Urgent help fixing the Defamation Bill

[Duke]

As some of you may be aware, there is a Defamation Bill currently going through Parliament; this is the product of several years of reasonably-successful campaigning by groups such as the Libel Reform lot. In general, this is a good bill, with cross-party support, and hopefully our libel laws will be more sensible and accessible after it passes. Unfortunately, there is one clause in the bill concerning "website operators" that is bad, but offers the opportunity to make things even better.

The Bill is now being considered by its Public Bill Committee, and it is possible to send in a submission with suggestions, evidence etc.; I think this is a good opportunity for the Pirate Party to use its available expertise in and understanding of the Internet etc. to try to make a difference. I would like us to submit some points on this clause, along with a draft amendment for replacing it. Ideally by Tuesday morning (when the committee first meets), if not a bit after. I will, however, need some help with this.

More details on the Defamations Bill's progress, including links to the second reading debate, can be found here.
More details on submissions to public bill committees can be found here.

===The Current Clause===

5 Operators of websites

(1) This section applies where an action for defamation is brought against the operator of a website in respect of a statement posted on the website.

(2) It is a defence for the operator to show that it was not the operator who posted the statement on the website.

(3) The defence is defeated if the claimant shows that—

1. it was not possible for the claimant to identify the person who posted the statement,
2. the claimant gave the operator a notice of complaint in relation to the statement, and
3. the operator failed to respond to the notice of complaint in accordance with any provision contained in regulations.

(4) A notice of complaint is a notice which—

1. specifies the complainant’s name,
   
2. sets out the statement concerned and explains why it is defamatory of the complainant,
   
3. specifies where on the website the statement was posted, and
   
4. contains such other information as may be specified in regulations.

(5) Regulations may—

1. make provision as to the action required to be taken by an operator of a website in response to a notice of complaint (which may in particular include action relating to the identity or contact details of the person who posted the statement and action relating to its removal);
   
2. make provision specifying a time limit for the taking of any such action;
   
3. make provision conferring on the court a discretion to treat action taken after the expiry of a time limit as having been taken before the expiry;
   
4. make any other provision for the purposes of this section.

(6) Regulations under this section—

1. may make different provision for different circumstances;
   
2. are to be made by statutory instrument.

(7) A statutory instrument containing regulations under this section is subject to annulment in pursuance of a resolution of either House of Parliament.

(8) In this section “regulations” means regulations made by the Secretary of State.

Basically, this gives a defence to website operators against defamation actions provided they can prove they didn't post the comment.

However, the defence is defeated iff:

• the claimant cannot identify the original poster,
• the claimant gives the website operator notice, and
• the website operator fails to comply with specific regulations that
  haven't been published (even in draft).

In theory, as this only creates a new defence and so gives website owners greater protection, it is a good thing. However... it has some downsides, and could be a lot better.

==Problems==

• It only applies to websites, not the rest of the Internet. Apparently it is supposed to, but the drafters may not have known the difference. Even then, it is still technology-specific which is usually a bad idea. The defence should cover any sort of platform-providing service, online or offline.
• There is no definition of "website operator". As someone who runs a wordpress blog, am I the operator of the website (re defamatory comments), or is Wordpress?
• Legally it is a mess; it doesn't fit in with existing (or proposed new) defences or law. The circumstances when it would apply but no other defence would apply are fairly narrow and there will be many situations where this defence would not apply, but a website will still not be liable (either due to not being a publisher, or having immunity under the e-Commerce Directive limitations).
• Following that, it gives website operators a false impression, i.e. that they must comply with this law in order to be protected from defamation. The result of this could be to strongly discourage UK-based websites from allowing anonymous or pseudo-anonymous postings (and this seems to be the government's aim).
• There seems to be no justification for not applying it to anonymous comments other than that the Government doesn't like anonymity. There are good arguments (both moral and legal) for this being bad.
• Even if we accept the limitation, the bill does not define "identify"; it does not specify whether the identity must be obvious on the face of the post, or merely provided to a claimant by the website operator on request. It does not say what will be sufficient; an email address, real name, IP address? None are enough alone to properly identify an individual. Additionally, it does not specify whether the burden is on the website operator to ensure any information it gets is accurate. In short, this bit is full of holes and uncertainty.
• It creates a formal notice-and-takedown system. We know from experience with the US's copyright one that these are very bad things. Interestingly, when examining the issues of defamation online back in 2002, the Law Commission considered, but seemingly rejected such a system, suggesting instead that ISPs be granted complete immunity. They also recommended other changes, some of which are finally being discussed in Parliament now.
• It fails to go far enough in some situations, such as where the poster is identified, but cannot be reached legally (due to being outside the jurisdiction, dead etc.). There the website would be immune so the defamed party would be completely stuck.
• It also misses (or does not consider) situations where someone could post material to a website, but cannot then remove it (e.g. Slashdot comments); in such a case the author could continue to be liable for each view the statement receives, while the website is immune, despite the author having no control over it.

==A possible solution==

Given all the problems it is likely this clause will be amended for the final version. We should try to ensure that the final version is us-friendly. I propose that we suggest an amendment where;

1. This defence applies to anyone who provides a public platform for posts (online or offline, but with some limits for when the website has full control, and exercises that control - such as with the main content, but not comments, on newspaper websites),
2. This defence should apply whether or not it is possible to identify the author.

On top of this, due to concerns about defamatory material staying online etc., I would add a new clause that:

• Allows the High Court to order the removal or modification (such as adding a correction or reply) of unlawfully defamatory material from a public publishing platform (as defined above);
• Requires the court to consider, among other things, any applicable defences, and the importance of freedom of expression, etc.
• Allows the court to order the claimant to reimburse the website for any reasonable costs incurred in complying with the order,
• Limits liability in defamation for a statement subject to such an order so anyone originally liable for it can't be sued for subsequent views/publications.

However, while 'reasonable', this second part possibly goes against current Party policy which states that "we will not allow censorship of the Internet for anything except for in the most extreme circumstances."

===What I need help with===
What needs doing is turning all of this into a formal submission, and turning the proposals into legalese. Most of that shouldn't be too hard (and I've begun working on it) but what I really need help and ideas on is who should get immunity under this, and how to define them legally so that it covers everything we want it to cover, but doesn't cover anything else.

It would also be helpful to have any thoughts on my suggestions in general (and particularly on the modification order part), to make sure I haven't missed anything obvious or important.

Finally, it would be very useful to get thoughts and feedback from who would be affected by something like this; such as people who run websites or platforms that allow comment. Obviously this includes people within or outside the Party.

Anyone willing to help draft the final submission, send me a PM/email or find me on IRC.

[liamreed]

I would say that the protection should extend to service providers and their staff and agents as a website operator *could* be linked to the individual <b>using</b> the website. Also as there are other methods of using a website, email submissions and texting shortcodes, without physically using the website. Therefore I feel it should be the service as a whole not just a website that benefits from this defence.

[Andy_R]

I think the best way to structure a reply would be to break it up into 2 parts:

1) We don't like what you are trying to do because... (moral and economic stuff: free speech, economic damage, legal bills etc.)
2) We don't think this wording will do what you think it will do because... (legal stuff: drafting mistakes, EC directives, vague wording)

I think only the 2nd one needs to be in legalese, the fist one should be in plain, (preferably non-technical) English.

[borgs8472]

It only applies to websites, not the rest of the Internet. Apparently it is supposed to, but the drafters may not have known the difference. Even then, it is still technology-specific which is usually a bad idea.

It depends on the definition of a website indeed - I would actually use the term public website or webservices as a better definition. This protects private closed communities, as well as covering webservices such as twitter, news groups and the like.

The defence should cover any sort of platform-providing service, online or offline.

I disagree that offline systems should be covered, unless they have some kind of public interface, such an offline computer terminal at an internet cafe, or other internal yet publically facing system. Again, public facing computer websites and web services seem an appropriate definition for both internet connected and non internet connected systems IMO.

There is no definition of "website operator". As someone who runs a wordpress blog, am I the operator of the website (re defamatory comments), or is Wordpress?

Wordpress are a software company and have zero liability for the (mis)use of their software. I believe CDN providers and search engines caches that operate in a content neutral fashion are also innocent so to speak. Liability as a 'website operator' typically falls to:
* Legal owner of the domain
* Hosting / connectivity / server company

For example, if I'm Company A, and I hire Agency B to build my website and Agency C to host my website, the liability for the website content falls to the domain registrant legal owner (who should be Company A, but is occasionally Agency B or C which it shouldn't be!) and hosting Agency B.

Agency A who may be building and maintaining the site content actually has no legal liability for the content, though obviously Company A or Agency B might sue Agency A for damages if they get fined etc.

All of this is irrespective of if there is a public commenting system, as there the commenter is never liable for content by default, until a take down / investigatory / reporting process is instigated, passing liability from Company A or Agency B down to the commenter.

Even if we accept the limitation, the bill does not define "identify"; it does not specify whether the identity must be obvious on the face of the post, or merely provided to a claimant by the website operator on request. It does not say what will be sufficient; an email address, real name, IP address? None are enough alone to properly identify an individual. Additionally, it does not specify whether the burden is on the website operator to ensure any information it gets is accurate. In short, this bit is full of holes and uncertainty.

I think recent cases, such as the recent Facebook 'troll unmasking case' is continuing the precedent that handing over the IP details, e.g. information logged is sufficient. There are no cases I'm aware of where a web host has claimed they don't log this data in any way shape or form, so originating IP appears to be the standard. Other identifying information such as registering email address and supporting profile data is non standardised across websites, so even in cases where it is available to the web host, I consider it difficult to consider how that information could be requested in a standardised framework.

It fails to go far enough in some situations, such as where the poster is identified, but cannot be reached legally (due to being outside the jurisdiction, dead etc.). There the website would be immune so the defamed party would be completely stuck.

A key point, that applies to most 'internet legislation'. Or if people get wise, they will proxy/tor out of the UK before posting their defamatory comments. Did you know, certain bot net attacks deliberately use machines outside of western control for the very reason that it effectively blocks legal follow up against them?

I think the best that could be suggested is to note the limitations of this effect and suck it up, so to speak.

It also misses (or does not consider) situations where someone could post material to a website, but cannot then remove it (e.g. Slashdot comments); in such a case the author could continue to be liable for each view the statement receives, while the website is immune, despite the author having no control over it.

Like with IP logging, I'm not familiar with any system that doesn't allow the site administrators to pull content. In such a case, despite the obligation having shifted to the poster to remove the content, if technical limitations prevent this, I suggest the site administrators must have a process in place allowing users to pull their own content be added as a guideline.

Allows the court to order the claimant to reimburse the website for any reasonable costs incurred in complying with the order,

Agreed, but I'm sure we're going to have lots of fun with 'reasonable'

Limits liability in defamation for a statement subject to such an order so anyone originally liable for it can't be sued for subsequent views/publications.

You're suggesting people be freed for the consequences of any Streisand effect? Absolutely, has to be the case IMO.

However, while 'reasonable', this second part possibly goes against current Party policy which states that "we will not allow censorship of the Internet for anything except for in the most extreme circumstances."

I think the party statement on the matter is far too simplistic and should be slowly set aside and replaced with more nuanced and developed lines such as those discussed here.

So Duke, how would you like me to turn my responses into fleshing out a statement now? Let me know

[Duke]

Thanks for the comments so far, a few clarifications for Borgs:

I disagree that offline systems should be covered, unless they have some kind of public interface, such an offline computer terminal at an internet cafe, or other internal yet publically facing system.

When I mentioned "offline", I was referring to non-computer things; things like physical notice-boards, or things relating to future technologies. Situations where the public (or a section of the public) can submit comments without specific involvement of the operator (although once submitted, some editorial stuff could be permitted?).

Wordpress are a software company and have zero liability for the (mis)use of their software.

Again to clarify, my blog is also hosted on Wordpress, so they could have liability for comments on it (although the Tamiz v Google case would suggest otherwise).

As for your Company A, Agency B, C situation, I think you got your letters a bit confused, but my impression of the current law is that if Company A asked Agency B to design a site and have it hosted by Agency C, then if something B wrote was defamatory, A, B and C could potentially be liable (as publishers at common law), although Agency C may be able to use the 'hosting' defence in the e-c directive and s1 Defamation 1996. More likely, with a large commercial contract, there will be various indemnity clauses between the three groups, to ensure that if one screws up they end up paying.

All of this is irrespective of if there is a public commenting system, as there the commenter [I think you mean company here, rather than commenter? The commenter *is* liable by default for their comment, as the author] is never liable for content by default, until a take down / investigatory / reporting process is instigated, passing liability from Company A or Agency B down to the commenter.

With that correction, at common law Company A, Agency B or C would be liable, but subject to the limitations in the e-commerce directive (or other defences). Unless we applied the Google case mentioned above, where (in a case involving comments on a Blogger post) Google was held not to be liable at common law.

The law in this area is a huge mess; there are so many issues to consider, most of which are unclear (due to limited and often contradictory case law); I was hoping this new law would clear it all up, but by throwing in that "identify" part (and limiting it to "websites") they've managed to make it even more complex.

[borgs8472]

When I mentioned "offline", I was referring to non-computer things; things like physical notice-boards,

That's a fair point, but not my area. Are you aware of any such cases of say... a company whose wall was graffitied on being liable for the contents of what was written for instance or anything like that?

or things relating to future technologies.

I do think public website and web services covers all future technologies I can think of. Other services like television and radio don't look they will ever go public AFAIK as all services merge with the web.

Situations where the public (or a section of the public) can submit comments without specific involvement of the operator (although once submitted, some editorial stuff could be permitted?).

Pretty much, obviously 'public' would need some further hashing out as there are some edge cases such as sites with moderated registration, tiered access and the like.

Again to clarify, my blog is also hosted on Wordpress, so they could have liability for comments on it (although the Tamiz v Google case would suggest otherwise).

Okay, didn't realise that, fits with what I was saying about them being the hosting company as per my examples.

As for your Company A, Agency B, C situation, I think you got your letters a bit confused, but my impression of the current law is that if Company A asked Agency B to design a site and have it hosted by Agency C, then if something B wrote was defamatory, A, B and C could potentially be liable (as publishers at common law), although Agency C may be able to use the 'hosting' defence in the e-c directive and s1 Defamation 1996. More likely, with a large commercial contract, there will be various indemnity clauses between the three groups, to ensure that if one screws up they end up paying.

Indeed, because there is a big mix between who hosts the end liability and how practically things would be done. Absolutely Agency A would typically do the work - but if Agency A goes bust, Company A and Agency B have to pick up the slack no matter what.

I should really research this more, for example my corporate data centre ISP indemnifies itself against pretty much anything my company hosts - but if we were performing illegal acts and didn't respond to expected channels, ultimately they would have to pull the plug on us. I will get back to this point as there are actually a lot of possible configurations really.

All of this is irrespective of if there is a public commenting system, as there the commenter [[i]I think you mean company here, rather than commenter?

I was going with a 4 party scenario, with a company, 2 agencies and an external commenter.

The law in this area is a huge mess; there are so many issues to consider, most of which are unclear (due to limited and often contradictory case law); I was hoping this new law would clear it all up, but by throwing in that "identify" part (and limiting it to "websites") they've managed to make it even more complex.

Indeed! I think a course of action could be to brainstorm different distinct actors in these scenarios, and work out how the liability pass the parcel goes in each case.

[Andy_R]

Having had a bit more time to think about this... I think the most worrying part is the concept of the claimant 'identifying the original poster'. As we all know, it's never possible to determine exactly who is sitting behind a keyboard, or to identify exactly who is using a shared ip address, even if the claimant went to the trouble of getting a Norwich Pharmacal order to identify the bill payer for the connection. This either opens up a whole DEAct-style can of worms (collective punishments etc.) or makes the whole defence meaningless, since it can always be defeated by the element of doubt about who was behind the keyboard.

It also looks to me that search engines can end up being liable for automatically making cache copies under the current wording, and if the definition of 'website' is broadened (as it clearly needs to be), then transitory copies need to be specifically exempted or people could end up being liable for simply having looked at a page and not flushing their cache afterwards.

I wonder if it's worth specifically exempting fictional environments? If my 43rd level dark elf knowingly wrongly accuses your paladin of looting the temple of Snorlax, in order to turn the citizens of Xybbyx against you, is that defamation? Do we end up having to play games under our real names if so?

[Duke]

Firstly, nothing under this clause imposes any liability; all it does is add a defence in some cases. So if you weren't liable before (which most websites probably aren't now) you're not liable because of this. But most websites may not realise this.

It also looks to me that search engines can end up being liable for automatically making cache copies under the current wording, and if the definition of 'website' is broadened (as it clearly needs to be), then transitory copies need to be specifically exempted or people could end up being liable for simply having looked at a page and not flushing their cache afterwards.

Caching is the third of the limitations in the e-commerce directive (along with mere conduit and hosting); not sure how it works in practice, though. As for looking at a page and not flushing their cache, then there's no publication, so no defamation (you can't defame someone to yourself).

I wonder if it's worth specifically exempting fictional environments? If my 43rd level dark elf knowingly wrongly accuses your paladin of looting the temple of Snorlax, in order to turn the citizens of Xybbyx against you, is that defamation? Do we end up having to play games under our real names if so?

Hmm, if you were accusing a player of using their character to do something bad, then that might be defamation (defaming the player) but you can't defame a fictional character. Plus you still have the "serious harm" threshold.

[Duke]

Thanks to all for you help; this has been submitted, hopefully the people involved will have a look at it.