System Operator Liability: What Have We Learned?
by Eric Goldman
In the early 1980s, Thomas Tcimpidis operated a bulletin board system in Los Angeles. In 1984, Tcimpidis was arrested because a user had posted stolen telephone credit card numbers onto the BBS and Tcimpidis was charged with the misdemeanor of "knowingly and willfully" publishing the stolen numbers. Although the charges were eventually dropped, his arrest received national press coverage and drew attention to the potential liabilities faced by system operators ("sysops") for the actions of their users. Some sysops chose to shut down their system rather than face this liability.
We now have accumulated 13 years of experience regarding the issues faced by sysops for the content they make available on their system. As we might expect, many issues have been clarified in the intervening time, while many other issues have remain unresolved. Although there are many interesting issues related to sysop liability for their own actions and statements, the more difficult and complicated issues arise with respect to the liability faced by sysops, including Tcimpidis, for the activities and content of their users. Few sysops fully appreciate the extent to which their users’ or content provider’s activities or content can create liability for the sysop. This article focuses on some of the conclusions reached--and issues remaining --with respect to sysop liability for the statements and actions of third parties.
Liability for Third Party Actions and Content is Not Unprecedented
It is often assumed that sysop liability for third parties actions and statements is somehow unique or unprecedented. In fact, there are a wide variety of legal situations where one party shares liability for a third party’s actions, many times without any wrongdoing on the part of the non-acting party. The following illustrate some situations where a party is liable for the statements or actions of third parties:
* there are numerous situations where the principle of "vicarious liability" applies. Vicarious liability means that one party, regardless of conduct or intent, is liable for third party conduct. For example, an employer is vicariously liable for its employees’ conduct performed in the course of employment. Therefore, if an employee is required by his or her job to drive a truck, and the employee causes personal injuries to a pedestrian, the employer will be liable for such injuries even if the employer did nothing wrong. Similarly, partners in a partnership are vicariously liable for all partners’ actions performed in the course of the partnership.
* Parents can be liable for the conduct of their children. Sometimes liability does not accrue unless the parents were negligent in supervising their children; however, there are circumstances where the parent will be liable even if they were not negligent.
* Property owners may be liable for the environmental problems on their property, even if the problems were caused by a prior owner.
* Closer to the sysop situation, newspapers and other "publishers" are liable for the content they publish, even if the content is provided by third parties. Therefore, if a newspaper publishes an article written by a free lance journalist or a news wire service, the newspaper ordinarily will be liable for the harm created from the article (as discussed above, if the article were written by a staff reporter, the newspaper would have been vicariously liable).
* Also, copyright law is a "strict liability tort," meaning that intent to violate is not a prerequisite to infringement. Therefore, film processors have been found liable for copyright infringement merely by processing rolls of film delivered by customers. Furthermore, there is a vicarious liability doctrine in copyright law which has held the proprietors of "dance halls" vicariously liable for the copyright infringements committed by bands that play at the venue.
The above list is certainly not complete, but it illustrates the principle that there are many existing situations in a wide variety of legal doctrines where third parties can create liability for another. Therefore, perhaps sysop liability for third party actions and statements is not unprecedented. Of course, concluding that such sysop liability is a good thing is a different conclusion altogether.
The Law of Sysop Liability
The body of law relating to sysop liability continues to grow in an ad hoc fashion as cases in various disciplines are decided without cross-reference or integrating analysis. Therefore, this section discusses cases on sysop liability for copyright, defamation and obscenity/pornography. A brief mention of trademarks is also made.
There have been three United States cases reported on the issue of sysop liability for copyright infringement committed by their users.
Playboy v. Frena, a 1993 case from a federal court in Florida, involved a situation where photos from Playboy had been scanned, digitized and uploaded to a bulletin board system in Florida called Techs Warehouse. George Frena, the sysop of Techs Warehouse, was sued by Playboy for copyright infringement (and trademark infringement and unfair competition, but these claims will not be discussed in this article).
Playboy moved for summary judgment in its favor, which the court can grant if there are no material issues of fact in dispute. Frena argued that there was a material issue in dispute, since he claimed that his users were responsible for uploading the digitized photos to the system (although in the court’s discussion of trademark infringement, the court seems to believe that Frena himself had uploaded the photos--although the court was not permitted to make this factual determination in response to a summary judgment motion).
The court granted Playboy’s motion for summary judgment, concluding that whether Frena or his users had uploaded the files was irrelevant. The court concluded that Frena violated Playboy’s right of "distribution," arguing that "[t]here is no dispute that Defendant Frena supplied a product containing unauthorized copies of a copyrighted work. It does not matter that Defendant Frena claims he did not make the copies itself." In thinly worded analysis, the court also concluded that Frena violated Playboy’s right of "public display."
The court concluded its analysis by reiterating why Frena’s assertion that he did not load the files was irrelevant: "There is irrefutable evidence of direct copyright infringement in this case. It does not matter that Defendant Frena may have been unaware of the copyright infringement. Intent to infringe is not needed to find copyright infringement. Intent or knowledge is not an element of infringement, and thus even an innocent infringer is liable for infringement...."
Sega v. MAPHIA, a case from a federal court in Northern California, was initially decided in March 1994, closely after the Frena case. (A subsequent decision is discussed below; the initial decision is referred to as Sega I). In the Sega case, the defendants ran a bulletin board system called MAPHIA. Users of the MAPHIA BBS were able to get Sega game software which had been removed from the game cartridges and uploaded to the BBS. The defendants also sold "back up units" designed to allow users to copy Sega game cartridges; in connection with sales of such units, or on a standalone basis, defendants would permit buyers to download Sega games from the BBS. The defendants would also allow people who uploaded Sega games to the BBS the right to download other games.
The Sega I court found that the games had been uploaded to the BBS by users. The court made no conclusion that the sysops/defendants had uploaded the infringing material. Nevertheless, as in the Frena case, the Sega I court concluded that the defendants had directly infringed Sega’s copyrights because the defendants had made unauthorized copies.
The Sega I court further concluded that the defendants had contributorily infringed Sega’s copyrights. A contributory infringer is "one who, with knowledge of the infringing conduct of another, induces, causes or materially contributes to the infringing conduct of another." The defendants could properly be deemed contributory infringers because they had actively promoted the BBS as an exchange of copyrighted material and had encouraged it through selling and bartering the rights to make downloads.
The Frena and Sega I conclusions that sysops are directly liable for copyright infringement by their users has produced widespread criticism, but some policy makers have endorsed the result. The Clinton Administration appointed a task force to examine copyright issues in cyberspace, and in a 1995 "White Paper," the task force endorsed direct liability for sysops. Some discussions have been had within Congress to implement this endorsement legislatively. Also, at the World Intellectual Property Organization meetings in December 1996 in Geneva, a worldwide treaty was proposed (and rejected) to make sysops directly liable for copyright infringement.
In December 1996, the Sega court rendered a second ruling that clarified the first ruling. Based in part on the Netcom decision (discussed in the next paragraph), the Sega II court concluded that since the sysop did not upload the games to the BBS, he was not directly liable for copyright infringement. However, due to his encouragement of unauthorized uploads and participation in the general scheme, he was found contributorily liable.
The third case involving sysop liability for copyright infringement is Religious Technology Center v. Netcom, an opinion issued by a federal court in Northern California. The Netcom case involved potential liability for an infringing USENET posting made by a user. The user, Dennis Erlich, was a subscriber of a North Hollywood BBS called "support.com," operated by defendant Tom Klemesrud, who used Netcom as the BBS’s Internet service provider.
Erlich posted a message containing the copyrighted material of plaintiffs, which are entities associated with the Church of Scientology. The message was sent by Klemesrud’s BBS to Netcom’s servers, which forwarded the message on to other USENET servers and made the posting available to Netcom’s subscribers. Plaintiffs contacted the defendants and asked them to take various steps, including in Netcom’s case to remove the posting from their USENET servers. Most of the plaintiff’s requests were denied, and Erlich’s posting remained on Netcom’s USENET server until it was deleted in the ordinary course of purging old USENET postings 11 days later.
Religious Technology Center sued Erlich, Klemesrud and Netcom under a number of theories, including copyright infringement. In an opinion issued in late 1995, the court dealt with Netcom’s and Klemesrud’s liability for copyright infringement.
The court found that Netcom and Klemesrud were not liable for direct infringement of the Scientology texts by forwarding the work to other USENET servers and by displaying the work to USENET readers on their services. Although their servers made copies of the materials, neither Netcom nor Klemesrud had done nothing volitionally: "Only the subscriber should be liable for causing the distribution of plaintiff’s work, as the contributing actions of the BBS provider are automatic and indiscriminate." Further, if the court did find Netcom or Klemesrud liable as a direct infringer, then USENET would necessarily be shut down because each server would be directly infringing--a result the court did not think was necessary: "The court does not find workable a theory of infringement that would find the entire Internet liable for activities that cannot reasonably be deterred."
In refusing to hold Netcom and Klemesrud directly liable for copyright infringement, the Netcom court declined to follow the results reached in Frena and Sega I holding the sysops directly liable for their users’ actions.
With respect to contributory infringement, the court noted that Netcom and Klemesrud were given notice of the existence of infringing material on its servers before the posting was automatically flushed. As a matter of law, the court concluded that "[w]here a [sysop] cannot reasonably verify a claim of infringement, either because of a possible fair use defense, the lack of copyright notices on the copy, or the copyright holder’s failure to provide the necessary documentation to show that there is a likely infringement, the operator’s lack of knowledge will be found reasonable and there will be no liability for contributory infringement for allowing the continued distribution of the works on its system." By implication, therefore, if the sysop receives a valid and adequate notice of copyright infringement occurring on its servers and fails to act, the sysop could be contributorily liable. The court reserved the issue of whether or not Netcom and Klemesrud had sufficient notice for further argument by the parties.
The court also addressed whether Netcom should be "vicariously" liable for Erlich’s behavior. In copyright law, vicarious liability accrues when a party has sufficient "right and ability to control" behavior and receives a direct financial benefit from the behavior. Although the court could not make a factual determination about Netcom’s right and ability to control Erlich, the court found that Netcom did not directly benefit financially from Erlich and therefore was not liable. (Klemesrud’s vicarious liability was not thoroughly addressed because of a procedural error made by the plaintiffs).
Finally, the Netcom court addressed whether Netcom’s behavior was excusable under the "fair use" defense. "Fair use" is a defense to claims of infringement and can be found by analyzing four factors: the purpose and character of the use, the nature of copyrighted work, the amount and substantiality of the portion taken, and the effect of the use on the potential market for the work (all four factors are considered, although the last is considered the most important). Although Netcom did copy the entire work in some cases, the court noted that Netcom only copied the amount of the work necessary to act as a USENET node. The court reserved as a factual matter whether or not Netcom’s use was fair.
The Netcom case was a well-reasoned case and it tells us a lot about the latest thinking on sysop liability for copyright infringement. Although the case was not a clear victory for Netcom or Klemesrud, it is fairly clear that they were unlikely to face liability for acting as a USENET node. However, Netcom and Klemesrud were potentially subject to liability because they were informed that their system contained infringing material and they failed to act. Even in this case, the court seemed sympathetic to Netcom’s argument that it should not be forced to remove infringing material just because it receives an unsupported assertion that the material infringes. Therefore, unlike the Frena and Sega I cases, which effectively held sysops strictly liable for any copyright infringement on their systems, the Netcom court established some meaningful thresholds on possible sysop liability. For better or worse, we will never know how the Netcom court would finally resolve the issues; in Fall 1996 Klemesrud settled for $50,000 and Netcom settled under a cloak of confidentiality.
There is a fourth U.S. case that warrants brief mention. The 1994 case U.S. v. LaMacchia involved David LaMacchia, a 21 year old M.I.T. student who set up a BBS (which actually was misappropriated space on M.I.T.’s servers) and encouraged people to upload copyrighted "warez" to the system. LaMacchia was prosecuted under criminal copyright statutes and, under the statutory definitions, found not liable. However, the copyright owners presumably had a winning civil case against LaMacchia for contributory copyright infringement under the reasoning of Sega I and Sega II. Such an action was presumably not brought because LaMacchia probably had no assets to pay a judgment.
Finally, an international copyright case is worth mentioning. In the case Scientology v. Providers, a decision rendered by the District Court of the Hague in March 1996, the Church of Scientology sued 22 Internet service providers ("ISPs") and one Internet user (who had a home page containing Church of Scientology material) for copyright infringement and trade secret misappropriation, seeking an injunction against further infringement. The claim against the user failed because the user had already modified her page to delete some materials and had retained only those materials that had been published before (and therefore were not trade secrets), and the remainder were subject to the Danish equivalent of fair use. As for the ISPs, the court concluded that the ISPs had no knowledge of what their users do and no ability to influence such actions. Therefore, "there is no reason to hold them responsible for wrongful acts of users, e.g., copyright infringements by third parties." However, the court might have reached a different result if the ISP knew of the users’ actions and further knew they were unequivocally wrongful.
There have been two reported cases in the United States that have addressed sysop liability for defamation.
The first case is Cubby v. CompuServe, a 1991 decision from the Federal district court in New York City. In this case, CompuServe, an international online service, contracted with Cameron Communications for Cameron to manage CompuServe’s Journalism Forum. Cameron in turn contracted with Don Fitzpatrick Associates for Fitzpatrick to supply its periodical "Rumorville USA" to the Journalism Forum. In addition to being CompuServe subscribers, Rumorville readers had to contract with Fitzpatrick for the right to read the periodical. CompuServe’s only compensation related to Rumorville was for the time its users spent online reading Rumorville; it received no share of the subscriptions paid to Fitzpatrick nor made a separate subscription or access fee charge to readers.
In 1990, Rumorville USA published some statements that the plaintiffs alleged were defamatory, and the plaintiffs sued CompuServe and Fitzpatrick for libel, business disparagement and unfair competition. In the case, CompuServe asked for the court to dismiss CompuServe from further proceedings.
At issue is whether CompuServe was a "publisher" of Rumorville or a "distributor" of Rumorville. The law accords special protection to distributors, because to impose excessive liability on them would force them to review all content they distribute, which is an impermissibly heavy burden under the First Amendment. The court concluded that "CompuServe . . . is in essence an electronic, for-profit library . . ." and noted that once CompuServe (or, in this case, its independent contractor) decides to carry a publication, it will exercise little editorial control over the contents of that publication.
Therefore, CompuServe could be liable for the contents of Rumorville only if it knew or had reason to know of the allegedly defamatory statements. Since CompuServe did not review the contents of Rumorville before it was published, and did not otherwise have any reason to know of defamatory statements in Rumorville, CompuServe was not liable for Rumorville’s statements.
The court also rejected vicarious liability on CompuServe’s part for the actions of Cameron and Fitzpatrick, noting that CompuServe had delegated management of the Journalism Forum to Cameron. The court rejected arguments that CompuServe’s requirement that Cameron manage the forum in accordance with CompuServe’s standards, CompuServe’s training of Cameron and the indemnity from CompuServe to Cameron were sufficient to give CompuServe control over Cameron.
For many years lawyers and industry members believed that the Cubby case was the definitive statement regarding sysop liability for the statements or actions of its users. Indeed, until the Frena case, the Cubby case was the only reported case on the subject. Furthermore, the standard articulated in Cubby--that CompuServe was liable only if it knew or had reason to know of the allegedly defamatory statement--provided a reasonably well-defined, relatively high threshold for insulating sysops from liability.
Thus, the industry received a rude shock from Stratton Oakmont v. Prodigy, a decision handed down by the New York Supreme Court (the lowest court in New York) in May 1995. The case involved postings to Prodigy’s Money Talk forum that allegedly defamed Stratton Oakmont and its president. These postings were made from an inactive account held by a former employee, and therefore the poster was effectively anonymous. Again, the issue was whether Prodigy was a "publisher" of the statements and therefore subject to a higher standards of potential liability for defamation.
Throughout the early 1990s, Prodigy had aggressively marketed itself as the family-oriented online service. In particular, Prodigy had claimed to exercise editorial control over its contents and had repeatedly analogized itself to a newspaper. To accomplish its objectives, at one time Prodigy had deployed dozens of employees who prescreened and reviewed every public posting before it was made public. Prodigy also used a number of techniques to control the content made publicly available on its service: using software that prescreened for a proscribed list of words; promulgating user guidelines which prohibited messages that were insulting, harassing, in bad taste or grossly repugnant to the community, or harmful to a harmonious community; using "Board Leaders" to enforce these guidelines; and making available technical tools for Board Leaders to delete offensive messages.
The court concluded that Prodigy was a publisher as a matter of law, and therefore subject to liability for defamation as a publisher, for two primary reasons. First, Prodigy had held itself out as exercising editorial control. Second, the use of prescreening software and Board Leaders to enforce subjective guidelines meant that Prodigy was making decisions about content.
Furthermore, the court held that the Money Talk forum’s Board Leader was an agent of Prodigy, and therefore Prodigy was vicariously liable for the Board Leader’s actions. Despite rather clear language in Prodigy’s agreement with the Board Leaders disclaiming an agency relationship, the court found that by requiring the Board Leaders to enforce Prodigy’s guidelines and by requiring Board Leaders to seek guidance from Prodigy, Prodigy had "managed" the Board Leaders such that they were considered agents as a matter of law.
The Stratton Oakmont case was widely criticized when it was issued, in part because of the sweeping implications of the court’s ruling and in part because of its inability to be easily reconciled with the Cubby case. Indeed, by 1994 (the time of the postings at issue in Stratton Oakmont), Prodigy was no longer attempting to control the content on its system in a meaningfully different way than was AOL or CompuServe. However, there is no doubt that the Stratton Oakmont result can be explained in part by Prodigy’s very public assertions in the early 1990s about its exercise of editorial control--assertions that came back to haunt Prodigy (although the case ultimately settled without Prodigy having to pay any money to Stratton Oakmont).
As discussed below, the Stratton Oakmont case may no longer be good law. However, a few lessons can still be learned from it. First, any marketing campaign must be carefully considered in the context of the legal environment that the company operates in. Prodigy may very well have been able to persuade the judge to follow the Cubby reasoning if Prodigy did not have all of its declarations from years past to explain away. Second, although manipulation of user content is necessarily required in the process of making it publicly available, the more manipulation performed, the more than a technologically-challenged judge might consider it to be a form of editorial control. Therefore, despite the many advantages to automatic word filters, these filters can support a claim of editorial control and therefore should be used advisedly. Third, user agreements regarding the posting of content should be drafted extremely carefully, so that "subjective" standards are minimized. Typically, a clause requiring users not to make any illegal postings is sufficient to restrict most noxious conduct--without creating the opportunity for the sysop to be perceived as applying "subjective" standards that look like editorial control.
Obscenity and Pornography
Although there have been many cases involving sysop liability for obscene or pornographic material, none of these cases have involved sysop liability for user postings.
However, the Communications Decency Act (the "CDA"), a portion of the Telecommunications Act of 1996, deals squarely with sysop liability for "indecent" postings by their users. Generally, the CDA prohibits users from knowingly sending content that is "obscene, lewd, lascivious, filthy or indecent, with intent to annoy, abuse, threaten or harass" another person or sending content that is obscene or indecent knowing that the recipient is under 18. The CDA also prohibits knowingly sending or displaying content to persons under 18 any content that, in context, depicts or describes, in terms patently offensive as measured by contemporary community standards, sexual or excretory activities or organs.
In both cases, a person that knowingly permits any "telecommunications facility" under their control to be used for such activities, with the intent that the facilities be used for such activities, is also liable.
There are many defenses described in the CDA, and mapping out the contours of these defenses is beyond the scope of this paper. However, in many cases such analysis is currently moot: almost all of the operative provisions of the CDA have been enjoined in the much-heralded case ACLU v. Reno. The ACLU case is currently pending before the U.S. Supreme Court, and a ruling is expected in mid-1997.
Nevertheless, one defense enumerated in the CDA is particularly important: "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." The legislative history on this provision says "[o]ne of the specific purposes of this section is to overrule Stratton Oakmont v. Prodigy and any other similar decisions which have treated such providers as publishers or speakers of content that is not their own because they have restricted access to objectionable material."
This section raises as many questions as it answers. On its face, it appears to negate many forms of sysop liability for third party actions or statements, resolving many of the ambiguities discussed in this paper. On the other hand, there are several questions:
* Will courts give effect to this provision if the remainder of the operative provisions of the CDA are permanently struck down as unconstitutional?
* Will courts give effect to this provision if the sysop is not trying to restrict access to objectionable materials but is merely exercising a more general form of editorial control?
* Will this language be extended to cover sysop liability for copyright infringement, which does not use the term "publisher" or "speaker" but instead uses the terms "reproduce," "distribute," and "publicly display"?
The Frena and Sega cases both addressed sysop liability for trademark infringement. However, in both cases the sysop was the party taking the actions resulting in trademark infringement. In Frena’s case, Frena had inserted his own proprietary rights notices into the GIFs; in the Sega case, the sysop had developed file descriptions and hierarchies which used Sega’s trademarks. Therefore, these cases contribute little to our understanding of sysop liability for third party trademark infringement.
However, a decision somewhat relevant to this topic was reached in Panavision v. Toeppen in a decision reached in November 1996 in a federal district court in Los Angeles. In the case, the domain name registry Network Solutions, Inc. ("NSI") was sued for negligent interference with prospective economic advantage for giving the domain names panavision.com and panaflex.com (both of which are registered trademarks owned by Panavision) to Dennis Toeppen, a notorious domain name hijacker. The tort of for negligent interference with prospective economic advantage is a relatively nebulous one and therefore courts are reluctant to extend liability too far--therefore, defendants must have a "special relationship" with plaintiffs in order to be liable. The Panavision court ruled that such a special relationship did not exist between NSI and Panavision. NSI did not know that Toeppen’s actions were intended to interfere with Panavision’s rights, and "NSI is under no general duty to investigate whether a given registration is improper." Although this language is context-specific to the general duties of registries for negligent interference with prospective economic advantage, the reasoning of the case might apply to insulate sysops for trademark infringements committed by their users.
So What Have We Learned?
There are no clear trends about whether or not we really want sysops to act as the guarantor for the harms caused by their users. The Frena, Sega I and Stratton Oakmont cases very liberally imposed liability on sysops. Other cases, such as Netcom and Cubby, have imposed significant hurdles on finding sysops liable. The legislative trends have been no more clear. The rumblings made in Congress and at the WIPO conference towards increased sysop liability are ominous; but the CDA, roundly criticized as a horrendous law, seems to absolve sysops for many types of liability.
In the midst of the confusion, however, one phrase comes up repeatedly: did the sysop "know or have reason to know" of the harmful conduct? This standard requires that the sysop had actual knowledge or deliberately ignored the problem before imposing liability on the sysop. On the other hand, it does give harmed third parties, like copyright owners or defamed parties, the opportunity to limit their harm by forcing the sysop to take action when the harmed party informs the sysop of the problem. This solution avoids a legal regime of liability so chilling as to drive sysops out of the business, without permitting anarchy to reign on the Internet.
Nevertheless, there is no promise that the rules to be developed regarding sysop liability will strike any balance at all. As more cases are decided by judges who do not understand the technology, and as more sweeping and broad legislation is introduced by legislators who do not understand the technology, the only predictable results are chaos, confusion and long battles to preserve the emerging cyberspace industry.