
2009 > HOT TOPICS 70

HOT TOPICS: Legal issues in plain language
This is the seventieth in the series Hot Topics: legal issues in plain language, published by the Legal Information Access Centre (LIAC). Hot Topics aims to give an accessible introduction to an area of law that is the subject of change or public debate.

AUTHOR NOTE: Chris Connolly, LLB is a Director of Galexia, a specialist consulting firm undertaking internet law, privacy and electronic commerce projects. He is also a lawyer and researcher, and is a Visiting Fellow at the University of NSW where he has lectured in several Masters of Law courses, including Privacy Law, Cyberspace Law and Electronic Commerce Law. Chris is the founding editor of the Internet Law Bulletin, and also holds several board positions with major charities and community organisations.

DESIGN: Bodoni Studio

PHOTOS: iStockphoto cover image, Hans-Joachim Roy; and pp 1, 5, 9, 11, 14 & 21; AAP image, p 3.

Cyberlaw

Introduction: Common terms.
Access: Equity of access; accessibility standards for websites; case study: National Federation of the Blind v Target.
Content regulation: International content regulation; Australian content regulation; ACMA complaints scheme; online content regulation: ISP filtering scheme.
Privacy and spam: International privacy law; Australian privacy law; case study: Google Streetview; spam.
Social network sites: Social network privacy issues; Facebook Beacon; cyber-bullying issues; UK cyber-bullying prosecution.
Consumer protection: International consumer protection; Australian consumer protection; Australian Competition and Consumer Commission v Vassallo & Smith; case study: Evagora v eBay Australia.
Cybercrime: International cybercrime law; US v Robert Tappan Morris; Australian cybercrime law.
Defamation: Case study: Gutnick v Dow Jones.
Domain names: Domain name regulation in Australia; domain name disputes; case study: Madonna Ciccone v Dan Parisi; case study: Myer stores v Singh.
Copyright: International copyright law; Australian copyright law; case study: The Pirate Bay Trial; peer-to-peer networking and file sharing.
Contracts: International electronic contracts; Australian electronic contracts.
Further information

State Library of NSW Cataloguing-in-publication data

Author: Connolly, Chris
Title: Cyberlaw / [Chris Conolly].
Publisher: Sydney, N.S.W.: Legal Information Access Centre, 2009
Subjects: Internet -- Law and legislation. Internet -- Law and legislation -- Australia. Computer networks -- Law and legislation. Computer networks -- Law and legislation -- Australia.
Other Authors/Contributors: Legal Information Access Centre
Series: Hot topics (Sydney, N.S.W.) ; no. 70
Dewey Number: 343.940999 343.0999

Hot Topics ISSN 1322-4301, No. 70

Hot Topics is intended as an introductory guide only and should not be interpreted as legal advice. Whilst every effort is made to provide the most accurate and up-to-date information, the Legal Information Access Centre does not assume responsibility for any errors or omissions. If you are looking for more information on an area of the law, the Legal Information Access Centre can help (see back cover for contact details). If you want specific legal advice, you will need to consult a lawyer.

Copyright in Hot Topics is owned by the State Library of New South Wales. Material contained herein may be copied for the non-commercial purpose of study or research, subject to the provisions of the Copyright Act 1968 (Cth).

Introduction
Cyberlaw is a term used to describe an emerging body of law relating to the internet and electronic commerce.

Much of this law involves the application of traditional laws to new technology, for example the application of defamation law to some internet communications. However, some completely new areas of law have emerged such as the law of domain names. This issue of Hot Topics does not attempt to cover every aspect of law which might be relevant to the internet and electronic commerce: the field is simply too large. However, it discusses the key legal issues that are the subject of case law, legislation and law reform at the present time.

COMMON TERMS

Malware: short for malicious software, malware is the broad term given to a variety of intrusive and hostile software. It may refer to programs that enable the spread of viruses, the access and control of a computer from a remote party and the inclusion of computers into botnet networks amongst other things.

Hacker: while the term may apply to various computer technical experts, hacker typically refers to an expert in computer and network security who may participate in illegal or criminal activities.

Trojan: malware that facilitates unauthorised remote access to a computer system. Once a Trojan is installed any hacker is able to scan for its existence and perform a number of operations remotely such as uploading, downloading, modifying or deleting files, keystroke logging, data theft and many more.

Worm: a program capable of self-replication. The term describes the way the software spreads itself, which doesn't require a user's intervention or attachment to another program. Instead, it is able to send copies of itself to other computers through existing networks.

Botnet: a collection of computers infected by a trojan or other malware, allowing someone to co-ordinate their operation. Botnets are networks of zombie computers, formed due to the downloading of malicious software, that enable the botnet's originator or the bot herder to control the group of computers secretly.

Zombie: a computer that is infected with a trojan or other malware and is being used as part of a botnet.

Phishing is the technique whereby one obtains sensitive data, such as passwords, user names or bank details by hosting a fake website that looks like the website of a real corporation, typically a bank or financial institution. Generally, such a website is promoted through email or instant messaging and lures customers, by emulating a real website in looks and feel, to give over personal details.

Pharming is the activity whereby hackers interfere with the way a computer looks up web addresses. The primary ways this can be done is through changing a file on one's computer, router or DNS server.

Keystroke logging is the process of covertly monitoring the keys struck on a keyboard from a remote location, so that the keyboard user is unaware of this. There are various software programs that enable hackers to target computers in this fashion.

Access
A good starting point for the consideration of legal issues arising from the internet and electronic commerce is the question of access. Does the law provide a right of access to the internet? Can the law help to remove obstacles to access for people with particular needs or disabilities?

The internet creates many challenges for users with disabilities. Some common barriers for users with disabilities are:
> websites that do not have in-site search facilities;
> websites that do not have a sitemap;
> pop-up windows that interfere with normal site navigation and usability software;
> inability to change font size in some websites; and
> use of pictures and graphics on websites without the provision of ALT tags (meta tags describing images that can be read by usability software).[1]

EQUITY OF ACCESS

The Disability Discrimination Act 1992 (Cth) protects people from discrimination in the workplace or in the provision of goods, services and facilities; these include the internet and electronic commerce. Similar laws are present in most developed jurisdictions, including Europe and the United States.

There are, however, some exceptions to this protection. The most relevant exception is the provision which allows discrimination to take place if adjustments to the workplace, goods, services or facilities which might improve access would be an unjustifiable hardship for the provider, usually on financial grounds.

This legal protection was the subject of a high profile internet case in the lead up to the 2000 Sydney Olympics. In 2000, the Australian Human Rights Commission heard a complaint from Bruce Maguire concerning the website for the Sydney Olympic Games. Mr Maguire is blind and uses web to braille technology to access the internet. This technology works best when websites are formatted to comply with the Web Content Accessibility Guidelines developed by the World Wide Web Consortium.

The Commission heard evidence that the Games website did not comply with the accessibility guidelines and Mr Maguire was unable to use the site. He argued that the costs of making the site accessible would be minimal, and that he believed he had been discriminated against because of his disability. The Commission agreed and ordered the organisers of the Games to make the site accessible in time for the Olympics. They refused and in November 2000 they were ordered to pay $20,000 in damages to Mr Maguire.

This litigation helped to raise awareness and resulted in compensation for one individual, however it did not lead to improved access. Preventative measures are likely to deliver better outcomes for people with disabilities. In Australia, preventative measures include the promotion of accessibility standards for websites.

ACCESSIBILITY STANDARDS FOR WEBSITES

In the web accessibility area there are standards that can be used by website developers to ensure sites are accessible to people with disabilities and that access is improved for the general public. These standards are the subject of continuous revision and updating as technology advances.

Under the Commonwealth Disability Strategy,[2] Australian Government agencies are required to remove barriers which prevent people with disabilities from having access to their policies, programs and services. (At the time of writing, the Commonwealth Disability Strategy is the subject of a major review.) Under this strategy, government departments and agencies are required to comply with Web Content Accessibility Guidelines developed by the World Wide Web Consortium. These are usually known as the W3C guidelines. They explain how to make web content accessible to people with disabilities.

1. For further information on challenges faced by internet users with disabilities see Disabled people and the internet: experiences, barriers and opportunities, D Pilling, P Barrett and M Floyd, City University, London, 2004, available online at http://www.jrf.org.uk. Type "disability and internet" into the search box.
2. The Commonwealth Disability Strategy is available online at: www.fahcsia.gov.au/sa/disability/pubs/policy/Documents/cds/default.htm


CASE STUDY: NATIONAL FEDERATION OF THE BLIND v TARGET

To date, the most important case on disability access to websites is the US case of National Federation of the Blind v Target (2008). This was a class action case against US retailer Target on behalf of web users with visual impairment. The suit alleged that Target's website was not fully accessible to the blind, thus breaching the Americans with Disabilities Act (similar to Australia's Disability Discrimination Act).

The case focused on the alleged lack of descriptive alt tags in the code used to create Target's website, making the site impossible to navigate with screen reading software.

In a major victory for people with disabilities, the plaintiffs won a court approved settlement in late 2008. The settlement included the establishment of a $6 million USD compensation fund plus the payment of all legal costs. Target also signed undertakings to change the way their site was designed and to undergo regular accessibility audits. The case had a widespread impact on leading US websites.

National Federation of the Blind v Target (2008) <http://www.nfbtargetlawsuit.com/final_settlement.html>

These guidelines do not discourage content developers from using images, video, etc., but rather explain how to make multimedia content more accessible to a wide audience. The two key W3C guidelines are:
> Web Content Accessibility Guidelines (WCAG) 2.0, December 2008;[3] and
> Mobile Web Best Practices 1.0 Basic Guidelines (MWBP), July 2008.[4]

The Australian Government has also issued a Better Practice Checklist on Access and Equity Issues for Websites (2008).[5] The checklist is designed for government agencies but also provides useful guidance for private sector websites. The checklist covers disability access issues as well as access and equity issues for people from culturally and linguistically diverse backgrounds.

[Photo: Bruce Maguire, a visually impaired man who took SOCOG to court over its lack of support and services to the blind on its Sydney Olympic Games website, August 2000. Dean Lewins, AAP Photo.]

3. Available online at: www.w3.org/TR/WCAG20/
4. Available online at: www.w3.org/TR/mobile-bp/
5. Australian Government Better Practice Checklist available online at www.finance.gov.au/e-government: go to "ICT Better Practice & Collaboration" and then "Better practice checklists", and scroll down to "Access and equity issues for websites".

Content Regulation
Online content regulation refers to any type of regulation by governments or regulatory authorities directed at:
> censoring information and communication on the internet based on its subject matter; and
> controlling, or attempting to control, access to internet sites based on subject matter.

INTERNATIONAL CONTENT REGULATION

The EU Convention on Cybercrime (the Cybercrime Convention),[6] while primarily regulating criminal activities such as hacking, also requires parties to introduce laws to prohibit the production, offering, supply, distribution, procurement, or possession of child pornography, under Article 9 (Offences related to child pornography).

Due to difficulties in reaching a consensus as to the types of material that should be prohibited, no further content restrictions were included in the Cybercrime Convention, although the possibility of including further content restrictions in an additional protocol to the Cybercrime Convention was left open.

The Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems[7] has since entered into force; parties to the Additional Protocol are required to enact laws to prohibit distributing, or otherwise making available, racist and xenophobic material to the public through a computer system.

AUSTRALIAN CONTENT REGULATION

Online content is regulated by a Commonwealth regime that establishes a framework for regulating internet service providers (ISPs) and internet content hosts (ICHs). An ISP is a person who supplies an internet carriage service, consisting of service points within Australia that enables end-users (members of the public) to access the internet. ICHs are persons who host internet content in Australia.

The Broadcasting Services Amendment (Online Services) Act 1999 (Cth) establishes the Online Content Co-Regulatory Scheme for the regulation of prohibited content on the internet.

The scheme is based on the principle that what is restricted offline should also be restricted online. That is, access to online content which is or would be likely to be refused classification (RC) or classified X (sexually explicit material for 18 years and over) or R (restricted to people over 18 years) by the Office of Film and Literature Classification (OFLC) Board should be restricted in the same way as access to offline material.

The Act is intended to establish a co-regulatory scheme under which the Australian Communications and Media Authority (ACMA) and the internet industry share responsibility for the regulation of internet content. More specifically, the scheme is underpinned by industry developed codes of practice which the ACMA can supplement using its reserve powers. In general however, activity by the ACMA under the scheme is complaints-driven.

The Codes of Practice constitute the main basis of regulating ISPs and ICHs under the Commonwealth scheme. They include:
> ISP Obligations in Relation to Internet Access Generally;
> ISP Obligations in Relation to Access to Content Hosted Outside Australia; and
> Internet Content Host Obligations in Relation to Hosting of Content within Australia.

Under the scheme, the meaning of prohibited content differs depending on whether the site is hosted in Australia or overseas.

For sites hosted in Australia prohibited content is internet content that has been refused classification (RC) or classified X by the Office of Film and Literature Classification (OFLC). It is also internet content that is rated R where access to the internet content is not subject to a restricted access system (see below).

For sites hosted overseas prohibited content is only material that would be refused classification (RC) or classified X by the OFLC.

6. Convention on Cybercrime, 2001 is available online at <http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm>
7. Additional Protocol to the Convention on Cybercrime, 2003 is available online at <http://conventions.coe.int/Treaty/en/Treaties/Html/189.htm>


ACMA COMPLAINTS SCHEME

Any person who is an Australian resident or an Australian company can make a complaint to ACMA about objectionable material on the internet or about a contravention of the codes by an ICH. The complaint must be made either in writing to ACMA, or via an online complaints form.

If ACMA receives a complaint they must investigate it, unless they view the complaint as frivolous, misguided or designed to undermine the scheme. ACMA must take action where it is satisfied that the content complained of is prohibited content or potential prohibited content.

In the cases of prohibited content, if the content is hosted in Australia and is classified RC, X or R (where there is no restricted access system (RAS) in place), ACMA must issue a final takedown notice directing the ICH to cease hosting the relevant content.

If the ICH is not in Australia then ACMA only takes action if the prohibited content or potential prohibited content is either in the RC or X category. If ACMA decides that the content complained of is, or would be, classified RC or X, then ACMA must notify suppliers of Scheduled filters and internet service providers of the location of the content.

ACMA may notify the content to an Australian police force if it thinks such action is warranted, for example if the material might contravene a State Crimes Act (such as child pornography) or assist in the commission of a crime.

Failure to comply with an ACMA takedown notice or a direction to comply with a code is an offence carrying a maximum penalty of $5500 for individuals or $27,500 for corporations.

For more information see the Australian Communications and Media Authority website: www.acma.gov.au

ONLINE CONTENT REGULATION: ISP FILTERING SCHEME

The Australian Government has also proposed the introduction of Internet Service Provider (ISP) level content filtering. The policy reflects the Government's view that ISPs should take some responsibility for enabling the blocking of prohibited material on the internet. The proposed filtering would block content using a blacklist of prohibited sites maintained by the Australian Communications and Media Authority (ACMA). The ACMA blacklist is a list of internet websites, predominantly comprising images of the sexual abuse of children.

ACMA completed a laboratory trial of available ISP filtering technology in 2008. The trial looked specifically at the effect of a range of filter products on network performance, effectiveness in identifying and blocking illegal and inappropriate content, scope to filter non-web traffic, and the ability to customise the filter to the requirements of different end-users. The results of the laboratory trial were published in the report Closed Environment Testing of ISP-Level Internet Content Filtering (July 2008).

The Government is also undertaking a live Pilot of ISP filtering which it hopes will provide information on the effectiveness and efficiency of filters installed at the ISP level. At the time of writing, an evaluation of this trial has not been published.

The Government's proposal is the source of widespread community concern regarding perceived censorship and some industry concern regarding implementation costs and the impact on internet speeds.[8]


8. Further information is available from the Department of Broadband Communications and the Digital Economy: go to www.dbcde.gov.au and select "Cyber safety plan" under "Quicklinks". There are a number of measures listed including ISP filtering.

Privacy and Spam


Privacy may be defined as the claim of individuals, groups or institutions to determine when, how and to what extent information about them is communicated to others. It is the right of an individual to control what happens with their personal information.

INTERNATIONAL PRIVACY LAW

In establishing legislation to govern privacy issues relating to electronic data, the most prominent legal instruments are the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 1980, and the EU Data Protection Directive of 1995. An APEC privacy framework has also been developed, but it is of less practical value.

OECD guidelines

In 1980 the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data became applicable for OECD Member Countries.[9] The guidelines recommend member countries develop legislation incorporating a common set of privacy principles. Key principles include:
> limiting data collection to that data collected lawfully, with the knowledge or consent of the data subject;
> ensuring personal data is relevant, accurate and kept up-to-date;
> recommending the employment of security safeguards for the protection of personal data; and
> giving the individual the right to know that data about them has been obtained, and to know what that data is.

At an international level the guidelines seek to minimise restrictions on cross-country data flows while maintaining a protection of privacy and personal liberties.

EU Data Protection Directive

The EU Data Protection Directive of 1995[10] regulates the handling of personal information. The key components of the approach established by the EU Data Protection Directive are that privacy regulation is comprehensive (covering the public sector and the entire private sector) and that regulation is contained in enforceable legislation. Typically the legislation will also establish an independent regulator.

The Directive also provides regulation of situations where data is transferred to non-EU countries. The basic rule is that the non-EU country receiving the data should ensure an adequate level of protection for the personal information, although a practical system of exemptions and special conditions also applies. The advantage for non-EU countries that can provide adequate protection is that the free flow of data from all EU states will be assured.

APEC Privacy Framework

In 2005 the Asia Pacific Economic Community (APEC) published the APEC Privacy Framework. The international instrument is built around nine high level Privacy Principles and a vague commitment to cross-border cooperation. The stated aim of the Framework is to find balance between personal privacy protection and the enablement of the global economy through a free flow of information. In practice the APEC Privacy Framework is heavily weighted towards business interests. After five years the Framework has not been implemented, although some useful developments in cross-border cooperation regarding privacy complaints have emerged in the region.

AUSTRALIAN PRIVACY LAW

The regulation of privacy in Australia is complex. Relevant privacy laws include: Commonwealth, state and territory privacy legislation, privacy and confidentiality provisions within other laws, codes of conduct and the common law.

In 2006, the Australian Law Reform Commission began an inquiry into the extent to which the Privacy Act 1988 (Cth) and related laws continue to provide an effective framework for the protection of privacy in Australia. The final report, For Your Information: Australian Privacy Law and Practice (ALRC 108) was published in May 2008. Its recommendations are yet to be implemented.

9. The OECD Guidelines on the Protection and Privacy and Transborder Flows of Personal Data are available online at www.oecd.org: type "privacy and data guidelines" into the search box.
10. Directive 95/46/EC on the protection of individuals with regard to the processing of personal data 1995 is available online at <http://eur-lex.europa.eu>


CASE STUDY: GOOGLE STREETVIEW

The Google StreetView application was launched in 2007 and has continued to expand, showing more and more cities (and even some rural areas) in the United States, Australia, New Zealand, the UK, several European countries, Japan and others. Along with the increase in countries available have come widespread privacy complaints about the technology.

In the United States, in April 2008 a couple (named Aaron and Christine Boring) sued Google Maps for displaying photographs of their garden and home, despite clear indication that they lived on a private road. The couple lost the case, but soon after a whole town from Minnesota, North Oaks, sent a letter from their council to Google asking that their town be removed from the application. Google soon after removed the images of the town, to comply with the town's laws about trespassing.

During the photography for the site in the United Kingdom, the English village of Broughton physically prevented the Street View car from photographing their homes, claiming the service facilitated crime. Following the launch of the Street View service in the UK the Information Commissioner's Office (UK) received 74 individual complaints and a request from Privacy International to investigate the site's potential violation of privacy laws. The ICO (UK) found Google Street View did not violate any privacy laws and rejected claims that the consent of everyone photographed was required before publishing. The ICO (UK) found Street View carried a small risk of privacy invasion but should not be closed down. Following the launch in the UK Google also received numerous individual requests for images to be removed and Google dealt with these individually.

The technology was introduced to Japan in August 2008 and was subject to numerous complaints including one group's argument the service constituted a violent infringement on citizens. The issue in Japan was that the high camera angles used meant pictures were being taken over short fences and walls into private areas. Google agreed to lower the cameras on the cars by 40cm and are retaking the images with the belief that the new camera height allows a high-quality image of the street whilst respecting the privacy of homeowners.

In May 2009, the Greek Hellenic Data Protection Authority ordered that photographing in Greece cease pending further inquiries into the details of the technology. The Greek authorities want additional information on the storage of the images on Google's database and measures the company will take to protect people's privacy rights. Google has agreed to discuss the issues with the Greek authorities to assure them of the importance placed on protecting user privacy.

Street View was introduced to Switzerland in August 2009 and the Federal Data Protection and Information Commissioner demanded Switzerland be withdrawn from the service. The Commissioner claims the technology violates Swiss privacy law by failing to adequately obscure individuals' faces and license numbers. Google has again actively responded, announcing the company will work hard to facilitate the Swiss demands and the blurring of faces and license will be greatly improved. The Commissioner is currently considering the changes proposed by Google Inc.

Australia has the following general privacy legislation in place:


Jurisdiction | Legislation | Regulator
Commonwealth | Privacy Act 1988 (Cth) | Federal Privacy Commissioner
ACT | Privacy Act 1988 (Cth) | Federal Privacy Commissioner
NSW | Privacy and Personal Information Protection Act 1988 (NSW) | NSW Privacy Commissioner
NT | Information Act 2002 (NT) | NT Information Commissioner
QLD | Information Privacy Act 2009 (Qld) | Queensland Information Commissioner
SA | Cabinet Administrative Instruction 1/89 | Privacy Committee of South Australia
Tas | Personal Information and Protection Act 2004 (Tas) | Tasmanian Ombudsman
Vic | Information Privacy Act 2000 (Vic) | Victorian Privacy Commissioner
WA | No laws | N/A

The state and territory legislation in this list generally applies to the activities of state and territory public sector agencies, while the Commonwealth legislation applies to both the Commonwealth public sector, and significant parts of the private sector.

However two different standards of privacy protection exist in the Commonwealth legislation, namely the Information Privacy Principles (IPPs) which apply to Commonwealth and ACT government agencies and the National Privacy Principles (NPPs) which apply to parts of the private sector (those that earn more than $3 million annually). There is some inconsistency between the IPPs and the NPPs, although the Australian Law Reform Commission has recommended that the IPPs and NPPs be replaced by a new set of Uniform Privacy Principles (UPPs).

The NPPs cover:
> Principle 1: Fair collection. Collection of personal information is only allowed if it is necessary for the function or activity of the organisation. Organisations must explain their information practices to individuals at the time when they collect their personal information.
> Principle 2: Use and disclosure. Personal information should generally not be used or disclosed for a purpose other than that for which it is collected without the consent of the individual concerned.
> Principle 3: Data quality. Organisations must take reasonable steps to ensure that personal information collected, used or disclosed by them is accurate, complete and up to date.
> Principle 4: Data security. Organisations must take reasonable steps to protect personal information they hold from unauthorised access, and must not hold data longer than needed.
> Principle 5: Openness. Organisations must clearly express and make available their policies about how they collect, hold, use and disclose personal information.
> Principle 6: Access and correction. Organisations must provide individuals with access to information they hold about them on request and must correct that information if it is not accurate, complete and up to date.
> Principle 7: Identifiers. An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by an agency or Commonwealth provider. The purpose of this NPP is to prevent the emergence of a de facto system of universal identity numbers, and loss of privacy from the combination and re-combination of the data.
> Principle 8: Anonymity. Where lawful and practical, individuals must be given the option of remaining anonymous when entering into a transaction with an organisation.
> Principle 9: Transborder data flows. An organisation in Australia may transfer personal information about an individual to someone who is in a foreign country only if they believe the organisation upholds similar principles of fair data handling or it is for the benefit of the individual.
> Principle 10: Sensitive information. An organisation must not collect sensitive information about individuals unless the individual consents, or if the organisation is required to do so by law.

SPAM

Spam is the term now generally used to refer to unsolicited electronic messages, usually transmitted to a large number of recipients. They usually, but not necessarily, have a commercial focus, promoting or selling products or services; and they share one or more of the following characteristics:
> they are sent in an untargeted and indiscriminate manner, often by automated means;
> they include or promote illegal or offensive content;
> their purpose is fraudulent or otherwise deceptive;
> they collect or use personal information in breach of privacy principles;
> they are sent in a manner that disguises the originator; and
> they do not offer a valid and functional address to which recipients may send messages opting out of receiving further unsolicited messages.
Major problems caused by spam

The problem of spam has reached a point where it is having a significantly negative effect on users' confidence in using email. There are clear signs of a serious impact on the performance of the global email network, with some commentators predicting that the continuing proliferation of spam could mean the end of email as an effective form of communication. Some of the specific problems posed by spam include:
> Privacy: There are significant privacy issues surrounding the manner in which email addresses and personal information are collected and handled. It is not uncommon for address collectors to covertly harvest email addresses from the internet, as users visit certain sites, and buy and sell them in bulk without the knowledge or consent of the owner.


> Content: It is likely that more than half of all unsolicited commercial emails contain fraudulent or deceptive content.
> Financial costs: It is likely that the worldwide cost of spam to internet subscribers exceeds US$20 billion per year. These sorts of costs are usually borne by internet users (and/or employers), through increased download times and lost productivity, or because the internet service provider has to purchase increased bandwidth. Spammers themselves, on the other hand, bear relatively small costs in sending these messages.

The primary piece of legislation on spam in Australia is the Spam Act 2003 (Cth). The Act contains provisions regulating commercial electronic messages, address-harvesting software, and harvested address lists, as well as civil penalties for violations of these provisions. These provisions are concerned with spam within Australia, and are complemented by a number of international cooperation agreements. The Act is also supported by industry guidelines such as the Australian eMarketing Code of Practice[11] and the Internet Industry Spam Code of Practice.[12]

Subsection 16(1) of the Act prohibits (with exceptions) the sending of commercial electronic messages. The Australian legislation defines spam as unsolicited commercial electronic messaging. The Australian legislation covers more than just emails; it also covers mobile text messaging and some other forms of electronic messaging. Some exemptions are included in Schedule 1 of the Act. These include:
> messages authorised by a government body, a political party, a religious organisation, or a charitable institution, where the message relates to goods or services provided by that body, party, organisation or institution; and
> messages authorised by an educational institution, where the relevant account holder is or has been a student of that institution, and the message relates to goods or services provided by the institution.

The prohibition also does not apply if the relevant account holder has given consent to receive the message. Consent may be express, or inferred from the conduct or relationships (business or otherwise) of the account holder. Publication of an electronic address does not imply consent, except where the publication is conspicuous and relates to a business position or an office held by the account holder.

Commercial electronic messages are required to include clear and accurate identification of the individual or organisation that authorised the sending, and accurate contact information for the individual or organisation: see section 17(1). A person must not send a commercial electronic message unless it provides a clear and conspicuous unsubscribe statement so that the recipient may inform the sender that they do not wish to receive further commercial electronic messages. The sender must provide a functional mechanism to allow unsubscribing: see section 18(1).

The Spam Act also contains restrictions on the use of electronic address-harvesting software and the results of such software.
Address-harvesting software is defined as software designed or marketed for searching for and compiling electronic addresses from the internet.


11. ACMA, Australian eMarketing Code of Practice, ACMA, March 2005, http://www.acma.gov.au. Type 'emarketing code' into the search box.
12. Internet Industry Association, Internet Industry Spam Code of Practice, December 2005, http://www.iia.net.au. Click on the Codes of Practice tab and follow the links to the Spam code.

Social Network Sites


Online communities and social network sites are a relatively recent development, with the number of users of these sites growing rapidly. Social network sites can be typically defined as online communication platforms which enable individuals to join or create networks of like-minded users.

The guidelines state that social networking sites should place default security settings at a high level and allow users to limit data disclosed to third parties.

FACEBOOK BEACON
In November 2007 Facebook launched Beacon, as part of a campaign enhancing Facebook's advertising system. The program allowed users to see when friends had made purchases or interacted with any of the 44 associated websites (including sites like Blockbuster and Fandango). Through a more precise understanding of the user's likes and dislikes, Facebook could then more accurately target advertisements at individual customers. The 44 affiliated companies sent information to Facebook that would then appear on a user's news page. Originally, to deactivate this, users needed to go to each individual company site and elect to opt out. Controversy surrounding the privacy issues associated with the program arose quickly after its launch, with numerous active civil protestors demanding changes to the system (most notably from MoveOn.org). At the end of November 2008, a new Beacon update was released giving customers multiple clear options to opt out of the service before assuming their consent. However, a security researcher discovered that third-party websites were still sending information about the activities of their users to Facebook, even where the user was not logged into Facebook, or had opted out of Beacon. Due to the ongoing protests, Facebook announced in December 2008 that users would have the ability to turn Beacon off completely, as well as making it an opt-in service. In September 2009, Facebook agreed to shut down Beacon entirely under a settlement of a class action lawsuit. As part of the settlement, Facebook also agreed to establish a Privacy Foundation for funding programs designed to educate and promote online privacy, safety and security.

SOCIAL NETWORK PRIVACY ISSUES

Social network sites have several common characteristics:
> users are invited to provide personal data for the purpose of generating a description of themselves or 'profile';
> social network sites also provide tools which allow users to post user-generated content such as photographs, videos and diary entries;
> social networking is enabled using tools which provide a list of contacts for each user, and with which users can interact; and
> social network sites generate much of their revenue through advertising which is served alongside the web pages set up and accessed by users.

European Union regulators have laid out operating guidelines for Facebook, MySpace, Twitter and other social-networking sites to ensure they comply with privacy laws.[13] A panel of European privacy regulators that advises the European Commission issued an opinion in early 2009 that describes how EU privacy laws apply to social-networking sites. They express their concern in the following terms:
The personal information a user posts online, combined with data outlining the user's actions and interactions with other people, can create a rich profile of that person's interests and activities. Personal data published on social network sites can be used by third parties for a wide variety of purposes, including commercial purposes, and may pose major risks such as identity theft, financial loss, loss of business or employment opportunities and physical harm.

CYBER-BULLYING ISSUES

Social network sites have also raised concerns about cyber bullying. The 2008 Youth Poll found that cyber bullying is affecting more than one in five young Australians. The Poll found that 64 per cent of those aged 15-20 years belonged to a social network site such as MySpace or Facebook, and that 22 per cent had been harassed or bullied online.[14]

13. EU Social Networking Privacy Guidelines (2009) <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp163_en.pdf>
14. Youth Poll Archive 2008 <http://www.natashastottdespoja.com/aspx/youthpoll.aspx>


UK CYBER-BULLYING PROSECUTION
An 18-year-old woman was sentenced to three months' jail and placed under a five-year restraining order by the UK's Worcester Magistrates Court following comments made on the social networking site Facebook, in turn following offline behaviour. The defendant approached the victim in a bar two days before posting the comments, and was told to leave or the victim would call the police. The defendant told the victim she would "give [the victim] something to call the police about", and later posted on Facebook that she would "murder the bitch". The defendant had a history of bullying the victim (including previous convictions) over several years. The case has been reported as the first case in the UK (and possibly the world) of a conviction for cyber bullying, although convictions have been made prior to this for harassment and online stalking. Several laws in the UK potentially apply to prohibit such activity. The Malicious Communications Act 1988 prohibits the sending of a letter, electronic communication or other article that is indecent or grossly offensive, threatening, or false (and known or believed by the sender to be false) and sent for the purpose of causing distress or anxiety. The Protection from Harassment Act 1997 prohibits harassment and conduct causing another person to fear that violence will be used against him or her (on at least two occasions).

In Australia, the Commonwealth Criminal Code sets out an offence of using a carriage service (such as a mobile phone or the internet) in a way that is menacing, harassing or offensive. Typically this provision is used for harassing phone calls, but it could easily be extended to online communications.

In practice, cyber bullying probably involves activity that should be prosecuted under other laws. For example, serious threats may constitute an assault. Persistent online harassment may constitute stalking. In Australia, any conduct which could reasonably be likely to arouse an apprehension of fear in the victim is an offence. Accordingly, sending email or posting messages on interactive internet forums such as bulletin boards or chat rooms may constitute stalking.


Consumer Protection
Consumer protection law is government regulation of transactions between consumers and businesses. It protects the interests of consumers by providing redress in situations where businesses engage in unconscionable and deceptive practices. Consumer law covers a range of topics, including: product liability, unfair business practices, fraud and misrepresentation.

If an organisation is incorporated in or carries out business within Australia it is bound by the trade practices legislation. Breach of the trade practices legislation by a corporation or individual may result in significant fines and in some cases criminal liability. The TPA defines a consumer as a purchaser of goods or services for less than A$40,000 or, if the price exceeds A$40,000, where the goods or services are of a kind ordinarily acquired for personal, domestic or household use or consumption. The TPA impacts on the internet in the following areas:
> Implies terms and warranties into certain transactions: The TPA implies into all consumer contracts a number of non-excludable conditions and warranties including that goods are supplied with a matching description; are of merchantable quality; are fit for purpose; and, any warranty of services will be rendered with due care and skill. Any term of a contract that has the effect of excluding, restricting or modifying rights or liability under these implied terms will be void.
> Prohibits unconscionable conduct and contracts: Generally, unconscionable conduct occurs whenever one party to a transaction is at a special disadvantage in dealing with the other party because of illness, ignorance, inexperience, impaired faculties, financial need or other circumstances affecting their ability to conserve their own interests, and the other party unconscionably takes advantage of this opportunity.
> Prohibits misleading or deceptive conduct: With regard to the internet, it may be misleading or deceptive conduct where a consumer is or is likely to be misled or deceived by a statement on the website or if it is unclear when you connect from one website to another. The use on websites of internal and external links, frames, meta-tags, the location and prominence of disclaimers and content generally must not be misleading or deceptive to the extent goods or services of A are passed off as those of B.

In 2008 and 2009, a number of reviews and reforms of Australia's consumer law were initiated. In 2008 the Productivity Commission made a number of recommendations for reforming Australia's consumer laws, including a recommendation for a single national consumer protection law.

INTERNATIONAL CONSUMER PROTECTION

Although international regimes for consumer protection in electronic commerce have been slow to develop, there is one document which has some impact today: the OECD Guidelines on Consumer Protection in Electronic Commerce (2000).[15] These guidelines have no direct enforcement powers but may be implemented in various ways at the national or local level. The guidelines are a comprehensive set of consumer protection measures, with a strong emphasis on the provision of information to the consumer. They also set out the minimum requirements for the formation of a contract in electronic commerce.

AUSTRALIAN CONSUMER PROTECTION

In Australia, the issue of consumer protection for electronic commerce is dealt with through a mix of legislation and the development of industry codes of conduct.
Trade Practices Act

In Australia, the Trade Practices Act 1974 (Cth) (TPA) generally applies to corporations rather than individuals. It will apply to individuals who are engaging in interstate trade or commerce or aiding or abetting a breach of the Act by a corporation. The actions of individuals are otherwise covered by equivalent state or territory trade practices legislation.

15. OECD Guidelines on Consumer Protection in Electronic Commerce are available at <http://www.oecd.org/>


AUSTRALIAN COMPETITION AND CONSUMER COMMISSION v VASSALLO & SMITH


In 2009 the ACCC brought a case against Leanne Vassallo and Aaron Smith, for selling online e-Books, which claimed to hold cures to a number of health issues (including acne, asthma, multiple sclerosis, menopause and prostate cancer). The pair used numerous websites to sell over 60,000 copies of their e-Books. The ACCC, who worked with the NSW Police Department on the case, brought expert evidence that concluded that the remedies offered held no therapeutic benefits, or medical efficacy. There were also a number of testimonies, which were repeated across different websites, which the court found were contrived. The judges of the Federal Court of Australia found that Vassallo and Smith had engaged in misleading and deceptive conduct. On the 30th of July the Court handed down an injunction, restraining the respondents from continuing any further activity through their numerous websites. In the court order, 60 website domains were listed to be removed by the respondents, and the respondents were made to pay the ACCC's costs. The injunction also specifically prohibited the pair from engaging in any future activity involving similar representations. The Washington State Attorney General's Department brought the scam to the attention of the ACCC. The Washington Department helped them conduct the subsequent investigation and also filed a suit against Vassallo and Smith in the US.
Australian Competition and Consumer Commission v Vassallo & Smith http://www.austlii.edu.au/au/cases/cth/FCA/2009/954.html

A number of further consultations and reforms have followed from the Productivity Commission's report, including: a consultation on the unfair contract terms recommendations of the Productivity Commission's report; and the tabling of The Trade Practices Amendment (Australian Consumer Law) Bill 2009 (Cth). The Trade Practices Act is administered by the Australian Competition and Consumer Commission (ACCC).[16]
EFT Code of Conduct

> privacy provisions mirroring the new federal privacy legislation for the private sector must be complied with, plus some specific EFT industry privacy guidelines; and
> complaint investigation and resolution procedures must be in place.

Of course, the most important section of the EFT Code is the section apportioning liability for unauthorised transactions. This includes coverage of:
> access methods;
> security and disguise of codes;
> contribution to loss;
> fraud and negligence;
> lost and stolen cards or devices; and
> system or equipment malfunction.

While the EFT Code has always been voluntary, it has in the past been a very successful and popular code with both business and consumers and has achieved a very high rate of industry coverage. The Code is administered by the Australian Securities and Investments Commission (ASIC).[17]
Australian Guidelines on Electronic Commerce

The Electronic Funds Transfer Code of Conduct is the main regulatory instrument in Australia for providing consumer protection in electronic payment systems. The EFT Code covers any business to consumer electronic transfer of value. Business to business electronic transfers of value will be excluded where the product being used was intended primarily for business use. An electronic transfer of value includes coverage of credit cards in some circumstances, but not where a signature is obtained. It certainly includes EFTPOS, ATM transactions, most internet and telephone banking transactions, direct debits and direct transfers. Stored value products, such as electronic purses and stored value smart cards, are included in a separate section of the Code (Part B). Specific requirements of the Code include:
> terms and conditions must be provided to consumers;
> records of transactions must be available to consumers;
> audit trails must be kept;

The Australian Guidelines for Electronic Commerce were released by the Treasury Department in March 2006 with the aim of enhancing consumer confidence in e-commerce by providing guidance to businesses on how to deal with consumers when engaged in business to consumer e-commerce.[18]

16. For more information see the Australian Competition and Consumer Commission website: <http://www.accc.gov.au>
17. For more information visit the ASIC website: <http://www.asic.gov.au>
18. Australian Government, The Australian Guidelines for Electronic Commerce (2006) <http://www.treasury.gov.au/documents/1083/PDF/australian_guidelines_for_electronic_commerce.pdf>.

The guidelines contain provisions on a number of matters including:
> fair business practices;
> accessibility and disability access;
> advertising and marketing;
> engaging with minors;
> disclosure of a business's identity and location;
> disclosure of a contract's terms and conditions;
> implementing mechanisms for concluding contracts;
> adopting privacy principles;
> using and disclosing information about payment, security and authentication mechanisms;
> establishing fair and effective procedures for handling complaints and resolving disputes; and
> the law and forum for resolving contractual disputes.

The guidelines have no enforcement provisions, complaints process or administrative structure. They are yet to be adopted or implemented by any industry body. In these circumstances they are best seen as another virtual code, which gives some useful guidance to business, but to date provides limited consumer protection.

Released at the same time as the guidelines was a Checklist for Business-to-Consumer E-Commerce in Australia,[19] which seeks to enhance business awareness of key issues to be considered when dealing with consumers through e-commerce. The checklist contains a list of issues that should be considered by businesses when transacting with consumers online, including that the contract terms are clear and easily accessible by the consumer and appropriate steps are taken to protect the consumer. Further details on how to implement these measures are contained in the guidelines.

CASE STUDY: EVAGORA v EBAY AUSTRALIA


In the case of Evagora v eBay Australia [2001], provisions of the Fair Trading Act 1999 (Vic) were used to protect a buyer who purchased on eBay's website, relying on graphics saying "Buy with confidence. eBay insured. Automatically insured." A smaller link connecting buyers to a Conditions section stated eBay's liability, which limited insurance claims to $270. The plaintiff admittedly did not read the 12 pages of user terms and conditions when buying the computer from Oman; however, he submitted that the content of these terms seemed to contradict earlier representations made that users could buy safely and with confidence. The computer was never received, despite payment being made, and eBay tried to deny any liability in the matter. However, the Court held that eBay's Conditions did not effectively negate the earlier claims, saying: "The Respondent has an obligation to its consumers to ensure that any limitations associated with the use of its online auction facility are clearly notified to prospective users. It is not sufficient to have a 12 page User Agreement with numerous clickable links that in many respects contradicts the clear representations contained on the homepage and the bidding page. Where limits apply they must be clearly spelt out." Therefore, Mr Evagora was allowed to rely on the misleading and deceptive sections of the Fair Trading Act 1999, and eBay was made to compensate Mr Evagora the $2043 that he had paid in the transaction.


19. Australian Government, Checklist for Business-to-Consumer E-Commerce in Australia (2006) <http://www.treasury.gov.au/documents/1086/PDF/ecommerce_factsheet.pdf>.


Cybercrime
In today's modern era where society is so heavily reliant on computers and the internet, cyberspace crime is becoming increasingly prevalent.

Article 5 is concerned with these activities when committed without right; so it does not apply to an authorised person such as a system administrator or security tester who may, for instance, alter computer data during a system upgrade.

Article 6(1)(a) requires parties to the Convention to criminalise the production, sale, procurement for use, import, distribution or otherwise making available of:
> a device and/or program designed primarily for the purpose of committing illegal access to computers or information, illegal interception, interference with data (i.e. altering or deleting data) or the serious hindering of a computer system; or
> a password, access code or similar data allowing access to a computer system.

For a crime to be established in accordance with Article 6(1)(a), there must be intent to use the device or data to commit one of the cybercrimes listed in the Convention.

INTERNATIONAL CYBERCRIME LAW

At the international level, the most significant instrument regulating cybercrimes is the EU Convention on Cybercrime (the Cybercrime Convention).[20] The Cybercrime Convention has been adopted by most members of the Council of Europe, and has been signed by several non-member states, including Japan, Canada, South Africa and the US. It has also been widely recognised as setting a benchmark in cybercrime laws.

Article 2 of the Cybercrime Convention (Illegal access) requires parties to establish criminal offences for unauthorised access to a computer system. This is a broader prohibition than that in the law, since it does not require any dishonest intent, but the Convention allows parties to require that the access involved infringing security measures and/or that there was intent to obtain computer data or some other dishonest intent, as the law provides.

Article 3 of the Cybercrime Convention (Illegal interception) requires parties to prohibit interception of non-public transmissions without right using technical means. The Article is intended to capture interceptions between computer systems, and within computer systems including transmissions within a single computer, such as from the computer's graphics card to the computer's monitor.

Article 4 of the EU Cybercrime Convention (Data interference) requires parties to establish criminal offences for the damaging, deletion, deterioration, alteration or suppression of computer data without right.

US v ROBERT TAPPAN MORRIS


In this case, Robert Morris developed a software worm that he hoped would be benign. He did not plan to interfere with normal processing on computers, but merely to demonstrate certain security flaws in Unix (and the technological potential of computer worms). The problem which he did not anticipate was that if the worm duplicated itself numerous times on one computer it could bog it down. Therefore, the worm would ask the computer if it was already there and if so not duplicate itself. However, Morris set the program so that it would still duplicate itself once every 7 "yes" responses, just in case system controllers were trying to stop it. The problem was that the 1/7 ratio still caused the bogging down that Morris was trying to avoid. This led to $100,000s in costs to internet server operators while computers everywhere on the internet had to be shut down in order to get rid of it. The court found that the requirement of criminal intent only applied to obtaining unauthorised access, not to causing damage. Morris's benign intentions were irrelevant.[21]

Article 5 of the EU Cybercrime Convention (System interference) requires parties to prohibit as criminal offences under domestic law the intentional and serious hindering without right of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.

20. Convention on Cybercrime, European Treaty Series 185, 23 November 2001, <http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm>
21. US v Robert Tappan Morris 1991 928 F2d 504 (United States Court of Appeals for the Second Circuit) <http://www.austlii.edu.au/au/other/crime/Morris.html>

AUSTRALIAN CYBERCRIME LAW

In many areas, including cyberspace crime, Commonwealth and state and territory offences exist and operate side by side. The Commonwealth's Cybercrime Act 2001 offers the most comprehensive regulation of computer and internet related offences.
Unlawful access and computer trespass

Similarly, the Commonwealth Act provides (s 76C) that a person is guilty of an offence if they intentionally and without authority or lawful excuse:
> destroy, erase or alter data stored in, or insert data into, a Commonwealth computer;
> interfere with, or interrupt or obstruct the lawful use of, a Commonwealth computer; and
> impede or prevent access to, or impair the usefulness or effectiveness of, data stored in a Commonwealth computer.
Theft of data

'Hacker' and 'cracker' are terms which are used to describe people who intentionally seek to access computer systems or networks with dishonest intentions. The Commonwealth Act provides that a person who intentionally and without authority obtains access to Commonwealth data is guilty of an offence (section 76B(1)). Similar provisions appear in state laws.

The Commonwealth Act also provides that a person is guilty of an offence (section 76B(2)) if they intentionally and without authority obtain access to Commonwealth data, being data that the person knows or ought reasonably to know relates to:
> the security, defence or international relations of Australia;
> confidential sources of information relating to the enforcement of Australian criminal law;
> enforcement of an Australian law;
> protection of public safety;
> personal affairs of any person;
> trade secrets;
> records of a financial institution; or
> commercial information, the disclosure of which could cause an advantage or disadvantage to any person.

Under the Act it is also an offence for a person who has intentionally and without authority obtained access to Commonwealth data to continue to examine the data if they know or ought reasonably to have known that it relates to any one of the above categories of information (section 76B(3)).
Damaging data and impeding access to computers

The question of whether there can be theft of computer data remains unsettled. An intruder into a computer system who dishonestly appropriates information is likely to be charged with unauthorised access or computer trespass, rather than theft.
Computer fraud

Fraud in the off-line environment generally involves deception through the use of a tangible object, such as a created document. In cyberspace, however, fraud may be committed through the use of digital technology without the need for any such object. Section 477.1 of the Commonwealth Criminal Code provides that a person who without authorisation accesses or modifies data held in a computer or impairs communications to or from a computer with intent to commit a serious offence (which includes fraud against Commonwealth entities) is guilty of an offence and punishable by a penalty not exceeding the penalty of the serious offence (in the case of fraud, up to either five or ten years depending on the specific offence: see Part 7.3 Criminal Code).
Offences against children

A variety of Commonwealth, state and territory laws exist which make it an offence for a person to alter or impair information stored on a computer, or to impede access to a computer. For example, the New South Wales Crimes Act provides that a person who intentionally and without authority or lawful excuse destroys, erases or alters data stored, or inserts data into a computer, or interferes with, or interrupts or obstructs the lawful use of a computer is liable to imprisonment or a fine, or both (sections 308C and 308D).

The internet and other communications technologies pose new risks for children becoming the victims of crime, with offences such as child pornography and child grooming. Child grooming is a process that begins with sexual predators taking a particular interest in a child and making them feel special with the intention of forming a bond. Intimate personal details are shared with the child confidante with the intention of procuring the recipient to engage in or submit to sexual activity with the offender or another person. Offenders can seek out victims by visiting internet relay chat (IRC) rooms from their home or internet cafés at any time. Other communication technologies such as instant messaging, email and mobile phones can also be used. In NSW, changes to the Crimes Act 1900 were made in 2007 to introduce penalties for these offences.[22]

22. This information is drawn from the Australian Institute of Criminology High-tech Brief No. 17, Online child grooming laws, April 2008, available at www.aic.gov.au (type 'online child grooming' into the search box).

Defamation
Defamation is common in the online world, but is rarely pursued to the stage of litigation. A culture has developed in email discussion lists and chat rooms that accepts that the discussion may be fairly vigorous, frank and even heated. The most common online responses to defamatory material are to ignore it or to return fire.

Despite the cultural shift towards greater freedom of speech, the traditional law of defamation still applies. As with any other defamation action, the key elements to be proved are:
1. a defamatory imputation must be made;
2. the material must identify the complainant;
3. the material must be published to a third person;
4. all available defences must be exhausted.

The most relevant aspect of any internet defamation case will usually relate to the question of liability for internet service providers (ISPs) or internet content hosts (ICHs). Anyone who posts anything on the internet effectively publishes that material in every jurisdiction in the world. Attempts to recover damages from the author may often be fruitless if they have no money, so some complainants may choose to sue the internet service provider (ISP), either to recover damages or to have the defamatory material removed.

Unwitting distributors of defamatory material may avoid liability through the defence of innocent dissemination. At common law, the defence of innocent dissemination requires that the defendant:
1. had no actual knowledge of the defamation;
2. had no reason to believe the material carried was defamatory; and
3. was not negligent in that lack of knowledge.

Consequently, if ISPs wish to rely on the defence of innocent dissemination they must prove that they do not have the ability to control internet content. The application of defamation law to internet content hosts (ICHs) is much more straightforward. If an organisation is in the business of hosting or publishing content, it will certainly be in control of that content in most circumstances, so the defence of innocent dissemination will not be available.

CASE STUDY: GUTNICK v DOW JONES

A Victorian businessman, Joseph Gutnick, sued Dow Jones in the Supreme Court of Victoria for damages for defamation. It was alleged that Dow Jones, a US corporation, published defamatory material about Gutnick on its subscription online news site Barron's Online. Material for publication in Barron's Online is prepared in New York and transferred to servers at Dow Jones' New Jersey premises. In dispute was whether Victoria was the appropriate forum to hear the defamation claim and whether the place of the tort (civil, rather than criminal wrong) was where the article was uploaded (New Jersey) or where it was downloaded (Victoria).

The High Court of Australia unanimously held that defamation is located at the place where the damage to reputation occurs. Ordinarily this is where the material is available in comprehensible form if the person defamed has a reputation in that place, which is damaged by the material. Material published on the internet is not available in comprehensible form until downloaded onto the computer of an end-user. It is where that person downloads the material that the damage to reputation may be done.

The Court also held that Victoria was an appropriate forum to hear the dispute. Gutnick's undertaking to confine his claim to damage caused to his reputation in Victoria as a consequence of publication in that state was a material consideration for the Court in reaching this decision. The decision left Gutnick free to sue Dow Jones for damage to his reputation in Victoria in a Victorian court under Victorian law. The case was settled with Gutnick receiving AUS$180,000 plus AUS$400,000 in costs.

The case is a landmark internet jurisdiction case, particularly because it is one of the few internet cases considered by a country's ultimate court of appeal. Despite this, the case has not 'opened the floodgates' as Dow Jones argued.

The lasting legacy of the decision, especially for Australia, is that it was decided by applying existing principles of defamation law to the internet. From an international perspective the case highlights the difficult, if not impossible, balance that must be reached between countries such as the United States where freedom of speech is paramount and those which place greater value in protecting the reputation (and through it the dignity) of citizens. Further reform, and international reform at that, is needed.
Gutnick v Dow Jones (2002) <http://www.austlii.edu.au/au/cases/cth/HCA/2002/56.html>


Domain Names
A domain name is the unique name (corresponding to an IP address) that identifies and locates an internet address such as a website. Domain name regulation refers to standards and requirements for internet naming and addressing.

Domain name regulation determines who may register and use a domain name, and how they may register and use it. In some cases, this is a formal matter of specifying which organisation can assign domain names, or who may register a particular type of domain name (for example, limiting the use of .org domains to non-profit organisations). In other cases, regulation limits the domain names which may be used (for example, prohibiting obscene words in domain names).

DOMAIN NAME REGULATION IN AUSTRALIA

The .au Domain Administrator (auDA) is an independent, non-profit Australian company with the responsibility of formulating and administering policy in relation to all .au domain names.23 The auDA is endorsed by the Australian Government and recognised by the Internet Corporation for Assigned Names and Numbers (ICANN).

A large number of sub domain categories (known as second level domains or 2LDs) are available in Australia. These include .com, .org, .net, .edu and .gov, plus newer sub domains such as .asn and .conf. Most of these are open to the general public, subject to some eligibility requirements (for example, .com.au domains require the applicant to be a registered Australian company). A small number of these sub categories are closed in that their availability is restricted to defined communities of interest (for example, .csiro and .edu.au).

Domain names are licensed (rather than sold) to registrants, on the terms and conditions set down by the relevant registrar. There are also general requirements that apply to all domain names in Australia. These include:
1. First come, first served: Domain name licences are allocated on a first come, first served basis.
2. Registrants must be Australian: Domain name licences may only be allocated to a registrant who is Australian.
3. Composition of domain names: Domain names must be at least two characters long, contain only letters, numbers and hyphens or a combination of these; and meet some other syntax requirements.
4. Domain name licence renewal period: The domain name licence period is fixed at two years. It is not possible to license a domain name for a shorter or longer period.
5. auDA's Reserved List: auDA's Reserved List contains names that may not be licensed (generally consisting of obscene words and terms reserved for government use such as ASIO).
6. Prohibition on registering domain names for sole purpose of resale: A registrant may not register a domain name for the sole purpose of resale or transfer to another entity.

There are more detailed eligibility requirements for most domain name sub categories.

DOMAIN NAME DISPUTES

By far the biggest legal issue in the management of domain names is the conflict that arises between two parties who claim to have rights in a particular domain name (for example, trademark rights). Fortunately, a global system for resolving these disputes has developed, known as the Uniform Domain Name Dispute Resolution Policy (UDRP)24 of the Internet Corporation for Assigned Names and Numbers (ICANN). The UDRP sets out a mechanism for settling disputes arising between the owner of a domain name and a third party (the complainant). The complainant may lodge a complaint to an accredited dispute resolution provider under the UDRP, and must demonstrate all of the following:
1. That the domain name is identical or confusingly similar to a trademark owned by the complainant;
2. That the owner has no rights or legitimate interests in the domain name; and

23. For more information see auDA: www.auda.org.au/
24. Uniform Domain Name Dispute Resolution Policy: www.icann.org/dndr/udrp/policy.htm


CASE STUDY: MADONNA CICCONE v DAN PARISI

This case involved a dispute over the domain name <madonna.com>. The complainant, Madonna Ciccone (Madonna), was the well-known entertainer and owner of the registered trademark MADONNA in the United States. The respondent, Mr Dan Parisi, was a website developer and owner of the MADONNA trademark in Tunisia. The respondent acquired the registered domain name for $20,000 and the associated website initially displayed sexually explicit content. The website did contain a notice that the site was not affiliated with or endorsed by Madonna the singer. The respondent argued that when the submission was made the website was inactive and he was in negotiations to donate the domain name to Madonna Hospital.

The panel found the respondent provided no evidence to reasonably explain use of the term Madonna or suggest the term was used in association with its ordinary dictionary meaning. Rather, the term was used to attract users, for commercial benefit, by relying on the fame of the complainant's mark. The panel doubted the offer to transfer the domain name to Madonna Hospital was a legitimate non-commercial use as there was little evidence of negotiations. The panel also held that mere registration of the trademark in Tunisia was not sufficient to create a right; there must be evidence registration occurred in good faith and for bona fide purposes. Therefore, the panel held the respondent had no legitimate right or interest in the domain name. The panel found in favour of the complainant and directed that <madonna.com> be transferred to her.
Madonna Ciccone v Dan Parisi (2000) <http://www.wipo.int/>25

3. That the domain name was registered and has been used in bad faith.

The UDRP also explains in more detail the meaning of bad faith: Bad faith can be demonstrated if the domain name was registered primarily for selling, renting, or transferring the domain name to the complainant at a profit, preventing the owner of a trademark from registering the corresponding domain name or disrupting the business of a competitor. Bad faith can also be demonstrated where the domain name was registered in order to mislead internet users into thinking that the owner was affiliated with the complainant, in order to draw them to the website for commercial gain.

A successful claim under the UDRP can result in cancellation, transfer, or other changes to the domain name registration, but does not include other remedies such as financial compensation.

CASE STUDY: MYER STORES v SINGH

This case involved a dispute over the domain name <myeronline.com>. The complainant was Myer Stores Ltd, one of Australasia's largest retailers. The respondent was Mr David John Singh. The disputed domain name related to a website containing Myer company information and financial commentary, which displayed numerous disclaimers denying any formal association between the website and Myer Stores Ltd. However, the respondent had previously registered numerous other domain names including <telstraonline.com>, <optusonline.com> and <qantasonline.com>.

The panel found the domain name contained the registered trademark (MYER) followed by the descriptive word (online), a word customers would expect MYER to be associated with. They found it falsely conveyed an association with Myer Stores Ltd and therefore was confusingly similar to the registered MYER trademark. The respondent registered the domain name without authorisation of the complainant and in registering the domain name utilised the goodwill of the MYER trademark to attract users to a site where he illegitimately identified himself as the complainant (the disclaimers were not sufficient to displace users' assumption of association).

The respondent contended he had a legitimate interest to inform the public on the financial position and details of Myer; however, the panel held the respondent had no rights or legitimate interests in the domain name. The panel further found the domain name was registered and being used in bad faith. This was evidenced by the respondent's registration despite knowledge of the existence of the MYER trademark and evidence of numerous similar registrations. The panel found in favour of the complainant and directed <myeronline.com> be transferred to Myer Stores Limited.
Myer Stores v Singh (2001) <http://www.wipo.int/>26

25. On the WIPO site www.wipo.int, under 'Most requested', go to 'Domain name decisions', then go to 'All WIPO domain name decisions'. Scroll down to the year of the case and click on the span of numbers that includes the case number you are looking for. Madonna case number is D2000-0847.
26. See instructions in note 25 above. Myer case number is D2001-0763.


Copyright
Copyright law sometimes struggles to keep pace with internet developments. Most internet content is protected from unauthorised reproduction by copyright, which provides protection against the copying of original work including website graphics, pictures, videos, music and original text. But enforcement is difficult.

COPYRIGHT LAW: INTERNATIONAL

The two main international instruments on copyright law are the World Intellectual Property Organisation (WIPO) Copyright Treaty27 and the EU Convention on Cybercrime, 2001.28 The EU Cybercrime Convention contains provisions that require signatories to develop criminal offences for more serious and widespread breaches of copyright. For example, Article 10(1) provides:

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of copyright, as defined under the law of that Party where such acts are committed wilfully, on a commercial scale and by means of a computer system.

In practice, most countries rely on civil provisions rather than criminal provisions for digital copyright breaches. The EU Cybercrime Convention permits a country to reserve the right not to impose criminal liability for copyright breaches, provided that other effective remedies are available.

COPYRIGHT LAW: AUSTRALIA

Copyright generally remains in force from the time of publication for the life of the originator plus 70 years. In Australia, the issue is covered by the Copyright Act 1968 (Cth), which was updated by the Copyright Amendment (Digital Agenda) Act 2000. This legislation, which came into force in March 2001, ensures that copyright protection is extended to the full range of new media and internet content. It also introduced one completely new aspect of copyright: a copyright holder now enjoys an exclusive first right to communicate their work to the public in whatever form they see fit.

Copyright is designed to ensure that content creators are suitably rewarded for their efforts, and protected from pirating. It also gives them some control over how their work will be used. However, the rights of people and organisations who would like to gain access to the content are also considered in copyright law, which attempts to balance these competing interests. The main exceptions are:
> Licences: the copyright owner can license individuals or organisations to copy the work for specific purposes, usually for commercial applications.
> Research and criticism: content can be used for the purposes of research, criticism, satire, news, current affairs and professional advice, but the use must be considered fair. Fair dealing is generally considered to be 10% of the total content.

There is also a range of technical exemptions for situations where information is only copied temporarily in order to run computer software or complete a communication or transaction. These technical exemptions allow general internet browsing, linking and searching to take place without breaching copyright. For more information on the general law of copyright in Australia see Hot Topics 52: Copyright.29

27. World Intellectual Property Organisation, Copyright Treaty, 1996, available online at <http://www.wipo.int/treaties/en/ip/wct/>
28. EU Convention on Cybercrime 2001, available online at <http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm>
29. Available in full text online at <www.legalanswers.sl.nsw.gov.au/hot_topics/pdf/copyright_52.pdf>


CASE STUDY: THE PIRATE BAY TRIAL

In January 2008, Swedish prosecutors filed charges against four men for facilitating and promoting copyright infringement through their website The Pirate Bay. The charges were heard following a raid on 12 different premises where The Pirate Bay was hosted, in which 186 servers were confiscated. The four men charged were Peter Sunde, Fredrik Neij, Gottfrid Svartholm, the owners of The Pirate Bay website, and Carl Lundström, who sold internet services to the site.

The prosecutors claimed that by developing, hosting and administering the website the four had facilitated the peer-to-peer sharing, and encouraged numerous copyright infringements. The prosecutors gave evidence of the revenue that was made through advertising on the site, using this to argue that their purposes were commercial in nature. They also claimed damages on behalf of a number of the companies affected, adding up to around $13 million (US). Thirty-four cases of copyright were included in the claim, including 21 music files, 9 movies and 4 games.

The defendants' main reply to the charges was that the site is only a search engine that connects people who want to share their files. They posed a defence that has become known as the 'King Kong defence', arguing that merely providing an information service did not make them responsible for the information being transferred, unless they had a close association with individual users. They submitted:

'This film has been uploaded by user King Kong. You can read that clearly. But the prosecutor hasn't established who King Kong is or where King Kong is. He can have been in Stockholm, he can have been in Malmö, he can have been in the jungles of Cambodia. Above all else the prosecutor hasn't even tried to show how any of the defendants could have encouraged this King Kong in the jungles of Cambodia to break IP law.'

However, in April 2009 the court found that the operators had collective responsibility, as they were responsible for the site, while knowing that some of the files pointed to copyrighted material. They therefore made a ruling that all four defendants were guilty of being accessories to crimes against copyright. The court handed down sentences of one year in prison (for each of the defendants) and damages amounting to $3.5 million (US). All four defendants have appealed the decision. Although the owners have maintained that The Pirate Bay will continue running during the appeal, the Swedish Court has temporarily shut down the site on several occasions by threatening the internet service providers hosting The Pirate Bay with large fines.
The Pirate Bay Trial (2009) <http://trial.thepiratebay.org/>

PEER-TO-PEER NETWORKING AND FILE SHARING

The most significant copyright issue in cyberspace is the sharing of music, film and games amongst internet users, typically using peer-to-peer networks. Some of these shared files are copyrighted material and the typical licence for this material does not permit widespread distribution or sharing. However, other files do not have any copyright protection and it is difficult for the software or the providers of peer-to-peer services to identify the copyright status of all material. Many of the legal issues regarding peer-to-peer sharing remain unresolved.


Contracts
A contract is a legally binding agreement between two or more people or organisations. The terms of a contract may be expressed in writing or orally, implied by conduct, industry custom, and law or by a combination of these things. Electronic contracting refers to the ability to form contracts via electronic means, free of legal restrictions that would require paper records or hand-written signatures.

Any agreement to make an online purchase or use an electronic commerce service requires the formation of a contract. Contract law was initially developed around certain requirements for hard copy documents, writing and in some cases witnessing. These concepts are not so useful when the transaction is to take place via electronic communication between two parties who may never share the same physical location. For electronic commerce to take full advantage of the speed and convenience delivered by new communication technology, full electronic contract formation must be possible.

ELECTRONIC CONTRACTS: INTERNATIONAL

At the international level, UNCITRAL (the United Nations Commission on International Trade Law) has developed the UN Convention on electronic contracting, formally titled the Convention on the Use of Electronic Communications in International Contracts. The text of the Convention was finalised in November 2005. The Convention has been signed by around 20 countries and Australia is considering signing it.

The Convention seeks to enhance the legal certainty and commercial predictability of international electronic transactions by setting out a number of interpretive rules for the use of electronic communications in negotiating and forming contracts. The Convention is likely to establish a default standard for electronic transactions. Even if a country does not ratify the Convention it will still influence the terms of a transaction, particularly where the other contracting party is from a country that is a signatory to the Convention. For more information on treaty making see Hot Topics 69: International Law.

Core principles

The Convention contains provisions embodying the two principles at the core of any electronic transactions legislation:
> functional equivalence: paper documents and electronic transactions are treated equally by the law; and
> technology neutrality: the law does not discriminate between different forms of technology.

Of these two principles it is the former that is of the greatest importance, allowing the legal requirements of paper-based documents such as writing and signature to be readily translated into electronic equivalents.

Formation of contracts

The Convention contains a number of provisions facilitating the non-discriminatory treatment of contracts formed using electronic communications. These include:
> a communication shall not be denied validity or enforceability on the sole ground that it is in the form of an electronic communication;
> while a party is not obliged to use or accept electronic communications, their agreement to do so may be inferred from their conduct;
> electronic communications that are not addressed to a specific party but are accessible by a number of parties using an information system are to be considered an invitation to make an offer (or an invitation to treat), unless a contrary intention is clearly expressed; and
> a contract formed where one or both parties are an automated information system shall not be denied validity on the sole ground that there was no intervention by a natural person.

Form requirements

Article 9, the central article of the UN Convention, contains a number of default minimum standards for enabling electronic equivalents to traditional paper-based form requirements. These are:
> where the law requires that a communication or contract is in writing, that requirement is met if an electronic communication is used that is accessible and usable for subsequent reference;


> where there is a legal requirement for a communication or contract to be signed, that requirement is met if: a method is used to identify the party and to indicate that party's intention in respect of the information in the communication; and the method used is reliable as appropriate for the purpose for which the electronic communication was generated; or is proven to identify the party and indicate their intention in respect of the information within the communication; and
> where the law requires that a contract or communication should be retained in its original form, that requirement is met if there is a reliable assurance as to the integrity of the communication and the information is capable of being displayed to the person to whom it is to be made available.

Location of the parties

Article 6 of the UN Convention sets out a number of presumptions to determine the location or place of business of the parties. The location of the parties plays an important role in determining the place of dispatch of an electronic communication and the place of contract formation. These help in determining which court in which country has jurisdiction to hear disputes arising from an electronic contract. Location is also important in determining the applicable law. Factors that may be considered in determining the location of the parties are:
> the place of business is presumed to be the location indicated by the party;
> if a place of business has not been indicated and there is more than one then the place of business is the location which has the closest relationship to the contract;
> where a person does not have a place of business, their place of habitual residence is to be used;
> a location is not a place of business simply because it is the location where the technology used in connection with the formation of a contract is located; and
> the use of a domain name or email address connected to a specific country does not create a presumption that a party's place of business is located in that country.

The rules set out above can all be rebutted with evidence to the contrary; they simply provide a convenient and practical starting point to determine a party's place of business.

Time of dispatch and receipt of electronic communications

The UN Convention sets out default rules governing the time of dispatch and receipt of electronic communications. Article 10(1) provides that the time of dispatch of an electronic communication is when it leaves an information system under the control of the originator. Article 10(2) provides that the time of receipt of an electronic communication is when it becomes capable of being retrieved at an electronic address designated by the addressee. If an electronic address has not been designated, the time of receipt is when the addressee becomes aware of the electronic communication being sent to that address and it is capable of being retrieved.

Error in electronic communications

A new legal provision introduced by the UN Convention is a test for when there has been an error made by a natural person in communicating with an automated system. The likelihood of a mistake being made is increased where transactions are completed instantaneously, rather than through more traditional means such as through person-to-person dealings or in written contracts. Article 14 provides some assistance for a party who has made an input error in such transactions by giving them the opportunity, in certain circumstances, to withdraw that communication.

For example, under Article 14 of the Convention, where a consumer makes an input error in an exchange with an automated system (e.g. they order 100 items at an online shop instead of 10), and the shop's system does not provide the consumer with the opportunity to correct the error, the electronic communication can be withdrawn if:
> the consumer notifies the shop of the error as soon as possible after having discovered the error; and
> the consumer has not used or received any material benefit from the goods or services.

ELECTRONIC CONTRACTS: AUSTRALIA

Electronic contracting in Australia is covered by the Electronic Transactions Act 1999 (Cth) (ETA).30 The ETA is mirrored by State and Territory laws. The ETA provides businesses and individuals with the option of using electronic communications when dealing with government agencies. Australia is also considering amending the ETA to align our laws more closely with the UN Convention.

30. The Electronic Transactions Act 1999 (Cth) is available online at <http://www.comlaw.gov.au>.


Further information
Australian Communication and Media Authority (ACMA) www.acma.gov.au
The ACMA website contains various industry codes of practice, a magazine on current issues and sections on spam and e-security, sections on keeping your computer secure, how to make reports and complaints etc.

The Australian Guidelines for Electronic Commerce, 17 March 2006, <http://www.treasury.gov.au/documents/1083/PDF/australian_guidelines_for_electronic_commerce.pdf> or go to www.treasury.gov.au and type 'electronic commerce' into the search box.

Australian Securities and Investments Commission
The FIDO website www.fido.gov.au has information on scams and identity theft. You can also access the Electronic Funds Transfer Code of Conduct by going to the tab for 'Publications & resources' and clicking on 'other resources'. Then select 'codes'.

Office of the Federal Privacy Commissioner www.privacy.gov.au
Website has information on spam, social networking and protecting personal information.

Internet Industry Association www.iia.net.au

Roger Clarke's homepage www.rogerclarke.com
Roger Clarke is a consultant specialising in eBusiness, information infrastructure, and data surveillance and information privacy.

Cyberspace Law and Policy Centre, University of New South Wales www.cyberlawcentre.org
This site provides access to articles that are fairly specialised and in-depth.

IDENTITY THEFT

'Identity theft in an online environment' by M Paphazy & A Prpich (2008) 11 (8) Internet Law Bulletin 132-136. (Available at the State Library.)

'SCAMwatch!' by Alan Davidson (2007) 27 (9) Proctor 45-46 *

'Identity Cards and the Access Card', E-Brief, 5 February 2008, http://www.aph.gov.au/library/intguide/law/IdentityCards.htm

'Your life, sold for $15' by J Giles, New Scientist, 23 May 2009: 36-39 *

'Routine activity theory and phishing victimisation: who gets caught in the net' by H Hayes & A Hutchings, (2009) 20 (3) Current Issues in Criminal Justice 433-452 *

SOCIAL NETWORKING

'Stormy weather ahead: the rise of cloud computering' by M Davis & A Sedsman, (2009) 31 (8) Bulletin (Law Society of SA) 21-25 *

'Facing the unseen truth: the legal implications of using social networking site Facebook' by M Giancaspro (2009) 31 (4) Bulletin (Law Society of SA) 26-28 *

'Burning the law and celebrating violent vigilantism' by C Minogue, (2009) 34 (2) Alternative Law Journal 118-119, 136 *

'Privacy on the internet an illusion, experts warn' by A Susskind (2008) 46 (7) Law Society Journal 24-25.

CYBERCRIME

Spam & e-security: go to ACMA's website www.acma.gov.au and click on 'Consumer & community advice' and then select 'Spam & e-security'.

Scamwatch is a site to help you recognise, report and protect yourself from scams. www.scamwatch.gov.au

Personal fraud, Australian Bureau of Statistics, 2007, 4528.0. This is the first national survey of personal fraud in Australia. Go to the ABS website www.abs.gov.au and type '4528' into the search box.

Platypus, the magazine produced by the Australian Federal Police, often has articles on cybercrime. Go to www.afp.gov.au and click on the link to 'new edition of Platypus' and you can also see previous issues. See the issues for October 2009 and September 2007 for several articles.

Inquiry into cyber crime, House of Representatives, Parliament of Australia, due 26 June 2009. Copies of submissions are available from the website, but the report is not yet available: http://www.aph.gov.au/house/committee/coms/cybercrime/ (2 November 2009).

International journal of cyber criminology (online) www.cybercrimejournal.co.nr

Encyclopedia of cybercrime, S C McQuade (ed), Greenwood Press, 2nd ed. 2007.

* These articles are available in full text via AGISPlus. You can access these articles and other useful information if you have a State Library Reader's card. Register online at http://www.sl.nsw.gov.au/using/membership/
