Skip to Main Content
The Liability of Internet Intermediaries The Liability of Internet Intermediaries

Contents

The Liability of Internet Intermediaries The Liability of Internet Intermediaries
1

Identifying a defendant 3.02

1.1

Sources of information about wrongdoers 3.05

1.2

Compulsory disclosure 3.17

2

Selecting a defendant 3.18

2.1

General rule 3.18

2.2

Primary wrongdoers 3.25

2.3

Secondary wrongdoers 3.35

2.4

Local subsidiaries 3.39

2.5

Service outside the jurisdiction 3.44

3

Contacting an intermediary 3.47

3.1

The proper recipient of notice 3.48

3.2

Content of notice 3.58

4

Alternatives to litigation 3.62

4.1

Takedown notices 3.63

4.2

De-indexing requests 3.67

4.3

Defensive search engine optimisation 3.69

4.4

Domain name seizure 3.70

4.5

Customs border seizure 3.71

4.6

Forbearance 3.74

5

Monitoring content 3.77

5.1

URL monitoring 3.79

5.2

Alerts 3.80

5.3

Image search 3.81

5.4

Tracker data 3.82

5.5

Domain names 3.83

5.6

Custom agents 3.85

3.01 This chapter discusses five issues which commonly arise before the commencement of proceedings in disputes involving internet intermediaries. Broadly, these issues relate to the identification and selection of proper defendants, access to sources of information about online wrongdoing, and the taking of appropriate pre-action measures which may remove or reduce the need for litigation. Additionally, this chapter introduces several tools which practitioners may find useful in detecting and monitoring online wrongdoing.

3.02  Primary wrongdoers. The first and most fundamental question is: who is the proper defendant? In most cases, the answer will be obvious: he or she may be the author of impugned materials, the producer of an infringing sound recording, the supplier of a defective product or service, the counterparty to a breached contract, and so on. No difficulty arises in such cases because the person alleged to bear legal responsibility is the same as the person who engaged in the allegedly wrongful conduct. He or she is said to be the ‘primary wrongdoer’.

3.03  Defendants in internet disputes. In disputes involving internet wrongdoing, the identification of defendants requires particular care for several reasons. First, the identity of the primary wrongdoer is very often unknown. They may have acted under a pseudonym, obfuscated the source of communications, or otherwise taken steps to hide their true identities. Second, the primary wrongdoer will rarely act alone. Even a relatively simple act, such as posting an image to a social network, is facilitated by numerous intermediaries, such as for example, ISPs, media sharing platforms, web hosts, domain name registrars, and network operators.1 Third, activity on the internet has a tendency to amplify and propagate. An image, once posted, may be rendered accessible via search engines, syndicated by aggregators, and reposted, re-blogged, or retweeted. Each of these acts could implicate additional primary and secondary parties.

3.04  Preliminary research. In light of these complexities, it is important to begin with a clear understanding of who is involved in the conduct about which a potential claimant complains. Equally, service providers in possession of such information should understand when they are and are not required to disclose it to a prospective claimant, and what steps may be an appropriate response to allegations of wrongdoing. The following sections provide an introduction to common techniques and practices.

3.05  Overview. There is a widespread but largely untrue perception that is easy to act anonymously on the internet. In reality, it is frequently possible to unravel the source of internet communications by using a variety of public and private sources of information. Although the effectiveness of these forensic techniques will vary depending on the nature and sophistication of wrongdoing and the time that has elapsed since it occurred, such techniques are not complicated and can be very useful.

3.06 The WHOIS protocol is a method of storing and retrieving information about the registrants of domain names and the assignees of IP addresses.2 Using WHOIS, it is possible instantly to retrieve basic contact information for a specified internet resource. The available information varies between top-level domain names, but includes at a minimum the postal address, email, and telephone number of the registered owner and technical and administrative contacts.3 Numerous free services exist which can be used to perform WHOIS searches.4

3.07 Unfortunately, there is no practical guarantee that WHOIS data are accurate. Entry of false information can sometimes justify cancellation of a domain name; this and other remedies are discussed in chapter 7.5 In cases of malicious wrongdoing, a proxy registration service is often used to register a domain name in the name of an intermediary. In such cases, the registrant may simply be listed as ‘Contact Privacy Customer No 123456’ or similar.6

3.08 Another useful source of information is the server on which any relevant material is stored. The starting point is again the WHOIS record for a domain name or IP address, which will indicate the ‘nameservers’ for the domain name or (in the case of an IP address) the organisation to whom it is allocated. Nameservers, in turn, identify the server on which the website is hosted, which can be determined by querying the DNS records for the domain name and noting the IP address of the ‘A’ (address) records.7 The nameserver will usually be operated by the same service provider as the host server, but this is not always the case. Once the host of a website has been identified, information about the hosted material and account holder can be requested from the host.

3.09 It is often helpful to pinpoint the location of a potential defendant, even if his or her identity is not immediately known. This can be done to a limited extent using IP geolocation databases, which map IP addresses to approximate physical locations using known allocation data.8 Accuracy varies with region and the network design of the target ISP, and can be defeated through the use of proxies, VPNs, and other obfuscating tools.

3.10 Many websites engaged in illicit activity derive revenue from advertising: one report has estimated that 89 per cent of unlicensed television streaming websites and 86 per cent of P2P file-sharing websites do so.9 Another report concluded that the 596 most popular piracy websites generated $227 million from advertising during 2013.10 For such websites, another potential source of identity information is the advertising network that places advertisements, processes click-through activity, and makes payments to its members. Such a network is likely to possess contact information for the operators of participating websites (or their nominees) for the purpose of paying out revenue.

3.11 There are several hundred advertising networks, though a small number account for the substantial majority of traffic and revenue. It is normally possible to ascertain which network is used by looking at a website’s source code. Almost all networks have adopted policies prohibiting the display of advertising on websites engaged in unlawful activity.

3.12 It is likely that an anonymous wrongdoer will have made at least one payment to a service provider, most commonly a domain name registrar, website host, ISP, or security service. Although distributed crypto-currencies such as Bitcoin are now widespread, many payments continue to be made using traceable payment intermediaries such as banks, credit card processors, and online payment services. If such a payment has been made, it may be possible to obtain details of the source of the funds by seeking disclosure from the relevant payment intermediary.11 Other potential remedies targeting payment intermediaries are the subject of chapter 16.

3.13 A potential defendant will sometimes be identifiable using social media. If a particular social media account (such as a Facebook username or Twitter handle) is known, details of the account holder can be requested from the platform operator. Various techniques can also be used to connect an anonymous publication elsewhere with the public posts of a particular user; for example, Google Image Search can be used to find images matching a known sample, or linguistic stylometry can be used to identify the author of an anonymous written publication if a sufficient sample of attributed works is available.12

3.14 If correspondence has been initiated with the potential defendant, it may be possible to deploy tracking tools in emails or other communications which result in the disclosure of his or her IP address. This is commonly achieved in two ways: first, by inserting an invisible image (known as a ‘web bug’) into the body of an email, such that viewing the email triggers the download of a remote image with a unique query string; and second, by inviting the correspondent to visit a page whose URL is known only to the sender. In either case, the sender can examine their server logs to identify an entry corresponding to the recipient accessing the image or page. Because this process may involve the disclosure of personal data about the recipient, it should be done with some caution and sensitivity, and for a legitimate purpose (such as the establishment or enforcement of legal rights).

3.15 Many websites and advertising networks insert tracking cookies onto users’ computers for the purpose of identifying and monitoring their browsing activity. Although it is possible to block or opt-out from such tracking, relatively few users elect to do so. In some cases, it may be possible for a qualified security professional to identify a user from their cookie ID value (such as a ‘GooglePREFID’) or by using commercial fingerprinting technology.13 The use of tracking cookies may have data protection implications, which are discussed in chapter 10.

3.16 If an unidentified defendant has used a known device to carry out activity, it is often possible to identify that person by examining the device. For example, many mobile phones store a history of GPS locations, call and messaging metadata, and browsing history, even after being reset to their default settings.

3.17  Disclosure from intermediaries. If information about a potential wrongdoer is unavailable from public sources, intended claimants have several options. At the first instance, they may request disclosure from an intermediary who possesses relevant information. If voluntary disclosure is refused, it may be necessary to apply formally for compulsory disclosure by court order. This is the subject of chapter 4.

3.18  Primary wrongdoers. In general, the starting point is that the primary wrongdoer is the most appropriate defendant to a claim. If a remedy against that party is likely to vindicate the claimant’s rights at proportionate cost, then that should ordinarily be the end of the inquiry. Only if such a remedy would be somehow deficient, or if bringing the action or enforcing any remedy is not reasonably practicable, should consideration be given to other potential defendants.

3.19  Exhaustion of primary claims. A policy of suing primary wrongdoers is given statutory force in the case of defamation claims. Section 10 of the Defamation Act 2013 means that an English court will lack subject matter jurisdiction to hear a claim against a secondary publisher unless it is not reasonably practicable to bring an action against the author, editor, or publisher of the relevant material.14 The effect of this provision seems to be that actions against many internet intermediaries will be unavailable unless the claimant can first satisfy the Court that there is some good reason why a claim against the primary wrongdoer cannot be brought. The threshold of impracticability is uncertain, and it remains an open question whether it is reasonably practicable to obtain voluntary or compulsory disclosure of the primary author, editor, or publisher of material that is posted anonymously. This requirement is discussed further in chapter 8 in section 3.3.

3.20  Secondary remedies against intermediaries. Claims against intermediaries for infringements of intellectual property rights appear to be largely independent of any available claims against primary wrongdoers. As is discussed in chapter 13, the Enforcement Directive requires member states to make various remedies available against intermediaries who are best placed to bring infringements to an end.15 These remedies are not contingent upon any action being taken against the primary infringer. However, while these remedies must meet minimum standards of effectiveness and dissuasion, they must also be proportionate and must not constitute barriers to legitimate trade. Further, a fair balance must be struck between the rights of service providers to carry on business, and those sought to be upheld by claimants. In this regard, the availability of unexplored but practicable action against a primary infringer is clearly a relevant consideration.

3.21  The general rule. The general rule is that, if an independent cause of action exists against a secondary wrongdoer, such a claim may be brought in addition to or in substitution for a claim against the primary wrongdoer. However, a failure to take practicable action against a primary wrongdoer may still be relevant in several ways.

3.22  Proportionality of remedies against intermediaries. First, it is likely to be a highly material factor when determining whether a remedy sought against a secondary party is necessary and proportionate. For example, disclosure from an intermediary may not be appropriate if the claimant already has an available remedy against a known primary wrongdoer.16

3.23  Discretion. Second, the availability of a claim against the primary wrongdoer is clearly relevant to the exercise of the Court’s discretion whether to grant injunctive relief against a secondary wrongdoer. An injunction against an intermediary may be pointless or futile if an identical order can be made and enforced against the primary wrongdoer personally.

3.24  Abuse of process. Third, it is possible to imagine circumstances in which action against an intermediary who is not said to be a wrongdoer might not serve any real or legitimate purpose. Although the general rule is that a claimant is entitled to bring a reasonably arguable cause of action against a secondary party (whatever other claims may exist), there may be marginal cases in which ‘the game is not worth the candle’.17 For example, the wrongdoing may be trivial, or relief may be purely symbolic or disproportionately costly relative to the benefit likely to be obtained.18 In such cases, one option may be to proceed in the small claims track; however, care would need to be taken to ensure that the proceedings were conducted in a manner such that the potential gain to the claimant can still outweigh the resources required to determine the claim.19

3.25  Overview of material considerations. This section discusses some of the variables that will be relevant to a claimant’s choice of intended defendant in an internet dispute. The most common reasons why it may be undesirable to pursue the primary wrongdoer are that the wrongdoer cannot be identified, is beyond jurisdiction, lacks assets required to satisfy judgment, cannot provide a specific remedy, or if the volume of wrongdoing is simply too great to pursue individually.

3.26  Common problems. Primary wrongdoers are very frequently anonymous, or at least unnamed in their published material or communications. Although various means exist of identifying such a person,20 sometimes it will nevertheless be impracticable or impossible to do so. The trail may run cold at a foreign internet café or hotel, or lead only to a public access point; relevant evidence may have been deleted or overwritten by a service provider; or the defendant may have obfuscated its identity to such an extent, using service providers located in so many different jurisdictions, that it is simply too costly to obtain disclosure from each of the network-layer intermediaries who may be in a position to help. In such cases, an action against ‘Persons Unknown’, even if successful, may achieve little.

3.27  Identity of intermediaries. Conversely, intermediaries tend to be highly visible entities. Many operate fixed infrastructure in multiple jurisdictions and play well-publicised roles in internet communications; with some notable exceptions, they make no effort to hide their ownership or identity. Some are even publicly listed companies. Indeed, those that wish to avail themselves of safe harbours must publish information about their own identity and location, which ensures they are able to be identified.21

3.28  Foreign wrongdoers. Even if the identity of a primary wrongdoer is known, such a defendant may be domiciled in a country whose remoteness or domestic legal system makes it impractical to enforce any remedy against them. Whether such an action is reasonably practicable will depend on all the circumstances, including in particular the nature of the relief sought, whether an English judgment would be recognised and enforced in the courts of the wrongdoer’s domicile, and how costly it would be to do so.

3.29  Factors contributing to harm. The internet makes it disproportionately easy for people to cause harm on orders of magnitude greater than their ability to compensate the resulting losses. Defamatory rumours, confidences, and infringing material propagate virally on gossip blogs and discussion boards, assisted by two social phenomena: social cascades, by which informational signals given by others propagate beliefs; and polarisation, by which group deliberation amplifies individual responses.22 For example, repeated exposure to a salacious rumour increases its likelihood of being further disseminated, and copyright infringers are more likely to believe their actions are justified if they observe others behaving in the same way. These three properties—the low cost of dissemination, the tendency for viral cascades and amplification, and the scale with which tortious information can be reproduced—mean that damage can be caused on a large scale with relatively little effort.

3.30  Indigent wrongdoers. Primary wrongdoers present unattractive defendants if they lack sufficient assets with which to satisfy a judgment. In these circumstances, deep-pocketed intermediaries may present more obvious targets for claimants who seek to recover substantial monetary compensation, assuming that a monetary remedy is available against a secondary party. It will often make sense to join the primary wrongdoer as a party for the purposes of injunctive relief.

3.31  Ineffectiveness of claims against primary wrongdoers. In some cases, the claimant’s objective in pursuing litigation may be to effect a structural change to the enforcement policies or business practices of a facilitator. Although litigation against individual wrongdoers can sometimes cause an intermediary’s risk calculus to shift in ways favourable to a claimant, or deter similar wrongdoing by other individuals, an order against the enabling service provider is often regarded as a more effective way to prevent future wrongdoing. In these cases, the primary wrongdoer may not possess the power to give the kind of remedy that the claimant is seeking. In other cases, the primary wrongdoer may have lost control of the material about which complaint is made; for example, if it has been mirrored or distributed by third parties.

3.32  Intermediary liability and private ordering. In such cases, remedies against a secondary party offer claimants several advantages. First, the terms of an injunction may require pre-emptive enforcement against future tortfeasors long after the conclusion of the action. Intermediaries may be required to alter their technology or even business models and thereby internalise the costs of wrongdoing. Second, the scope of such remedies can extend to mirrored or downstream material which is hosted or transmitted from other sources. Third, orders against one service provider can influence the behaviour of many other users, which may prevent similar wrongful activity. However, such remedies are in one sense more limited, since their formal effects are restricted to the respondent’s own services, whereas relief against a primary tortfeasor binds the defendant personally.

3.33  Enforcement costs. Internet wrongdoing frequently occurs on a scale that makes it impractical for a claimant to enforce his or her rights against every primary wrongdoer. The cost of identifying, pursuing, and enforcing remedies against each defendant would in almost all cases be disproportionate to the expected aggregate remedy. Where tortious information is being propagated by tens of thousands of people online, it is likely to be far more cost-effective for a claimant to target the operator of the platform or to pursue a smaller number of intermediaries who facilitate wrongdoing.

3.34  Reputational costs of primary litigation. Litigation against the primary wrongdoer may also be unwise if it would result in reputational damage to the claimant. Consider, for example, the widespread criticism of litigation against individuals to enforce music copyrights in the United States during the early 2000s. Even in cases where the claimant complains about the publication of obviously wrongful material, bringing a claim against a primary author who is vulnerable or highly motivated may only serve to fuel criticism of the claimant in circumstances where the material might otherwise not have been taken seriously. In such cases, other measures—both litigious and market-based—may be both more effective and less costly to the claimant, though this obviously depends on the nature of the rights being protected.

3.35  Types of secondary wrongdoers. In addition to the primary wrongdoer, internet wrongs commonly implicate a wide range of secondary actors who facilitate the conduct of which complaint is made. A full description of the different classes of internet intermediaries is given in chapter 2, where it is noted that such parties are needed to transmit, store, and make available electronic data. Without them, primary wrongdoers would usually be unable to engage in the conduct or cause the harm that they did electronically. Given the difficulties of identifying, serving, and enforcing judgment against many primary defendants, the temptation to proceed against a secondary party will often be strong. In general, that temptation should be resisted, since in many cases a substantive claim against an internet intermediary will be unavailable, disproportionate, or both. Great caution should be exercised before a decision is made to pursue such a defendant.

3.36  Legal duties of secondary parties. Three main criteria may be used to guide the selection of defendants. First, the legal duties owed by a particular party should be considered. If a party is under no relevant obligation to prevent or cease wrongdoing, then no degree of causation (however intentional) will be sufficient to impose liability to do so. As Arnold J concluded at first instance in L’Oréal SA v eBay International AG, it can often be circular to reason backwards from a presumed legal duty without directing attention to whether any such duty exists in the first place:

L’Oréal’s answer either amounts to an acceptance that eBay Europe are under no duty to prevent infringements by third parties or amounts to a circular argument: eBay Europe are under a duty to prevent third parties from infringing because they are under a duty not to participate in a common design to infringe and they have participated in a common design to infringe because they have failed to prevent third parties from infringing. . . . [H]ow can it be relevant to inquire whether eBay Europe have taken ‘all reasonable measures’ to prevent infringement by third parties unless eBay Europe are under some legal duty or obligation to take all reasonable measures?23

3.37  Relationship between primary and secondary parties. Second, the relationship between the candidate defendant and the primary wrongdoer should be considered: how have they acted together, for what purpose, and with what knowledge of each other’s existence and of the primary conduct in question? Consideration will need to be given to whether a relevant connecting factor exists within the definition of secondary wrongdoing.

3.38  Practical considerations. Third, the practical constraints on pursuing the candidate defendant should be considered: issues such as domicile, jurisdiction, the location of assets, and choice of law, among others, are relevant at this stage.

3.39  Identifying the correct entity. Where a decision is taken to proceed against a secondary wrongdoer, care must be taken to ensure that the correct entity is named as a defendant. Many service providers operate subsidiaries in different jurisdictions which are not directly responsible for the development or day-to-day operation of their platforms but instead provide ancillary services. For example, Google UK Ltd is largely responsible for the sale of advertising in Google AdWords, rather than the operation of the company’s well-known search engine. However, in some circumstances, claims may be brought against a local establishment or subsidiary which carries out commercial activities ‘in the context of’ the technical system operated by a related company.24

3.40  Consequence of suing incorrect entity. Incorrectly addressing a complaint to a subsidiary can lead to serious difficulties, including strike-out of the claim.25 This may be because the relevant acts are those of the parent company rather than the subsidiary, and a mere relationship of holding company and subsidiary company is insufficient for joint tortfeasance.26 In Metropolitan International Schools Inc v DesignTechnica Corp, the claimant alleged that Google UK Ltd was liable for publishing defamatory ‘snippets’ in search results. Its defence was that the activities of Google UK Ltd are limited to sales and marketing, rather than operation of the search engine, and as such did not even have access to any of the technology used to operate and control google.com and google.co.uk. Eady J held that the ‘speculative approach’ of the claimant to pleading the liability of the subsidiary was not appropriate.27 Similar arguments may be available in relation to other national subsidiaries of multinational internet intermediaries.

3.41  Availability of claims against subsidiaries. Whether a claim may be brought against the local subsidiary of an international service provider necessarily depends on the cause of action. The decision of the Court of Justice in Google Spain SL v Agencia Española de Protección de Datos suggests that, at least in certain data protection claims, it is possible to claim against a branch or subsidiary established in a member state which carries on a substantial commercial activity that is ‘inextricably linked’ with the data-processing activities of the parent company.28 In that case, the Court regarded a claim as justiciable against Google Spain in relation to the publication of search results, despite there being no evidence that Google Spain itself carried out the indexing or storage of information contained in the search engine, which was instead operated by Google Inc.

3.42  Subsidiaries as ‘establishments’. In Google Spain, the Court of Justice concluded that Google’s Spanish subsidiary was an ‘establishment’ of Google Inc within the meaning of article 4(1)(a) of the Data Protection Directive.29 This was because the subsidiary was intended to promote and sell commercial advertising space on the search engine of the parent company, and the search engine was the ‘means enabling’ those sales to occur. It followed that the activities of Google in operating the search engine occurred ‘in the context of the activities’ of Google Spain, which was sufficient to satisfy that provision.

3.43  Extent of territorial jurisdiction over intermediaries. The Court in Google Spain was clearly motivated by the need to extend the reach of the Data Protection Directive in circumstances where many of the largest internet intermediaries who process personal data operate outside the European Union. Taken at face value, the approach in Google Spain may suggest that the practice of separating sales and technical functions between entities in different territories is a distinction of form rather than substance. If similar logic were applied to other causes of action, it may become possible to bring proceedings against subsidiaries that provide commercial services in relation to platforms headquartered elsewhere. However, the decision in Google Spain is closely tied to the wording and purpose of article 4(1)(a) of the Data Protection Directive, and it does not necessarily follow that other causes of action will permit claims against a subsidiary directly.30

3.44  Service upon foreign intermediaries. Where a service provider is domiciled outside the jurisdiction, the claimant will need to consider whether permission is required to serve out the claim form onto the defendant.31 Different considerations will obviously apply depending on whether the defendant is domiciled in a territory to which the provisions of the Brussels I Regulation or Lugano Convention apply,32 or if the Court has the power to determine the claim under the Civil Jurisdiction and Judgments Act 1982.

3.45  Criteria for grant of permission. Detailed discussion of the circumstances in which permission is required, and the criteria required to obtain permission, is beyond the scope of this work. In general, where permission is required the claimant must bring the case within one or more of the grounds specified in paragraph 3.1 of Practice Direction 6B.33 For example, the claimants in Vidal-Hall v Google Inc sought to rely upon four grounds to support an application for permission to serve Google Inc with claims for misuse of private information and breach of statutory duty.34 These are the jurisdictional gateways most commonly relevant to cases involving internet intermediaries, namely:

(a)

para 3.1(2): a claim for an injunction ordering the defendant to do or refrain from doing an act within the jurisdiction;

(b)

para 3.1(9): a claim in tort where (a) damage was sustained within the jurisdiction; or (b) the damage sustained resulted from an act committed within the jurisdiction;

(c)

para 3.1(11): a claim whose whole subject matter relates to property located within the jurisdiction; and

(d)

para 3.1(16): a claim for restitution where the defendant’s alleged liability arises out of acts committed within the jurisdiction.

3.46  Where conduct takes place. The difficulties of localising electronic conduct which has effects in the United Kingdom are discussed in chapter 7. Readers are referred to a specialist work for further discussion of related private international law issues.35

3.47  Pre-action conduct. Once the most appropriate defendant has been identified, steps should be taken to comply with any applicable pre-action protocol. This would usually require the claimant to give notice to each defendant of the substance of the complaint and a reasonable opportunity to respond. Care should be taken to ensure that such notifications are sent to the correct entity, through the proper channels and in the required form.

3.48  Methods of giving notice. In the ordinary case, pre-action correspondence should be sent to the defendant. There are several common ways to determine whom to contact.

3.49  Mandatory information. Most service providers publish contact details on their website. Pursuant to regulation 6(1)(c) of the Electronic Commerce (EC Directive) Regulations 2002 (which transposes article 5(1) of the E-Commerce Directive), service providers are required to provide details (including an email address) by which a recipient of the service can contact the service provider directly and effectively. Service providers are also required to publish their name, geographic address, and trade or public registration number (if any). The information must be provided in a form and manner which is easily, directly, and permanently accessible. It is unclear whether, in the case of an email address, this includes a web-based form which, although effective to send a message to the service provider, does not directly disclose the text of the address to which form submissions are sent.36

3.50  Failure to publish mandatory information. The consequence of a service provider failing to supply the required information is unclear. Although expressed as a mandatory obligation in the 2002 Regulations, it is doubtful whether any action for breach of statutory duty lies against a service provider who fails to publish the necessary information. This is chiefly because neither the Regulations nor the Directive benefit a limited class of the public, other than recipients of information society services (which might be thought to include almost anyone). Further, they do not provide any clear remedy for breach of the obligation, let alone a private law cause of action.37

3.51  Failure to use a specified contact method. It is advisable to follow any notification procedures specified by the service provider, in addition to any other method of notification that is used. Whether a service provider has received a notice through a means of contact made available in accordance with regulation 6(1)(c) is a relevant factor which must be considered when determining whether the service provider has acquired actual knowledge of wrongdoing for the purposes of the storage and caching safe harbours.38

3.52  Contractual methods. If the service provider publishes terms of service on its website, that document will often specify an email address or other contact information.

3.53  Administrative contact information. Using the techniques explained at paragraphs 3.06 and 3.07 may reveal the contact information associated with an identified IP address. That contact information normally relates to the data centre or network operator to whom the IP address block has been allocated. In some regions, the authority responsible for allocating IP address ranges requires recipients to nominate ‘abuse’ contact information. This information (which normally consists of an email address) can be used to contact the responsible network layer intermediary, such as a host, domain name registrar, or nameserver operator. However, it is often the case that these mailboxes are not actively monitored by the service provider concerned.

3.54  Other data hosted on shared servers. It is sometimes possible to ascertain details of a defendant by determining which other websites are hosted on the same server as a particular website. To the extent that such other websites are also operated by the same person, examining those other websites may lead to additional clues about the identity of a wrongdoer or secondary party. However, care is warranted since in a shared hosting environment many websites can share the same IP address without having any other connection.

3.55  Identifying shared websites. Obtaining a list of co-hosted websites involvesa process called a ‘reverse IP lookup’. This involves querying an IP WHOIS database with the IP address of the known website; the database responds with a list of other domain names hosted at the same IP address. This can be a useful way of locating mirror or affiliate websites, particularly where a single defendant may be involved in operating a number of distinct infringing websites. However, it relies upon the database being accurate, and it is not normally possible to guarantee that all shared websites have been identified, since there may be websites which are not configured to respond to reverse DNS queries.

3.56  Registrant contact information. As noted at paragraph 3.06, the WHOIS database will list contact details for the registrant and for technical and administrative contact persons associated with a domain name. These contact details are normally supplied by the registrant, and are unverified. However, if a complaint is made about a domain name or information published on a domain name, these parties may be relevant recipients of a notice.

3.57  Affiliate and white label services. Many internet services operate multiple layers of sales channels, allowing resellers to sell services on their behalf, typically in return for a commission, without having to invest in hardware or technical personnel themselves. This practice is especially common for website hosting and domain name registration. The reseller structures vary considerably in complexity; some are simple affiliate models whereby third parties are able to link directly to the service provider, but others are ‘white label’, where it is difficult or impossible to determine whether the point of sale is the service provider or a reseller. Where services permit resellers to engage further resellers, there can be several layers between the account holder of a service and the ultimate controller of the service. Higher-layer services may possess more direct control over the relevant infrastructure and are normally larger undertakings.

3.58  Notice of unlawful activity or information. Any notification sent to an intermediary should set out details of the wrongdoing that is alleged to have been carried out using their services. Such details need to be sufficient to enable a reasonable economic operator in the position of the service provider to ascertain the unlawfulness of the activity or information about which complaint is made. This requirement is discussed further in chapter 12.

3.59  Mandatory information to be supplied. Regulation 22 of the 2002 Regulations requires the Court to consider whether a notification contains certain information, namely: (1) the full name and address of the sender of the notice; (2) details of the location of the information in question; and (3) details of the unlawful nature of the activity or information in question. A notice that does not contain this information may still be effective, but is less likely to be held to confer actual knowledge for the purpose of precluding reliance upon the hosting and caching safe-harbours.39 This is because regulation 22 requires that the Court take into account all matters which appear to be relevant in the circumstances and, in particular, must have regard to the extent to which the notice includes the necessary information.

3.60  Notice requirements for website blocking orders. Similarly, section 97A of the Copyright, Designs and Patents Act 1988 requires the Court to consider a number of factors when determining whether a service provider has actual knowledge of someone using its service to carry out infringement of copyright (or database right). Knowledge under that provision does not require the identity of the wrongdoer to be notified; the ‘someone’ can be anyone. The requirements are discussed fully in chapter 14.

3.61  Liability of the intermediary. Where the claimant must comply with a pre-action protocol governing communications with the intended defendant, a notification alleging wrongdoing by a third party will not necessarily satisfy the requirements if action is subsequently taken against the service provider. If this possibility is contemplated, the pre-action notice should clearly deal with any allegations of liability which are, or are in future to be, made against the intermediary. However, the author of the notice should carefully consider whether those allegations could amount to unjustified threats of infringement.40

3.62  The search for effective redress. Litigation—whether against a primary wrongdoer or an intermediary—is costly, time-consuming, and often futile. Prospective claimants should be advised whether they could obtain more effective redress by using a variety of tools to detect and prevent wrongdoing at its source. Although these tools obviously will not be appropriate where serious damage has been suffered or wrongful profits made, such that a compensatory or restitutionary remedy is required, they remain complementary to the costly machinery of litigation.

3.63  Voluntary removal of unlawful material. Notice-and-takedown remains the most popular internet enforcement mechanism. Major intermediaries process millions of notifications each day using automated takedown mechanisms, with the vast majority of complaints succeeding. Unfortunately, in the absence of harmonised requirements for notices, claimants will need to follow the directions of individual service providers and notify each separately in accordance with the applicable procedure.

3.64  Notice to website operator or host. In most cases, it will be an appropriate first step to issue a notification to the website operator of any internet location where the impugned activity or information is accessible. In parallel, or if the website operator fails to respond, it may be helpful to notify the host of the website directly.

3.65  Notice to website host. As discussed in paragraph 3.58, such notifications should include sufficient information to put their recipients on notice of the unlawful activity or information and should request removal of the material at its source. For example, the notice should set out details of the material complained of, including the Uniform Resource Locators (‘URLs’) for any internet location where it is accessible. Such a notice should also explain the reasons why the material is said to be unlawful.

3.66  Effectiveness of notification. Notice-and-takedown is often the most effective enforcement technique, especially where material is hosted abroad and legal enforcement would be costly or complicated. It also has the virtue of being cheap and rapid. Sometimes, however, notice-and-takedown will be inappropriate or pointless. For example, the website operator or host may have a policy of ignoring (or simply publicising) takedown requests, or may prompt a calculated wrongdoer to attempt to cover his or her tracks.

3.67  Voluntary removal from search engines. Most search engines have well-established internal procedures for the removal of links to content prohibited by their policies. These procedures are usually described as ‘takedown’, even though their object is typically to remove hyperlinks to tortious material rather than deleting the material itself. Private de-indexing practices operate successfully on a large scale and offer low-cost relief to many victims of wrongdoing. They are discussed further in chapter 16.

3.68  Common procedures. Initiating a de-indexing request is very simple. Both Google and Bing publish forms in which complainants may request the de-indexing of content which infringes certain categories of rights. Such a request can be made quickly and at minimal cost. If accepted by the search engine, this may be an effective means of ensuring that unlawful material, although published, cannot be found by the vast majority of internet users. However, the categories of wrongdoing for which de-indexing may be requested without a court order tend to be relatively limited.

3.69  Organic search rankings. A claimant who wishes unlawful material not to be displayed in search results for a particular query but for whatever reason cannot obtain compulsory or voluntary de-indexing may instead seek to promote alternative search results. Although this is unlikely to be as effective as outright removal or de-indexing of the information, promoting the organic search rankings of legitimate or preferred sources of lawful information still has the potential to reduce the degree of harm associated with unlawful material by encouraging members of the public to access alternative material which is more prominent or easier to find. Influencing search engine rankings is an inexact science; various ‘white hat’ techniques are known most of which involve authoring high-quality, relevant content.

3.70  Compulsory transfers of domain names. One emerging technique which can in some cases bypass litigation entirely is the seizure of domain names by a relevant enforcement authority. This practice developed in the United States and has since been proposed in the United Kingdom by Nominet UK and the City of London Police.41 This technique is potentially effective, since it will deactivate the domain name associated with a website entirely. However, it will only be appropriate where the entirety of the domain name in question consists of unlawful or tortious material, such that there is no legitimate content that would be affected by seizure. Further discussion of remedies against and involving domain names can be found in chapter 7.

3.71  Seizure of counterfeit goods. Where the claimant suspects infringement of an intellectual property right by the sale and importation of counterfeit or pirated goods from a website targeted at a member state in the European Union, it may be possible to apply for the customs authorities to take action designed to prevent those goods from entering (or leaving) the relevant customs territory. These procedures are now harmonised by the Customs Regulation.42

3.72  Applications for seizure or detention. Under article 3(1) of the Customs Regulation, right-holders, collecting societies, and related groups have standing to submit EU-wide applications for Community intellectual property rights (such as Community trade marks and designs). They may also submit national applications in respect of national rights under article 3(2). Once an application has been granted, the competent customs authorities are required to detain or suspend the release of goods which they identify as being suspected of infringing an intellectual property right covered by an application, according to the procedures specified in article 17. Goods may also be detained pre-emptively under article 18.

3.73  Seizure contrasted with internet remedies. In some circumstances, these procedures could offer complementary redress against would-be importers of infringing goods. For certain types of goods, they may even be more effective than targeting the websites from which those goods are sold. This is because border seizure acts to restrict the channels of illegitimate trade directly, and remains in operation regardless of changes to the website’s domain name, host, or method of payment. Further, once consumers realise that counterfeit goods for which they have paid are unlikely to be delivered, they will be less inclined to seek out such websites even if they do exist.

3.74  Ineffective remedies. Unfortunately, there will be cases in which any enforcement activity is undesirable. Enforcement may be too costly compared to the prospects of recovering costs from an anonymous or indigent primary wrongdoer; the number of wrongdoers may be too numerous to bring all wrongdoing to an end; or a legal remedy may be unlikely to be effective because it is unenforceable, self-defeating, or simply too late. For example, even if material could be identified and removed, it may be sufficiently popular or already widely disseminated that it will be re-uploaded by a determined tortfeasor, or the damage may already have been done.

3.75  The ‘Streisand effect’. Moreover, attempts to remove material can backfire and leave claimants in far worse positions than when they began. Many commentators have noted the ‘Streisand effect’, whereby attempts to remove material from the internet merely draw unwanted attention to it.43 This may be because a claimant’s activity fans the flames of publicity, lends credence to an otherwise scandalous rumour, draws unwanted attention to unlawful material, or risks prompting backlash from consumers or highly motivated internet communities. In short, attempts to suppress access to information on the internet often have a disproportionate and ironic tendency to amplify demand for the information and magnify its availability.

3.76  Evaluation of likely costs and benefits. This is not meant to discourage claimants from pursuing proportionate enforcement means in the face of obvious wrongdoing and a clearly attainable benefit. However, claimants should consider very carefully whether enforcement will deliver the benefits they seek, or will simply cause disproportionate harm or risk a pyrrhic victory. No amount of litigation can turn back the clock after an unwise enforcement strategy is set in motion.

3.77  Volume of uploaded information. Enormous quantities of new material are uploaded to the internet each day. In a single minute online, at least 204 million emails are sent, over 100 hours of new video are uploaded to YouTube, 100,000 new tweets are published, somewhere between 2 and 4 million Google searches are carried out, and roughly 639,800 GB of data are transmitted by ISPs.44 Amidst this ‘exaflood’ of information, it can be difficult for claimants to detect and prioritise potentially harmful material.

3.78  Difficulty of monitoring information. For obvious reasons, internet intermediaries are generally not in a position to monitor content that is uploaded or transmitted via their services; as is discussed in chapter 12, member states are prohibited from imposing general monitoring duties upon service providers, though the terms of an injunction may require monitoring in specific cases. Accordingly, claimants require a scalable way to monitor the internet for relevant information and activity. Fortunately, a variety of technologies exist which make this possible at relatively low cost.

3.79 Occasionally it will be useful for a claimant to monitor a particular internet location to determine when, and how, its contents change. A variety of tools exist which make it possible to be notified as soon as material is altered. This can be helpful for monitoring compliance with a court order, or for detecting activity on a website of interest.45

3.80 Monitoring services enable a claimant to be notified when new material is indexed by the service which matches specified criteria. For example, Google Alerts provide a digest of new search results for keywords of interest at specified intervals.46 This tool can be useful for individuals who wish to monitor mentions of their name, trade mark or business, the availability of their intellectual property, or the activity of competitors.

3.81 Most search engines permit searching for images similar to a provided sample. This technique can be extremely useful; for example, it might allow an artist to identify which websites are communicating copies of a photograph, or it might allow an individual to determine whether photographs which infringe his or her right to privacy have been re-uploaded or mirrored following their removal from another website. These search tools are imperfect, since they depend on probabilistic matching, but they are useful starting points.

3.82 Claimants may wish to identify locations from which their material is made available to the public via P2P protocols. In the case of BitTorrent transmissions, this is relatively straightforward. A copyright owner may carry out searches of any number of public BitTorrent trackers to determine whether their copyright material is being shared and to identify the IP addresses of sharing peers. Some services (many of dubious intention) operate BitTorrent search engines which allow multiple trackers to be searched at the same time. Once relevant trackers have been identified, a list of peers (known as a ‘swarm’) participating in the exchange of a particular ‘torrent’ file may be downloaded.47

3.83 Searches for domain names may be carried out using any of the WHOIS tools identified at paragraph 3.06. Many such tools allow for more sophisticated wildcard searches to be performed to identify domain names that contain specific keywords or patterns. Domain name monitoring services also exist which permit their users to be alerted when new domain names are registered that contain a keyword of interest (such as a trade mark).48

3.84 For new generic top-level domains (‘gTLDs’, such as .london and .law), a centralised database known as the Trademark Clearinghouse permits brand owners to submit trade mark data and monitor the registration of domain names in these new namespaces.49 This process is discussed in further detail the context of trade mark enforcement in chapter 7.

3.85 Using relatively simple tools, it is now possible to create sophisticated monitoring agents which automatically aggregate content according to specified criteria.50 These tools allow actions (such as sending messages or alerts, recording data in a spreadsheet, or submitting web forms) to be carried out upon the occurrence of a trigger event. Triggers are diverse, ranging from the publication of tweets or YouTube videos with specified keywords, to the real-time monitoring of RSS feeds, brand mentions, URLs, or marketplaces for new content. For example, a copyright owner could trigger the submission of content removal forms or the sending of notice-and-takedown emails to a website operator or host as soon as new infringing content is detected and verified to be an infringement. Particular care would need to be taken to eliminate the risk of false positives (such as by designing conservative keyword triggers, which only target obviously infringing material, or by flagging or manual review).

Notes
1

See chapter 2, section 3 for detailed discussion of internet intermediaries and their classification.

2

Leslie Daigle, ‘WHOIS Protocol Specification’ (RFC 3912, September 2004).

3

See ICANN, ‘.com Registry Agreement Appendix 5: Whois Specifications’ (1 December 2012).

4

Eg, ‘WHOIS Search’ (2014) <http://who.is>; Hexillion Technologies, ‘CentralOps’ (2011) <http://centralops.net/co/>.

5

See chapter 7, section 3.5 for discussion of domain name cancellation and seizure.

6

See chapter 4, section 2 for discussion of compulsory disclosure from proxy registrants.

7

See, eg, SolarWinds Inc, ‘DNSstuff’ (2014) <http://www.dnsstuff.com/>.

8

See, eg, MaxMind Inc, ‘GeoIP2 Omni Web Service’ (2014) <http://www.maxmind.com/>; ‘IPInfoDB’ <http://www.ipinfodb.com/>.

9

BAE Systems Detica, ‘The Six Business Models for Copyright Infringement’ (27 June 2012) 3, 34.

10

See Digital Citizens Alliance, ‘Digital Thieves and the Hijacking of the Online Ad Business’ (February 2014).

11

See chapter 16, section 2.

12

See Arvind Narayanan et al, ‘On the Feasibility of Internet-Scale Author Identification’ [2012] IEEE Symposium on Security and Privacy 300.

13

See, eg, Ashkan Soltani, Andrea Peterson, and Barton Gellman, ‘NSA Uses Google Cookies to Pinpoint Targets for Hacking’ (The Washington Post, 10 December 2013).

14

See chapter 8, section 3.3.

15

See Information Society Directive recital (59), art 8(3); Enforcement Directive art 11. See also chapter 13, section 2 for discussion of the specific considerations relevant to intellectual property remedies, and chapter 14 for discussion of blocking injunctions against intermediaries.

16

Rugby Football Union v Viagogo Ltd [2012] FSR 353, [26] (Longmore LJ); [2012] 1 WLR 3333, [16] (Lord Kerr JSC); Charter art 52(1). See also chapter 4, section 3.3.

17

Jameel v Dow Jones & Co Inc [2005] QB 946, [69] (Lord Phillips MR). See also chapter 8, section 3.5.

18

See, eg, Sullivan v Bristol Film Studios Ltd [2012] EWCA Civ 570, [32], [37] (Lewison LJ) (Etherton and Ward LJJ agreeing).

19

Lilley v DMG Events Ltd [2014] EWHC 610 (IPEC), [30] (HHJ Hacon).

20

See paragraphs 3.05–3.17.

21

E-Commerce Regulations 2002 (UK) reg 6(1), (2).

22

See Cass Sunstein, ‘Believing False Rumors’ in Saul Levmore and Martha Nussbaum (eds), The Offensive Internet: Speech, Privacy, and Reputation (2010) 91, 92, 96.

23

[2009] EWHC 1094 (Ch), [373]–[374] (Arnold J).

24

See chapter 10, section 1.3 for analysis of the territorial scope of the Data Protection Directive.

25

In some cases, it may be to the advantage of a defendant facing a misdirected claim to act pragmatically, unless a real point of substance turns on the reissue of proceedings (such as expiry of a limitation period or permission to serve outside the jurisdiction).

26

Unilever v Chefaro [1994] FSR 135; The Mead Corp v Riverwood International Corp [1997] FSR 484.

27

[2009] EWHC 1765 (QB), [6], [28] (Eady J).

28

Case C-131/12, EU:C:2014:317 (‘Google Spain’).

29

Google Spain, [46], [55]–[57], [60].

30

But see In the matter of a warrant to search a certain e-mail account controlled and maintained by Microsoft Corporation, 13 Mag 2814 (SDNY, Francis J, 25 April 2014) (ordering parent company to disclose data stored on a server operated extraterritorially by an Irish subsidiary).

31

See generally CPR rr 6.32, 6.33, 6.36.

32

See Regulation 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters [2001] OJ L 12.

33

See CPR r 6.37(1)(a).

34

[2014] EWHC 13 (QB).

35

See, eg, Lord Collins et al (eds), Dicey, Morris & Collins on the Conflict of Laws (15th ed, 2012); Adrian Briggs and Peter Rees, Civil Jurisdiction and Judgments (4th ed, 2005).

36

See Google France SarL v Louis Vuitton Malletier SA, Joined Cases C-236/08 to C-238/08, EU:C:2010:159 [2010] ECR I-02417, [86].

37

The only English case to consider this obligation appears to be Devonshire Pine Ltd v Day [2013] EWHC 2619 (Ch), which did not decide the issue.

38

Electronic Commerce (EC Directive) Regulations 2002 reg 22(a).

39

See chapter 12, section 5.

40

This issue most commonly arises in relation to allegations of infringement of registered intellectual property rights: see, eg, Patents Act 1977 s 70; Trade Marks Act 1994 s 21; Registered Designs Act 1949 s 26.

41

See chapter 7, section 3.5.

42

Regulation No 608/2013 concerning customs enforcement of intellectual property rights [2013] OJ L 181/15 (‘Customs Regulation’).

43

See Andy Greenberg, ‘The Streisand Effect’ (Forbes, 11 May 2007) <http://www.forbes.com/2007/05/10/streisand-digg-web-tech-cx_ag_0511streisand.html>. The phenomenon is named after the actor’s failed attempt to have satellite photographs of her California home removed from the internet.

44

Intel Corp, ‘What Happens in an Internet Minute?’ (December 2013) <http://www.intel.com/content/www/us/en/communications/internet-minute-infographic.html>.

45

See, eg, Colin Markwell, ‘WebMon’ (5 June 2012) <http://www.cmcode.co.uk/webmon/>.

46

See Google Inc, ‘Google Alerts’ (2014) <http://www.google.co.uk/alerts>.

47

See Jie Cheng and Ryder Donahue, ‘The Pirate Bay Torrent Analysis and Visualization’ (2013) 3 IJCSET 38.

48

See, eg, DomainTools LLC, ‘Monitoring Tools’ (2014) <http://www.domaintools.com/monitor/>.

49

See Trademark Clearinghouse, ‘Ongoing Notifications’ (2014) <http://www.trademark-clearinghouse.com/content/ongoing-notifications>.

50

See, eg, Zapier Inc, ‘What is Zapier?’ (2014) <https://zapier.com/how-it-works/>; Elastic.io GmbH, ‘Elastic’ (2014) <http://www.elastic.io/>; IFTTT Inc, ‘About IFTTT’ (2013) <https://ifttt.com/wtf>; Yahoo Inc, ‘Yahoo Pipes’ (2014) <http://pipes.yahoo.com/pipes/>.

Close
This Feature Is Available To Subscribers Only

Sign In or Create an Account

Close

This PDF is available to Subscribers Only

View Article Abstract & Purchase Options

For full access to this pdf, sign in to an existing account, or purchase an annual subscription.

Close