Computers & the Law Conference
IIR Conferences, Melbourne 17 June 1996, Sydney 24 June 1996

An Emerging Law of Cyberspace?

Graham Greenleaf[*]
Version of 5 July 1996[**]

Contents

1. Introduction
2. Censorship - is everyone liable for everything (I)?
  2.1. The draft Australian internet censorship Bill
  2.2. Defeat of the USA's net censorship law - implications for Australia
3. Copyright - is everyone liable for everything (II)?
  3.1. Transmissions - who's liable?
    Carrier liability for services provided by others
    Are ISPs liable for transmission? - the APRA claim
  3.2. The broadcast right - are ISPs liable?
  3.3. Authorisations - who's liable?
    Example - inline images
4. Defamation - is everyone liable for everything (III)?
5. `Interception' - is anyone liable for anything (I)?
    Prohibited interceptions
    Exceptions to interception
    Conclusions and consequences
6. Privacy - is anyone liable for anything (II)?
  6.1. What privacy laws will apply in cyberspace?
  6.2. New privacy issues in cyberspace
    Search engines and robot exclusion standards
    Between you and your browser
  6.3. New Privacy Principles for cyberspace?
7. Encryption - our cryptic policy
  7.1. Cryptography changes everything
  7.2. The international debate
    Australia moves centre-stage in encryption debates
    OECD forging crypto consensus?
    Australian Government policy
    The USA holds out
  7.3. Public key infrastructure

1. Introduction

Some of the key elements of an emerging law of cyberspace are the following:

(i) Developing the legal framework for encryption-based technologies

(ii) Distributing liabilities fairly among ISPs and others

(iii) Defining rules for access, not reproduction

(iv) Accepting limits of national laws, and finding roles for international agreements

This paper concentrates on the liabilities of internet service providers, but touches on the other elements during its course.

2. Censorship - is everyone liable for everything (I)?

2.1. The draft Australian internet censorship Bill

The New South Wales Parliamentary Counsel's Office has prepared a draft internet censorship Bill based on the recommendations of the 1995 DoCA Consultation Paper and taking into account the provisions in the Victorian Act and the WA Bill, and intended as a possible model for all States and Territories[1]. It is to be considered by a meeting of the Standing Committee of Attorneys-General (SCAG) in July.

The draft Bill has attracted a great deal of criticism, and there is a growing discussion, at least on the internet, about the extent to which a combination of technology and parent/teacher self-help can provide a better solution to any problems of minors accessing unsuitable material.

The comments in this paper are largely directed to the draft Bill's treatment of the providers of `on-line services' (as the Bill calls them). The Bill is fundamentally ambiguous in its definitions of 'on-line service' and `on-line service provider'[2]. Prima facie, it imposes the same liabilities equally on everyone from Telstra (as carrier) to access providers, to content hosts, and to content creators, irrespective of their roles in relation to particular content. That is one of its main flaws. It then attempts to ameliorate this by providing two main defences (complying with an `industry code' or taking `reasonable steps'), which may differentiate in their operation between different types of `on-line service providers' - but how, no one yet knows.

The Bill's real content is unknown because all offences by `on-line service providers' are subject to a defence of compliance with a (misnamed) 'industry code of practice' (cl 5). Such 'codes' are really just regulations issued by 'participating Ministers', and need have no connection with any 'industry' views. The nature of the offences is unknown while the content of the defences remains unknown. Honest legislation would at least include an 'Interim Code' which would operate until replaced by a negotiated Code - disallowable by Parliament. The draft Bill is a licence to create serious criminal offences by regulation, and is inappropriate in a society governed by the rule of law. Parliament should define criminal offences, not 'participating Ministers', or (just as bad) 'industry' representatives.

The alternative defence available to providers of 'on-line services', that of taking 'reasonable steps' (cl 4), encourages, through the matters that it says a Court may take into account, a range of practices which in many contexts will be undesirable, particularly in relation to privacy:

(a) Undertakings by users can only be obtained where identifiable details of users are obtained;

(b) Random monitoring of material transmitted, including e-mail, encourages disdain for the privacy of employees, students and others[3];

(c) Requiring identification and age verification by those accessing age-restricted material, as well as being unreasonable in many contexts, will encourage the commercial re-use of such identification details collected at considerable expense (and with no privacy laws applying to the private sector to stop this);

(d) Encouraging server operators to delete content following complaints (irrespective of whose content it is) encourages arbitrary and unchallengeable censorship by those who control the most resources, to the detriment of content providers.

In the absence of an easy-to-comply-with, liberal, and guaranteed watertight Code of Practice, any on-line service provider providing access to content that it does not create will inevitably 'play safe' and take the maximum steps available to it to ensure that a 'reasonable steps' defence would be upheld. This will hasten the demise of both freedom of expression on the net, and what remains of any anonymity there is in using the net. It will increase the extent of surveillance in cyberspace, and the commercial use of such surveillance.

In relation to material which might be 'refused classification' (RC), the draft Bill criminalises genuinely 'private' (person to person) communications in a way which is not done for voice telephony or the post (snail mail). There is no 'RC' classification for what consenting adults say or write to each other, nor should there be.

The Bill's existence as a draft to be considered for uniform national implementation by SCAG undercuts what might otherwise be the development of a rational national debate following the release of the Australian Broadcasting Authority's report, also scheduled for July. SCAG would be better off waiting for the ABA report, and then asking for a draft Bill to be drawn up on more considered foundations.


2.2. Defeat of the USA's net censorship law - implications for Australia

In ACLU v Reno[4], decided 12 June 1996, the American Civil Liberties Union (ACLU) and a coalition of other plaintiffs succeeded in obtaining from a three-judge panel of the US District Court for the Eastern District of Pennsylvania (Sloviter, Chief Judge of the Third Circuit, and Buckwalter and Dalzell, District Judges) a preliminary injunction against enforcement of the US Communications Decency Act 1996 (CDA). The Court held it unconstitutional principally on the ground of its inconsistency with the First Amendment to the US Constitution, which protects freedom of speech, and also on Fifth Amendment grounds concerning lack of due process. The matter will now be appealed to the Supreme Court.

The US Constitution does not protect `obscene' speech, but does require any limitations on `indecent' speech to be supported by a compelling government interest and to be `narrowly tailored' or to `use the least restrictive means' to achieve that objective. The government asserted that shielding minors from access to indecent materials is the compelling interest supporting the CDA, but (even accepting this) the Court concluded that the means employed were not appropriately narrow.

What is most significant is that the members of the Court described the nature of the internet or cyberspace in such a way that (if adopted by the Supreme Court) it may make it virtually impossible for any revised legislation to achieve the aim of shielding minors by limiting the distribution of content. The following quotations indicate the Court's approach:

Sloviter, Chief Judge:

* Whatever the strength of the interest the government has demonstrated in preventing minors from accessing "indecent" and "patently offensive" material online, if the means it has chosen sweeps more broadly than necessary and thereby chills the expression of adults, it has overstepped onto rights protected by the First Amendment.

* Thus one of the factual issues before us was the likely effect of the CDA on the free availability of constitutionally protected material. A wealth of persuasive evidence, referred to in detail in the Findings of Fact, proved that it is either technologically impossible or economically prohibitive for many of the plaintiffs to comply with the CDA without seriously impeding their posting of online material which adults have a constitutional right to access.

* We have also found that there is no effective way for many Internet content providers to limit the effective reach of the CDA to adults because there is no realistic way for many providers to ascertain the age of those accessing their materials.

* I do not believe a statute is narrowly tailored when it subjects to potential criminal penalties those who must depend upon third parties for the effective operation of a statutory defense.

* [Congress] could have chosen to assist and support the development of technology that would enable parents, schools, and libraries to screen such material from their end. It did not do so, and thus did not follow the example available in the print media where non-obscene but indecent and patently offensive books and magazines abound. . . . Instead, in the CDA Congress chose to place on the speakers the obligation of screening the material ...

Buckwalter, District Judge:

* This conflict [about the meaning of `indecent'] will undoubtedly cause Internet users to "steer far wider of the unlawful zone" than if the community standard to be applied were clearly defined. The chilling effect on the Internet users' exercise of free speech is obvious.

* Thus, individuals attempting to comply with the statute presently have no clear indication of what actions will ensure that they will be insulated from criminal sanctions under the CDA.

Dalzell, District Judge:

* These Findings lead to the conclusion that Congress may not regulate indecency on the Internet at all.

* Four related characteristics of Internet communication have a transcendent importance to our shared holding that the CDA is unconstitutional on its face.
  (1) the Internet presents very low barriers to entry.
  (2) these barriers to entry are identical for both speakers and listeners.
  (3) as a result of these low barriers, astoundingly diverse content is available on the Internet.
  (4) the Internet provides significant access to all who wish to speak in the medium, and even creates a relative parity among speakers.

* The CDA will, without doubt, undermine the substantive, speech-enhancing benefits that have flowed from the Internet. . . . Barriers to entry to those speakers affected by the Act would skyrocket, especially for non-commercial and not-for-profit information providers. . . . The diversity of the content will necessarily diminish as a result. . . . The CDA will also skew the relative parity among speakers that currently exists on the Internet . . . This change would result in an Internet that mirrors broadcasting and print, where economic power has become relatively coterminous with influence.

* Perversely, commercial pornographers would remain relatively unaffected by the Act, since we learned that most of them already use credit card or adult verification anyway.

* ... the Internet deserves the broadest possible protection from government-imposed, content-based regulation.

* Any content-based regulation of the Internet, no matter how benign the purpose, could burn the global village to roast the pig.

* The Internet is a far more speech-enhancing medium than print, the village green, or the mails. Because it would necessarily affect the Internet itself, the CDA would necessarily reduce the speech available for adults on the medium. This is a constitutionally intolerable result.

* Parents, too, have options available to them. As we learned at the hearing, parents can install blocking software on their home computers, or they can subscribe to commercial online services that provide parental controls.

* Cutting through the acronyms and argot that littered the hearing testimony, the Internet may fairly be regarded as a never-ending worldwide conversation. The Government may not, through the CDA, interrupt that conversation. As the most participatory form of mass speech yet developed, the Internet deserves the highest protection from governmental intrusion.

In the absence in Australia of a constitutional provision similar to the First Amendment, the relevance of ACLU v Reno to Australia is mainly indirect:

* If the Supreme Court takes the view that `Congress may not regulate indecency on the Internet at all' (Dalzell DJ), then the United States, the current home of by far the bulk of internet content, will not be able to criminalise the provision of content to minors, lending powerful support to the development of technologies to assist parents and teachers to block content. Attempts to criminalise access and content providers in relation to access by minors are then far less likely to become an international standard, whereas international standards to filter content, such as PICS (Platform for Internet Content Selection), will develop.

* The language of the Court adds a powerful argument to those who argue on policy grounds that legislation like the draft Australian internet censorship law will seriously and undesirably distort the development of the internet.

* The general thrust of the judgments that such over-broad laws as the CDA carry the danger of an unconstitutional `chilling effect on the Internet users' exercise of free speech' (Buckwalter DJ) may be relevant to Australian constitutional considerations. Any legislation which requires - or perhaps even encourages by way of defences - extensive monitoring of internet communications (with a 'chilling effect'), or blocking of communications ('refused access lists'), in such a way that political speech is caught up by over-broad restrictions, may have constitutional implications. It could be argued that such legislation interferes with the implied constitutional freedom of political speech[5], if it is done in a way which is disproportionate to any 'legitimate' censorship goals to be achieved.

3. Copyright - is everyone liable for everything (II)?

3.1. Transmissions - who's liable?

In APRA v Telstra (1995) 131 ALR 14, a majority in the Federal Court (Black CJ and Burchett J) held that Telstra had caused musical works to be transmitted to subscribers to a diffusion service in three situations where music could be heard on the Telecom network by users `on hold': (i) where provided by a third party to the caller; (ii) provided by a Telecom service centre; and (iii) provided by Telstra as part of its `Customnet' service. Leave to appeal to the High Court has been granted.

The court interpreted the very complex provisions of s26 of the Copyright Act 1968 (Cth). Black CJ considered that the appeal turned on s26(5), via these steps:

(i) `Service' is a broad term, and includes where provided directly by a trader or indirectly (as here, via Telstra); and whether or not all customers appreciate it;

(ii) A service of `distributing' matter (musical works in this case) does not require all recipients to receive same content at same time;

(iii) `Subscribers to the service' are provided by s26(5)[6]: subscribers to Telstra's telecommunications service are deemed to be subscribers to the service of distributing musical works, because it is provided incidentally to the telecommunications service;

(iv) Section 26(4)[7] then provides that Telstra, the person undertaking with subscribers to provide a distribution service (ie the telecommunications service plus the incidental provision of music on hold via s26(5)), is deemed to be the person operating the distribution service. Section 26(2)(a)[8] then deems that person (Telstra) to be the person transmitting the musical works.

Burchett J agreed, stating that Telstra does agree to provide music on hold, just as much as it agrees to provide an operator's voice. Sheppard J (dissenting), took a similar approach to Gummow J at first instance, holding that there is no agreement or undertaking by Telstra to provide the service, as required by s26(4), and that s26(5) does not deem such an undertaking to exist.

Carrier liability for services provided by others

In APRA v Telstra, none of the judges makes any distinction between where Telstra provides the music on hold service, and where it is provided by some third party (such as the party called, or by some independent `muzak' provider). Burchett J equates Telstra's agreement to play music on hold in all cases where it is played (ie including via third parties) with its agreement to provide reception of the operator's voice. Black CJ doesn't discuss the distinction. Sheppard J (dissenting) doesn't make a distinction, as he finds no deemed agreement in any situation. However, he points out the difficulty and cost of Telstra paying royalties to APRA (if it can reach agreement) concerning all music on hold, and of Telstra reaching (compensatory) agreements with those third parties who provide music on hold.

Watts and Gilchrist[9] conclude '[t]he decision appears to impose strict liability on a telecommunications carrier for the transmission of copyright material over their networks as part of a service, regardless of whether the carrier actually supplies, operates or consents to the use of the equipment, from which the material originates, such as a computer bulletin board, a WWW site, or a CD player.' The implications of the decision do seem to be as broad as this, but only of course for those copyright subject matters that have a diffusion right (literary, dramatic and musical works, and films).

Watts and Gilchrist question the sense of imposing such liability on carriers, stressing the limits on control of content that carriers can exercise. Carrier powers to monitor communications are very limited under the Telecommunications Act and Telecommunications (Interception) Act, they have limited powers of disconnection, and they have obligations to provide services. To impose such content-oriented burdens on telecommunications carriers seems inconsistent with their role, and Parliament may need to review the Act to protect them unless the High Court takes a different view of APRA v Telstra on appeal.

Are ISPs liable for transmission? - the APRA claim

The potential scope of carrier's liability is surprising enough, but Watts and Gilchrist also assert, without further argument, that '[t]he principles .. can possibly be extended ... to resellers of telecommunications services, online service providers ... and to the Pay Television networks'.

The same view is apparently taken by APRA, which in June 1996 is reported to have sent letters[10] to a number of internet service providers stating in part:

APRA is aware that transmissions of its copyright music are occurring on the Internet. At present this use is unlicensed and therefore constitutes an infringement of APRA's copyright. Consequently, APRA has formulated a licence scheme to authorise this music use.

As the law presently stands, it is the Internet Service Provider (the "ISP"), and not the content provider, who causes transmissions of APRA's music on the internet to ISPs' subscribers.

...

By virtue of subsections 26(2) and (4) the person operating such a service is also the person causing the matter to be transmitted whether or not that person actually transmits the matter. Consequently, it makes no difference that the matter delivered does not originate with the ISP nor that the ISP does not own or control the pathways of that delivery. It is the ISP who is causing the transmission of music to subscribers to a diffusion service, and is therefore responsible for any infringements of copyright which occur by reason of the transmission.

On its face, APRA's claim seems to be supported by APRA v Telstra. Although in that case the circumstances of the infringement of the musical work (playing on hold) meant that the work could be heard at the time of infringement, that should not be necessary, as a musical work can be transmitted in a number of forms, and whether transmitted as a downloadable copy of a sound recording, or as sheet music, or as `real audio', this should make no difference to the transmission right. APRA v Telstra also illustrates that multiple locations of reception, and non-concurrent reception by different subscribers don't seem to matter either.

The aspect of the APRA claim against ISPs that makes it quite extraordinary is that one transmission of a musical work could make numerous ISPs, from content providers to various access providers, liable if they `handle' the transmission in any way in the course of its delivery, plus of course the telecommunications carrier (assuming that such a service is also `incidentally' provided with a telecommunications service: APRA v Telstra). Everyone may be liable for everything.

This may be a weakness in the argument, because s26(2)(b)[11] could be read to mean that only one party (`no person other than ...') is to be regarded as operating a diffusion service, although if this was the case then it would presumably have been considered in APRA v Telstra.

The High Court may succeed in removing some of the obscurity from s26, or it may be made largely irrelevant by the introduction of legislation for a new broad form of transmission right, to implement the `Convergence' committee's recommendations. It is unlikely that the problem will be resolved finally until there is a legislative framework that allows the different functions of different types of internet service providers to be reflected more fairly in their liabilities.

3.2. The broadcast right - are ISPs liable?

Where the music on hold was heard via mobile phones, all three judges in APRA v Telstra agreed that it was an infringement of the broadcast right. Sheppard J held that the `broadcast' did involve transmission to the `public', following case-law in holding that `the provision of music on hold could not be regarded as "domestic or quasi-domestic" in character', but rather, it is `a use which the copyright owner may reasonably regard as his or hers to control'. Burchett J added that the Explanatory Memorandum makes it clear that it is still a transmission even though it is not to the `general public' (ie one caller on hold on one musical item is enough). Arguments based on the confidentiality of phone calls wrongly assume that `broadcast' has the same meaning as in broadcasting law.

In relation to any internet services distributed via mobile telecommunications networks, we could expect that carrier liability would apply in relation to any copyright subject matter which has a broadcast right (ie all subject matter except artistic works).

In relation to the liability of internet service providers, the question is whether the Court would find that anyone other than the mobile carrier 'broadcasts'?

3.3. Authorisations - who's liable?

A key question for ISPs is under what circumstances they may be liable for authorising some infringements of copyright that take place using the facilities they provide. In APRA v Telstra the Federal Court did not need to consider the question of authorisation, because it found Telstra directly liable for transmission by means of a diffusion service, and broadcasting via mobiles.

There is as yet no substantial Australian authority directly on the position of ISPs, with the most useful criteria probably still those set out in UNSW v Moorhouse (1975) 133 CLR 1 by Gibbs J as a set of four sufficient conditions for authorisation: `It seems to me ... that a person [i] who has under his control the means[12] by which an infringement of copyright may be committed - such as a photocopying machine - and [ii] who makes it available to other persons [iii] knowing or having reason to suspect that it is likely to be used for the purposes of committing an infringement and [iv] omitting to take reasonable steps to limit its use to legitimate purposes would authorise any infringement that resulted from its use' (emphasis and numbering added). He later adds `.. it is clearly sufficient if there is knowledge or reason to suspect that any one of a number of particular acts is likely to be done...'. Moorhouse was a very strong case because UNSW (i) owned and could control the copying equipment (photocopier); (ii) provided the copyright material to be copied; (iii) supplied the copying medium (paper), and (iv) could even control the copying location (ie who used the library).

Similar `control' elements would need to be considered in many situations where the liability of ISPs is in question. In the recent United States decision on the issue, Religious Technology Centre v Netcom (1995) 33 IPR 131 (US District Court - N Dist. Calif.), Whyte DJ held that Netcom's automatic retransmission of Usenet postings to 'neighbouring' Usenet computers was not a direct infringement (ie Netcom was not a primary infringer by reproduction). While it was undisputed that a copy of the message was made on a Netcom computer and held for 11 days, he considered that the question was who made or caused the copying, and concluded that 'Netcom's act of designing or implementing a system that automatically and uniformly creates temporary copies of all data sent through it is not unlike the owner of a copying machine who lets the public make copies with it.'

However, on the question of contributory infringement (closest to our 'authorisation') Whyte DJ held there was a genuine issue to be tried, as two necessary elements were present. 'Knowledge of infringing activity' was present once RTC warned Netcom about the alleged infringing postings[13], and 'substantial participation' was arguable from the automatic reposting facility[14]. It was a genuine issue whether Netcom should be liable for not taking simple measures to prevent damage once it had notice.

This approach taken in Netcom seems similar to Australian law on authorisation, and can give little comfort to Australian internet service providers.

Example - inline images

An interesting example of unique authorisation issues that can arise in cyberspace is the inclusion of an in-line image link in the HTML for a web page, where the image referred to is an image created by someone else and the image file is located on their server in a public_html directory[15].

There are commercial issues: people can view your images without seeing the surrounding advertisements. There are moral rights issues: your image can be displayed in an unintended and possibly offensive context. But are there any real copyright issues?

There must be a primary infringement before there can be authorisation. Providing an inline image link in your HTML does not constitute reproduction of the image, and it is likely that a URL will not itself be protected by copyright[16]. Only the user of your page (arguably) reproduces the image when loading your page by use of their browser software.

Normally, placement of an image in a public_html directory by the owner of the copyright work will constitute an implied licence to users to copy that work (why put it there otherwise?). The real issue this raises is the scope of the implied licence: is it only a licence to users to download the image in its intended context (ie on your page, with advertisements)? If so, the person providing the 'unauthorised link' may be authorising copying outside the scope of the implied licence. However, it seems very unlikely that this 'express' authorisation would be sufficient to overcome the lack of most of the control elements in Moorhouse.

This example typifies those cyberspace issues that arise because access, not reproduction, is the substance of the issue.
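The mechanism this example turns on is the inline image link itself: the page author's HTML names an image held on someone else's server, and it is the reader's browser that fetches and reproduces it. The following Python script is added here as an illustration and is not part of the original paper. It takes a constructed page and sorts its inline image references into those served from the page's own host and those pulled from third-party hosts, which is the first question a site operator or a copyright owner would ask when assessing such links. The page URL, the host names and the image paths are invented for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page for the example. The page URL, the host names and the
# image paths are invented; none of them come from the paper.
PAGE_URL = "http://www.example.edu/~author/paper.html"

SAMPLE_HTML = """
<html><body>
<h1>A page with inline images</h1>
<img src="/images/logo.gif" alt="site logo">
<p>Text with a local image: <img src="images/figure1.gif"></p>
<p>An image created by someone else, served from their server:</p>
<IMG SRC="http://www.other.example/~artist/public_html/photo.jpg">
<img src="//cdn.other.example/banner.gif" />
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="inline data, no host">
</body></html>
"""


class InlineImageCollector(HTMLParser):
    """Collects the src attribute of every <img> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <IMG SRC=...>
        # and <img src=...> are treated alike; <img ... /> also lands here.
        if tag != "img":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def classify_inline_images(page_url, html):
    """Split a page's inline image references into own-host and third-party.

    Returns (own_host, third_party), each a list of absolute URLs. Relative and
    scheme-relative references are resolved against page_url. References with
    no network host (for example data: URLs) are skipped, because the browser
    fetches nothing from any server for them.
    """
    collector = InlineImageCollector()
    collector.feed(html)
    collector.close()

    page_host = (urlsplit(page_url).hostname or "").lower()
    own_host, third_party = [], []
    for src in collector.sources:
        absolute = urljoin(page_url, src)
        host = urlsplit(absolute).hostname
        if host is None:
            continue
        if host.lower() == page_host:
            own_host.append(absolute)
        else:
            third_party.append(absolute)
    return own_host, third_party


if __name__ == "__main__":
    own, foreign = classify_inline_images(PAGE_URL, SAMPLE_HTML)
    print("Served from the page's own host:")
    for url in own:
        print("  ", url)
    print("Fetched by the reader's browser from other hosts:")
    for url in foreign:
        print("  ", url)
```

Run against the constructed page, the script lists two images served from the page's own host and two (the `public_html` photo and the scheme-relative banner) that the reader's browser would request from other hosts. A host comparison of this kind only identifies which links raise the implied-licence question discussed above; it says nothing about whether the copyright owner's implied licence extends to the linking page's context.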

4. Defamation - is everyone liable for everything (III)?

United States courts have taken a fairly robust approach to protecting internet service providers from liability for defamatory material that passes through their servers. In Cubby v Compuserve (1991) 776 F Supp 135, Compuserve carried a 'Journalism Forum' in which the Plaintiff's electronic newsletter was defamed. An independent contractor, Cameron Communications, had contracted to run the Forum according to Compuserve's guidelines, and loaded content without further Compuserve intervention. It was held that Compuserve was in the same category as a news vendor or library, which under US law is the category of innocent dissemination by a secondary publisher, not a common carrier, so Compuserve was not liable.

In the more recent case of Stratton Oakmont, Inc v Prodigy Services Company (1995) Supreme Court, State of New York[17], the ISP (Prodigy) was held liable for published defamations of Stratton Oakmont by Epstein, who it had contracted to be Board Leader for a 'Money Talk' discussion list. Ain J found Prodigy liable principally on the ground that it 'exercised sufficient editorial control ... to render it a publisher with the same responsibilities as a newspaper' (ie not an innocent disseminator like a newsagent). Actions by Prodigy taken into account included (i) it issued content guidelines; (ii) it used a screening program for offensive language; (iii) it used Board Leaders as discussion moderators; and (iv) it had technical means to delete after posting. Prodigy also held itself out to the public as a 'family network' that screened content. Ain J distinguished Cubby on the basis that (a) Prodigy held itself out as exercising control and (b) it did so - but he affirmed that the Cubby rule was generally the correct one.

In Australian defamation law, all ISPs who 'handle' a defamatory message by passing it on will be at risk of being liable for `republishing' the defamation, unless the defence of innocent dissemination applies. The defence requires that the defendant (i) had no actual knowledge of the defamation; (ii) had no reason to believe the material carried was defamatory; and (iii) was not negligent in lacking that knowledge. The defence has usually applied to newsagents, booksellers, libraries and similar 'retail' distributors, but wholesalers or printers have not traditionally been able to rely on the defence.

The only fully argued Australian case to consider the innocent dissemination defence as yet, Thompson v Australian Capital Television (1994) 127 ALR 317, signals dangers for internet service providers. At first instance Gallop J held that the defence was available to a TV station republishing live by relay an interview originally broadcast on another TV station. However a full bench of the Federal Court (Burchett and Ryan JJ, Miles J dissenting) held that the TV station was an original publisher, not a republisher, of a programme that may never have been published in that area before. Policy factors were also in favour of limiting the defence, because of the possibility that overseas originators of defamatory material might be insolvent or could not be sued readily. Even if the defence did apply, the majority was of the view that it had not been made out because it was known that the programme was a current affairs programme, but no precautions were taken to guard against possible defamatory content.

Any ISPs carrying newsgroups or mailing lists dealing with `current affairs' would have to assume there is a risk that no innocent dissemination defence will be available, even in the absence of (i) a reputation for carrying defamations (eg the alt.flame newsgroup) or (ii) actual knowledge (eg failure to remove material from an archive after notice).

A more unusual cyberspace defamation issue has arisen recently, with solicitors for the University of Western Australia claiming that web sites and others who had published the URL of a web site in the USA which contained allegedly defamatory content were themselves liable for republishing that content.

5. `Interception' - is anyone liable for anything (I)?

The implications of the Telecommunications (Interception) Act 1979 (Cth) (the `T(I) Act') have received little attention from those interested in cyberspace. It poses unexpected potential dangers for ISPs, employers and others who may (intentionally or otherwise) monitor, copy or otherwise deal with communications passing through their facilities.

The types of questions that need to be asked include whether any of the following could constitute illegal interception: (i) monitoring or recording any aspects of content of employees' or clients' e-mail, whether sent or received; or (ii) monitoring or recording the caches of pages browsed by any identifiable individuals, whether on a user's PC, or on any intermediate server.

Frances Wood of AUSTEL has argued recently[18] that the whole area of 'participant recording and monitoring' is unclear and based on outdated assumptions, even in relation to telephone monitoring. The same legislation is even murkier when dealing with cyberspace, and it will only be possible to raise some of the issues here.

Prohibited interceptions

The Telecommunications (Interception) Act 1979 prohibits interception of 'a communication passing over a telecommunications system' ( s7 ) with certain exceptions. A `communication' includes 'a message' in 'any ... form or combination of forms' ( s5 ), so data can be intercepted, as can any form of multimedia.

'Interception' of 'a communication passing over a telecommunications system' can be by 'listening to or recording[19] by any means' of the communication 'in its passage over[20] that telecommunications system' ( s6(1) ). The definition of 'telecommunications system' is therefore crucial, as is the question of when has the message finished its `passage over' the system. 'Telecommunications system' is given a very broad definition, to include a `telecommunications network'[21], and specifically 'includes equipment, a line or other facility that is connected to such a network and is within Australia' (all defined as in the Telecommunications Act 1991 (Cth)[22]).

Some implications of these provisions seem to be:

(i) a `telecommunications system' will include all networks irrespective of whether they are within any part of a carrier's network, or even connected to a carrier's network, so LANs and WANs are included;

(ii) `connected' equipment will be part of such a network, certainly including any servers that store e-mail, modems, and arguably even a user's PC[23];

(iii) communications are prohibited from being `intercepted' at any point (until the user's PC at least) unless an exception applies.

Exceptions to interception

Exceptions or defences to otherwise prohibited interception may arise because of consent, because of the Telecommunications (Interception) Act 1979 s6(2), because of s7(2), or because of the existence of a warrant (not discussed here).

Interception is only an offence where it is `without the knowledge of the person making the communication' ( s6(1) ). With a telephone conversation, both parties are `making the communication', so the consent of both is required. However, with asynchronous e-mail, http and similar internet facilities, who is `making' the communication at any given time? Perhaps only the sender of e-mail is so doing, but surely it is both parties when a http request is made and replied to. In either case, the mere consent of an employee or ISP client may be insufficient, so it may be virtually impossible for ISPs, employers etc to protect themselves by obtaining consent. Implied consent by the sender might be present in some cases, but not others.

The s6(2) exceptions to interception only apply where interception is done by equipment which is `part of' a service `provided by a carrier' - and other conditions are satisfied. On its face, this terminology reflects outdated assumptions of carrier monopolies, and seems intended to provide exceptions for, say, PABXs or an extension phone, or possibly various types of `call centre' monitoring[24].

However, in the Telecommunications (Interception) Act 1979 , `carrier' is defined to include `(c) a person who supplies eligible services within the meaning of [the Telecommunications Act 1991] under a class licence issued under section 209 of that Act'. Therefore, the Telecommunications (Interception) Act 1979 s6(2) exceptions would cover those services provided by ISPs or `self provided', if two conditions are met:

(i) The 'service' intercepted has to be an `eligible service'. ISPs will generally have no problem here, but do employers and others who merely provide a mail server or http proxy cache for `themselves' (eg their employees) provide a `service'? Also, this exception will be of no assistance to those such as some employers providing services that only go over a LAN because they are not eligible services[25].

(ii) The equipment used for the monitoring purpose has to be `part of' the `service' provided.

Under s7(2), it is also a defence, relying upon the same extended definition of `carrier', where an interception is (a) an act or thing done by an employee of a carrier in the course of his or her duties for or in connection with: ... (ii) the operation or maintenance of a telecommunications system; ... where it is reasonably necessary for the employee to do that act or thing in order to perform those duties effectively'. This would appear to provide protection in relation to acts done in relation to the `operation or maintenance' of (physical) networks, but whether it provides protection in relation to acts done in relation to the services provided over those networks (such as running http proxy caches) is less certain. Even then, there will be questions of how much monitoring and recording is `reasonably necessary' `for or in connection with ... operation or maintenance' of a service.

Conclusions and consequences

The possible scope of illegal interception is much broader than most ISPs, employers etc would ever imagine, and is ill-defined. It is possible that the s6(2) exceptions may exempt most possible `interceptions' by ISPs, employers etc in relation to e-mail, caches etc, but the application of these defences is likely to prove complex and uncertain.

The dangers to ISPs, employers and others of falling on the wrong side of an interception offence are considerable. Serious criminal offences are involved[26]. Very damaging publicity is likely, as Telstra found to its cost in the `COT Cases'.

However, a more immediate danger is likely to be civil damages claims under the new s107A, which provides that a party to a communication intercepted in contravention of s7 may sue the person who intercepted the communication, or who has communicated or used the information in contravention of s63. A Court can award such relief as it considers appropriate (ss(4), (5)), including awarding damages (ss(7)) and even punitive damages (ss(10))!

6. Privacy - is anyone liable for anything (II)?

It has been well said that `in cyberspace, everyone will be anonymous for 15 minutes'[27]. Most privacy issues that cyberspace will create have probably not been invented yet, but the privacy laws and practices we are now starting to develop will have to deal with them.

6.1. What privacy laws will apply in cyberspace?

At present, the only substantial Australian privacy law is the Privacy Act 1988 (Cth), dealing primarily with the Commonwealth public sector and with credit reporting practices. With no privacy laws to speak of dealing with the private sector, cyberspace is by and large a privacy vacuum in Australia.

The new Federal Coalition government's election policy requires reform of our privacy laws as 'a matter of the utmost priority' and requires 'a consistent Australia-wide approach'[28]. However, it is as vague as the previous Labor policy[29] on how this is to be achieved, simply stating that the Coalition will 'in consultation with the States and Territories, ensure the implementation of a privacy law regime in Australia comparable with best international practice', and that the Federal government will 'work with industry and the states to provide a co-regulatory approach to privacy within the private sector' (Justice Policy). The Online Services Policy says that the Online Government Council will consider 'the merits of a national Privacy Code of Practice, binding both public and private sectors'.

New South Wales Attorney-General, Jeff Shaw, has announced details of a `revolutionary' NSW Privacy and Data Protection Bill 1996 which he says will be soon introduced[30]. If enacted as promised, the NSW move will take the initiative from the Federal Government in setting privacy standards in the private sector in Australia, and will force a reaction from other Australian governments. It will also set the standard for privacy protection in the State and Territory public sectors. The new privacy law will be administered by a new NSW human rights Commission, which will merge the existing NSW Privacy Committee with the Anti-Discrimination Board, and will be headed by Mr Chris Puplick. The Bill has not yet been released, and not all details have yet been finally approved by Cabinet.

Data Protection Principles would apply directly to NSW government agencies, but could be modified for specific public sector bodies by regulations. Insofar as the private sector is concerned, the procedure would be different in that no enforceable principles would apply until the Commissioner drew up Codes of Conduct applying to various parts of the private sector. These Codes would be issued by means of regulations. The Commissioner would normally draw up such Codes in consultation with representative private sector bodies, but a Code could be imposed on a sector that was dragging its feet.

6.2. New privacy issues in cyberspace

The following are just a couple of cyberspace privacy problems that have been topical during the first few months of 1996.

Search engines and robot exclusion standards

One of the most difficult privacy problems of the internet is the power of search engines. One of the main protectors of privacy on the internet, as elsewhere, was inefficiency - that it was very difficult to find anything unless someone told you where it was[31]. This changed somewhat with comprehensive indexes of internet sites like Yahoo[32], but has gone forever with the release in December 1995 of DEC's Alta Vista search engine[33]. John Hilvert explains the travails of one user of the Alta Vista search engine[34]:

When Internet user Ed Chilton heard about the hot new search engine, Alta Vista, from Digital Equipment Corporation (DEC), he had to try it out. Alta Vista was introduced as a free service back in December last year to show-case DEC's ability to handle the Internet, no matter how it scaled. Using high end DEC Alpha systems and sophisticated software, Alta Vista gobbles and disgorges in a very accessible way, the entire catalogue of some 22 million web pages (11 billion words) and about the last two months of the content of 13,000 news groups. It handles 5 million search requests a day.

Impressed with Alta Vista's remarkable speed, Chilton tried Alta Vista on the news groups and was sickened. ``What I found with the newsgroups, using my name or email address as search parameters, was a copy of almost every post I've made to Usenet newsgroups since the first week in January,'' he wrote on 6 March. ``That includes my posts to these two newsgroups, and all rejoinders from anyone here who included my name in his or her reply. Make out of that what you wish. My reaction to it is somewhere between disgust and fury.''

Chilton said it was an important feature of newsgroups that users get to know each other's themes, axes to grind, and pet peeves. ``What I do not expect is that the newsgroup clubhouse is bugged, and that what is said there, by any of us, will be recorded and made available to any person on the Internet, for whatever reason persons might have.'' Chilton said DEC's Usenet search engine should be banned and its developers publicly brought to their knees.

The irony of all this is: I came across Chilton's privacy lament using the Alta Vista search engine.

Alta Vista uses robots (also known as spiders or webcrawlers)[35] to trawl the internet, creating complete word occurrence indexes of every web page and every item posted to every News group that it is allowed to access. As a result it is now possible to search for any occurrence of a name or phrase occurring anywhere in the text of any web page, or in any News posting.

As Mr Chilton lamented, the privacy issue here is that, although you must technically make such information available to all on the internet (either by posting it to a newsgroup or putting it in a public_html directory) before robots can index it, you do not necessarily expect that it will be read by anyone outside those with whom you have some common experience, or the information used for purposes completely outside the intended purposes for which it was provided. For example, those involved in creating web pages, or involved in newsgroup discussions, concerning (say) gay and lesbian issues or issues relating to minority religious groups, could find that information about them was being systematically compiled and disseminated so as to harm them. Those who once valued the net as an escape from the values of small communities may find there is no longer any escape except behind barricades of secret communications.

Should there be some privacy right not to be indexed? It is a difficult issue which involves freedom of speech and freedom of the press considerations in a new context, and any legislative intervention could be dangerous indeed.

There is a very significant customary limitation on the operation of robots, which at present provides part of the answer to the privacy problems here. The Robot Exclusion Standard[36] is not an official internet standard but rather `a common facility the majority of robot authors offer the WWW community to protect WWW server against unwanted accesses by their robots'. The Standard allows a server administrator to define which parts of a web site are allowed to be indexed by robots[37], but its designers recognise that this has its limitations for privacy protection:

A possible drawback of this single-file approach is that only a server administrator can maintain such a list, not the individual document maintainers on the server. This can be resolved by a local process to construct the single file from a number of others, but if, or how, this is done is outside of the scope of this document.

If there was a change to the html mark-up standard so that pages could contain information in their header that excluded robot indexing on a page-by-page basis, then such a technical solution would largely solve the problem - provided all robots obeyed the Robot Exclusion Standard. This would in effect be an `opt out' solution to the problem.
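The following Python, added here as an illustration and not part of the original paper or of the Standard's own text, shows how a robot would combine the two layers just described: the server-wide robots.txt file that the Standard already provides, and a per-page marker in the page header of the kind suggested above. The robots.txt contents, the robot names and the sample page are constructed for the example; the `<meta name="robots" content="noindex">' form used for the page-level marker is a later convention assumed here, not something the paper describes.

```python
"""Robot exclusion in two layers: the server-wide /robots.txt of the Robot
Exclusion Standard and a per-page marker. Added illustration; the robots.txt,
the robot names and the sample page below are constructed, not from any site."""
import re

# Constructed sample /robots.txt: '*' is the default record; a named record
# applies to any robot whose name contains that token (case-insensitively).
ROBOTS_TXT = """\
# Keep robots out of personal home directories and the list archive
User-agent: *
Disallow: /~
Disallow: /mail-archive/

User-agent: ArchiveBot
Disallow: /
"""

# Constructed sample page carrying the per-page opt-out in its header
# (the meta tag form is an assumption, not from the paper).
SAMPLE_PAGE = """<html><head><title>Private notes</title>
<meta name="robots" content="noindex, nofollow"></head><body>...</body></html>"""

def parse_robots_txt(text):
    """Return {agent_token_lower: [disallowed path prefixes]}. Records are
    separated by blank lines, '#' starts a comment, and an empty Disallow
    value disallows nothing."""
    rules, agents = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            agents = []                      # blank line ends the record
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            agents.append(value.lower())
            rules.setdefault(value.lower(), [])
        elif field == "disallow" and agents and value:
            for a in agents:
                rules[a].append(value)
    return rules

def robots_txt_allows(rules, user_agent, path):
    """Server-wide layer: the record naming this robot wins, else '*'."""
    ua = user_agent.lower()
    record = next((rules[a] for a in rules if a != "*" and a in ua), None)
    if record is None:
        record = rules.get("*", [])
    return not any(path.startswith(prefix) for prefix in record)

META_ROBOTS = re.compile(
    r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']', re.I)

def page_allows_indexing(html):
    """Per-page layer, under the document author's control rather than the
    server administrator's."""
    m = META_ROBOTS.search(html)
    if not m:
        return True
    directives = {d.strip().lower() for d in m.group(1).split(",")}
    return not ({"noindex", "none"} & directives)

def may_index(rules, user_agent, path, html):
    """Both layers must permit indexing; either one can opt the page out."""
    return robots_txt_allows(rules, user_agent, path) and page_allows_indexing(html)

if __name__ == "__main__":
    rules = parse_robots_txt(ROBOTS_TXT)
    for ua, path in [("IndexBot/1.0", "/~ed/diary.html"),
                     ("IndexBot/1.0", "/papers/cyberlaw.html"),
                     ("ArchiveBot/2.0", "/papers/cyberlaw.html")]:
        print(ua, path, may_index(rules, ua, path, "<html></html>"))
    print("noindex page:", may_index(rules, "IndexBot/1.0", "/notes.html", SAMPLE_PAGE))
```

Both layers are honoured only by a robot that chooses to honour them; neither the file nor the page marker stops a robot that ignores the convention, which is the limit of any `opt out' approach.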

Between you and your browser

Users of the world-wide-web sometimes thought that the fact that they did not have to enter their names or other details in order to access web pages meant that there was a high degree of privacy in the use of the web - that it was virtually anonymous. Few people who read newspapers would be likely to believe that any longer, but it is still worth cataloguing some of the information that your browser typically reveals about you.

With most web browsing software, such as Netscape or Microsoft Explorer, any request to a web site discloses to the web server accessed[38]:

* the network identity of the machine you use to access the web (both its IP address and, if desired, a domain name look-up), thereby identifying geographically where the user has come from and (for single user machines) what is effectively the identity of the person browsing;

* the browser software used by you, and the operating system of the browser's host;

* the URL of the web page you immediately previously accessed (or other resource such as an ftp site) - the `HTTP_REFERER';

* `cookies' - information stored by the server on the host[39] used by you, such as a list of previously accessed web pages, or transactional information generated while accessing those web pages (eg what you bought on all the web pages for one store); however, the browser returns a cookie only to the server (or domain of servers) that set it, and the web site accessed can make sense of it only because it knows the storage format within the `cookie'[40].

Current browsers don't allow these disclosure mechanisms to be turned off, although it is not obvious why users could not be given the option to turn off any other than the first one listed. Commenting on cookies, but with comments equally applicable to other forms of disclosure, Marc Rotenberg identifies the privacy issue as `data collection practices should be fully visible to the individual ... Any feature which results in the collection of personally identifiable information should be made known prior to operation and ... the individual should retain the ability to disengage the feature if he or she so chooses.'[41]
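The following Python, added as an illustration and not taken from the paper or from any browser's code, parses a constructed HTTP request as a web server (or a proxy on the path) receives it and extracts the four items listed above; it then shows the browser-side rule that a cookie is returned only to the domain and path that stored it, so one store cannot read another's. The request, the peer address, the host names and the cookie jar are all constructed samples.

```python
"""What one request discloses to the server (or to a proxy on the path), and
which stored cookies the browser sends back. Added illustration; the request,
peer address, host names and cookie jar are constructed samples."""
from dataclasses import dataclass, field

# Constructed: a request roughly as a 1996 browser would send it, plus the
# TCP peer address the server sees. 203.0.113.0/24 is a documentation range.
PEER = ("203.0.113.45", 1031)
RAW_REQUEST = (
    b"GET /papers/cyberlaw.html HTTP/1.0\r\n"
    b"Host: www.example.edu.au\r\n"
    b"User-Agent: Mozilla/3.0 (X11; I; SunOS 5.5 sun4m)\r\n"
    b"Referer: http://search.example/query?q=interception+act\r\n"
    b"Cookie: session=8f2e1c; last_visit=19960705\r\n"
    b"\r\n"
)

@dataclass
class Disclosure:
    client_ip: str        # network identity; a reverse look-up would add a name
    method: str
    path: str
    user_agent: str       # browser software and host operating system
    referer: str          # the page viewed just before, query string included
    cookies: dict = field(default_factory=dict)

def parse_request(raw, peer):
    """Extract the items a server learns from a single request."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        if "=" in pair:
            k, v = pair.split("=", 1)
            cookies[k.strip()] = v.strip()
    return Disclosure(peer[0], method, path, headers.get("user-agent", ""),
                      headers.get("referer", ""), cookies)

@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str   # ".shop.example" covers every host under shop.example
    path: str     # only requests under this path carry the cookie

def domain_matches(host, cookie_domain):
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if cookie_domain.startswith("."):
        return host.endswith(cookie_domain) or host == cookie_domain[1:]
    return host == cookie_domain

def cookies_to_send(jar, host, path):
    """Browser-side rule: a cookie goes back only to the domain and path that
    stored it, so a site sees its own cookies and no one else's."""
    return {c.name: c.value for c in jar
            if domain_matches(host, c.domain) and path.startswith(c.path)}

# Constructed cookie jar as a browser might hold it after visiting two sites.
JAR = [
    StoredCookie("cart", "item42", ".shop.example", "/"),
    StoredCookie("session", "8f2e1c", "www.example.edu.au", "/papers"),
]

if __name__ == "__main__":
    print(parse_request(RAW_REQUEST, PEER))
    for host, path in [("www.shop.example", "/checkout"),
                       ("www.example.edu.au", "/papers/cyberlaw.html"),
                       ("www.example.edu.au", "/"),
                       ("other.example", "/")]:
        print(host, path, cookies_to_send(JAR, host, path))
```

Note that the Referer line carries the whole previous URL, including any search query typed into a search engine, and that a proxy cache between the browser and the server sees exactly the same request.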

Another area where web users may have little awareness of who is capable of finding out details of their browsing habits arises from the use of proxy servers and proxy caches. An internet service provider (ISP), in order to conserve bandwidth and costs, caches pages accessed by its users, so that subsequent users receive copies of the page from the ISP's cache rather than from the `original' site. However, this means that an ISP which is potentially local to the user - and with whom the user is a client - can record information about the user's browsing habits which the user would rather have known only by a server on the other side of the world. There are many other aspects of monitoring of network usage that also raise privacy issues.

6.3. New Privacy Principles for cyberspace?

John Perry Barlow once described what he regarded as a European predilection for relying on governments to protect privacy by laws and codes as `like having a peeping Tom install your window blinds'[42]. I will nevertheless suggest a brief shopping list of some candidates as potential Privacy Principles (or elaborations of existing Principles) which may be needed in cyberspace and the future. It would take a lot more than this paper to examine or justify these possibilities.

A right not to be indexed? - Technical extensions to the Robot Exclusion Standard might make this customary `right' able to be exercised by individuals, not just server administrators, but if a `rogue' robot indexer ignored the standard[43], should there be any legal right not to be indexed?

A right to effectively encrypt communications - This right is not included in existing Privacy Principles, but various privacy rights relating to communications now need to be included.

A right to fair treatment in Public Key Infrastructures - Unfair exclusion from PKIs will prejudice a person's ability to protect their privacy.

A right to anonymous and pseudonymous transactions - Physical and virtual transaction structures should be required to give the option of anonymous transactions, wherever reasonable.

A right to human checking of adverse automated decisions, and to understand them - These rights are already present in the EU Directive, deriving largely from French law.

A right not to be disadvantaged by exercise of basic privacy principles

Exercise of privacy rights is part of ordinary organisational running costs.

7. Encryption - our cryptic policy

Cyberspace is a virtual place littered with `Superhighway - under construction' signs, large holes, and people with hard hats carrying plans marked `Standards', `Public Key Infrastructure', `key escrow' and the like. Meanwhile, many of the natives have been building increasingly elaborate shanties out of stuff called encryption. The planners like the local materials, but have other ideas for the site ...

7.1. Cryptography changes everything

The importance of public key (or asymmetric) encryption to the construction of cyberspace can scarcely be overstated. The discovery that different keys (numbers) could be used to encrypt and decrypt a message, and that the private key could not feasibly be derived from the public one even when the encryption algorithm was fully known, may be one of the most significant developments in the history of communications.

The technologies that public key cryptography has made possible are essential for the confidentiality and privacy of internet communications; for the guaranteed authenticity of messages through digital signatures; for the `crypto bottling' of intellectual property `super-distribution' systems[44]; for secure credit card transactions; and for the additional privacy advantages of electronic cash. Cryptography has long been described as the walls and ceilings out of which cyberspace is being built[45], and now it is often said that `cryptography changes everything'.

It is rare that a single technology plays such a major role in the development of public policy in so many areas. A great deal of the attention of government officials and official standards bodies is being turned to getting the policy and legal settings right for encryption technologies, mainly because they are perceived to be, at the same time, the key to competitive advantage in electronic commerce, and a threat to law enforcement and revenue collection. Privacy advocates, on the other hand, see the general availability of 'strong' encryption (ie in practice uncrackable by governments or anyone else) as offering the essential 'privacy enhancing technology' (PET) in relation to telecommunications and the internet.

The legal framework within which encryption technologies will operate is perhaps the single most important privacy issue of the moment[46].

7.2. The international debate

Australia moves centre-stage in encryption debates

In February 1996 Australia and the OECD jointly hosted a Conference on Security, Privacy and Intellectual Property Protection in the Global Information Infrastructure. The Conference was notable not so much for the written papers[47] as for the preoccupation of attendees with the development of encryption policies, and increasingly lively debates on the Conference floor[48].

Norman Raeburn, Deputy Secretary of Australia's Attorney-General's Department, was elected as the Chairman of the OECD's Group of Experts on Security, Privacy and Intellectual Property on the GII. It was previously an ad hoc committee when chaired by Justice Michael Kirby to produce the OECD's privacy and security Guidelines, but it has now been given 'permanent' status. The Group of Experts reports to the Committee for Information, Computing and Communications Policy (ICCP) of the OECD. This OECD structure seems to be emerging as the main forum for international negotiation of cryptography policy (at least outside Europe), so Australia has obtained an influential position in the developing international debate.

OECD forging crypto consensus?

In relation to crypto policy, the main action is occurring at the meetings of the Ad Hoc Group of Experts on Cryptography Policy Guidelines (the `Crypto-Experts Group'), which is supposed to report to the broader Group of Experts mentioned above. The most recent meeting was in Washington on 8 May, and the next is in Paris on 26-27 June. At the 8 May meeting, a number of sets of draft Guidelines were discussed, including one deriving from a December 1995 meeting of the Crypto-Experts Group, and one prepared jointly by the ICC (International Chamber of Commerce) and BIAC (the OECD's Business and Industry Advisory Council). The ICC/BIAC draft was the subject of considerable discussion.

Some of the issues under discussion by the Crypto-Experts Group include whether there should be any national limitations on the export of products that are in fact widely available internationally; whether governments should insist that any keys be held within their borders; whether there should be any requirements at all that private keys be held in escrow by any third parties; and whether it is sufficient to protect governmental interests that governments be able to obtain warrants to obtain private keys in order to decrypt texts. The breadth of the issues under discussion indicates that no one view yet predominates.

The Electronic Privacy Information Centre (EPIC), analysing the OECD developments, concludes that it is unlikely that the Expert Group will agree in the near future to an international encryption policy based on key escrow. However, the US Government is continuing to push such an approach, as noted below.

Australian Government policy

The Coalition parties' election policy, On-line Services Policy[49], concludes that: `Heavy-handed attempts to ban strong encryption techniques will compromise commercial security, discouraging online service industries (particularly in the financial sector) from adopting Australia as a domicile. This would result in a substantial economic loss to the country'. It says that `the onus is on security agencies to demonstrate that the benefits of mandating "crackable" codes (as has been attempted in the USA with the "Clipper" chip technology) outweigh the social and economic consequences of the loss of personal privacy and commercial security that this would entail.' This is a strong pro-privacy election statement, but it remains to be seen how it translates into policies now that the Coalition is in government. It shouldn't be forgotten that Federal Cabinet's 1990 decision that `all public telecommunications services should be capable of being intercepted for law enforcement and national security purposes'[50] still stands.

The issue of the unconstrained availability of strong encryption has been the issue which has attracted most public attention, particularly in the USA. It seems far less an issue in countries like Australia, or in Canada[51].

The USA holds out

The US administration, despite abandoning its `Clipper chip' proposal, is still maintaining its export ban on strong cryptography, and is actively developing new proposals which use export prohibitions as the stick with which to force US companies to only release software which requires private keys to be placed in approved escrow arrangements, both internationally and within the USA, as a condition of obtaining export permissions.

The new Key Management Infrastructure (KMI) proposals[52] - also dubbed `Clipper III' - have a vital bearing on international developments, because the US proposal is that US software exports with strong encryption would only be permitted to countries which have government-to-government key escrow arrangements with the USA. As EPIC puts it, KMI is proposed as `a worldwide standard for network communication'. Whether Australia, New Zealand and Canada hold out against US pressures to introduce key escrow schemes is likely to be significant.

7.3. Public key infrastructure

The availability of strong encryption is only one important encryption issue. Public key encryption is not effective unless there is a ready means for anyone to obtain the public key of any other person from whom they may receive a message (or alternatively, for the sender to readily obtain the public key of anyone to whom they wish to send a confidential message). As a result, various types of structures are being proposed for the certification and distribution of public keys, to be used either for the purpose of encryption/decryption or for authentication of digital signatures, or both. `Public key infrastructure' (PKI) or `certification authority' proposals can cover an enormous range of possibilities, from the most centralised government-controlled registers to very decentralised approaches.

Standards Australia has released a new draft standard for a `public key authentication framework' for Australia (DR 96078).

The bottom-line privacy issue in all of these proposals is that they will create identification registers which will play an important role in our future society. Certification authorities will have to hold acceptably strong evidence of identification, so as to certify that a particular physical/legal person is to be identified with a particular public key. Any methods of excluding a person from such registers could prejudice their participation in cyberspace, and therefore have significant privacy implications. Issues relating to the extent of central control of such registers, and any potential for abuse, are likely to be important.
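The following Python, added as a worked illustration and not code from the paper, from Standards Australia or from any PKI, makes concrete the two claims of 7.1 (that distinct keys encrypt and decrypt, with the private key not feasibly derived from the public one, and that the same key pair yields digital signatures) and the certification step of 7.3 (a certifying authority signs the binding between a name and a public key, and a relying party checks that signature rather than re-examining the subject's evidence of identity). It uses schoolbook RSA without padding, which is enough to show the ideas but not fit for real use; the names, the certificate layout and the key sizes are assumptions made for the example.

```python
"""Textbook RSA plus a certifying authority. Added illustration, not the paper's
own code. Schoolbook RSA without padding is used only to show the ideas; it is
not fit for real use. Names, certificate layout and key sizes are assumptions."""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test: trial division first, then `rounds' random witnesses."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # composite for certain
    return True

def random_prime(bits):
    """Random odd number of exactly `bits' bits, retried until probably prime."""
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n

def generate_keypair(bits=1024):
    """Return ((n, e), (n, d)): the public key and the private key.
    d is e's inverse mod (p-1)(q-1); recovering it from (n, e) requires
    factoring n, so the private key stays private even though the
    algorithm, n and e are all public."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

def encrypt(pub, m):            # anyone holding the public key can encrypt ...
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):           # ... but only the private key undoes it
    n, d = priv
    return pow(c, d, n)

def _digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(priv, message):        # signing is the private-key operation
    n, d = priv
    return pow(_digest(message), d, n)

def verify(pub, message, sig):  # verification needs only the public key
    n, e = pub
    return pow(sig, e, n) == _digest(message)

def issue_certificate(ca_priv, subject_name, subject_pub):
    """The CA, having checked evidence of identity out of band, signs the
    binding `this name <-> this public key'."""
    n, e = subject_pub
    body = f"{subject_name}|{n}|{e}".encode()
    return {"subject": subject_name, "pub": subject_pub, "sig": sign(ca_priv, body)}

def verify_certificate(ca_pub, cert):
    """A relying party who trusts the CA's key checks the CA's signature,
    not the subject's identity documents."""
    n, e = cert["pub"]
    return verify(ca_pub, f"{cert['subject']}|{n}|{e}".encode(), cert["sig"])

def demo():
    ca_pub, ca_priv = generate_keypair()
    alice_pub, alice_priv = generate_keypair()
    cert = issue_certificate(ca_priv, "Alice Example", alice_pub)   # constructed name
    msg = b"confidential: meet at 10"
    c = encrypt(alice_pub, int.from_bytes(msg, "big"))
    recovered = decrypt(alice_priv, c).to_bytes(len(msg), "big")
    sig = sign(alice_priv, msg)
    forged = dict(cert, subject="Mallory")     # same key, different claimed identity
    return {
        "cert_ok": verify_certificate(ca_pub, cert),
        "forged_cert_ok": verify_certificate(ca_pub, forged),
        "decrypted": recovered,
        "sig_ok": verify(alice_pub, msg, sig),
        "tampered_ok": verify(alice_pub, msg + b"!", sig),
    }

if __name__ == "__main__":
    print(demo())
```

The last two checks are the point of the PKI discussion: the relying party never meets Alice, and everything it trusts about the binding of her name to her key rests on the CA's signature and on the CA's own identification practices, which is why exclusion from, or abuse of, such a register matters.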