The legalities of Snooping
Recently, a long-winded discussion started on TMC's administrative ethics forum about snooping and privacy on MUDs. As usual, the debate was heated, revolving about "rights", "obligations" and "expectations" for privacy, player rights, administrator rights, human rights, you name it (Old Usenet rule #7 comes to mind: "Go not to UseNet for counsel, for they will say both `No' and `Yes' and `Try another newsgroup'"). At the time of this writing, the debate still goes on, by the way.
An interesting issue which was only partially raised was about the legal aspects of snooping. So I went back to my search engines and had a look at the available jurisprendence.
As usual, I am no lawyer, and hence this page does not constitute valid legal advice. So I recommend you take my opinions with a grain of salt.
Let me first state that, as a casual immortal, I think of snooping as an administrative tool, just like a who command tracing the IPs of all users. Personally, I use it for debugging purposes (I never reached the privilege required to perform "non-voluntary" snoops anyway).
This being said, the whole debate in the ethics forum was focussed on the need for privacy for players, while some people contended that snoop was necessary anyway, especially when related to potential harassment and other forms of abuse.
My research focusses (again) on the liabilities of admins, related to harasment cases. My findings are therefore closely linked to that situation.
In my reading of current US laws (note that this does specifically not apply to UK laws), a mud admin could probably successfully claim immunity if a complaint or lawsuit is brought against him concerning the actions of one player on the MUD (See USC 47 § 230: "No provider or user of an interactive computer service shall be treated as a publisher or speaker of any information provided by another information content provider.").
This clause, tested in court and now known as the "Zeran" case, has been interpreted in ways which don't hold the provider of a medium of communications liable for the communications between users.
The above-mentionned law has not been often tested nor challenged in court, in fact, there are, to my knowledge, only two other cases who dealt with similar issues, and both concluded that the provider could not be held liable for the actions of their users. In other words, the immunity clause has been upheld in all three cases.
The above-mentionned case (Doe v. AOL) merits some additional considerations, though.
The background to the case is the following:
In 1994, an AOL user lured three minors to engage in sexual activities with him. Activities which were videotaped by this user, who then advertised those tapes in various chatrooms (yeah, it is all quite disgusting).
Doe's mother filed suit against the AOL user and against AOL directly, on the basis that AOL not only should have known that its service was abused for this kind of crimes, but further failed to act by removing the offending content once notified of its existence.
The case went up through three instances, and all ruled to uphold the immunity clause, despite the fact that criminal activity was involved (a quick reading of USC47§230 shows that there is an explicit disclaimer about criminal laws).
The interesting part here is that the appeals court, altough upholding the immunity, held the case alive by raising three questions to the Supreme Court of Florida.
The question pertaining to this research was:
"[...]whether a computer service provider with notice of a defamatory third party posting is entitled to immunity under section 230 of the Communications Decency Act?".
In march 2001, the Florida SC issued an opinion which we will examine in some detail.
The majority opinion in this case ponders at length if AOL is subject to the immunity clause by analyzing if AOL was a publisher or a disctributor of the content. It concludes that AOL is a publisher of content spoken or published by another one and hence entitled to immunity.
In this, the majority, perhaps predictably, just followed the jurisprudence formed by the Zeran case.
Note that the majority opinion was 4:3.
Also, with the lack of other cases, it is almost granted that the next court will revert to both the majority and dissenting opinions in this case. And finally, the dissent raises some serious issues, which are related to snooping in MUDs.
The dissent states the following:
Congress' intent in enacting USC 47§230 was to protect Service Providers from liability when they took actions to block or remove offending content. Instead, Zeran and the majority in Doe have interpreted the law as providing a blanket immunity even in the case the provider fails to act upon notification of criminal material.
Quoting the dissent's interpretation of the immunity clause:
"What conceivable good could a statute purporting to promote ISP
self-policying do if, by virtue of the court's interpretation of this
statute, an ISP which is specifically made aware of child pornography
being distributed by an identified customer, may [...], with impunity,
do absolutely nothing and reap the economic benefit flowing from the activity?
The dissent concludes that the immunity clause should not be used for providers who fail to act when they do know about abuse or criminal conduct on their service.
These are the conclusions I draw from this case:
- The dissent raises a very valid point, which may be considered in future
court decisions: Immunity should not be applied to a failure to act upon
notification of wrongdoing.
Copyright by Alastair, Winter 2002.