Holding Internet Service Providers Accountable: Would Indirect Liability Reduce Costly Cyberspace Externalities?

Article excerpt

INTERNET SERVICE PROVIDERS (ISPS) ARE LARGELY immune from legal liability for the various forms of online malfeasance to which they contribute. America Online, for example, paid Matt Drudge $3,000 a month to write an online gossip column; but when Drudge used the column to accuse Clinton appointee Sidney Blumenthal of spousal abuse, a federal judge ruled that AOL bore no responsibility for the smear. Similarly, Verizon Communications today counts among its subscribers an untold number of peer-to-peer pirates, yet the firm faces no financial liability for copyright infringement online and, indeed, does almost nothing to help copyright holders defend their work.

This is surprising. After all, while it surely would be unwise to punish 1sps for every bad act committed by their subscribers and it would be equally foolish to force service providers to play policeman in instances where the costs of doing so would overwhelm any plausible benefits, legal liability can take more modest forms. With respect to copyright infringement, for instance, why not require ISps to deliver warnings to accused subscribers? Infringers are anonymous Internet Protocol (IP) addresses to copyright holders, so copyright holders have a hard time delivering warnings themselves. But an ISP can easily match an accused IP address to a real-world name and billing address, and thus an tsp can easily deliver a warning that would remind an accused subscriber that piracy is illegal and that "the complaining copyright holder might take his evidence to court, where we will be forced to reveal your identity and provide further evidence of your alleged bad acts." Imagine the shiver that would go down an infringer's spine upon finding that note in his mailbox, complete with a specific accusation that he downloaded Madonna last Tuesday at midnight from his bedroom computer.

The copyright and defamation immunities to which I allude have been in place for years and would be difficult to displace. I therefore want to focus instead on what is shaping up to be the next immunity battle: the recent push to immunize Internet service providers for their role in the propagation of worms, viruses, and other forms of malicious computer code. Drawing analogies to copyright and defamation, com'ts have in recent years read the relevant statutes and interpreted common law principles such that ISps are today almost entirely unaccountable for issues of cybersecurity. But, as I will argue here, immunity in this instance is hard to defend on policy grounds and it is sharply inconsistent with the conventional logic of indirect liability.


Indirect liability is said to attach in instances where the law holds one party liable for a wrong committed by another. A familiar setting is the employment relationship, where an employer can be held liable for torts committed on the job by his employees. But other examples abound. Bars are sometimes held liable when bartenders serve alcoholic beverages to patrons who later harm others while driving under the influence. A motor vehicle owner can be held to account if a driver to whom he loans his car ends up causing an accident. Landlords are sometimes on the hook if they take inadequate precautions against criminal activity that harms tenants. Even product liability law has this same basic structure: A buyer might use a dangerous product in a negligent manner and cause injury to a third party; if the victim can show that the accident would not have occurred had the manufacturer employed better product design, the victim might be able to recover from the manufacturer instead of (or in addition to) the buyer.

LIABILITY BY CONTRACT Conventional economic analysis suggests that an explicit rule imposing indirect liability is not necessary when two conditions are simultaneously met: first, the relevant direct actors are subject to the effective reach of the law, which is to say that the employees, drivers, and criminals discussed in the previous examples are easy to identify and have assets that are sufficient to pay for any harm caused; and, second, transaction costs are such that the direct actors can use contract law to shift responsibility to any party that might otherwise be an attractive target for indirect liability. …