[The views expressed in this document are Mr Auer's personal opinions and do not necessarily represent the opinions of any other person or organisation.]
The volume of information handled by the global online community is enormous. The amount handled by just a single system is too large to be effectively inspected. Even if the volume permitted inspection of all items, privacy issues and commercial interests would pose major obstacles to actually doing so.
Powerful encryption technology, available on the cheapest of small computers, can render any communication impervious to inspection. Encrypted messages can be embedded in other messages easily, so that even the fact of encryption may be hidden.
For these reasons, it is not feasible to demand of online service providers that they take responsibility for the content of material passing through their systems. If protection for carriers is not embodied in any regulatory scheme, many online service providers will cease trading for fear of prosecution, knowing that they cannot protect themselves. By analogy, imagine making service station proprietors responsible for the content of customers' vehicles.
However, people who originate material (either by creating the material in the first place or by deliberately disseminating it) can be held responsible. Many service providers are both carriers and originators, in which case their responsibility should extend only to material they originate.
Self-regulation, and especially a legislatively condoned code of practice, is unlikely to work. Firstly, the industry is eclectic. Secondly, the resources that service providers can commit to mandated procedures will vary widely. Thirdly, there are very few measures that service providers can reasonably take to prevent the existence of restricted or objectionable material. The few avenues open for limiting access can easily be legislated for.
Recommendations
Define and protect carriage of information as distinct from the
deliberate and knowing dissemination of information. If this is
done, the proposed legislation will be adequate to achieve its
objectives without complex and contentious codes of practice.
Suggested phrasing is provided in this document.
The distinction between originator and carrier
A clear distinction must be drawn between the originator
of material and a carrier of material.
A carrier forwards material without specific awareness of its nature or content, much as a Post Office forwards postal items.
An originator has a specific awareness of the nature and content of an item, and transmits it knowingly either to another person or to a place or system from which others can obtain it.
Many of the services provided by online service providers are highly automated, the operator having little or no knowledge about individual items processed. A case in point is electronic mail; this service is typically completely automated and the operator has no specific knowledge of the content of the messages being carried from one user to another. In the case of electronic mail and similar automated services, the service provider is a carrier.
Many online service providers also provide some information themselves - "content". They may provide files for users to download, or they may run a World Wide Web server, for example. In these cases, although the mechanisms for providing the information are automated, the service provider is clearly specifically aware of the nature and content of the information he or she is making available and therefore is the originator of the information.
The term "originator" should not be taken to mean necessarily
the creator of information.
Volume of material
The volume of information currently available via the various
global networks is enormous.
The static information on the Internet, for example, consists of files available for download and information such as databases and World Wide Web pages. The transient information consists of material such as electronic mail and newsgroup articles. However, even the static information changes often, as Web pages are updated, for example.
Internet newsgroups generate between 400 and 1000 megabytes of new material per week (it is very difficult to estimate accurately as the volume fluctuates wildly). This represents many hundreds of thousands of separate news articles. This information is copied and recopied worldwide until all Internet systems have copies of the subsets they "subscribe" to.
Even on a standalone system (such as a BBS not connected to any other) the volume of electronic mail messages between users could easily amount to many hundreds of separate items per day.
Quite apart from the privacy issues, clearly the volume of information is far too great to permit inspection by service providers of even a significant sample.
Even were it physically possible to inspect every item passing through an online system, the existence of powerful encryption techniques allows any originator to unbreakably mask any desired item.
For these reasons it is not appropriate to impose responsibility
on a carrier for the content of what is carried, because no carrier
can in practice comply. However, it is entirely possible and practical
for an originator to be required to take responsibility
for the information that he or she transmits. It is here that
legislators should concentrate their efforts.
Encryption
Powerful encryption technology is available to anyone with a cheap
personal computer. The required software is available in any number
of free packages and many commercial ones. This combination can
swiftly and simply render any communication unreadable by any
person without the key to decrypt it.
There are also several techniques for embedding a message (possibly also encrypted) into another, innocent message. Thus encrypted messages may be made impossible to detect if sent and they may be made impossible to decrypt if detected. Any criminal who was serious about concealment would certainly use both techniques.
Most use of encryption is for perfectly legitimate purposes. Encryption is routinely used in business to protect confidential information passing over unsecure networks. Military information is commonly encrypted. Ordinary citizens concerned about privacy also routinely encrypt electronic mail and other personal communications.
Any law requiring a service provider to be responsible for the content of material stored on his or her systems (however briefly, as in email) would by extension require the service provider to inspect all (or a significant number of) items. He or she would have to be able to detect and to decrypt encrypted messages in order to determine their acceptability. The technology is such that this would not be possible.
At two points - the point where a message or other item is encrypted and the point at which it is decrypted - encrypted items are available "in clear". It is at these points that legislative effort should be brought to bear. Again, neither of these points involves the carrier (unless the carrier happens to also be the originator or final recipient of the item).
The global nature of the Internet
The Internet is the world's largest online system and the archetypal
global network. There are nodes of the Internet in virtually every
country in the world - a total of about 4 million connected systems.
The information flowing between those systems and in and out of Australia is voluminous and widely varied. Certainly some of the material is by our standards objectionable and some is illegal by Australian law.
Much of the material arriving from overseas is in Usenet newsgroups. While these are to some extent classified by subject matter, there is nothing to prevent a person from placing an article about one subject in a newsgroup devoted to another subject. In fact, "raids" by the online equivalent of hecklers are quite common, taking the form of inappropriate postings to newsgroups. Nor are the classifications particularly indicative of the actual nature of the articles within them.
Once material has arrived, there is no way to prevent possible further dissemination of objectionable material without inspecting all the material - which for reasons already given is not a practical approach.
To take another example, many online service providers run a World Wide Web server. While some material may be stored on the provider's system with the explicit knowledge of the provider, a large part of a Web server's function is to form links across the Internet to other Web sites. The information from these other Web sites is then retrieved at the users' request. To conserve bandwidth, many providers cache (store) retrieved pages on their own disks in order to avoid having to transfer them repeatedly, since many different users may request the same Web page. This process is completely automatic - the provider has no knowledge of what pages may be stored, and the set of stored pages changes every second.
In short, there is no way to absolutely preclude the arrival of
objectionable material without rejecting all of it. Since the
material includes great quantities of valuable cultural and technical
information, this is hardly acceptable.
Issues with "code of practice"
If the changes suggested elsewhere in this document are made to
the proposed legislation, there will be no need for self-regulation
and no need for a code of practice. However, for the sake of completeness
several difficulties with the idea of a "code of practice"
for online service providers should be pointed out:
The resources available to a large online service provider are very different to the resources available to a small, possibly amateur online service provider. The concept of a "reasonable step" is thus fraught with difficulty - something "reasonable" for a large operator might be completely beyond the ability of a smaller provider.
Whether for a large or a small online service provider, inspection of all or even a significant subset of items being carried is not possible. There simply are no reasonable steps that it is possible to take to detect the presence of objectionable material in a systematic way.
In terms of achieving the stated objectives of the regulatory regime, a code of practice would have limited powers. The few steps that can be taken by an online service provider towards those objectives can be simply and effectively legislated for.
The creation of a code of practice, given the vigorous and eclectic nature of the online community, is likely to be a major and time-consuming operation. Because larger operators are in general better organised and more structured, there is a very serious risk that the wishes of the larger service providers will take precedence over the wishes of the smaller service providers, resulting in a code of practice that disadvantages smaller operators.
If the offence provisions are enacted prior to the code of practice being completed there is a risk that the offence provisions might be used prematurely.
The definition does not include the provision of network access, where there is no stored information. This leaves the possibility open that a service provider providing network access may be accused of "transmitting" material simply because it passed through the service provider's systems, even though it was not stored there.
The definition of "online information service" does not cover the provision of network access. In such a case, the access provider is providing only the connection to the network - all information is coming from a storage site not owned or operated by the access provider.
There appears to be a risk with the proposed definitions and provisions that information coming from the storage site via the provider's site might be seen as being transmitted from the access provider's site.
A similar interpretation might be possible with the very common practice of "caching" information coming from remote sites (storing it temporarily). If these interpretations are possible, they should be specifically negated in the legislation, as the access provider cannot reasonably exercise control in these situations.
Commentary
The Commentary mentions that breaches by users of undertakings not to post certain types of material or to post material inappropriately might form a defence for the operator of a service if the breaches resulted in charges against the operator. It would be good to see that specific defence embodied in the legislation.
Section 1
Section 1 is acceptable, because it focuses on the originator.
Section 2
It would seem in Section 2(2)(a) that any breach, however small, of the currently applicable code of practice would remove the defence sought! Also, it is not clear whether (a) AND (b) are required to form a defence or if EITHER (a) OR (b) is required.
Section 2 makes no distinction between carrying material and originating material. Such a distinction is crucial, because there is no practical way (i.e., no "reasonable steps") that can prevent the carriage of objectionable material other than disconnection from most network services. Originating material is, however, a conscious and deliberate act and thus should attract responsibility. The addition of a fourth defence along the following lines would make the distinction clear and make this section acceptable:
"(d) the material was made available by the defendant in the course of normal activity such that the material in question was made available without the defendant being aware of its objectionable nature."
Note that the addition of (d) makes (a) redundant and removes the need for a code of practice.
Sections 3, 4 and 5
As for sections 1 and 2, there needs to be specific protection in Section 5 for carriers to cover the situation where a normally acceptable information source being made available (possibly by automated systems) proves unexpectedly to contain restricted or objectionable material. Perhaps a Section 5(3)(c) along the following lines:
"(c) the material was made available by the defendant in the course of normal activity such that the material in question was made available without the defendant being aware of its objectionable nature."
There should also be a defence that the defendant was unaware that the recipient was under age for the information being transmitted or made available. A defence might be that the defendant had believed in good faith (or perhaps had made a good faith effort to establish) that the person was an appropriate person to receive the restricted material. It is unclear whether Section 5(3)(b) already supplies that defence.
Mr Auer also holds the voluntary position of Project Manager for the Internet Project, an online information service set up by the PC Users Group (ACT) Incorporated and the Australian Unix Users Group (Canberra Chapter) to provide Internet access to their members.
Mr Auer is the Immediate Past President of the PC Users Group (ACT) Incorporated, and recently presented on their behalf a submission to the Senate Select Committee on community standards relevant to the supply of services utilising electronic technologies.
Mr Auer can be reached at kauer@biplane.com.au.