Tuesday 25 May 2010

Q: When is a fine not a fine? A: When it’s legal fees.

Although she is late off the mark with this, Matron can’t help being somewhat irked about the level of cross-cultural misinformation surrounding the German Supreme Court’s decision on open wi-fi networks. A number of commentators, including Outlaw and the SCL Editor’s blog, reported that the court has "fined" the owner of a wi-fi network because he did not secure it with a password and it was used to download music without the copyright holder's permission. Even though Outlaw then makes it clear that the “fine” consisted in the payment of legal fees, this does little to detract from the sense of uproar instilled by the article’s headline. So what actually happened?

A musician had sued the owner of a (private) unsecured wi-fi connection because his connection was used to illegally download that musician’s music. The owner of the wi-fi network could prove that he had been away on holiday at the relevant time and was understandably upset at being held responsible for that unlawful activity. As far as Matron could ascertain (the full decision has not yet been published), the musician sued the owner on two counts: (1) for payment of damages in respect of the unlawful use of his music and (2) for omission of the behaviour that enabled the unlawful activity to take place (that is, leaving his wi-fi open). The claimant's lawyers, who had been instructed to enforce the claim, also requested payment of their legal fees, incurred in relation to the sending of the letter requesting payment of damages and omission.

The court held that:

1. The owner of an open wi-fi network did not have to pay damages unless the claimant could prove that the owner himself was involved in the unlawful activity (rather than just enabling it by leaving his wi-fi network unsecured).

2. The owner of an open wi-fi network was under an obligation to secure his wi-fi network by taking the technical steps deemed adequate at the time of installation.

3. The owner of an unsecured wi-fi connection was liable for the legal fees of a claimant who could prove that this enabled behaviour that damaged the claimant’s rights. However, the court capped the fees that a claimant can claim in this respect at 100 Euro.

There has been a lot of huffing and puffing about this decision from all corners of the internet with many predicting that this is going to be the thin end of the wedge as far as online copyright enforcement is concerned. But before we all jump to that conclusion, let’s put the judgement into its proper legal and cultural context.

To start with, the fact that the defendant in this case was not found liable to pay damages to the claimant is surely a positive and well-reasoned step in the right direction. The owner of a wi-fi network may be under an obligation to secure that network, but he will not become vicariously liable for any unlawful activity that other people use it for. Claims that the court has created a new intermediate liability for private individuals are therefore wildly exaggerated.

Of course, the decision is not without its problems. In this particular case, the defendant could prove that he was on holiday when the illegal activity took place. But what happens in cases where that isn’t possible? What level of proof will be required from the claimant? Might there even be, heaven forbid, a reversal of the burden of proof whereby the owner of an unsecured wi-fi network will have to exculpate himself? For the answer to those questions we will have to wait for the next judgement, I’m afraid. But stranger things have happened at sea and in German case law and we would do well to keep a watchful eye on developments.

Secondly, the German court has unequivocally stated that he who runs a wi-fi network must secure it. This is the point that many find disturbing, but given the existence of certain longstanding private law concepts (in particular the concept of “Störerhaftung”), it will not come as a surprise to anyone qualified in German law. “Störerhaftung” effectively means that if you create or operate something that is likely to infringe the rights of a third party, then that third party has the right to request you to stop creating or operating that something (the right to claim an omission).

Other examples of this type of claim include the right of a property owner to stop someone from building a factory next door which emits dangerous fumes or to prevent the owner of a neighbouring property from setting up a building that blocks all his light or television reception. In relation to online activity, this concept has long been the basis of intermediary liability of ISPs, website hosts and platform owners (whose liability is then in turn limited through the provisions implementing Articles 12 to 14 of the E-commerce Directive). We may not appreciate the end result, but like the courts in other countries German courts must enforce and interpret statute law (in this case section 1004 of the German Civil Code), and with a lot of interpretative history in this area, it is relatively easy to see why the Supreme Court decided as it did.

At the same time, one could argue that the court has also set the bar for avoiding this sort of liability fairly low. All it requires is that, at the time of installation, owners install the most recent form of security (which should normally be what the router comes with anyway) and change the factory-set password to a personal one. If they do that, owners can run the thing for as long as they want, security measures can improve vastly during that time, but they are under no obligation to upgrade or even check it. They only have to do it once.

Now, this comes as no relief to:
  • people like Matron’s mother who would not know how to install security if it hit her in the face with a large stick (fortunately the nice man from Deutsche Telekom did it for her, and Matron expects that ISPs will take this judgement as an opportunity to widen their service offerings in this area),
  • cafes and other outlets who run open wi-fi systems (although the question here is whether the court will accept other ways to secure those networks, like an additional requirement to sign in), or
  • individuals who believe in open wi-fi.

However, maybe we should put our preconceptions aside here for a bit and ask ourselves whether, all things being equal, it is not a fairly rational demand to ask people to secure their wi-fi? Matron is all for an open network, but the fact of the matter is that that network can be used for good or ill. We are not only talking unlawful downloads here, but other things like the organisation of criminal networks, terrorist activity and the distribution of child pornography (and if readers could please take a moment here to comprehend Matron’s pain at having to play the kiddie porn card).

It is very nice that we may want to share. Sharing is good and fun and kind and we should all do it more often. But if we left our car unlocked with the keys in the ignition, knowing that any passer-by could help himself to it, would we really expect to escape liability if that passer-by turned out to be someone without a driving licence who then causes an accident? Of course we wouldn't! We accept that we are expected to take certain precautionary measures, both to protect our own property (and let’s not forget that an unsecured wi-fi is also an open door to our own information) and that of others. Why should things be different online? Go on folks, move with the times!

Finally, let us turn to the small question of the “fine”. Of course, if you categorically believe that owners should be allowed to run unsecured wi-fi networks, then having to pay someone else’s legal fees just adds (financial) injury to (ideological) insult. However, those of us who see some wisdom in a requirement to secure a wi-fi network must try to evaluate this part of the judgement more reasonably. For this Matron has to dig a little deeper into the way German lawyers are paid.

Lawyers’ fees are generally calculated on the basis of the “case value”. A fee table exists which sets out the amount a lawyer can charge for a particular action (for example, sending a letter before action or serving a writ) relative to the case value. The way that case value itself is calculated is relatively easy in cases like debt collection (the amount of the debt owed) but more complicated in relation to other situations. Before 2008, the way in which the case value of copyright cases was calculated had more to do with the premise of “what-can-I-get-away-with?” than any comprehensible tabulation and the courts in fact accepted case values of 10,000 Euro (proposed by the lawyers for the claimant, of course) for relatively minor infringements. This meant that potential infringers of copyright who received a lawyer’s letter requesting them to cease their infringing behaviour were, at the same time, asked to pay hundreds if not thousands of Euro in legal fees for the pleasure. This, in turn, led to something that can only be described as “fee-farming” with law firms sending hundreds of similarly phrased letters to people accused of infringement (for example, if they displayed photographs of a protected mark on eBay to sell their old household goods) just for the money it brought in. In September 2008, a new law was adopted to counteract this practice. It limited the fee that lawyers can charge for such letters to 100 Euro. The “fine” the court imposed in our wi-fi case was therefore nothing more than the application of a new law that was brought in specifically for the purpose of consumer protection.

This doesn’t change the fact that 100 Euro is still a lot of money for some people. But it beats the hell out of the threatening effect that a bill for 1,000 Euro would have had. And - Matron must come back to this fact - it can be avoided by taking a few simple security measures when you first set up your wi-fi network.

So here we are then. Was this a scary and dreadful judgement? Matron doesn’t think so. In an ideal world we could of course all leave our windows open and our front doors unlocked while we swan off for a three-week holiday in the Caribbean. But that ideal world we have yet to create. Back in the real world, we make damn sure that we have left our car in a secure car park, engaged our five-lever mortice locks and switched on the alarm. It’s common sense, really, and maybe we could do with a bit more of that online.


  1. Matron enquires: "But if we left our car unlocked with the keys in the ignition, knowing that any passer-by could help himself to it, would we really expect to escape liability if that passer-by turned out to be someone without a driving licence who then causes an accident?"

    If we were in England, yes indeed we really would. Anglo-Saxon common law has no equivalent to “Störerhaftung”, a general liability for not preventing others from using one’s possessions to cause harm. There are limited rights to sue for nuisance and under the rule in Rylands v Fletcher, but no general responsibility.

    So perhaps this helps to explain some of the dismay at the German court's judgment.

    Meanwhile, perhaps we should write to the Highways Agency to demand that it takes steps to secure public roads in order to prevent criminals from using them to get away after burgling us; and it would be nice if our lawyers could claim £100 a letter for making this demand.

  2. "Anglo-Saxon common law has no equivalent to “Störerhaftung”, a general liability for not preventing others from using one’s possessions to cause harm. [...]
    So perhaps this helps to explain some of the dismay at the German court's judgment."

    Indeed it may. Admittedly German law is a lot more paternalistic. Which is why Germans will be liable in civil law if they DON'T shovel the snow off their drive and someone breaks a leg (rather than if they DO, as seems to be possible over here) and why they risk criminal liability and a prison sentence of up to one year if they see someone bleed to death in a ditch, but just walk by without offering reasonable assistance.

    At the risk of coming over all "Big Society" on this issue, isn't there some merit in invoking individual as well as collective responsibility for preventing harm to others (and I am not necessarily talking about preventing filesharing here, the lawfulness of which is a completely separate issue that should, of course, be resolved in other ways, like collective licensing schemes and extended private use exceptions)?

    Of course, it would be nice if people took that sort of responsibility of their own accord without being legislatively or judicially coerced. But it doesn't always seem to work. So in the absence of a viable carrot, is the use of a small stick really such a problem?

  3. To impose general civil or even criminal liability for omissions, especially for omitting to prevent unknown third parties from causing harm through the misuse of one’s property, doesn't seem to me a small stick at all. It seems an unlimitedly large one.

    If there is to be liability for omissions, it ought to be limited in scope to clearly foreseeable cases where the social benefit justifies the burden. I take this to be the basis of the English law exceptions to the general rule against liability for omissions.

    I for one find this greatly preferable to a paternalistic general rule imposing liability.

    And I am all for the ability to use the Internet anonymously as we can the mail, the roads or the railways. In each case, some crime is harder to detect or prevent as a result, including some serious crime. That's the price of the freedom in question.

  4. Nicholas Bohm said...

    "To impose general civil or even criminal liability for omissions, especially for omitting to prevent unknown third parties from causing harm through the misuse of one’s property, doesn't seem to me a small stick at all. It seems an unlimitedly large one."

    Except that, in the German case, it is not unlimited - in the sense that there is a clear 'cap' of 100 Euro on the wifi network owner's liability. For instance, suppose the unauthorised user of that network commits 10,000 Euro-worth of fraud... there is no suggestion that the network owner has any liability for that.

    There's an equivalent, I think, in the model which has evolved since the late 90s regarding the liability associated with operating a public key Certification Authority (CA). Initially, potential operators of CAs were scared off by the idea that they might end up bearing liability for all losses arising out of misuse of certificates they issued... for instance, with relying parties suing them for the cost of fraudulent transactions.

    In relatively short order, the business model developed so that the CA had a carefully circumscribed set of responsibilities (for instance, to ensure that their own "signing" keys are adequately secured, and that incoming public keys are robustly certified), but liabilities arising out of subsequent *use* of such certificates were outside the scope of the CA's liability.

    Now, I acknowledge that this is no more than an analogy (there are distinctions of contractual vs statutory duties, privity of contract and so on), but it does suggest that there can be practical ways of sub-dividing and allocating liability - which is what the German example appears to me to achieve.

  5. The CA liability model is contractual (or tries to be), not imposed by law. It's just another example of a standard form contract (and not one whose terms are worth a dud halfpenny, in my view, but that's utterly beside the point here).

    The interesting question is whether more people bleed to death in ditches ignored by passers-by in England than suffer that fate in Germany as a result of the imposition of liability.

    Does Matron know?