The third general issue raised by cyberspace torts is whether there should be any liability at all. The issue is actually more complicated. Perhaps the better way to state the issue is the degree to which some liability rule weaker or more lenient than negligence should apply. “Weak negligence” rules would couple the negligence rule’s general inquiry into fault with a set of broad defenses that would often permit the injurer to avoid liability altogether. Should there be absolute immunity or “weak negligence” in the field of cyberspace, and specifically where should immunity or weak negligence rules apply?
There are other cases in which the trespass-to-chattels theory has been accepted, leading to an injunction. For example in eBay v. Bidder’s Edge the court held that the plaintiff, eBay, could enjoin Bidder’s Edge from sending electronic spiders to its web site because those spiders were thought to be capable of impairing the functioning of eBay’s website

The second question raised by Hamidi is whether property rule protection is appropriate in the circumstances. This depends on several factors. First  transaction costs: the case for property rule protection becomes stronger as transaction costs fall. Second, the direction of property rule protection has to be determined. Property rule protection can protect either the victim or the invader. This requires a comparison of the externalized costs and benefits of the injurer’s activity.

As it becomes easier for a cyberspace user to gain permission before sending an email or accessing a website (that is, as transaction costs fall), the case for protecting someone with a property rule becomes stronger. A property rule protecting the potential victim would be equivalent to the familiar trespass law. A property rule protecting the invader (e.g., the email sender) would be equivalent to one of the weak negligence rules described earlier.

This analysis applies as well to eBay. In general, if a programmer sends spiders through the internet to gather information and relay them to another source, say another website, that activity merely enhances the dissemination of information. Enhanced information dissemination allows markets to work more efficiently in allocating resources. For this reason, the externalized benefits of the programmer’s conduct probably exceed the externalized costs. In addition, because of the large numbers problems encountered in the nuisance and Rylands settings, the transaction costs under a property rule could be quite high.
These arguments suggest that a property rule protecting the victim of spidering would be socially undesirable. For reasons similar to those given in the spammer context, nuisance theory has a better fit to the problem. If spidering occurs on a scale that disrupts the functioning of the victim’s website, as the court believed had occurred in eBay, then the injurer’s activity should be deemed an unreasonable interference under nuisance theory.

An alternative theory of the harm in eBay is that the information dissemination itself may have been harmful to eBay because it might have steered potential users away from the eBay site.This is a doubtful theory on which to award tort damages. Tort law early on took the position that competition itself does not give rise to a claim for damages. If a business sets up close to a rival and charges lower prices, that rival has no claim for damages under tort law. Given this long-standing common law rule, it would seem quite strange for a court to award damages to eBay on the theory that Bidder’s Edge would take business away from it by disseminating information more widely about alternatives available to potential customers.
Enhanced by Zemanta