Curtis E. A. KARNOW <firstname.lastname@example.org>
Sonnenschein Nath & Rosenthal
Vicarious liability is the single most important legal underpinning for liability on the Internet. It is an outgrowth of the usual doctrines: parents responsible for the acts of their children, employers responsible for the acts of their employees. The presumption in each case is that the parent, or employer, has the duty and ability to control the wrongdoer, so that when the wrongdoer injures another, it is the employer, or the parent, who is sued. Vicarious liability finds liability even when the defendant -- the parent or employer -- has done nothing wrong, and never even knew about the wrongdoing. A large variety of wrongs are subject to vicarious liability: copyright and trademark infringement, harassment, discrimination, and so on.
On the Internet, enormous debate has taken place over the vicarious liabilities of Internet service providers (ISPs) and other site owners or managers for the acts of their users, engendering many law suits including the Software Publisher's Association's suits against three different ISPs for hosting Web pages that pointed to other sites that in turn had cracker tools and infringing materials. The doctrine has been addressed, too, in recent legislation such as the Millenium Digital Copyright Act. For those injured by widespread Internet-based transmissions, the ability to sue (on the basis of vicarious liability) the bottleneck, or choke point, represented by a website host or ISP is essential; without it, there may be no meaningful suit to bring at all.
Vicarious liability is the most important legal doctrine for the Internet. But the assumptions underlying the doctrine may not pertain to the Internet: for example, that the target defendant has the ability to control the acts of the original wrongdoer, or that ISPs can control the acts of their users. But with the advent of increasingly intelligent and automated processes, and the increasingly high volume of communications, humans are increasingly unable to control the content and effect of communications. This paper explores the extent to which developments in technology will eviscerate the assumptions of the doctrine of vicarious liability, and the legislative responses to the problem.
Contributory and vicarious liability, together known as "indirect" liability, are among the most important legal doctrines for the Internet, and for companies seeking to engage in e-commerce. These doctrines impose liability for an enormous list of claims against those who did not, in fact, do the bad act; in many cases, these doctrines impose liability against those who did not even know the bad act happened.
Contributory liability is that of a person who knowingly aids the direct infringer. In the criminal law context, those who aid and abet the primary criminal actor -- say the bank robber -- by providing the getaway car, acting as a look out, and so on, have this sort of contributory liability.
Vicarious liability is an outgrowth of old doctrines: parents responsible for the acts for their children, employers responsible for the acts of their employees. The presumption in each case is that the parent, or employer, has the duty and ability to control the wrong doer, so that when the wrong doer injures another, it is the employer, or the parent, who is sued. Vicarious liability finds liability even when the defendant -- the parent or employer -- has done nothing wrong, and never even knew about the wrongdoing.
An immense variety of wrongs are subject to indirect liability: copyright, trademark and patent infringement, harassment, discrimination, libel, theft of trade secrets, and so on.
There is substantial debate on the indirect liabilities of Internet Service Providers (ISPs) and other site owners or managers for the acts of their users. We have seen law suits such a those brought by the Software Publisher's Association's suits against three ISPs for hosting Web pages that pointed to other sites that in turn had cracker tools and infringing materials. A university has been sued for the asserted defamation by a student, posted to the Usenet through the university system. More recently, trademark owners have sued sites that permit the use of trademarks as search terms with which to seek out sites on the Internet, and suits are threatened against other Internet sites that point users to sources of other potential infringing materials. In addition to ISPs, indirect liability issues affect broader groups: Web site operators, hosts, universities and colleges, and managers. Employers that operate Web sites, and others, may all be subject to indirect liability. Recent legislation such as the Digital Millenium Copyright Act seeks to modify some aspects of indirect liability.
For those injured by widespread Internet-based transmissions, the ability to sue (on the basis of indirect liability) the bottle-neck, or choke-point, represented by a Web site host or ISP is considered essential; without indirect liability, plaintiffs fear there may be no meaningful suit to bring at all.
But the assumptions underlying these doctrines do not fit well with the Internet. Indirect liability assumes that the target defendant has the ability to control the acts of the original wrong doer -- that ISPs, for example, can control the acts of their users. But with the advent of intelligent and automated processes and the increasingly high volume of communications, humans are increasingly unable to control the content and effect of communications. Difficult questions are posed by the issue of to what extent an ISP and others involved in Internet distribution should be held liable for the numerous, sometimes almost infinite copies and crimes enabled by Internet distribution. Developments in technology have eviscerated the assumptions of the doctrine of indirect liability.
In the past, analyses of these issues have devolved to a "battle of analogies." For example, the imposition of liability on ISPs is clothed with debates on whether an ISP is more like a public utility (e.g., telephone service) or a newspaper, or like a television broadcaster, or a bookstore. To the extent services provided by the ISP are deemed analogous to those of a public telephone company, liability will be sharply limited because it will have little right or ability to control unauthorized e-mail, just as a telephone company cannot control an unauthorized facsimile. To the extent that the ISP is seen to control content as a newspaper does, liability can be imposed more easily. Or perhaps the ISP should be treated like a bookstore, which does not, and indeed could not, review the contents of every title on its shelves. There is an endless variety to these analogies, but they provide less guidance than a manner of clothing foregone conclusions. The fact is that old doctrines of indirect liability do not work, and their underlying principles find no purchase, in the Internet context.
The case of Religious Technology Center v. Netcom On-Line Communications, Inc., is useful, because each of the Netcom defendants represented one of the primary participants in the Internet communication under legal attack. These participants included (1) the subscriber of a small Bulletin Board System (BBS) who had allegedly posted an infringing copy to the BBS for distribution across the Internet; (2) the BBS operator; and (3) the ISP that provided the BBS with Internet access. Religious Technology Center sued the ISP, the BBS, and the subscriber for direct, contributory, and vicarious copyright infringement.
Direct liability is the liability of the direct actor. In the copyright context, this is the person who actually initiates the copying of the infringing work. Direct liability is straightforward, attaching to any person who orchestrates or directs the infringement. The entity directly liable for infringement may be referred to as the "primary infringer." In the present context, the primary infringer is usually the ISP subscriber, or user.
The primary infringer is not the only target of an infringement suit for a variety of reasons. First, he may not have the financial resource to satisfy a judgment. Secondly, the plaintiff will generally desire an order to an ISP or others in an effort to stop the infringement. Thirdly, and most significantly, where millions of subscribers can send billions of infringing works and link to a billion more, only threats to an ISP or other centralized defendant are considered effective. If ISPs fear massive lawsuits for vicarious or contributory liability, the ISPs may be cajoled into policing their own sites.
Plaintiff in Netcom claimed that the subscriber, the BBS operator, and the ISP should each be held directly liable for the infringing acts instigated by the subscriber. Netcom held that the subscriber's posting of the plaintiff's work to the Internet was probably copyright infringement. The subscriber was directly liable.
The Netcom court next discussed whether the BBS operator's and ISP's extensive copying of the plaintiff's work on their computers should subject them to direct liability for copyright infringement, as well. Conceding that the copying of the work via computer could constitute direct liability, Netcom nonetheless declined to impose direct liability because doing so would
create many separate acts of infringement and, carried to its natural extreme, would lead to unreasonable liability. . . . It would also result in liability for every single Usenet server in the worldwide link of computers transmitting [the subscriber's] message to every other computer. These parties . . . do no more than operate or implement a system that is essential if Usenet messages are to be widely distributed. There is no need to construe the [Copyright Act] to make all of these parties infringers. Although copyright is a strict liability statute, there should still be some element of volition or causation which is lacking where a defendant's system is merely used to create a copy by a third party.
Thus Netcom held that the ISP was not directly liable for the unauthorized copying initiated by the subscriber. Where "the BBS merely stores and passes along all messages sent by its subscribers and others, the BBS should not be seen as causing these works to be publicly distributed or displayed."
Other courts will probably follow the lead of Netcom, reserving direct copyright liability in the ISP or BBS context to those cases where the service provider's conduct amounts to active participation in the copying, displaying or distribution of the protected work. At least with respect to ISPs whose only connection to the primary infringer is the provision of Internet access, courts are not likely to hold the site owners directly liable for the infringing acts of their subscribers.
Contributory liability may be imposed where the defendant, "with knowledge of the infringing activity [of the primary infringer], induces, causes or materially contributes to the infringing conduct of another." Thus, there are two prongs to contributory liability: (1) the defendant's knowledge of the infringing activity, and (2) the defendant's contribution to, or participation in, the infringing activity.
There can be no contributory liability without a defendant's actual or "constructive" knowledge of the underlying wrongful act. This knowledge element distinguishes contributory from vicarious liability.
In Netcom, the plaintiff warned the ISP that its subscriber was posting infringing copies. This, the court suggested, might be knowledge enough of the infringement. The court suggested that once an ISP receives notice of infringement it must act to investigate, and ultimately stop, the infringement or risk being held contributorily liable based on that knowledge. There the ISP "retains some control over the use of its system," and that it had taken action on prior occasions to shut down postings of pirated software.
This standard could provide a potential plaintiff a substantial veto power over anything on a site. Plaintiffs can claim copyright infringement and force the ISP to take action to shut down the alleged infringer. The new Digital Millenium Copyright Act, discussed below, seeks both to put that power in the hands of the plaintiff, and to protect both ISPs and users against frivolous claims of infringement.
The Netcom court skipped over the questions of when an ISP can be deemed to have constructive knowledge. "Constructive" knowledge is a nice legal fiction; as is true with most legal fictions, it means somewhat the opposite of what it says. A person with "constructive" knowledge of a fact does not actually know the fact at all. "Constructive" knowledge is a conclusion made by a court that while one was ignorant, one should have, under all the circumstances, known the fact because the knowledge was somewhere, available. One case suggests that finding this sort of constructive knowledge by an ISP depends on the "degree to which [the ISP] monitored, controlled, or had the ability to monitor or control the contents of its subscriber's Web pages." This threshold may be easily established. All ISPs can at least "monitor the contents" of their subscriber's Web pages, although severe practical difficulties will arise if the "contents" include millions of pages and billions of e-mails or other transactions conducted via the pages. While a court might find that an ISP should have known that a work was copyrighted -- most everything is -- enormous difficulties remain in deciding whether the posted work was either (1) truly created by the person posting it, and/or (2) licensed to be posted by the copyright owner. Against the background of Internet, the legal fiction of constructive knowledge quickly breaks down.
A defendant with knowledge will be contributorily liable if it "induces, causes, or materially contributes to the infringing conduct" of the primary infringer. "Such a participation must be substantial." The Netcom court found "participation" in the ISP's failure to cancel the user's "infringing message and thereby stop an infringing copy from being distributed worldwide." That, too, is a simple test to meet.
Thus, an ISP might be held contributorily liable for content it receives from an outside source, or for offenses committed at linked sites on the theory that it pointed to, contributed to, or even enabled the offenses of others through its links. For example, several large software developers brought suit against various ISPs for contributory and vicarious copyright infringement. The suit was based on the allegation that the ISPs were providing their users with "cracker tools," links to cracker tools at other sites, and that the ISPs were permitting their users to maintain Web sites that in turn provided pointers to other sites that actually contained pirated software. The lawsuit was dropped when some of the ISPs agreed to adopt a policy of monitoring their users' Web pages for copyright infringement. While this case was settled, it illustrates how far some litigants hope to push the doctrine of contributory infringement.
Vicarious liability is based on the defendant's relationship with the direct infringer. The defendant need not have directly contributed to the infringing activity. Vicarious liability derives from agency principles of respondeat superior, and will be imposed on a defendant that (1) has the right and ability to control the infringing acts of another, and (2) receives a direct financial benefit from the infringement. Unlike contributory infringement, knowledge is not an element of vicarious infringement. That is, a party may be guilty of vicarious liability without any knowledge that the bad act has occurred. A familiar application of this doctrine is the liability of an employer for the acts of its employees.
In the so-called "dance hall" cases, vicarious liability for copyright infringement was imposed on the owners of dance halls deemed to have "allowed" the unauthorized public performance of musical works by musical groups. This was done even though the owners had no knowledge of the infringements and had even expressly warned the bands not to perform copyrighted works without a license from the copyright owners. Indeed "cases are legion which hold the dance hall proprietor liable for the infringement of copyright resulting from the performance of a musical composition by a band or orchestra whose activities provide the proprietor with a source of customers and enhanced income. He is liable whether the bandleader is considered, as a technical matter, an employee or an independent contractor, and whether or not the proprietor has knowledge of the compositions to be played or any control over their selection."
In examining whether an ISP could be held vicariously liable for copyright infringement, Netcom left open the first issue: whether the ISP had the "right and ability" to supervise and control the conduct of its subscribers. With respect to the "direct financial benefit" prong of the test, however, the court found that there "is no evidence that infringement by [the subscriber], or any other user of Netcom's services, in any way enhances the value of Netcom's services to subscribers or attracts new subscribers." Thus, the court held that the BBS operator and the ISP could not be liable for vicarious infringement because they did not have the requisite financial interest in the infringing conduct of subscribers.
Employers do secure a direct financial benefit from the direct infringer's activity, and thus an employer may be vicariously liable for its employees' use of the company computer networks. This legal regime burdens the employer with a practical obligation to supervise its employees' use of the company network. That, in turn, increases the risk of employers' liability for direct and contributory infringement, because that employer is then far more likely to be tagged with knowledge of the illegal actions of its employees when they do occur.
There is a similar risk for ISPs that function as content providers, and other forum moderators, systems operators, colleges and universities, e-commerce companies, and anyone who supervises the flow of content (or advertises claiming to control content). This is an increasing risk, because Web site operators continue to add content to their site in an effort to attract users to increase advertising revenues. Increasingly, Internet sites seek to have customers use their site as a first stop home page and last stop online community providing a wide variety of interactive services, such as news, chat rooms, message boards, merchandise order placement, and other interactivity. Many of these activities are supervised by the site owners. For example, in an effort to maintain a family-friendly atmosphere, and also to avoid the sorts of liability outlined above, AOL employs a staff of 100, and 14,000 volunteers, to patrol message boards and chat rooms. Offensive messages are deleted, and serious offenders lose their account, together with their access to e-mail. Every increase in these services increases the content flowing through the sites. But simultaneously, both (a) reduce the ability of the site operator to actually catch illegal behavior and (b) increase the site's exposure to indirect liability, because this overt supervision helps to establish both the knowledge element for contributory liability and the right and ability to supervise elements for vicarious liability. And there is another problem: AOL, with over 42% of the ISP share, is subject to complaints that its near monopoly is abused when its vague guidelines are used to censor online debate.
The problems with indirect liability have some statutory responses.
1. Congress has enacted legislation that provides ISPs some relief from indirect liability for copyright infringement. The Digital Millenium Copyright Act blocks ISPs' liability for third party copyright infringements unless they have failed to remove the offending material after notice from the copyright holders. The Act also exempts ISPs from direct or vicarious liability for infringing transmissions by third parties if the ISP did not (1) place the material online, (2) select or alter its content, (3) determine its recipients, (4) benefit financially from the infringement, (5) endorse or advertise the material, and (6) know that the material was infringing.
2. An older statute has been used to insulate ISPs from liability for defamatory statements of a user. Invoking a section of the Communications Decency Act (CDA) that survived the Supreme Court's constitutional invalidation, the Fourth Circuit applied the CDA to shield online provider AOL for a defamatory statement made on AOL by a user, outside of AOL's direct control. The court held that
Lawsuits seeking to hold a service provider liable for the exercise of a publisher's traditional functions -- such as deciding whether to publish, withdraw, postpone, or alter content -- are barred.
Zeran is a significant opinion, and in part resolves previous split decisions in the area that struggled for the appropriate metaphor with which to analyze on-line providers -- by opting, under the guidance of the CDA, for the publisher option, and with it the First Amendment values that will ensure a vigorous exchange of views.
3. Section 230 of the Telecommunications Act of 1996 has also been used by ISPs functioning solely as conduits of information to avoid liability, much as a telephone service provider is not responsible for the defamations or threats uttered by those speaking on the phone.
These statutory responses recognize the problem, but they do not solve it. ISPs and others who provide Internet access are, increasingly, hosting content; they are not simply acting as conduits, as pipelines for data. To that extent the Telecommunications Act of 1996 may not shield the ISP from liability. While the Zeran's court use of the CDA provides protection for libel, it remains unclear whether indirect liability for other wrongs are similarly barred. And the Digital Copyright Millenium Act, which addresses only indirect liability for copyright (and not any other type of claim), still requires substantial oversight by ISPs of their users, and case by case management of every single complaint that is made.
More important, these statutes do little to address the problems of indirect liability by those who are not ISPs, such as employers who manage Web sites and Internet service for their employees, and educational institutions and companies embarking on the vessel of e-commerce, attracting users, and providing as much by the way of interactive content as they possibly can.
ISPs and other hosts are caught in a proverbial catch-22. They are the apparent deep pocket, and an attractive choke point, sued for the activities of their users and advertisers. They are tagged with "constructive" knowledge of bad acts they know nothing about, and are charged with contributory liability when they do supervise in an attempt to diminish the likelihood of bad acts. When they police their sites, tossing users off the system or revoking privileges, they become the object of ridicule, scorn, and anger. The vast majority of these potential indirect targets, for the majority of types of legal claims for which indirect liability will be imposed, benefit nothing from the legislative responses.
And in the background are the millions of users; billions of e-mails and chat discussions; an unknown number of computer security attacks; uncountable transmissions of files and copies with copyright implications; and virtually infinite links, frames, and other uses with potential trademark implications. Intelligent agents are launched and roam the highways and byways of the Internet, spiders on millions of Web pages, agglutinating and updating an astronomical number of links. Much of the interaction is automated, and unpredictable. The conceit of doctrines of indirect liability that site operators have the ability to supervise, or know ("constructively") of individual bad acts of users, is just false. And worse: the threat that indirect liability will be imposed can create monsters, e.g., ISPs' random acts of policing, and the imposition of vague and arbitrary standards; the exposure of otherwise private action to the supervising site manager; supervising managers caught in the unpleasant middle, between users accusing each other of infringement, libel, stalking, and all the rest. And then the coiled snake of the self-fulfilling prophecy: The more supervision to ward off liability, the more the supervisor knows, and so the better the odds of a finding of liability.
Fundamentally, there is something disquieting about this application of indirect liability. It should be presumptively wrong to hold one person accountable for the acts of another. Courts should pause -- and I suggest, pause permanently -- before extending these old doctrines. Their principles do not hold up in the new context. Children are not legal persons, and so we understand their parents are held liable: there is no one else, practically, to sue. Employers truly act only through their employees, and principals by definition literally act through their agents. So we will hold the employer, the principal, responsible for his agent's acts. But those relationships do not describe the relationship between ISPs, Web site hosts, universities, or other site managers, and their users and advertisers. The use of doctrines of indirect liability in these contexts is unprincipled and must be abandoned. That is why, as we have seen, they do not work.
The infliction of indirect liability is a result, if not of principle, then one of fear. It is the fear of anonymity on the Internet. We are afraid the miscreant will do his mischief and then just disappear into the ether, to rise again under another skin and name, and repeat the evil deed. We are uncertain on suit against an alias, or a handle; but we can sue established companies, we know where they are and how to serve them with court papers. We are afraid to move against the shadows; better to pick a company with a physical address as our target. But the problem of anonymity is not well handled by suing the ISP for the user's message, or the university for the student's posting, or a Web site for a client's advertisement. The transgressor will still find another route to the Internet.
There is another fear, too. It is the fear of ubiquity. At the flick of a single wrist, users can spam a million e-mail accounts, attack a thousand systems, make uncounted copies of copyrighted material. It seems unreasonable somehow, and beyond the capacity of a victim to manage. The power of the individual to commit crimes and inflict civil wrongs is no longer a function of his physical prowess, or his accessibility to physical locations; in some ways, it is not a function of anything at all but the ubiquity of targets. With so many potential evil-doers in such a target-rich environment, it seems better to head them off at the pass, as it were, sue the ISP -- or at least make someone else responsible for their actions, which is, in fact, the only true consequence of indirect liability. Suing a site because a user committed a wrong just transfers the burden of policing to the ISP and away from the victim; it does not solve the burden of policing.
Increasing automation implies that those who operate Web sites and ISPs do not, in fact, have knowledge of all the actions of their users; it implies a loss of control. To be sure, one may hire a million omnibudsmen and spend much money to reassert a meaningful supervisory position -- but that defeats the original purposes of automation. It is no better than using pen and paper to check the results of a payroll program: it can be done, but then why the program?
The venerable doctrine of indirect liability takes account of real knowledge, and real control, in the context for which it was developed; the doctrine followed and played off, but did not create, that knowledge and control. We ought not to stretch it to a doctrine that demands a reallocation of resources to make that knowledge and control where it does not exist.