Response to the Attorney-General's
Consultation Paper on the
Regulation of Online Information Systems
7 July 1995

by Karl Auer 1 September 1995

[The views expressed in this document are Mr Auer's personal opinions and do not necessarily represent the opinions of any other person or organisation.]

© Copyright 1995 Karl Auer. All rights reserved.


Executive Summary

[back to Contents]
This document outlines some of the basic problems that the online community poses for regulation and law enforcement. It also describes the effect that some approaches to regulation might have on the emerging Australian information industry.

The volume of information handled by the global online community is enormous. The amount handled by just a single system is too large to be effectively inspected. Even if the volume permitted inspection of all items, privacy issues and commercial interests would pose major obstacles to actually doing so.

Powerful encryption technology, available on the cheapest of small computers, can render any communication impervious to inspection. Encrypted messages can be embedded in other messages easily, so that even the fact of encryption may be hidden.

For these reasons, it is not feasible to demand of online service providers that they take responsibility for the content of material passing through their systems. If protection for carriers is not embodied in any regulatory scheme, many online service providers will cease trading for fear of prosecution, knowing that they cannot protect themselves. By analogy, imagine making service station proprietors responsible for the content of customers' vehicles.

However, people who originate material (either by creating the material in the first place or by deliberately disseminating it) can be held responsible. Many service providers are both carriers and originators, in which case their responsibility should extend only to material they originate.

Self-regulation, and especially a legislatively condoned code of practice, is unlikely to work. Firstly, the industry is eclectic. Secondly, the resources that service providers can commit to mandated procedures will vary widely. Thirdly, there are very few measures that service providers can reasonably take to prevent the existence of restricted or objectionable material. The few avenues open for limiting access can easily be legislated for.


Define and protect carriage of information as distinct from the deliberate and knowing dissemination of information. If this is done, the proposed legislation will be adequate to achieve its objectives without complex and contentious codes of practice. Suggested phrasing is provided in this document.

The distinction between originator and carrier

[back to Contents]
A clear distinction must be drawn between the originator of material and a carrier of material.

A carrier forwards material without specific awareness of its nature or content, much as a Post Office forwards postal items.

An originator has a specific awareness of the nature and content of an item, and transmits it knowingly either to another person or to a place or system from which others can obtain it.

Many of the services provided by online service providers are highly automated, the operator having little or no knowledge about individual items processed. A case in point is electronic mail; this service is typically completely automated and the operator has no specific knowledge of the content of the messages being carried from one user to another. In the case of electronic mail and similar automated services, the service provider is a carrier.

Many online service providers also provide some information themselves - "content". They may provide files for users to download, or they may run a World Wide Web server for example. In these cases, although the mechanisms for providing the information are automated, the service provider is clearly specifically aware of the nature and content of the information he or she is making available and therefore is the originator of the information.

The term "originator" should not be taken to mean necessarily the creator of information.

Volume of material

[back to Contents]
The volume of information currently available via the various global networks is enormous.

The static information on the Internet, for example, consists of files available for download and information such as databases and World Wide Web pages. The transient information consists of material such as electronic mail and newsgroup articles. However, even the static information changes often; as Web pages are updated, for example.

Internet newsgroups generate between 400 and 1000 megabytes of new material per week (it is very difficult to estimate accurately as the volume fluctuates wildly). This represents many hundreds of thousands of separate news articles. This information is copied and recopied worldwide until all Internet systems have copies of the subsets they "subscribe" to.

Even on a standalone system (such as a BBS not connected to any other) the volume of electronic mail messages between users could easily amount to many hundreds of separate items per day.

Quite apart from the privacy issues, clearly the volume of information is far too great to permit inspection by service providers of even a significant sample.

Even were it physically possible to inspect every item passing through an online system, the existence of powerful encryption techniques allows any originator to unbreakably mask any desired item.

For these reasons it is not appropriate to impose responsibility on a carrier for the content of what is carried, because no carrier can in practice comply. However, it is entirely possible and practical for an originator to be required to take responsibility for the information that he or she transmits. It is here that legislators should concentrate their efforts.


[back to Contents]
Powerful encryption technology is available to anyone with a cheap personal computer. The required software is available in any number of free packages and many commercial ones. This combination can swiftly and simply render any communication unreadable by any person without the key to decrypt it.

There are also several techniques for embedding a message (possibly also encrypted) into another, innocent message. Thus encrypted messages may be made impossible to detect if sent and they may be made impossible to decrypt if detected. Any criminal who was serious about concealment would certainly use both techniques.

Most use of encryption is for perfectly legitimate purposes. Encryption is routinely used in business to protect confidential information passing over unsecure networks. Military information is commonly encrypted. Ordinary citizens concerned about privacy also routinely encrypt electronic mail and other personal communications.

Any law requiring a service provider to be responsible for the content of material stored on his or her systems (however briefly, as in email) would by extension require the service provider to inspect all (or a significant number) of items. He or she would have to be able to detect and to decrypt encrypted messages in order to determine their acceptability. The technology is such that this would not be possible.

At some point - the point where a message or other item is encrypted and the point at which it is decrypted - encrypted items are available "in clear". It is at these points that legislative effort should be brought to bear. Again, neither of these points involves the carrier (unless the carrier happens to also be the originator or final recipient of the item).

The global nature of the Internet

[back to Contents]
The Internet is the world's largest online system and the archetypal global network. There are nodes of the Internet in virtually every country in the world - a total of about 4 million connected systems.

The information flowing between those systems and in and out of Australia is voluminous and widely varied. Certainly some of the material is by our standards objectionable and some is illegal by Australian law.

Much of the material arriving from overseas is in Usenet newsgroups. While these are to some extent classified by subject matter, there is nothing to prevent a person from placing an article about one subject in a newsgroup devoted to another subject. In fact, "raids" by the online equivalent of hecklers are quite common, taking the form of inappropriate postings to newsgroups. Nor are the classifications particularly indicative of the actual nature of the articles within them.

Once material has arrived, there is no way to prevent possible further dissemination of objectionable material without inspecting all the material - which for reasons already given is not a practical approach.

To take another example, many online service providers run a World Wide Web server. While some material may be stored on the provider's system with the explicit knowledge of the provider, a large part of a Web server's function is to form links across the Internet to other Web sites. The information from these other Web sites is then retrieved at the users' request. To conserve bandwidth, many providers cache (store) retrieved pages on their own disks in order to avoid having to transfer them repeatedly, since many different users may request the same Web page. This process is completely automatic - the provider has no knowledge of what pages may be stored, and the set of stored pages changes every second.

In short, there is no way to absolutely preclude the arrival of objectionable material without rejecting all of it. Since the material includes great quantities of valuable cultural and technical information, this is hardly acceptable.

Issues with "code of practice"

[back to Contents]
If the changes suggested elsewhere in this document are made to the proposed legislation, there will be no need for self regulation and no need for a code of practice. However, for the sake of completeness several difficulties with the idea of a "code of practice" for online service providers should be pointed out:

Responses to the specific questions raised by the Consultation Paper

[back to Contents]

"Is the overall scheme appropriate for regulating online information?"

"Can you suggest other means for regulation of BBS?"

"Is the definition of 'online information service' too narrow or too broad?"

"Comment on the role of the education strategy in informing parents, teachers and children about online information services and the ways of addressing possible problems."

"What non-criminal sanctions could be applied for non-compliance with a code of practice?"

"Comment on a complaints mechanism and possible establishment of an independent complaints handling body."

"Comment on issues arising from the practical implementation of the proposed offence provisions."

"Comment on any other matters that may be relevant."

About the Author

[back to Contents]
Mr Karl Auer is currently employed at the Australian National University in Network Services, Information Technology Services Division.

Mr Auer also holds the voluntary position of Project Manager for the Internet Project, an online information service set up by the PC Users Group (ACT) Incorporated and the Australian Unix Users Group (Canberra Chapter) to provide Internet access to their members.

Mr Auer is the Immediate Past President of the PC Users Group (ACT) Incorporated, and recently presented on their behalf a submission to the Senate Select Committee on community standards relevant to the supply of services utilising electronic technologies.

Mr Auer can be reached at