Monday, 14 August 2017

21 years of cross-border liability on the internet

The Canadian Supreme Court decision in Equustek and the French Conseil d'Etat decision to make a CJEU reference in Google v CNIL have once again focused attention on the intractable issues around cross-border liability for publication on the internet. 

This is a topic on which I have been writing and speaking off and on since 1996 when I first heard lawyers calling for an international convention to govern cross-border internet liability issues. My view then was that, given the strong inclination of each state to assert the superiority of its own laws over anyone else's, anything that 100-plus governments were able to agree on was unlikely to be good for the internet. We were better off with continuing chaos. (See further my contribution 'Content on the Internet - Law, Regulation, Convergence and Human Rights' in International Law and The Hague's 750th Anniversary (ed. W.P. Heere, TMC Asser Press 1999).)

Subsequent experience has, if anything, reinforced that view. And what was originally a debate about information published across borders has, not to its benefit, now become tangled up with the separate jurisdictional question of police and intelligence agency powers to obtain private user data from internet companies in other countries (see e.g. Global Commission on Internet Governance Primer on Internet Jurisdiction (PDF)). 

The root of the intractability is simple.  Unlike any previous medium, the internet is cross border by default and is used, not just as reader but as publisher, by individuals in their hundreds of millions. An internet site is, unless its operator takes positive steps to prevent it by geo-blocking, accessible in any country (excepting those that have erected national firewalls at their borders and banned VPNs). This applies not only to commercial websites but also to individual blogs, tweets, Facebook posts and the like. Accessibility also applies to search engines, which since they operate on the internet are themselves by default accessible worldwide.  

How do nation states respond?  They may accept the possibility that their citizens (or residents and visitors) can, if they try hard enough, find information on the internet that has been created under other countries' laws and which may not be lawful at home (just as when citizens travel abroad and read books not available at home). 

If states reject that possibility they end up either forcing their laws on the citizens of other countries by insisting on worldwide removal, or compelling the site or search engine to geo-block. That holds out the prospect of less permeable borders in cyberspace than existed in the pre-internet physical world (putting on one side the ugly precedents of the Berlin Wall and jamming foreign broadcasts). (See further my chapter 'Cyberborders and the Right to Travel in Cyberspace' in The Net and the Nation State (ed. Uta Kohl, CUP 2017).)  

In a submission to the Leveson Inquiry (PDF) in 2012 Max Mosley said: 
“Anyone using the internet must therefore obey the laws in their country. Similarly, they should obey the law in countries where their posts appear. As a practical matter, it is the search engines and service providers which can best prevent breaches of the law outside the country of origin of the original post.”
As the Equustek and CNIL cases illustrate, the focus is indeed now on search engines, with plaintiffs seeking to leverage their gatekeeper potential not just domestically but on a worldwide basis. 

But Mr Mosley's beguiling proposition begs the same questions that have been asked since the 1990s: should the mere fact that a post appears in another country be enough to trigger the law of that country when the default setting built into the internet is cross-border accessibility? Does it accord with reasonable expectations to require individual bloggers and social media posters to comply with the laws of all countries? Does such a rule strike the right balance from the point of view of readers worldwide, bearing in mind the resulting incentive to apply the most restrictive common denominator? My answer is no to all three questions. (See further my September 2012 submission (PDF) to the Leveson Inquiry commenting on Max Mosley's proposal.)

In one respect we have made progress since 1996. In an increasing number of subject matter areas a targeting test has been held (at least within the EU) to define the territorial scope of a right. Targeting rules hold out the prospect of something approaching a peaceful co-existence regime. Properly formulated and applied, a targeting test (a) lays down that mere accessibility does not trigger the laws or jurisdiction of another country and (b) requires relevant positive conduct, not mere omission, in order to do so. (See further my articles 'Directing and Targeting: The Answer to the Internet's Jurisdiction Problems' (Computer Law Review International, 2004) and 'Here, There or Everywhere? Cross-border Liability on the Internet' (Computer and Telecommunications Law Review, 2007 C.T.L.R. 41).)

However, the furore that periodically erupts around cross-border internet cases shows that there is still little consensus on these issues. Nuanced approaches may be at greatest risk of being jettisoned when the law in question is said to embody a core value of the state asked to adopt an expansive jurisdictional stance. That is also the time when greatest care should be taken not to let enthusiasm for the perceived merits of domestic law override respect for the different laws of other countries and the principle of peaceful co-existence.

Monday, 17 July 2017

Worldwide search de-indexing orders: Google v Equustek

The Supreme Court of Canada has issued its decision in Google Inc v Equustek (28 June 2017). This is the case in which a small Canadian technology company, Equustek, asked the Canadian courts to grant an injunction against the well-known US search engine ordering it to de-index specified websites - not just on its Canadian domain google.ca, but on a worldwide basis. The injunction was an interim order pending trial of Equustek’s action against the operator of the websites. The SCC (by a 7-2 majority) dismissed Google’s appeal and upheld the injunction.

According to taste and point of view the decision is:

(a) a victory for a small Canadian company against a US tech giant

(b) a damaging precedent for future overreaching assertions of extraterritorial jurisdiction by other nation states

(c) a narrowly decided case about interim injunctions with few broad implications

(d) a case that paid insufficient attention to its underlying territorial moorings

(e) a decision that reinforces the role that online intermediaries can and should play in combating unlawful activities

(f) a case heavily influenced by the unattractive behaviour of the operator of the impugned websites, which lays down little in the way of principle to guide future cases

(g) an uncontroversial and well-reasoned illustration of the circumstances in which a court may make orders with extraterritorial effect

(h) another nail in the coffin of worldwide freedom of expression

(i) a pointless exercise in applying national law to the inherently borderless internet.

Commentators critical and supportive (here, here, here, here, here, here and here) have begun to dissect the decision. Some reaction has been less than nuanced. One tweet asked what business a national court had upholding a global injunction, as if no national court had ever issued an injunction with extraterritorial effect before.

Courts have long considered themselves able to grant extraterritorial injunctions. However, out of concern for offending the sensibilities of other territorially sovereign states (comity) they have tended to exercise caution about the circumstances in which they should do so and about the extent of the injunction, and to pay close attention to safeguards designed to minimise any possible international conflict.

The difference between Equustek and previous kinds of world-wide injunction (such as asset-freezing orders) is of course the internet. That distinction cuts both ways. In one direction (emphasised by the SCC) it may be said that a worldwide medium requires a worldwide remedy if it is to be effective. In the other direction the internet, as a cross-border vehicle for speech, amplifies and broadens the extraterritorial impact of injunctions aimed at online activity. From that perspective national courts should be more, not less, cautious about extraterritorial effects on the internet.

Comity urges sensitivity to the concerns of other states, including a state's interest in protecting the rights of its own citizens. The British Columbia Court of Appeal judgment in Equustek adopted this description of comity in the Canadian case of Spencer v The Queen:
'"Comity" in the legal sense, is neither a matter of absolute obligation, on the one hand, nor of mere courtesy and good will, upon the other. But it is the recognition which one nation allows within its territory to the legislative, executive or judicial acts of another nation, having due regard both to international duty and convenience and to the rights of its own citizens or other persons who are under the protection of its laws ….' (emphasis added)
However in the context of modern day international human rights we are concerned not only with the sensibilities of other states as proxies for their citizens, but with directly respecting the fundamental rights of internet users in other countries. Typically in internet cases those will be rights to privacy (as in the US Microsoft Warrant case) or freedom of expression (as in Equustek). The fundamental rights of internet users are a separate matter from the sensibilities of a nation state. To focus only on state sensitivities risks overlooking or understating the distinct interests of their citizens. (For more on this topic see my chapter in the recently published book ‘The Net and the Nation State’.)

Cases on extraterritorial injunctions tend to resolve themselves into questions not of whether a court has the power to make an extraterritorial order, but whether it should exercise that power and if so how. That is a question of discretion, involving any applicable principles on which discretion should be exercised, and voluntary jurisdictional self-restraint. When faced with a bad actor, an ugly set of facts and a demand for an effective remedy it is all the more important that a court should anxiously examine the basis for exercising its power and carefully identify and balance competing factors, even – perhaps especially - where the internet is concerned.

Whatever the future significance of the Equustek decision (a rich source of jurisprudence or a barren seed destined for obscurity) the factual background to the case is unusual and provides illuminating context for the way in which the Supreme Court of Canada approached the case. (Caveat: my comments are from the perspective of an English lawyer, with no particular knowledge of Canadian law.)

Background and context


The story starts fairly conventionally when Equustek, a manufacturer of electronic networking products, fell out with its distributor Datalink Technologies Gateways Inc ('Datalink'), which then operated from Vancouver. Equustek claimed that for many years Datalink had been re-labelling one of Equustek's products and passing it off as Datalink's own; that Datalink then acquired confidential information and misused it to design and manufacture a competing product; and that Datalink then passed off the competing product by supplying it in substitution for Equustek products advertised on its websites. Equustek terminated the distribution agreement and in April 2011 started litigation in British Columbia against Datalink and its principal.

Initially Datalink defended the proceedings. However the complexion of the dispute changed in 2012 with Datalink abandoning its defence, skipping the jurisdiction, setting up numerous shell companies, operating multiple websites and breaching various orders made by the Canadian courts.

Whatever may have been the merits (or not) of its original defence, Datalink now exhibited the demeanour of a fugitive from justice. Among the injunctions granted against Datalink during 2012 was an order freezing Datalink's assets worldwide. In September 2012 Equustek applied for Datalink and its principal to be found in contempt of court. The Canadian court issued a warrant for the arrest of the principal.

The defences of two of the defendants were struck out in June 2012 for failure to comply with court orders (and the third in March 2013). As the first instance judge (Fenlon J.) observed they were therefore presumed to admit the allegations against them. Although Equustek was given permission in June 2012 to apply for final judgment against Datalink it did not do so. As a consequence the interim orders made by the Canadian court continued in force.

Despite all this Datalink continued, according to the Supreme Court judgment, to carry on business from an unknown location, selling its impugned product on its websites to customers all over the world.

Google entered the picture in September 2012 when Equustek asked it to de-index the Datalink websites. Google refused, following which Equustek applied for an order requiring it to do so.

Google then told Equustek that if it obtained an order against Datalink prohibiting it from carrying on business on the internet, Google would remove specific webpages (but not, in accordance with its internal policy, entire websites).

Shortly afterwards, in December 2012, Equustek (supported by Google) obtained from the Canadian court an injunction against Datalink ordering it to "cease operating or carrying on business through any website". The SCC judgment does not state in terms whether this injunction was itself worldwide. However in the context of Datalink having moved its activities outside Canada, it would be unsurprising if the order were understood to include Datalink websites operated from outside Canada, and not limited to the .ca domain. In any event that is the implication of statements in the judgments that Datalink's activities outside Canada had breached that order.

Parenthetically, a previous judgment of the Canadian Supreme Court (Pro Swing) counsels the need to be explicit about the territorial scope of injunctions when dealing with the internet and territorially defined rights such as trade marks:
"The Internet component does not transform the US trademark protection into a worldwide one. … 
Extraterritoriality and comity cannot serve as a substitute for a lack of worldwide trademark protection. The Internet poses new challenges to trademark holders, but equitable jurisdiction cannot solve all their problems. In the future, when considering cases that are likely to result in proceedings in a foreign jurisdiction, judges will no doubt be alerted to the need to be clear as regards territoriality. Until now, this was not an issue because judgments enforcing trademark rights through injunctive relief were, by nature, not exportable."
Following the December 2012 order against Datalink, Google voluntarily removed specific webpages from its .ca search results. Equustek became aware of the limitation to google.ca in May 2013 as the result of cross-examining a Google witness (1st instance judgment [75]).

The order against Datalink requiring it to cease carrying on business on the internet was, as the dissenting judgment in the Supreme Court points out, wider than Equustek's underlying claim against Datalink. That claim was for relief against specific aspects of Datalink's business: using Equustek's trade marks and free-riding on the goodwill of any Equustek product on any website, disparaging or in any way referring to Equustek products, distributing certain manuals and displaying images of Equustek's products on any website; and selling a named line of products alleged to have been created by the theft (sic) of Equustek's trade secrets.

But in the application against Google the effective complaint about Datalink moved away from Equustek's underlying infringement claims. The basis of the decision to grant an order against Google was that Datalink, by continuing business on the internet, was breaching the existing wide interim injunction – an order obtained with the support of Google and which, the Supreme Court says [SCC 34], Google had offered to comply with voluntarily. Third parties with notice of an interim injunction can be treated as if bound by it [SCC 29, 33]. The claim for a de-indexing injunction against Google was therefore for an order piggybacked on a pre-existing broad and, it seems, worldwide injunction against Datalink.

The significance of the order requiring Datalink to cease carrying on business on the internet can be seen at all three judicial levels. Fenlon J. at first instance said that the plaintiffs sought the injunction against Google to prevent continued and flagrant breaches of the court's orders in the underlying action [1st inst. 86]. The BC Court of Appeal described the injunction claimed against Google as 'ancillary relief designed to ensure that orders already granted against the defendants are effective' (emphasis added) [BCCA 2].

The Supreme Court emphasised that in the absence of de-indexing the sites Google was facilitating Datalink’s breach of the order “by enabling it to carry on business through the Internet” (emphasis added). [SCC 34] The de-indexing injunction against Google was said to flow from the necessity of Google’s assistance to prevent the facilitation of Datalink’s ‘ability to defy court orders and do irreparable harm to Equustek’ (emphasis added) [SCC 35].

The specifics of Equustek’s underlying complaints against Datalink and (pertinently, in a case where the appropriateness of a worldwide injunction was in issue) the extent to which they may have been based on territorially limited Canadian rights received relatively little attention.

The fact that an underlying claim is territorially limited does not mean that interim ancillary relief must be similarly limited. Otherwise it would not be possible to grant a worldwide asset-freezing injunction in a case based on a territorially limited right. However, as the minority judgment pointed out, a de-indexing injunction differs from an asset freezing injunction (the rationale for which is to maintain the integrity of the court's process [1st instance 132]) in that it enforces a plaintiff's asserted substantive rights [SCC 72].

In principle any consideration of whether to grant a worldwide de-indexing injunction against an intermediary ought therefore to take into account the nature and territorial extent of the claims made and rights asserted against the alleged wrongdoer. All the interests potentially affected by the grant of the injunction can then be identified and weighed. 

It does not necessarily follow that if the SCC had approached these issues differently the outcome would have changed significantly, or indeed at all. This was after all an appeal against an exercise of the court's discretion, which is entitled to a high degree of deference [SCC 22]. And the underlying defendant’s flouting of court orders was always likely to weigh heavily.

Nevertheless, the minority two judges of the SCC considered that the majority seven judges had not exercised sufficient judicial restraint. They would not have made the order at all. In any event a closer analysis of extraterritoriality might have provided a more detailed foundation on which to consider different factual situations in future cases.

The SCC's reasoning



My focus is on three aspects of the SCC's reasoning:
  • The range of interests engaged by an extraterritorial de-indexing injunction;
  • Territoriality of underlying claims against Datalink; and
  • Approach to freedom of speech rights.


Interests engaged by a worldwide de-indexing injunction


The SCC discussed worldwide injunctions against offline intermediaries and domestic injunctions against online intermediaries such as ISP site blocking orders. These precedents, however, do not fully address the issues that arise with a global de-indexing injunction against a search engine.

Under existing caselaw ancillary orders may be granted that affect offline intermediaries such as banks. Such an order can cover freezing of a defendant’s assets and disclosure of information identifying bank accounts and about their contents. Both elements can be granted on a worldwide basis. A third party such as a bank can be required to assist.

The courts have been at pains both to respect the position of the intermediary as a party not accused of wrongdoing and to minimise the possibility of conflict with foreign law. Thus the standard form English worldwide asset freezing injunction contains several safeguards:

- The Babanaft proviso. The order is only to affect a third party in a foreign country to the extent that the order is declared enforceable by, or is enforced by, a court in that country.

- An undertaking by the applicant not, without the permission of the court, to seek to enforce the order in any country outside England and Wales.

- The Baltic proviso. Nothing in the order, in respect of assets located outside England and Wales, prevents any third party (whether within or outside the jurisdiction) from complying with what it reasonably believes to be its obligation, contractual or otherwise, under the laws and obligations of the country or state in which those assets are situated; and any orders of the courts of that country or state.

These provisions achieve three things. The Babanaft proviso minimises potential comity and conflict of law problems by making the order conditional on enforcement in the foreign court; the undertaking enables the English court to prevent the applicant taking oppressive enforcement action in a foreign country; and the Baltic proviso recognises that even a third party within England and Wales (such as a London bank with a foreign branch where an account is held) ought not to be compelled to do something contrary to foreign law or court order.

The banking system, like the internet, is international. But the courts have recognised, even faced with hard cases such as alleged fraud, the need to pay careful attention to balancing the various state and non-state interests involved.

Asset freezing orders affect fewer interests than does a worldwide de-indexing injunction. A freezing injunction typically affects only the claimant, the defendant and its assets, any third party (such as a bank) that may be holding that defendant’s assets, and potentially the sovereignty of any state in which those assets may be held.

A worldwide de-indexing injunction against a search engine engages a new category: the millions of people around the world who would otherwise be able to seek out the material. This is novel territory, engaging a different kind of interest: freedom of speech at scale.

In Equustek the first instance judge Fenlon J. considered whether a Baltic proviso should be inserted in the order, but decided it was not necessary:
"In the present case, Google is before this Court and does not suggest that an order requiring it to block the defendants' websites would offend California law, or indeed the law of any state or country from which a search could be conducted. Google acknowledges that most countries will likely recognise intellectual property rights and view the selling of pirated products as a legal wrong." [1st inst. 144] 
"Google was named in this application, served with materials, and attended the hearing. It is not therefore necessary to craft terms anticipating possible conflicts Google could face in complying with the interim injunction. No terms of this kind have been requested by Google and I see no basis on the record before me to expect such difficulties." [1st inst. 160]

The BC Court of Appeal added that "in the unlikely event that any jurisdiction finds the order offensive to its core values, an application could be made to court to modify the order so as to avoid the problem." [BCCA 94]

The SCC similarly relied on Google's ability to apply to modify the order:

"If Google has evidence that complying with such an injunction would require it to violate the laws of another jurisdiction, including interfering with freedom of expression, it is always free to apply to the British Columbia courts to vary the interlocutory order accordingly. To date, Google has made no such application" [SCC 46]
And

"In the absence of an evidentiary foundation, and given Google’s right to seek a rectifying order, it hardly seems equitable to deny Equustek the extraterritorial scope it needs to make the remedy effective, or even to put the onus on it to demonstrate, country by country, where such an order is legally permissible. We are dealing with the Internet after all, and the balance of convenience test has to take full account of its inevitable extraterritorial reach when injunctive relief is being sought against an entity like Google." (emphasis added) [SCC 47]
Unlike the Babanaft and Baltic provisos this places the burden on the third party to demonstrate that compliance with the injunction would place it in conflict with another state's laws, rather than crafting the injunction so as to minimise the risk of the third party being placed in that position in the first place. Of course asset freezing orders have to anticipate in a vacuum potential difficulties for third parties, since they are made without the presence of the third party in court. In Equustek Google was, as Fenlon J commented, before the court. Whether that is a good basis on which to shift the burden to the third party is a question that will no doubt be revisited in future cases.

The SCC was sceptical of the possibility of conflicts with other jurisdictions' laws. First it observed that there was no harm to Google because it did not have to take steps around the world, but only where its search engine was controlled. [SCC 43]

It went on:

"Google’s argument that a global injunction violates international comity because it is possible that the order could not have been obtained in a foreign jurisdiction, or that to comply with it would result in Google violating the laws of that jurisdiction is, with respect, theoretical. As Fenlon J. noted, 'Google acknowledges that most countries will likely recognize intellectual property rights and view the selling of pirated products as a legal wrong.'" [SCC 44]
The passage refers to comity. It does not address the new element introduced by a worldwide de-indexing injunction, namely potential interference with freedom of speech rights of individual internet users in other countries. This is different from the question of whether the injunction might require the search engine to violate the law of another state. It is quite possible for a search engine’s compliance with an injunction to inhibit users’ access to a website (and thus engage their freedom of speech rights) in another country without the search engine itself contravening the law of that country.

Nor does the passage distinguish between the abstract concept of a state recognising intellectual property rights and the question of what specific rights Equustek may or may not have possessed outside Canada, to which I now turn.

Territoriality of underlying claims


As to territoriality of Equustek's underlying claims, one of the claims was for passing off. A claim for passing off has to be supported by goodwill, which is territorial. A Canadian company doing business in Canada will own goodwill in Canada, plus in any other countries in which it does business. The geographic extent of the plaintiff’s business determines the geographic extent of its rights. The plaintiff does not automatically have worldwide rights.

Equustek’s other main claim against Datalink was for breach of confidence. Unlike passing off, breach of confidence is not, at least in English law, in its nature a territorially delimited right. It is an equitable obligation owed personally rather than something in the nature of a property right. On the assumption that most countries recognise breach of confidence as a cause of action, that might provide a stronger foundation for a worldwide remedy than passing off.

The SCC did not analyse these separate causes of action, no doubt because its emphasis was on breach of the court order preventing Datalink from carrying on business on the internet rather than on Equustek's underlying claims against Datalink.

Instead the SCC concentrated on the harm that Datalink's various internet-based wrongdoings were causing to Equustek on a worldwide basis, with no analysis of the geographical extent of Equustek’s business or rights:
“The problem in this case is occurring online and globally. The Internet has no borders — its natural habitat is global. The only way to ensure that the interlocutory injunction attained its objective was to have it apply where Google operates — globally. As Fenlon J. found, the majority of Datalink’s sales take place outside Canada. If the injunction were restricted to Canada alone or to google.ca, as Google suggests it should have been, the remedy would be deprived of its intended ability to prevent irreparable harm. Purchasers outside Canada could easily continue purchasing from Datalink’s websites, and Canadian purchasers could easily find Datalink’s websites even if those websites were de-indexed on google.ca. Google would still be facilitating Datalink’s breach of the court’s order which had prohibited it from carrying on business on the Internet.” [SCC 41]
This passage justifies the worldwide nature of the injunction on two separate and distinct grounds.

The first is that purchasers outside Canada could continue to purchase from Datalink's websites. The SCC tells us ([16], [41]) that the majority of Datalink’s sales were to purchasers outside Canada. The first instance judge said that Datalink’s sales originated primarily in other countries, “so the court’s process cannot be protected unless the injunction ensures that searchers from any jurisdiction do not find [Datalink’s] websites”. [SCC 19]

Whilst from one perspective this factual context may be seen as reinforcing the need for extraterritorial relief, from another the intention to prevent searchers from countries other than Canada accessing Datalink’s sites raises the question whether any of Equustek’s rights were territorially limited and whether it had any rights outside Canada.

None of the three judgments (first instance, BC Court of Appeal, Supreme Court) contains an explanation of whether Equustek claimed to have rights worldwide, and if so what rights. (One of the previous judgments in the underlying litigation between Equustek and Datalink refers to a predecessor company of Datalink having at some time previously distributed Equustek's products in Canada and the USA.)

The closest is a comment by Fenlon J. at first instance that the French case of Max Mosley was distinguishable on the basis that publication of the images in that case was a breach of the French penal code and was not a breach of the laws of other countries. The implication is that in Equustek there was a breach of other countries' laws. If Equustek did have a worldwide business and rights outside Canada that is not made clear in the judgments.

There may also be an implication from the suggestion in the SCC judgment that Equustek was being harmed worldwide that Equustek had business or underlying rights worldwide. But nowhere is that made explicit.


The second ground on which the passage quoted above justifies the worldwide nature of the injunction is that purchasers inside Canada could easily find Datalink's sites on Google search domains other than .ca. At first instance Fenlon J. also concluded that to be effective even within Canada Google had to block search results on all its websites. [SCC 40]

This ground is implicitly based only on Equustek's domestic rights in Canada. That could raise the question of how far a court should strive to prevent local users' access to a foreign website without first considering whether such a site is targeted at its country. There is a trend in intellectual property to hold that a foreign site does not by virtue of its visibility alone substantively infringe (say) a domestic trade mark. Targeting the jurisdiction is also required.

More generally, an application for an extraterritorial de-indexing injunction based purely on domestic rights is likely to be treated with more circumspection than one underpinned by an express showing of worldwide rights.

Approach to freedom of speech rights


The third aspect of the SCC judgment of particular interest is its approach to freedom of expression.  

The SCC, while acknowledging the significance of freedom of expression, in this case saw it as weakly engaged:

"And while it is always important to pay respectful attention to freedom of expression concerns, particularly when dealing with the core values of another country, I do not see freedom of expression issues being engaged in any way that tips the balance of convenience towards Google in this case." [SCC 45]

How did the SCC reach this conclusion?

The SCC effectively sidelined the question of individual freedom of speech rights by equating freedom of speech with comity. It endorsed the reasoning of the BC Court of Appeal, which had said:

"In the case before us, there is no realistic assertion that the judge’s order will offend the sensibilities of any other nation. It has not been suggested that the order prohibiting the defendants from advertising wares that violate the intellectual property rights of the plaintiffs offends the core values of any nation." [BCCA 93]

However this passage frames a fundamental rights question (would this remedy engage the freedom of speech rights of internet users in country X?) as a purely state-centric comity issue (would this remedy offend the sensibilities of State X?).

The SCC appears to address that comity question by asking not whether Equustek had any relevant rights in other countries, but whether at some abstract level another state might be offended by a Canadian court enforcing the plaintiff's intellectual property rights.

This brings us back to the point that intellectual property rights are mostly local, not global. A UK right is separate from a US right and so on. For many IP rights (particularly trade marks and patents) we cannot assume that because someone owns a right in country A it owns a corresponding right in country B. Often they do not. Some IP rights (such as copyright) do come closer to being global, since states party to international treaties undertake to grant automatic reciprocal rights to other states’ nationals. Even then the content and scope of the rights will differ from one country to another.

So if, for instance, Equustek had trade mark rights or goodwill only in Canada (which, to repeat, the SCC judgment does not discuss) then the grant of a worldwide de-indexing injunction would inhibit users in other countries from accessing sites which, as a matter of the trade mark law of those countries, they would be entitled to see. That would strongly engage their individual freedom of expression rights. Even viewed purely as a comity question, might that not offend the sensibilities of that state?

The territorial nature of most IP rights also provides perspective for the comment of the SCC that it hardly seemed equitable to put the onus on Equustek to demonstrate, country by country, where an extraterritorial order is legally permissible.

If a plaintiff seeks a worldwide order against a non-wrongdoer third party that engages the fundamental rights of millions of internet users around the world, why (it might be asked) should it not have to make some kind of showing that it has rights in those other countries that could underpin the grant of such relief?

It must be acknowledged (again) that the territoriality of trade marks and passing off is a different matter from territoriality of breach of confidence. One can envisage arguments that breach of confidence, as a personally owed equitable obligation, might require less of a showing of rights in other countries than the inherently territorial passing off.

However the SCC judgment undertakes no analysis of that kind, perhaps because (as already discussed) the real foundation of the de-indexing injunction against Google was not Equustek’s underlying claims against Datalink at all, but the broad and apparently worldwide order against Datalink to cease carrying on business through any website.

Indeed the BC Court of Appeal, commenting on freedom of expression concerns raised not only by Google but also by intervenors the Canadian Civil Liberties Association and the Electronic Frontier Foundation, said:

"The order made in this case is an ancillary order designed to give force to earlier orders prohibiting the defendants from marketing their product. Those orders were made after thorough consideration of the strength of the plaintiffs' and defendants' cases. Google does not suggest that the orders made against the defendants were inappropriate, nor do the intervenors suggest that those orders constituted an inappropriate intrusion on freedom of speech." (emphasis added) [BCCA 109]

Nevertheless, in terms of justifying the impact of the claimed relief on freedom of speech rights of internet users in other countries it might be thought that in such a case the more relevant consideration is not the breadth of a pre-existing order made against the defendant by the domestic court, but whether the plaintiff has underlying rights in those countries capable of justifying the interference.

The SCC went further and said that the de-indexing order did not engage freedom of expression values at all:

"This is not an order to remove speech that, on its face, engages freedom of expression values, it is an order to de-index websites that are in violation of several court orders. We have not, to date, accepted that freedom of expression requires the facilitation of the unlawful sale of goods." [SCC 48]

Whatever the position in Canadian law, as a matter of international human rights law this passage elides the concepts of engagement and balancing of fundamental rights. The de-indexing order inhibits the ability of users to access and read the websites in question. That plainly engages the right of freedom of expression. For copyright that is established by the European Court of Human Rights Ashby decision.

The question of whether the interests of the plaintiff should outweigh an infringer's (or in this case an internet user's) right of free expression is a matter of necessity, proportionality and balancing the respective rights. Only exceptionally would an infringer's right to freedom of expression outweigh that of the IP rightsowner (although it is possible). But that does not mean that the right of freedom of expression is not engaged. Once engaged, the need to justify the interference leads inexorably to the question of what, if any, rights Equustek may have owned in countries in which users' access to Datalink's sites would be inhibited.

The SCC did go on to say that “Even if it could be said that the injunction engages freedom of expression issues, this is far outweighed by the need to prevent the irreparable harm that would result from Google’s facilitating Datalink’s breach of court orders.” [SCC 49] It is difficult to comment on this since the SCC evaluated the weight of the freedom of expression issues not in terms of the possible effect on individual users, but as a matter of state sensibilities.

In contrast, Fenlon J. at first instance identified the interests of internet users as a relevant factor in assessing the balance of convenience. Again this was with emphasis on the pre-existing broad Canadian court order against Datalink rather than what underlying rights Equustek might have had in other countries:

"To this list of considerations I would add the degree to which interests of those other than the applicant and the identified non-party could be affected – here potential purchasers will not be able to find and buy the defendant's products as easily, but that is as it should be in light of the existing court orders prohibiting the defendants from selling the GW1000 and related products." (emphasis added) [1st inst. 155]

The dissenting judgment


The SCC upheld the de-indexing injunction by a 7-2 majority. The minority identified five factors that in their view told in favour of exercising judicial restraint and declining to make the order. Among the concerns they identified was lack of effectiveness, in that Datalink's websites could be found by other means whether Google searches listed them or not. This suggested restraint in granting the de-indexing injunction. Effectiveness was also related to worldwide effect, in that "the quest for elusive effectiveness led to the [de-indexing order] having worldwide effect." While the worldwide effect of the order did not make it more effective, it could raise questions of comity.

The minority were also concerned that although in form an application for interim relief, in substance it would effectively be a permanent injunction against a party that had neither acted unlawfully nor aided and abetted illegal action. It gave Equustek broader relief than it had claimed substantively against Datalink. The order was mandatory and would require court supervision (for instance in updating the list of websites to be de-indexed). The minority also considered that Equustek had alternative remedies available against Datalink in another jurisdiction.

Overall the minority considered that the majority had slipped too easily outside the constraints of settled doctrine and practice.


Conclusion


The path that led to the SCC judgment was factually convoluted and dominated by the behaviour of the underlying defendant. The central role played by the pre-existing, apparently worldwide, order requiring Datalink to cease doing business on the internet is striking. If for no other reason, the case may come to be seen as one very much on its own facts.

Where an apparent bad actor thumbs its nose at the court’s authority it is perhaps unsurprising that if a well-resourced global intermediary is haled into court, apparently able to take steps to mitigate damage to the plaintiff at little inconvenience to itself, the tribunal may (if satisfied that it has the power) be inclined to enlist its assistance.

Nevertheless if a future court should contemplate a similar order then a more detailed identification of the rights and interests involved, analysis of any territorial aspects of those rights and consideration of the freedom of speech rights of internet users separate from the sensibilities of states may be key to arriving at an appropriate outcome.



Monday, 29 May 2017

Squaring the circle of end to end encryption

Eager student: Encryption seems to be back in the news. Why has this come up again?
Scholarly lawyer: It never really went away. Ever since David Cameron sounded off about encryption before meeting Barack Obama in January 2015 it’s been bubbling under.
ES: What did David Cameron say about it?
SL: He said: “In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to listen in on mobile communications, ... The question remains: Are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not.” That sounded very much as if he wanted some kind of encryption ban.
ES: Didn’t Downing Street row back on that?
SL: At the end of June 2015 David Cameron said something very similar in Parliament. Downing Street followed up with: “The prime minister did not suggest encryption should be banned." They said much the same to the BBC in July 2015.
ES: Now the focus seems to be specifically on end to end encryption.
SL: Yes. Amber Rudd said in March this year that E2E encryption was “completely unacceptable”. Downing Street weighed in again: “What the home secretary said yesterday is: where there are instances where law-enforcement agencies wish to gain access to messages which are important to an investigation, they should be able to do so.”
ES: Which brings us to this weekend?
SL: Yes. Amber Rudd has disclaimed any intention to ban end-to-end encryption completely, but at the same time she appears to want providers of E2E encrypted messaging services to provide a way of getting access.
ES: So where does that leave us?
SL: The government evidently wants to do something with end to end encryption. But exactly what is unclear.
ES: Can we ask them to make it clear?
SL: Many have tried. All have failed. That isn’t really surprising, since the very nature of end to end encryption is that the messaging provider has no way of decrypting it.
ES: So if the messaging provider does have a way in, it’s no longer true end to end encryption?
SL: Exactly.
ES: But hasn't end to end encryption been around for years?
SL: In the form of standalone software like PGP, yes. In fact that is what sparked the First Crypto War in the 1990s.
ES: Which ended up with universally available public key encryption?
SL: Exactly. The encryption genie couldn’t be put back in the bottle – you can write a public key encryption algorithm on a T-shirt - and they stopped fighting it.
ES: So what has changed now?
SL: Apps and the cloud. Software such as PGP is an add-on, like anti-virus software.  I make the decision to get PGP from somewhere and to use it with my e-mail. It has nothing to do with my e-mail provider.  But now messaging service providers are incorporating E2E encryption as part of their service.
ES: What difference does that make?
SL: Commercially, the provider will be seen as part of the loop and so as a target for regulatory action. Technically, if the communications touch the provider’s servers someone might think that the provider should be able to access them in response to a warrant.
ES: PGP-encrypted e-mails are also stored in the e-mail provider’s servers, but the provider can't decrypt those.
SL: Certainly. But if the messaging service provider itself provides the ability for me to encrypt my messages as part of its service, then it could be said that it has more involvement. It may store some information on its servers, for instance so that I can set up a connection with an offline user.
ES: If the provider does all that, why can’t it decrypt my messages?
SL: Because I and my counterparty user are generating and applying the encryption keys. With full end to end encryption the service provider never possesses or sees the private key that my app uses to encrypt and decrypt messages.
ES: But that’s the case only for full end to end encryption, right?
SL: Yes, there are other encryption models where the service provider has a key that it could use to decrypt the message.
ES: If it never sees the key and cannot decrypt your message, isn’t the service provider in the same position with end to end encryption as with original PGP? What can the service provider be made to do if it doesn’t have a key?
SL: Now we need to delve into the UK’s interception legislation. Buckle your seatbelt.
ES: Ready.
SL: As you know the new Investigatory Powers Act 2016, like the existing Regulation of Investigatory Powers Act 2000, includes power to serve an interception warrant on a telecommunications operator.
ES: Would that include a messaging provider?
SL: Yes. It shouldn’t include someone who merely supplies encryption software like PGP, but a messaging service provider would be in the frame to have a warrant served on it.
ES: What can a messaging provider be made to do?
SL: It could be required to assist with the implementation of the warrant. If it does have a key, then it could assist by using its key to decrypt any intercepted messages.
ES: Is that a new requirement under the IPAct?
SL: No, RIPA is the same. And even if the provider handed over only an encrypted message, a separate RIPA power could be deployed to make it use its key to decrypt the message.
ES: And if the telecommunications operator doesn’t have a key? How can it assist with the interception warrant?
SL: All it can do is hand over the encrypted message. Both RIPA and the new IPAct say that the telecommunications operator can be required to do only what is reasonably practicable in response to a warrant. If it has no key it cannot be made to do more.
ES: Is that it?
SL: No, the government has one more card, which might be a trump.  Under both the new IP Act and existing RIPA the Minister can serve a notice (a 'technical capability notice', or TCN) on a telecommunications operator requiring it to install a permanent interception capability. This can include the capability to remove any electronic protection applied ‘by or on behalf’ of the telecommunications operator.
ES: Does ‘electronic protection’ include encryption?
SL: Yes. But pay attention to ‘applied by or on behalf of’. If the encryption is applied by the user, not the telecommunications operator, then a TCN cannot require the telecommunications operator to remove it.
ES: So a lot could turn on whether, in the particular system used by the operator, the encryption is regarded as being applied by or on behalf of the operator?
SL: Yes. If so, then the TCN can require the operator to have the capability to remove it.
ES: But if the operator doesn’t have a key, how can that be reasonably practicable?
SL: For an operator subject to a TCN who is served with a warrant, reasonable practicability assumes that it has the capability required by the TCN.
ES: So the operator is deemed to be able to do the impossible. How do we square that circle?
SL: A Secretary of State considering whether to issue a TCN has to take into account technical feasibility. Clearly it is not technically feasible for an operator who provides its users with true end-to-end encryption facilities to have a capability to remove the encryption, since it has no decryption key. That might mean that a TCN could not require an operator to do that.
ES: But what if the Secretary of State were to argue that it was technically feasible for the operator to adopt a different encryption model in which it had a key?
SL: Good point.  If that argument held up then the service provider would presumably have to stop offering true end to end encryption facilities in order to comply with a TCN.
ES: Could a TCN be used in that way, to make a telecommunications operator provide a different kind of encryption? Wouldn't that be tantamount to making it provide a different service?
ES: How would we know whether the Secretary of State was trying to do this?
SL: That’s difficult, because a telecommunications operator is required to keep a TCN secret. One possibility is that the new Investigatory Powers Commissioner may proactively seek out controversial interpretations of the legislation that have been asserted and make them public.
ES: Is there a precedent for that?
SL: Yes, the Intelligence Services Commissioner Sir Mark Waller in his 2014 Report discussed whether there was a legal basis for thematic property interference warrants. David Anderson QC’s Bulk Powers Review has supported the idea that the Investigatory Powers Commissioner should do this.
ES: So what happens next?
SL: Draft TCN regulations have recently been consulted on and presumably will be laid before Parliament at some point after the election.  If those are approved, then the ground will have been prepared to approve and serve new TCNs once the IPAct comes into force, which will most likely be later this year.
ES: Thank you.

Sunday, 21 May 2017

Time to speak up for Article 15

Article 15 of the ECommerce Directive lays down the basic principle that EU Member States cannot impose a general obligation on internet intermediaries to monitor what people say online. We in the UK may have to start worrying for Article 15. It could easily be overlooked, or even deliberately left behind, when we start the process of converting EU to domestic UK law in preparation for leaving the EU. 

Article 15 is a strong candidate for the most significant piece of internet law in the UK and continental Europe. It is the stent that keeps the arteries of the internet open. It prevents the state from turning internet gateways into checkpoints at which the flow of information could be filtered, controlled and blocked.

The principle embodied in Article 15 is currently under pressure: from policymakers within and outside Brussels, from antagonistic business sectors, from the security establishment and potentially from all manner of speech prohibitionists. The common theme is that online intermediaries – ISPs, telecommunications operators, social media platforms - are gatekeepers who can and should be pressed into active service of the protagonists’ various causes.

Article 15 stands in the way of the blunt instrument of compulsory general monitoring and filtering. It does so not for the benefit of commercial platforms and ISPs, but to fulfil the policy aim of protecting the free flow of information and ultimately the freedom of speech of internet users.

Freedom of expression is not just any old policy aim, but a universal value at the heart of human rights – whether we look at Article 19 of the Universal Declaration of Human Rights, Article 10 of the European Convention, Article 11 of the EU Charter, the US First Amendment or the unwritten British historical attachment to freedom of the press. It is particularly precious because, for better or worse, speech reflects our very selves. “Give me the liberty to know, to utter, and to argue freely according to conscience, above all liberties.” (John Milton)

Conversely, freedom of expression has always been threatened by governments whose first instinct is to control. That is one reason why, perhaps more so than for any other human right, defenders of free speech find themselves taking principled stands on the most unattractive ground. “Because if you don't stand up for the stuff you don't like, when they come for the stuff you do like, you've already lost.” (Neil Gaiman)

The peculiar vice of compelled general monitoring, however, is that we never get to that point. If the filtered and blocked speech doesn’t see the light of day it never gets to be debated, prosecuted, tested, criticised or defended. To some, that may be a virtue not a vice.

Where freedom of speech is concerned, if principle is allowed to take second place to the exigencies of the moment we find ourselves not so much on a slippery slope as in a headlong rush down the Cresta Run. So it is with Article 15. The queue of noble causes on whose behalf we are urged to compel gateways to be gatekeepers - countering copyright infringement, trolling, hate speech, terrorism, pornography, fake news and the rest - stretches round the block.

We defend the right to bad speech for the sake of the good. We understand the impossibility of drawing a bright line between bad and good speech. We regulate bad speech only at the peril of the good. The peril is greater when the regulatory implement of choice is a tool as blunt as general monitoring.

Article 15 lays down a principle that applies across the board, from copyright to terrorism. EU Member States must not impose on internet intermediaries (conduits, hosts and network caches) a general obligation to monitor or actively to seek facts or circumstances indicating illegal activity. Intermediaries cannot be made to snuffle around their systems looking for unlawful activities. Article 15 goes hand in hand with the Directive’s liability shields under which conduits, hosts and network caches have various degrees of protection from criminal and civil liability for the activities of their users.

It is only too easy for policymakers to point the finger at intermediaries and demand that they do more to control the unpleasant and sometimes illegal things that people do on their systems. Policymakers see intermediaries as points of least cost enforcement: it is more efficient to enforce at a chokepoint than to chase tens of thousands of individual wrongdoers. The theory is made explicit in Recital (59) of the EU Copyright in the Information Society Directive:

“In the digital environment, in particular, the services of intermediaries may increasingly be used by third parties for infringing activities. In many cases such intermediaries are best placed to bring such infringing activities to an end.”

Mr Justice Arnold in Cartier explained the policy that underlies Recital (59):

“As can be seen from recital (59) to the Information Society Directive, the economic logic of granting injunctions against intermediaries such as ISPs is that they are the "lowest cost avoiders" of infringement. That is to say, it is economically more efficient to require intermediaries to take action to prevent infringement occurring via their services than it is to require rightholders to take action directly against infringers. Whether that is correct as a matter of economics is not for me to judge. Nor is it for me to judge whether it is good policy in other ways. That judgement has already been made by the legislators …”

At the same time, Article 15 of the ECommerce Directive constrains the breadth of injunctions that courts can grant against intermediaries under the Copyright and Enforcement Directives. The effect of Article 15 can be seen in the ECJ decisions of SABAM v Scarlet and SABAM v Netlog prohibiting content filtering injunctions, and in Arnold J’s Cartier judgment itself:

“If ISPs could be required to block websites without having actual knowledge of infringing activity, that would be tantamount to a general obligation to monitor.”

But if intermediaries are best placed to stop infringement, why should Article 15 constrain what can be imposed on them? Why shouldn’t the intermediaries be required to monitor?

The only sense in which intermediaries could be seen as best placed is that, since users’ communications flow through their systems, they have the potential to be technical chokepoints. In every other respect intermediaries are poorly placed to make decisions on legality of content and thus on what to block.

Intermediary enforcement risks exaggerating the ease with which unlawful behaviour can be identified, often assuming that illegal content is identifiable simply by looking at it. In relatively few categories is illegality manifest. Legality is predominantly a matter of factual investigation and judgement. That is why it is preferable to have independent courts ruling on matters of illegality rather than compelling private platforms to attempt it and have them overblock out of fear of liability or sanctions.

A too narrowly focused cost analysis tends to underplay or even ignore the negative externalities and unintended consequences of compelling gateways to act as gatekeepers. It excludes any broader implications of reinforcing chokepoints, the creation of a climate in which playing gatekeeper on behalf of the state and its proxies becomes the norm. In a broader context the least cost enforcer may turn out to be highest cost.

Notice-based intermediary liability systems result in material being removed before a court determines whether it is unlawful. That already carries a risk of overcautious blocking or removal. Compelled proactive monitoring and filtering, since it blocks information about which no complaint has been made, moves the scale of risk to another level. It is akin to prior restraint on a grand scale, conducted not by courts after hearing evidence but by private entities made to act as investigator, prosecutor, judge, jury and executioner.

Our aversion to prior restraint reflects also that the public are sometimes well served by the airing of something that at first blush might appear to be against the strict letter of the law. Speech may be rendered lawful by a public interest defence, or by fundamental freedom of speech considerations. Or a court might decide that even though unlawful the appropriate remedy is damages but not removal. Legality of speech, even in areas such as copyright, can be a heavily nuanced matter. Proactive general monitoring obligations allow for no such subtlety.

Some may argue that in modern times the quid pro quo for living with freedom of speech has been that speech is generally mediated through professional, responsible editors. And that we need to put that genie back in the bottle by converting online intermediaries into editors and publishers, responsible for what other people say on their platforms.

Never mind whether that could be achieved, the argument misunderstands the nature of freedom of expression. The great advance of the internet has been to bring about something akin to the golden age of pamphleteering, freeing mass individual speech from the grip of the mass media. District Judge Dalzell was right when, in ACLU v Reno, he said:

“As the most participatory form of mass speech yet developed, the internet deserves the highest protection from governmental intrusion.”

The US Supreme Court in the same case said:

“Through the use of chat rooms, any person with a phone line can become a town crier with a voice that resonates farther than it could from any soapbox. Through the use of Web pages, mail exploders, and newsgroups, the same individual can become a pamphleteer.”

Those quotations were from 1996 and 1997. They are, if anything, more relevant now. Individual, unmediated speech deserves more, not less, protection than the traditional press.

It may be discomfiting that the kind of vitriol that used to be confined to Speaker's Corner can now reach an audience of millions. But freedom of individual speech was never something only to be tolerated as a tourist curiosity, or indulged as long as it was hidden away in a pub saloon bar. Nor, as we know from the ECtHR decision in Handyside, is freedom of expression confined to that which would not offend in a genteel drawing room.

Article 19 of the 1948 Universal Declaration of Human Rights is not predicated on the assumption of mediated speech. It articulates an individual, personal right that transcends place, time and medium and could have been written with the internet in mind:

“Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”

Article 15 stands squarely in the path of compelling mediated speech through the instrument of general monitoring. So why might it be vulnerable to being overlooked in the Brexit process?

Caveat: what follows is based on the existing Conservative government’s plans for a Great Repeal Bill and is subject to the outcome of the General Election.

Article 15 and Brexit

Article 15 operates at several levels. If a Member State were to legislate in breach of Article 15, a national court would be obliged to disapply the legislation. So it acts as a powerful constraint on Member States at the policy and legislative level. As we have seen it also constrains Member States’ courts. They cannot issue an order that would impose a general monitoring obligation. They cannot interpret a domestic statute or develop a common law obligation in a way that is contrary to Article 15. Regulatory and enforcement bodies are similarly constrained.

The Brexit starting point is that the incumbent government has committed to continuing existing EU law through the Great Repeal Bill. Theresa May says in the introduction to the Great Repeal Bill White Paper:

“Our decision to convert the ‘acquis’ – the body of European legislation – into UK law at the moment we repeal the European Communities Act is an essential part of this plan.

This approach will provide maximum certainty as we leave the EU. The same rules and laws will apply on the day after exit as on the day before. It will then be for democratically elected representatives in the UK to decide on any changes to that law, after full scrutiny and proper debate.

… Th[e Great Repeal] Bill will, wherever practical and appropriate, convert EU law into UK law from the day we leave so that we can make the right decisions in the national interest at a time that we choose.”

On that basis Article 15 ought to be continued post-Brexit. However, there is a technical problem. Although it is in a Directive, and so was required to be implemented in UK law, the text of Article 15 appears nowhere in UK domestic legislation. Depending on how the proposed Great Repeal Bill is drafted, Article 15 may have to be specifically written into UK legislation in order to continue post-Brexit.

The White Paper recognises the need to write EU Regulations into domestic law, but appears to assume that since a Directive will already have been implemented in UK domestic law it just needs to be preserved post-Brexit:

“• the Bill will convert directly-applicable EU law (EU regulations) into UK law;
• it will preserve all the laws we have made in the UK to implement our EU obligations”

Article 15 could run the risk of falling between the cracks.

In any event, the desirability of continuing Article 15 may not be universally accepted. UK Music, in its ‘Music 2017 Manifesto’, has noted the opportunity that Brexit presents to ‘place responsibility on internet service providers and require them to have a duty of care for copyright protected music’. If that implies proactive monitoring it would put Article 15 in question. Where one industry leads others may follow. A government interested for its own purposes in turning the screw on intermediaries might not welcome the impediment of Article 15. It might be tempted to invoke the ‘wherever practical and appropriate’ White Paper qualification on continuation of existing EU law.

“Freedom of expression is not self-perpetuating, but rather has to be maintained through the constant vigilance of those who care about it.” So said Index on Censorship in 1972. The run-up to Brexit may be a time for especial vigilance.