On 5 November 2014 a co-ordinated international law enforcement operation shut down approximately 27 online marketplaces where customers could, among other things, purchase drugs, procure child pornography, solicit prostitution and even orchestrate assassinations. The significance of these marketplaces was not their illicit product but rather that they were located on the "Darknet", a portion of the Internet only accessible through specialised software such as the anonymising TOR network.
TOR, an abbreviation for The Onion Network, has experienced a surge in popularity following Edward Snowden's disclosures concerning the American intelligence community's ability to monitor Internet traffic. TOR allows its users to mask their identity and browsing patterns, obscuring their Internet activities from surveillance agencies or prying employers. TOR has accordingly attracted the interest of individuals who wish to avoid any government 'snooping', be it reporters in oppressive regimes or criminals seeking to avoid law enforcement.
While the technical details of TOR are complex, TOR relies on volunteers to run what is known as Relays, through which all Web traffic on the TOR network is directed. These Relays are not only hosted in large server farms, but are also hosted on family computers and other personal devices. When a TOR user accesses illegal content, this content will be transmitted through a Relay before being accessed by the end user. The question is, whether the ISP (or person) facilitating the TOR browsing session faces any liability?
In South Africa, the transmission of electronic information is regulated by the Electronic Communications and Transactions Act 25 of 2002 ("ECTA"). Chapter XI of ECTA limits the liability of service providers, provided that they have merely acted as a mere conduit for the data they have transmitted and are members of a representative body. Given the commercial impossibility of service providers monitoring every client's Internet usage, ECTA limits the liability on service providers, for their users' Internet usage provided that certain criteria are met.
The limitations of Chapter XI apply only if (a) the service provider is a member of the representative body; and (b) the service provider has adopted and implemented the official code of conduct of that representative body. In South Africa there is currently only one such representative body - the Internet Service Providers' Association, colloquially known as ISPA.
Unfortunately, in requiring ISPs to become members of representative bodies, South Africa has deviated from international best practice (including from the European Union and the United States of America).
While the requirement of membership with a representative body may, at first glance, appear to be a reasonable requirement, it exposes individuals and entities who are not members to massive potential liability. A typical example is Telkom, which is not a member of ISPA and is thus potentially liable for the conduct of its users. Given the scale of Telkom's infrastructure (it services almost every Internet user in South Africa, be it as an ISP or the provider of physical infrastructure), this is clearly an irrational situation.
The effect of ECTA in this regard is chilling. An ISP is forced to either join ISPA (and comply with the ISPA's rules) or potentially face liability for the conduct of its customers. Furthermore, unless private individuals join ISPA (and submit to its rules), they will benefit from the ECTA liability exemptions - something to remember when allowing a guest or customer access to your WiFi network.
Should an ISP customer (or a guest on a WiFi network) access the Darknet (through TOR or similar software) the ISP or network owner may potentially face liability. The goods and services available on the Darknet range from child pornography to orchestrating assassinations to narcotics, and it is clearly a harrowing experience dealing with the authorities in relation to criminal charges in these instances.
ISPs (and any individuals hosting networks or servers) are unfortunately left with two options: - to either join ISPA and benefit from the safe harbour granted by ECTA, or petition parliament to amend Chapter XI of ECTA.
Questions should be asked as to whether the conditions of being a member of ISPA are appropriate. To the extent that ISPs are required to comply with additional requirements found in ISPA's code of conduct, these could instead be incorporated into legislation as direct obligations on the ISPs themselves.
Such an approach would protect persons potentially acting in a similar manner to ISPs but who are not members of a representative body. These persons would be able to benefit from protections provided by ECTA, including the safe harbour provisions.
Share