Tech Liberty NZ Defending civil liberties in the digital age

Remove ISP Liability from the Criminal Procedure Reform Bill

Posted on February 7, 2011

The attempt to make ISPs (Internet Service Providers) criminally liable for their users' breach of name suppression orders is unjust and unworkable.

The Criminal Procedure (Reform and Minimisation) Bill is an omnibus bill that makes significant changes to the New Zealand criminal justice system. In its attempt to reform and streamline, it weakens the right to a jury trial, takes away the right to silence and forces defendants to help the Police make the case against them.

It also changes the law around name suppression. While we support the attempt to make name suppression harder to get, we have serious concerns about the attempt to make ISPs liable for breaches of name suppression online. Read section 216 of the proposed law and then consider some of these questions:

"ISP" is defined to include people who provide Internet as well as anyone who hosts material on a website.

Q. Why do they use the term "ISP" when the definition very clearly shows that anyone who runs a website will be classed as an ISP?

The ISP/website owner is liable to a fine of up to $100,000 if they have 'reason to believe' that some material on that website breaches a suppression order.

Q. Is an anonymous email adequate reason to believe? What about email from a stranger? A customer? A lawyer?

Q. Does this mean that the ISP/website owner has a duty to monitor news media to find out what information has been suppressed?

Q. Does this mean that the ISP/website owner must actively monitor user-created content (such as forums) to check for suppressed material?

There is no way to find out what information is suppressed.

Q. If you were about to publish something about a court case and you wanted to know if any of it was suppressed, how would you find out?

Q. If the courts than change the order how will the ISP/website owner know to undelete the material?

Some people have suggesting fixing the bill by creating a register of suppression orders.

Q. Who would be allowed to have access to this register of suppressed information?

Q. If all ISPs/website owners might be liable won't they all need access to the list? In which case won't everyone who wants to know who was charged just register as a website owner?

The ISP/website owner can protect themselves from liability by deleting the material or blocking access to it.

Q. If you were an ISP/website owner and someone accused one of your users of breaching a name suppression order and you were going to be criminally liable if you made the wrong call... what would you do?

Q. Can an article that includes clues to the information breach a suppression order? How much legal training does the average ISP worker or website owner receive?

Q. How is an ISP meant to delete a comment from a customer's online forum when it might not even have an account on that forum software? Do they have to take down the entire site?

Q. How is an ISP meant to remove an article from a customer's server they host when they might not even have access to administer the server? Do they have to shutdown the server thereby possibly taking down many websites?

Q. If an ISP/website owner disconnects a customer server, are they liable for damages caused to the customer's business?

There is no penalty for falsely claiming that information is suppressed.

Q. If you were charged in court and refused name suppression, what's to stop you sending takedown notices to ISPs saying that you were granted suppression and they need to remove your name from the article?

Q. How would an ISP know if this person was telling the truth or not?

The law has no effect on material hosted overseas.

Q. What's to stop someone creating suppressednames.blogspot.com and anonymously posting suppressed information there, where the NZ courts couldn't do anything about it?

Q. Is there any point removing suppressed information considering that it will have already gone out to Twitter, RSS feed readers, the Google cache and other places?

Drop ISP liability from the Bill

We think the proposed law is both technically and legally ridiculous.

  • It is unacceptable to force ISPs and website owners to make complex legal decisions about the actions of others at the threat of 6 months jail or a $100,000 fine if they get it wrong.
  • It is unacceptable that this Bill will mean that anyone can claim that some information is suppressed and that there is no way for the liable person to check.

We recommend that section 216 of the Criminal Procedure Reform Bill be deleted in its entirety. The ease of publishing in the Internet age may mean that it's already too late for suppression orders, but as the conviction of Cameron "Whaleoil" Slater shows, current law already provides sufficient protection for the current regime.

Get your submission in by Feb 18th.

Posted by Thomas Beagle

Comments (7) Trackbacks (0)
  1. Development of the idea I briefly raised at the seminar.

    If you know – or think you know – the defendant in the hearing in question was Sam Brown, you enter that name and other basic details such as the date and place of the hearing into the register inquiry system.

    The system hashes “Sam Brown” into a human-meaningless code and looks for that field in the keys on the database; then it matches any other fields you entered and returns the reply:
    “name known in the context of this hearing, but suppressed”;
    “name known in this context; no suppression order”;
    “name not known in this context: are you sure the other details you entered are correct?”
    “name not known at all”.

    Only the opaque code, not the name “Sam Brown”, is stored in the database, so this deters casual exploration.

    People will, of course, be able to launch wild guesses as to a defendant’s identity but this can be deterred by limiting the number of tries permitted.

    Not a perfect scheme but better than nothing. Suggestions for improvement welcome.

    • I might be missing something, but I don’t see how that helps.

      It doesn’t matter how the name is stored in the database. If you can enter “Sam Brown” and get a “Yes/No” answer on suppression, doesn’t that allow for causal exploration?

      • I was thinking of a curious person who wants to know the identity of the defendant in a particular hearing and has no prior knowledge. If the register contained all fields explicitly, they would simply look up the date and time of the hearing and obtain the name.

        With the scheme I outline, such an inquiry would not yield the information, but a journalist or blogger who knows the name and merely wants to check whether a suppression order exists would be able to get an answer.

        Of course there is a middle case, where someone has a good idea what the name is and will be able to confirm their guess; but encoding the name will at least stop some casual inquirers.

  2. Does this mean that the ISP/website owner must actively monitor user-created content (such as forums) to check for suppressed material?

    No! The complainant needs to inform the ISP of a breach. This is undertaken with a take down notice under the Digital Millennium Copyright Act (DMCA). You can learn about it here if your work is infringed upon:

    http://rising.blackstar.com/how-to-send-a-dmca-takedown-notice.html

    The whole reason for this is to protect people in the fastest way possible. However there is one major flaw, the expectation that ISP’s undertake a workload that is fraught with legal claims and technical practicality. Unfortunately this is the fastest way to enforce a legal right.

    How is an ISP meant to delete a comment from a customer’s online forum when it might not even have an account on that forum software? Do they have to take down the entire site?

    The ISP should have software for editing sites. If you know what you’re doing you can remove the item within the code. If editing is not achievable because of various code structures, the page should be removed.

    There is no penalty for falsely claiming that information is suppressed.

    But there is a penalty for a false take down notice.

    How would an ISP know if this person was telling the truth or not?

    Good judgment.

    Is there any point removing suppressed information considering that it will have already gone out to Twitter, RSS feed readers, the Google cache and other places?

    The law states that a cache must not occur. Theoretically all further reproduction of the item must be taken down as well.

    It is unacceptable to force ISPs and website owners to make complex legal decisions about the actions of others at the threat of 6 months jail or a $100,000 fine if they get it wrong.

    I agree that the penalties are rather extreme, however there needs to be a practical way of protecting your works quickly and effectively. Perhaps the person undertaking any infringing could be liable for additional costs the ISP might incur. Unfortunately if there’s no liability, there is no incentive to act.

    • Hi Todd,

      This article is not about the DMCA or any other US law. It’s about the proposed changes to suppression law in New Zealand and therefore much of your comment is misleading. For example, under the proposed bill there is no penalty for making false claims.

      As for your comment “The ISP should have software for editing sites”, unfortunately it bears no relationship to reality. An ISP hosting a server owned by someone else will not have the necessary user account to log in to the server and change anything on the site. All they can do is turn it off.

      Then there’s your claim that ISPs can use “good judgement” to decide whether a notice of infringement is accurate or not. This is impossible as ISPs can’t even find out what information is suppressed so as to make an informed decision about it. And, seeing as they’re liable if they get it wrong, it is clear that the only rational response is to take things down upon accusation.

      • You’re correct in that my response was from a copyright perspective and not specific to section 216 of the Criminal Procedure Reform Bill. It is misleading to state that ISP should not be liable for content on their servers within a wider context. I believe a take down notice as outlined under the DMCA is applicable under New Zealand law.

        An ISP hosting a server owned by someone else will not have the necessary user account to log in to the server and change anything on the site.

        Yes! There are certain impracticalities under that particular instance. It’s apparent that the law has not considered the practicalities of access properly. However Stephen has proposed a practical fix to the scenario posed in the case of suppression, where access is available to the server content by the ISP. I would surmise that this is the majority of current systems. So again your assumptions are slightly erroneous.

        I’m pretty sure any Judge would give the benefit of the doubt to the ISP for any incorrect administration caused by a fake notice of infringement or take down notice. As long as the ISP has followed logical steps as outlined, liability would fall on the applicant, who must identify, before action on a notice is undertaken.

        I also doubt that an ISP would switch off a server just because a particular site on it has material under an infringement notice without contacting the owner first, which is a requirement under the law. In fact notification to the site owner must be made straight away. There is already a relationship between the ISP and site owner so contact should not be an issue.

        The practical solution is to remove the site link through the domain structure, so that the public cannot access it. Usually physical access to the server would allow this. Again this is a knowledge-based decision. I’m unsure if the law has considered such aspects and broader practicalities either. Your article rightly questions many of the impracticalities and I must agree with you that the proposed law needs to work on its disassociation from reality.

        Things aren’t always black and white though.

  3. Great information about ISP liability. They must be responsible in securing their customers. Thanks also for the FAQ’s.


Trackbacks are disabled.