No more alibis for inaction


I believe several companies that engage in business on the internet, and their proxies, have taken a calculated and cynical view about some fairly fundamental issues. They know very well that the courts and judicial systems in their country, and in most countries around the world, have been having trouble coping with all manner of pressures that are upon them. In relation to criminal matters, law enforcement’s and the prosecutorial authorities’ ability to keep their end up has not been noticeably better and may even be worse.

Yet despite knowing this, with much hand wringing and angsting in the name of free speech, in the name of human rights, in the name of anything except how it might impact on the bottom line, when it comes to dealing with unlawful activity in cyberspace these same players regretfully insist that the courts and the analogue channels which have been used since time immemorial have to stay centre stage.

While they acknowledge, glory in and profit from the life changing technologies which have so transformed our modern world, they draw the line at allowing the same cleverness any major role in the field of obtaining compliance with the law.

No new resources 

In a world of shrinking public expenditure the courts, the cops and the  Crown Prosecution Service find it very hard to recruit and retain enough people of the right calibre to get through what might once have been thought of as a typical workload, never mind having to cope with the consequences of a digital tsunami.

If you get paid £1,000 per week by the police you would have to be of a hugely saintly disposition to refuse £2,000 per week, or more, for doing the same or similar work for a global high tech giant, with shares, shorter hours, generous expense accounts on top. And even if money were no object it is not clear to me that simply piling more and more bodies into the law and law enforcement is necessarily the best possible route to go for a modern society, particularly if there are other, possibly even better, ways of delivering justice.

I am emphatically not suggesting that we should think about automating law enforcement or judicial processes to a point where we no longer need any human eyes or ears to engage at any stage. I am merely suggesting that in a system where human resources are already severely overstretched Luddism will have highly undesirable consequences.

Operation Ore

Operation Ore was at the time, and probably still is, the UK’s largest ever police action on child abuse images. It had its origins in Dallas, Texas. As the 20th Century was saying goodbye the US Postal Inspection Service and Dallas police seized the servers of a company that was selling child pornography over the internet. 200,000 names were identified of people from all over the word who had bought illegal images using a credit card.

Ore finally got off the ground in Britain in 2002 not long after the US authorities handed over the list of UK residents whom they had identified among the larger number. Ore showed us one of the consequences of the lack of police resources. Of the original list of over 7,200 UK suspects nearly 3,000 never even received a knock on the door, and some only had a visit two or in some cases up to three years later. To be fair, the UK police had gone through a triage exercise so we can be confident all of the dodgiest characters were picked up and dealt with, probably quite quickly. Even so it is not a very comforting thought that so many people who appeared to have bought child abuse images on the internet got off without so much as a by your leave.

This sorry tale did not end there. Even after they were arrested, in several police force areas there were delays of up to 18 months or more before the suspects’ machines could be forensically, and expensively, analysed in computer labs. The word on the street was that, in other types of cases, police officers were systematically being discouraged from seizing computers unless it was absolutely essential because of the costs and delays this would inevitably introduce into the whole proceedings. If such an injunction were motivated by a reasonable desire to avoid unnecessary expenditure one might not feel too worried about it. However, I know few people who think that was the primary reason.

Operation Avalanche

In the same police action in the USA , known there as Operation Avalanche, about 35,000 US subscribers were finally identified from their credit card details. Of these in the end fewer than 200 were arrested. This is not because US police care any less passionately than their UK counterparts. Under US procedural laws, to obtain the necessary authority to seize a computer or search a suspect’s house the evidence which you rely on for the warrants has to be fresh or recently obtained. This is a relevant factor in the UK too but the US definition is much tighter and less generous. By the time all of the preliminary investigative work had been completed on the substantive case in the US it was already too late.

My understanding is that the comparatively small number who were arrested in the US were picked up because US law enforcement agencies treated the Avalanche database as a source of intelligence. They used it to set honey traps for the those they considered the worst offenders. Maybe not an ideal outcome but I don’t suppose many people complained.

Thus, in both the UK and the US, time and resources played their part in ensuring that justice was not done.

Justice delayed is justice denied

This is an ancient legal maxim said to have its roots in the Magna Carta. In the instances just referred to it needs to be amended

Justice delayed means you get away with it

The only case I have cited up to now is Operation Avalanche/Ore from over ten years ago. I wish I could say I thought the position had got better since then. I don’t think it has. I believe it is worse. Avalanche/Ore was a case involving web sites. Now we have Peer2Peer. The scale of offending on Peer2Peer completely dwarfs all previous numbers. This is one of the reasons why the police repeatedly say

We cannot arrest our way out of this

Think about that for a moment. What does it mean? It means the cops are saying that conventional law enforcement methods will not work, cannot work. People can scream “They must, they must” but that is not going to change the reality.

Absolutely I believe the UK police can deal with the most serious stuff, and there have been many substantial law enforcement operations since Ore. But unless as a society we are content to allow a constant hum of criminal activity involving the distribution of child abuse images online to persist into the indefinite future, we have to find other ways of dealing with this. Tipstaffs and powdered wigs can only be a very small part of the answer.

Brass neck

As already noted, from many parts of the internet industry the answer is always the same. Only judicial decisions are acceptable as the basis of doing anything. This is not a serious response and it is so obviously self-serving I never cease to be amazed at the brass neck of some of those who say it. This is code for

We don’t want to change our business model. We don’t want to spend any money on altering our systems to deal with this. We can just sit back and wait for court orders to come then we act sui generis. Because of the state the courts and legal processes are in we know there won’t be that many court orders to trouble us. Not our problem, Guv. Yawn. Next business.

Leaving child abuse images on one side for the moment, what about all the other kinds of criminal activity which is happening online, the kind of things that we, as ordinary citizens, are more likely to be affected by? If we do not find ways of dealing with this sooner or later the dam will burst. It is in no one’s long term interests to allow us to get to that point. I can see that a few cowboys might dismiss what I am saying or call it scaremongering but they’ll have taken their profits by then. The rest of us will have to deal with the consequences.

Ask the Birmingham 6

The idea that only courts or judges can be trusted to get things right is laughable. Obviously they usually do but ask the members of the Birmingham 6 who are still alive what they think about judicial infallibility, or the families of those granted posthumous pardons for what were once capital crimes we all now know they did not commit.

What counts is that you have processes in place which are fair and transparent, with appellate procedures and all should be administered by trusted bodies. Absolutely, in the end pretty much everything that impacts in the public space must be justiciable. The courts are the last bastion of human rights and freedom in any democracy. But they can be a lousy first bastion.

We need several tracks

Wilfully to clog up our legal system with admittedly important, but relatively speaking comparatively minor matters which can be dealt with justly in other ways, is tantamount to abandoning a proper sense of civic engagement. Think about parking or speeding tickets. We all hate getting them but no one seriously believes there is any bias or unfairness in how they are handed out. Moreover we all know that there are processes available to correct a mistake. In the end there is judicial oversight.

I am aware that in other areas, particularly connected with national security and criminal investigations, there has been criticism that remote or ex post facto judicial oversight has been weak to the point of being ineffectual, in part because those processes have also been swamped by the numbers and perhaps also by the complexity of some of the cases. However, and I accept I am no expert on this, that does not seem to me to be a good enough argument for saying therefore everything should go to court or Masters’ Chambers.

The eCommerce Directive – status quo?

All this is by way of an intro – OK a very long intro – for me to express a degree of apprehension about reports coming out of Brussels late last week about the eCommerce Directive. Thanks once again to the wonderfully comprehensive information services provided by Cullen International I was able to read what looks like a very full report of a meeting held in the European Parliament on 7th December. It was called by Dutch ALDE MEP Mariejeta Schaake. The meeting was entitled “Self-regulation: should online companies police the internet?” Apparently most people attending thought the answer should be “No”. That was a shock. Not.

The eCommerce Directive established mere conduit status for electronic carriers. Typically for these purposes a carrier would be an ISP, a social networking service or a file storage company. As long as the carrier had no actual knowledge of the existence of any unlawful items or behaviour involving their service they could not be held liable for it either in criminal or civil law. No problem with that. It is the only sensible position.

However, difficulties have arisen in relation to some of the ancillary clauses and in particular how they have been interpreted by courts in different EU Member States. The eCommerce Directive also said that if, for example, you adapted or changed the text in any way at all or your system, as it were, intervened to direct it to a particular audience, then you lose the immunity and in effect you become the joint publisher.

Many companies’ lawyers understood this to mean that the only sensible approach to adopt was one of indolence. The eCommerce Directive, so far from requiring carriers to police the internet, it introduced a positive incentive for them not to do so. Do nothing and you cannot attract any liability. Do anything and you might. This became known as the dumb pipes position. It is the foundation of Notice and Take Down.

In other words all that companies need do is sit back and wait until they are told by a third party there is something on their site that is wrong. Provided the firm then acts promptly to remove the offending items they are in the clear. The fact that it might have been there for months, even years, causing who knows what damage is irrelevant.

I have no problem with the broad thrust of the eCommerce Directive but what is completely wrong is this notion that doing nothing to police your content is the only sensible strategy. Lots of companies in fact reject this line. They believe their brand is more important. They actively patrol their site looking for content which is in breach of their terms of service, and obviously everything illegal is in breach. If they find anything they deal with it straight away, typically by deleting, preserving and reporting it. These good actors know that by doing this they could be making themselves liable but they choose to do it nonetheless. However, while some companies do this, not all do, and the ones that do nothing cite the eCommerce Directive as the reason. Henceforth that prop or shield must be denied them.

At the meeting in Brussels last week a Commission official indicated that they had no plans to seek a new text, a new Directive, saying guidance notes would be issued. That’s all very well providing two conditions are met: the guidance notes must make clear that simply looking for unlawful content on your site, simply policing the site to ensure conformity with your own terms and conditions, cannot on its own and without more create any liability, ever. For any liability to exist it is essential to prove that the company had actual knowledge of it or, having that knowledge, they failed to act to deal with it within a reasonable time frame.

And the second condition is that courts in every Member State must accept that the new guidance note has legal force.

Henceforth no online company should be able to point to the eCommerce Directive as an alibi for inaction.

About John Carr

John Carr is one of the world's leading authorities on children's and young people's use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International and is Secretary of the UK's Children's Charities' Coalition on Internet Safety. John is now or has formerly been an Adviser to the Council of Europe, the UN (ITU), the EU and UNICEF. John has advised many of the world's largest technology companies on online child safety. John's skill as a writer has also been widely recognised.
This entry was posted in CEOP, Child abuse images, Default settings, E-commerce, Pornography, Self-regulation. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s