
On malicious webpages, hosting providers… and the myth of technological neutrality!


In an article covering the issue of malicious webpages and what techies call ‘drive-by-downloads’, Huw Fryer, Tim Chown and I suggest that one solution might lie in the imposition upon hosting providers of precautionary duties involving the systematic scanning of the websites they host on their platforms. [The article will be published soon but is on file with the author if you would like to be sent a preview copy.]

The article starts with the following observation:

“The perception that malware only resides on ‘suspect’ sites such as file sharing sites, or those carrying pornography is now far from reality. Commonly, an attacker will seek to compromise an otherwise legitimate website and use that to distribute malware. They may also attempt to place malware on a cheap throwaway domain name, but it is harder for ISPs or authorities to take measures against a legitimate website, and it also increases the probability of a potential victim visiting it. Where the target is a website on a trending topic, the risk of exposure is even greater. With the rise of blogging and similar content creation, there is also a significant risk of vulnerabilities in common blogging platforms, such as WordPress, exposing visitors to such sites to potential drive-by malware”. […which did not prevent us from using WordPress ooops!]

This imposition of a precautionary duty should not deprive hosting providers of the benefit of Article 14 of the e-commerce Directive, however, since, to use the language of the Court of Justice of the European Union (CJEU) in L’Oréal and Others, it should not be possible to infer that a service provider acting as a diligent economic operator and scanning its hosting platform to detect malware was thereby also in a position to identify all types of unlawful content on its platform. Why are we arguing that hosting providers should be made to systematically scan their platforms? Well, Huw found out that a few players in the field were starting to offer such a service but they were too few to make a difference, as there were not enough incentives for others to follow. Furthermore, legally speaking, it makes more sense to rely upon hosting providers to bear this duty than to impose it upon end-users or other intermediaries such as Internet service providers (understood as Internet access providers) or search engines.

This makes me think that the EU horizontal regime for Internet intermediaries’ liability exemptions to be found in the e-commerce Directive is far from being satisfactory […as unsatisfactory as the breadth of the US section 230 of the Communications Decency Act, I have to say].

One of the reasons lies in the fact that since Advocate General Maduro issued his opinion to the CJEU in the Google v Vuitton case of 2010, it is believed that Internet intermediaries – such as mere conduits (i.e. Internet service providers acting as Internet access providers), caching providers but also hosting providers – are passive actors and should remain passive actors in order to benefit from these immunities. [Truly the e-commerce Directive does not really help. See Recital 42, although this recital seems to only concern mere conduits and eventually caching providers].

The recent decision of the CJEU in the case of Papasavvas and others decided on 9 September 2014 is no exception to this finding. Paragraph 40 reads as follows:

“It follows, moreover, from recital 42 in the preamble to Directive 2000/31 that the exemptions from liability established in that directive cover only cases in which the activity of the information society service provider is of a merely technical, automatic and passive nature, which implies that that service provider has neither knowledge of nor control over the information which is transmitted or stored”.

This case [a defamation case] was an easy case as the provider at stake was a newspaper publishing company distributing an online version of the newspaper on its website. The CJEU held that as such a provider “has, in principle, knowledge about the information which it posts and exercises control over that information, it cannot be considered to be an ‘intermediary service provider’ within the meaning of Articles 12 to 14 of Directive 2000/31, whether or not access to that website is free of charge”.

But is an Internet service provider (acting as an Internet access provider) really a passive actor when it implements systematic deep packet inspection practices, e.g. for purposes such as preventing the diffusion of child pornography, preventing copyright infringement, trade mark infringement, traffic management, or even network security? Is a hosting provider a passive actor when it does regulate the behaviour of its users on the basis of its terms and conditions by, for example, suspending or terminating their accounts?

Besides, ironically, the very assumption that Internet intermediaries are passive actors is expressly undermined by the possibility to enjoin these intermediaries to implement technological measures to prevent the future diffusion of unlawful activities. And this is exactly what Articles 12, 13 and 14 of the e-commerce Directive provide for, not to mention Article 8 of the information society Directive and also Article 11 of the IP rights enforcement Directive.

As a result, if Internet intermediaries benefit from a light-touch liability regime for third-party content, this is first of all [for good or bad] because deciding otherwise would be too costly: too costly for them to screen everything and acquire the resources to assess the lawfulness of third-party content. [Notably for a newspaper publishing company and its own website the costs are relatively low, hence the inapplicability of the exemption]. But when it becomes possible to alleviate part of these costs by e.g. identifying beforehand infringing content or websites for these intermediaries, they are then required to step in.

Wouldn’t it be better to finally acknowledge the active role of Internet intermediaries and to be slightly more sectorial by making Internet intermediaries’ duties vary in relation to the type of content at stake? It might also be that a Good Samaritan provision could become useful… [even if Samaritans are not very popular these days…]

Sophie Stalla-Bourdillon

3 thoughts on “On malicious webpages, hosting providers… and the myth of technological neutrality!”

  1. I would be very interested in reading your article, Sophie.

    Does it take into account the commercial impact of imposing an increased regulatory burden on the operators of web hosting services in terms of such scanning? An economic impact assessment would be critically important in determining whether such an obligation would be proportionate.

    However, I suspect it would be a moot point anyway, unless also imposed on access providers, since it would be incredibly difficult to impose the obligation on overseas hosting providers, and would likely just equate to an additional burden on domestic providers, making them less competitive. Similarly, given how trivial it is to run one’s own web server, I wonder whether we would not just see a move from commercial hosting providers to the connection of own servers to the Internet, behind a reverse proxy to make changing the public-facing address very easy.

    In terms of a model for liability for service providers, I personally favour the Singaporean model: no liability, even with knowledge. This seems a far more appropriate position than gradually (or even quickly) eroding the notion of the intermediary liability shield!

    • The paper is on its way! I see your point re the liability shield, but the paper only concerns malware and when it comes to malware and measures adopted to address these issues by private actors, it is very difficult to make the market function properly.

  2. Great – I look forward to reading it. Thanks, Sophie.

    This has been a live issue for me for some time now, bringing in interesting points about the current state of interception law too, given the actions in question.

    See you soon,

