Never having to say sorry

Andrew Charlesworth looks at criminal liability in the fourth of his series on Internet law. What should or should not be published, what is or is not obscene, and what the general public have or do not have the right to know, are naturally divisive issues. Thus it is no surprise that the development of the World Wide Web has led to sweeping statements by ill-informed media pundits about the absolute freedom of speech, and freedom from censorship, in cyberspace.

It is true that the Internet in general, and the Web in particular, has made it unprecedentedly easy for individuals to publish material. It is also true that the criminal law and those who enforce it have taken some time to come to terms with the implications of that change. However, from the increasing number of Internet related criminal prosecutions in the UK and abroad, it would seem that the initial shock is now wearing off.

Existing laws can and will be applied to the Web where the courts think it appropriate, and it would be wise for educational institutions to understand where potential criminal liability might lie, and to warn their officers and members accordingly.

The actual degree and nature of computer crime, particularly as it affects the WWW, is extremely difficult to gauge. Surveys such as Opportunity Makes a Thief: An Analysis of Computer Abuse, the fifth triennial report of the Audit Commission on the extent of computer abuse and fraud in the United Kingdom (1994, HMSO Publications) suggest that while computer crime is clearly on the increase, the majority of it is committed by individuals against their employers in a business environment. On the Web, crime and criminal liability have so far played a fairly low key role.

What might be described as webcrime can be divided into three categories. First, Web server and Web page owners may commit an offence in providing illegal material for display or downloading via a Web page or a link from a Web page. Second and more surprising is the risk that even those merely browsing the Web may be guilty of the display or downloading of illegal material. Finally, there is the issue of hacking. This might include illegal access to a Web server, the unauthorised altering or deleting of material on a Web server, or the illegal interception of communications such as credit card numbers.

The most obvious (at least, it seems, to journalists) crime that might be carried out via the Web is the distribution of computer pornography. This is covered by a number of legislative provisions including section 43 of the Telecommunications Act 1984, the Obscene Publications Act 1959, and with regard to child pornography, new legislation in the form of sections 84-87 of the Criminal Justice and Public Order Act 1994. The relevant provisions of this Act, which amend other legislation including the Protection of Children Act 1978, are aimed specifically at computer generated and distributed pornography.

Despite this impressive array of legislative weapons, when one looks behind the media hype the figures suggest that, at least until recently, computer generated and distributed pornography has not been a major problem. In the period 1991-93, of the 976 obscenity cases handled by the Crown Prosecution Service, only 11 involved computer pornography and only seven of those went to court (The Guardian September 1994). That having been said, the Web was only in its infancy in 1993, and there now seems to be no end to the number of articles such as the one entitled "Computer going down" (The Guardian August 24 1994) which noted that a University of Wales computer was put out of action for two days by an overload caused by a student downloading pornography from the United States.

Those placing pornographic material on the Web can largely be divided into two categories: people who are maintaining small personal collections of pornography, which can be accessed at no charge, and commercial Web sites which contain large amounts of pornography but which charge for access to all but a very small amount of it. The latter appears to be the major area of growth. Those in the former category are usually individuals who have Net access through their university, their employer or a service provider (ISP).

Universities, employers and ISPs are not usually willing carriers of such material. Most Web sites, particularly those based at academic institutions, are keen to avoid any problems with hard or soft core pornography. A great deal of control can be exercised without the aid of the law, even where the law of the country involved does not forbid such material. For instance, Web servers at the University of Delft in the Netherlands (hard and soft core) and the Conservatoire National des Arts et Metiers in France (soft core), which carried such pictures downloaded by automatic newsfeed from Usenet groups, were both forced to remove the offending material by pressure from their governing bodies. But a powerful secondary reason for the removal appears to have been the fact that the machines on which the material was placed could not be used for university purposes owing to the sheer volume of requests.

Pornography is not the only form of published information which may result in criminal liability. It has been suggested that publishing material that might be used in order to breach computer security, or to facilitate unauthorised entry into computer systems, will be caught by those provisions of the Computer Misuse Act 1990 that deal with the issue of conspiracy to commit an offence under the Act. This is supported by the recent conviction of Christopher Pile, the so-called Black Baron, who admitted 11 charges under the Computer Misuse Act 1990 of writing and distributing computer viruses, and one charge of inciting others to spread computer viruses. It is unclear how far this could be extended to other potentially undesirable types of information, such as explosive making manuals. Equally unclear is the potential liability of an institution that carries hacker-related newsgroups such as alt.2600 on its Usenet newsfeed.

The Public Order Act 1986, which outlaws racist propaganda, may also be relevant. The Act says that an individual who publishes or distributes written material which is abusive, threatening or insulting to the public, or to a section of the public, or who has such material intending it to be displayed published or distributed, will be guilty of an offence if that person intends to stir up racial hatred, or if, in the circumstances, racial hatred is likely to be stirred up. However, as yet, little use appears to have been made of this law in electronic forums or anywhere else.

Unauthorised access and alteration to Web servers, and the interception of information collected by Web mechanisms, would appear to be covered by existing criminal law, particularly sections 1-3 of the Computer Misuse Act 1990, and the Interception of Communications Act 1985. In such cases, the education institution which plays unwitting host to a hacker is unlikely to be held liable for his actions.

Nevertheless many universities, formerly easy access points to the Net for would-be hackers because of slack network security, have taken action to severely restrict or deny guest user access to their systems. They have made it very clear to users that where unauthorised access to other computer systems from university systems is discovered, it will be dealt with severely.

To avoid criminal liability for the content of Web pages, the solution is similar to that discussed in an earlier article for libel. Education institutions may impose their own rules to govern the content of both institutional and personal Web pages. By this means they can explicitly forbid certain material being published, accessed, or downloaded, on pain of expulsion from the system and perhaps even the institution.

As was mentioned in the first article of this series, the Joint Academic Network (JANET) Acceptable Use Policy is very clear that "the creation or transmission (other than for properly supervised and lawful research purposes) of any offensive obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material" and "the creation or transmission of material which is designed or likely to cause annoyance, inconvenience or needless anxiety" are forbidden.

Institutional rules can be justified as being required to meet that institution's obligations under the JANET membership agreement. Equally, the Telecommunications Act 1984 section 43 states that it is an offence to send "by means of a public telecommunications system, a message or other matter that is grossly offensive or of an indecent, obscene or menacing character".

As most external Web services will involve the use of public telecommunications services at some point, institutional rules should emphasise the fact that criminal proceedings could result from abuse of the system.

Finally, it is important to remember that a Web page is usually accessible world-wide, and when offering either institutional or personal pages on the Web, it is worth considering who may view them. While there are jurisdictions that in some respects are more liberal than our own, such as the US where freedom of speech is protected by the First Amendment, there are many that are not.

With no international agreement over Net jurisdictional issues, it seems unlikely that a Web page on a machine at an education institution in the UK, considered offensive or obscene by nationals of another country, would result in a successful criminal prosecution and a penal sanction actually applied, either there or in the UK. But it might harm other activities of the institution, such as overseas student recruitment and research ventures.

As national law enforcement agencies world-wide develop new co-operative agreements to combat criminal activities such as child pornography, we are likely to see more organised multi-jurisdictional investigations. Jurisdiction hopping, to find the most favourable national venue for a successful prosecution, may become more prevalent.

In such a co-operative climate, Web page owners must be prepared either to deal sympathetically with the laws and values of countries other than their own, as the traditional print publishers have had to do, or to consider restricting the accessibility of their material to specific Internet domains.

AVOIDING LIABILITY

The main steps to avoid liability are : * maintain some effective form of access control over who can use computer facilities, particularly Internet access.

* have a policy on the correct use of its Internet facilities, which is publicised widely to users.

* ensure the policy takes account of the institution's obligations with regard to its service provider concerning the content of Web and other Internet communications.

* ensure the policy takes account of existing United Kingdom criminal provisions, and states that the institution's authorities will ensure that, in the event of a breach of the law being detected, the appropriate enforcement agencies are notified.

* ensure the policy is both effectively and publicly enforced.

Legislation * Obscene Publications Act 1959, s1-4. Defines and criminalises publication of obscene material or having obscene material for publication.

* Protection of Children Act 1978, s1. Concerns the taking and distributing indecent photographs of children.

* Telecommunications Act 1984, s43. Concerns the sending of offensive communications over a public telecommunications network.

*Public Order Act 1986, s17-23. Contains provisions criminalising the inciting of racial hatred.

* Criminal Justice Act 1988, s160. Concerns the possession of indecent photographs of children.

* Computer Misuse Act 1990, s1-7. Criminalises unauthorised access and attempted unauthorised access to any computer, unauthorised access with intent to commit a further offence, modification of the contents of any computer and conspiracy to perform any of the above.

* Criminal Justice and Public Order Act 1994, s84-87. Updates the child pornography laws to take into account electronic storage and distribution of pictures, and pseudo-photographs (pictures electronically altered to portray an indecent image of a child, even where created from non-indecent material).

COMMON LAW PROVISION * The Law of Blasphemy. While this does not appear to have any recent statutory grounding (see the discussion in R v Lemon [1979] 1 All ER 898), and applies only to the Christian religion, it has been used successfully in a prosecution as recently as 1979.

Andrew Charlesworth, (email a.j.charlesworth@law.hull.ac.uk) is director of the information law and technology unit at the University of Hull Law School.