As a website design and development company we host websites and services for our clients, some of which can, directly or indirectly, be used to send bulk email.
In Australia we have the Spam Act 2003 to tell us what is or isn’t acceptable in relation to sending bulk emails.
What I’m not clear on is the extent of OUR liability IF one of our clients is in breach of the Spam Act while using the hosting and software services that we’ve provided?
Obviously we don’t like spam (who does, apart from the people making money of it!), and are very happy to attempt to educate our clients about what is or isn’t deemed ‘spamming’. Additionally, we know that we’re liable to get one of our IP addresses - or a block of our IP addresses - blocked if one or more of our clients is flagged as a spammer by one or more of those anti-spamming services. In other words, we’ve no interest in seeing or assisting our clients to engage in spamming. And yet, if they do, to what extent can or should we be ‘policing’ this activity?
Fyi: I have just emailed ACMA about this question and will happily share here what I get back. But just was interested to hear other experiences/opinions on this issue in the meantime.
fyi, my understanding of the iiNet case (which is vaguely related to this issue) is that that the prosecution argued that iiNet were advised repeatedly (over a course of a year, I think) of copyright violations that were occurring across their network, but they did nothing about it. iiNet won the initial case on the basis that they are not required to be the policeman, and that view was agreed to by the judge, but it’s gone to appeal, I think.
I haven’t studied the actual law but my understanding is that if they do it wothout your knowledge then you (as messenger) are not liable. If they continue to do it after you find out about it then you are then liable as you have the means to stop them and by not doing so you are assisting them. There is at least the possibility of your ending up in court in those circumstances with your being accused of assisting in spamming by not shutting them down when you found out.
If you examine any Terms of Service for email/web hosting/ISP you will find a clause in each that allows the provider to shut down their service if they breach the conditions of the ToS and one of the conditions is that they do not engage in sending spam.
I agree from a “right thing to do” perspective. What I’m really interested in is more of a legal question that, I assume, relates directly to Australian law in the form of the Spam Act 2003. My question is to what extent we, “the provider” are legally liable if one of our clients engages in spamming?
Why do I ask the question? Well, the more risk of us being legally liable as the provider, the more rigorous we’ll be in policing and enforcing any rules that we might have, or put, in place. That’s not to say we’ll be slack otherwise.
I’m guessing the answer to the question is similar’ish to the iiNet court case where, in a nutshell, iiNet were found not guilty of copyright infringement on the basis that you can’t shoot the messenger, i.e. if people choose to breach copyright law then it’s not the fault or responsibility of the company who provided the systems that allowed those people to break the law.
fyi, I just received this reply from ACMA that I’m happy to share. The boldng is mine, not theirs:
Thank you for your enquiry regarding the mailing house aspect of your business and its obligations under the Spam Act 2003.
The Australian Communications & Media Authority (the ACMA) is only able to
provide general advice and any specific advice regarding your situation should
be attained by the way of appropriate legal counsel.
I will firstly refer to the Spam Act 2003 Part 2, Section 16 (1) which states
“A person must not send, or cause to be sent a commercial electronic message”, particular note should be taken when looking at the wording of the Spam Act as this wording is also in Section 17 and 18 of the Spam Act. The use of the words sent or cause to be sent means as a mailing house you can be held responsible for breaches of the Spam Act as you are involved in the sending of commercial electronic messages.
The Spam Act does not outline obligations as such only that a person (being
individual or organisation) should not send or cause to be sent commercial
electronic messages that do not meet the consent, sender identification and
unsubscribe requirements of the Spam Act.
So, the way I read it, potentially the company who facilitates the sending of spam - even if they didn’t actually send it themselves - could be held in breach of the (Australia) Spam Act 2003.
Here’s a list of anti-spam actions taken by ACMA, fyi:
I left my last ISP because someone asked me a question via my web site and I replied to that question. They were using AOL where the spam button is right next to the save button and they presumably accidentally hit the spam button. About a month or so later the ISP blocked my internet access for three hours for spamming.
Now apart from the fact that the particular email wasn’t spam and I could actually prove that it wasn’t, applying such a block only makes sense if it happens straight away when the spam is first being sent out. Plus they could have easily seen just by looking at the email itself that it wasn’t spam.
It makes sense for an ISP to prevent your being able to send emails if it looks like you are sending spam (even without needing to go to court) provided that they do it in a timely manner - ie when you are actually sending the bulk emails that they think are spam. Anyway, in Australia at least the definition of spam emails is faily clear - if you have a relationship of some sort with the person then the email isn’t spam and so any email replying to one from them or where you can prove they opted in to a mailing list or purchased something from you isn’t spam - everything else is spam. One of the easiest ways of identifying a lot of spam is that a lot of spam emails contain a sentence claiming that the email isn’t spam.
A more appropriate action was taken by my hosting provider when they received several spam reports about spam emails being sent from my web site. Their first action was to send me an email about it including both evidence that it had originated from my site as well as the subject line that the spam emails were using. That was sufficient information for me to identify which script on my site had the security hole that was being exploited so as to amend that script to prevent further spam from being sent. I disabled the web page myself until I had the time to implement the fix and no further action on the part of the hosting provider was required.
The same sort of thing could be applied if there a report of your breaching copyright they could send you a “please explain” request asking you to prove that you have permission for that content. That would allow them to take appropriate action without necessarily needing to go to court. Also if they obtain proof from you that you do have permission then they can forward it to whoever is making the accusation. That saves getting the court involved at all in cases where there is legitimate proof and the copyright holder simply forgot that they gave permission. It may also mean it doesn’t need to go to court where the accusation itself is false since it demonstrates to the accuser that there is proof that can be presented in court that they are in fact not the owner of the copyright.
While it can end up in court no matter what you do, having the right to take appropriate action in the Terms of Service and acting to try to resolve the issue prior to it going to court may eliminate the need for you to spend money defending your position in court as you may be able to resolve the issue without needing the court involved.
The actual key issue of the iiNet case is that the judge ruled that the act of determining whether copyright infringement took place is a matter to be decided only by a court. Hence just because the movie studios made accusations of copyright infringement, it was deemed unfair for iiNet to actually act on mere accusations.
This is a key argument against many of the new laws being pushed through in other countries, like the Digital Economy Bill in the UK. It seems very unfair for a copyright holder to make an accusation of infringement against an ISP customer and then have the ISP simply switch off that user based on a pure accusation. Instead, the copyright holder should go to court first and have them agree that copyright infringement did indeed take place, then go back to the ISP.
The parallels with spam are interesting, because again, who determines what is spam? Spam is usually based on an accusation of a third party, but they could be lying or just forgetful - perhaps they did actually subscribe to receive those emails? However, if many reports come in, then it is more clear cut. However, you could argue that again, the ISP would require a court order to act.
That’s my understanding of the case too. Had they taken action to prevent the copyright violations when they became aware of them then they probably wouldn’t have ended up in court having to defend their position. iiNet is pretty big so they could afford to go to court. If you can’t afford the court costs then taking immediate action as soon as you become aware is likely to reduce the chance of your being taken to court by the copyright owner but may result in your being taken to court by the ‘supposed’ thief - which is why you need the ToS to allow you to take such action where appropriate. Specifying how they can appeal the decision may also increase your chances of resolving such issues outside of court.