Internet Way of Networking Strengthening the Internet

Mapping Intermediary Liability in Latin America

Thanks to our Chapters in Latin America, we now have a clearer map of the intermediary liability regulatory landscape across the region.

Intermediary liability answers the question, “Should Internet intermediaries (ISPs, web hosting and cloud services, social media platforms, etc.)  be liable for content posted or for actions performed by others, such as, for example, their users?”

The success of the Internet depends on intermediary liability regimes that protect Internet providers – by ensuring responsibility for user behavior is on the users themselves, not on the intermediaries upon which they rely (both at the infrastructure and content layers).

The way legal frameworks deal with intermediary liability around the world can impact the Internet way of networking in different ways.

In some countries, intermediary liability legislation is well known: the 1996 US Communications Decency Act (Section 230) and the Brazilian Internet Bill of Rights, for example. But in much of the world it is covered by other more general-purpose regulations, such as tort law, consumer protection law, and child protection law.

We asked our local community to help us map and monitor the current regimes that apply to Internet intermediaries in their countries, so that our work can ensure that policies and regulations related to the matter keep supporting a healthy foundation for the Internet.

The questionnaire we developed in partnership with Chapter leaders was responded to by people from 18 Latin American countries.[1] The responses generated country profiles with detailed descriptions of rules and regulations that can affect intermediary liability in Bolivia, Brazil, Colombia, Chile, the Dominican Republic, Ecuador, Mexico, and Venezuela.

The country profiles provide an up-to-date snapshot of the complex regulatory landscape. The majority of countries still rely on general administrative, civil, and criminal norms that apply more or less uniformly to Internet intermediaries.

Copyright regimes and editorial liability are commonly applied, even if they predate the Internet age. General telecommunications regulations can also comprise rules that apply to Internet intermediaries. Chile is a highlight due to its longstanding network neutrality rules, which impose penalties for intermediaries who interfere with the free flow of data at the infrastructure level.

Brazil is the only country among those listed above that has a specialized intermediary liability regime designed for Internet access providers and Internet application providers. The “Marco Civil” establishes exemptions to providers’ liability in relation to third-party content. Access providers are always exempt from liability for user content and behavior.

Our  mapping exercise is still underway. More country profiles produced by LAC Chapter members are expected for the upcoming months.

The process went beyond gathering up-to-date information. It has also helped us identify people who can promote and defend the importance of strong intermediary liability regimes for the Internet Way of Networking project in support of future community engagement and advocacy.

Based on what we have accomplished so far, we had some ideas on how the Internet Society can keep growing its knowledge base on intermediary liability – with the help of its global community. This could include:

  • Country or Chapter-level working groups to review and expand individual country profiles
  • Additional training and work to inspire and collaborate with other Chapters in the region
  • Additional activities and resources around the topic of intermediary liability
  • Replication of the process in other regions
  • Leveraging our community to serve as a valuable source of input to other mapping exercises, such as the World Intermediary Liability Map

Learn more about the Internet Way of Networking!

We would like to thank the following people for having committed their time and knowledge to help us with this collaborative effort: Roberto Zambrana Flores; Félix Fabian Espinoza Valencia; Flávio R. Wagner; Giovanna Michelato; Lorena Donoso Abarca; German M Fajardo Muriel; César Moliné; Alejandro Pisanty; Viviana Da Silva. Additionally, Nancy Quiros and Christian O’Flaherty contributed to this article.

We would also like to thank these people for their contributions: Graciela Mariani; Hector Ariel Manoff; José Ignacio Alvarez-Hamelin; R  Danton Nunes; Eric Alexander – Venturas; Jorge Augusto Ottoni Nobre de Oliveira; Leonardo Lins;   Miguel Medina; Willy Maurer; Mauricio Alarcón Salvador; Kelvin Atiencia; Ethel Monge de Kuri; Yesenia Granillo; Fernando Manuel Morales Rodas; Jose Anibal Silva de los Angeles; Ernesto Pineda; Sandy Karyna Palma Rodríguez;  Ana Laura Leon; Francisco Javier Huerta Gijón; Simon Perez C.; Haydee Almiron; Dra. Dámaris Mercado Martínez; Alicia Castillo; Eduardo Tomé and Jan Alvarado.

[1] Argentina, Bolívia, Brasil, Chile, Colombia, Costa Rica, Ecuador, El Salvador, Guatemala, Honduras, Mexico, Panama, Paraguay, Peru, Puerto Rico, República Dominicana, Uruguay, Venezuela.

Image by delfi de la Rua via Unsplash

Encryption Strengthening the Internet

The Internet “Just Works”: The EARN IT Act Threatens That and More

When the EARN IT Act was introduced in March 2020, technologists, civil society organizations, academics, and even a former FBI General Counsel blasted the bill as a thinly veiled attempt to prevent platforms from keeping users safe with strong encryption. The bill had implications for intermediary liability, of course, but it was clearly a play to take down the strongest digital security tool we have online.

The EARN IT Act is now a monstrous version of its previous self. It would not only weaken the ability of platforms to protect users through encryption, but fundamentally alter how platforms operate, leading to dangerous consequences for users and the global Internet.

While the new version of the bill would prevent the federal government from forcing platforms to weaken encryption to maintain their intermediary liability protection (a foundational aspect of most companies’ business plans), it would essentially allow states to pass their own version of the original EARN IT Act. This would create a chaotic patchwork of state-level laws, threatening user security across the country and creating borders for a networking system that was never meant to recognize them. This bill would not only weaken the ability of platforms to protect users through encryption, but fundamentally alter how platforms operate, leading to dangerous consequences for users and the global Internet.

EARN IT: Don’t Solve a Problem by Creating 1,000 More

Most of us use the Internet for just about every part of daily life: banking, work, entertainment, education – and we use it to communicate with friends and family about some of the most important issues our country faces.

We often take for granted that it “just works.” But that is not a certain future.

The EARN IT Act – and many other bills that have been introduced in weeks, months, and years past in an attempt to regulate content and security measures – threatens to undermine the way the Internet fundamentally operates and our ability to continue using it with the freedoms we now enjoy.

To be fair, these platforms don’t always get it right when it comes to figuring out what kinds of content  should or should not be permitted to spread online. But the benefit of keeping the onus on platforms to do their best is that we can leave if things aren’t working the way we want or expect. For example, just in the past week dozens of major advertisers have pulled their ads off of Facebook because the platform was not upholding the community’s expectations of what speech should be permitted.

And that’s the way it should be. Governments shouldn’t dictate what kind of content gets to exist online. The Internet is borderless, meaning conflicting legal obligations from different countries would force platforms to choose whose regulations to follow or to create a different Internet experience in every country. The EARN IT Act would shift the responsibility of ownership for content that should not be permitted online from individuals to platforms and make all user communications less secure in the process.

How Does the New EARN IT Act Threaten the Internet?

The new amendments to EARN IT get some things right – most importantly, its Commission of experts on online child sexual exploitation prevention would create a set of voluntary best practices that Congress would no longer have to approve. This means experts can work together to create a set of norms that companies can adapt to their own platforms.

This is a big improvement from the previous version of the bill, as it takes into consideration that large platforms have large staffs to handle complex requirements that may arise. Small platforms, new innovators, and mom-and-pop shops are lucky if they have one or two staff members handling all their tech related issues.

Unfortunately, the problems with the EARN IT Act overshadow its good intentions. Insufficient protections for encryption threaten to make all users more vulnerable to the crime it is trying to address. It also puts the digital economy at risk by taking away a key feature that has been essential for the Internet’s success: liability protection.

Although an amendment was added to the bill to provide protections for encryption, they are far from powerful enough. The protections from the amendment would be tested in state courts across the country, leaving strong encryption on unstable ground. Companies will face a choice, risk their future by implementing end-to-end encryption when it is unclear what the future holds for the legality of the technology in any of the states they operate in, or not take the risk and use less secure encryption. In an uncertain legal environment, companies will refrain from implementing end-to-end encryption, leaving all of us less safe.

On the intermediary liability protection side, this bill would lead to an incredible amount of uncertainty, especially because it does not create a solid floor for its reference to “knowledge” standards. Will platforms be held liable for content that passed over their site through secure channels that weren’t visible to the platform? Will they be held accountable only when the content is reported? Or will “knowledge” fall somewhere in the middle? These are pretty big gray areas for legislation and should be answered before a bill is passed, not after.

By our read, it seems like the bill allows a broad array of claims against platforms that fail to prevent child sexual abuse material from being distributed even if the platform had no knowledge that the content existed or was shared. This will likely ultimately lead platforms to be much more strict about any uploads to their site, which will stifle innovation, communication, and users’ ability to share important messages online.

As we’ve seen in recent weeks, these kinds of proactive filters often get it wrong – like when social media sites took down haunting photos of slaves from the 1800s because of “nudity,” not recognizing the wider context and important message those pictures presented.

This could also lock in the limited competitive marketplace we now enjoy online, as searching and filtering through all the content posted on a platform each day would be much too expensive and time consuming for new or small enterprises. The Internet is still relatively young as far as technologies go. Let’s not knee-cap it before we know what we could really create.

Too Complicated to Pass

The EARN IT Act is an attempt by policymakers to mandate an outcome, but they are doing it in a way that could seriously harm everyday users along the way. Child sexual exploitation is a horrible, heart-wrenching crime. But breaking key security and legal protections that are fundamental to how the Internet works doesn’t fix that problem. It just makes everyone more vulnerable to the crime and hate we’re trying to prevent online.

We need tech-neutral and tech-aware solutions to fix today’s problems in a way the doesn’t compromise our strongest tools to keep people – including children – safe online. We need policymakers to be thoughtful and considerate of the implications of their actions. This rushed-through markup of the EARN IT Act is neither.

Image by JJ Ying via Unsplash

Encryption Strengthening the Internet

Making Intermediaries Liable for Encrypted Content Breaks Trust and Security

In December 2018, the Indian Ministry of Electronics & Information Technology (MeitY) proposed a significant change to its intermediary rules. The draft Information Technology  [Intermediaries Guidelines (Amendment) Rules] 2018 seeks to tie tech platforms’ (e.g., social media) protections from liability to an obligation to monitor and filter their users’ content. One of the proposed obligations is to ensure the traceability of messages, even if a service is end-to-end encrypted.

India is just one of many countries around the world experimenting with the idea that Internet intermediaries – specifically social media companies, like Facebook and Twitter – should no longer have immunity from liability for the content shared by their users. Other examples include the U.S. Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020 (the EARN IT Act), and the recent U.S. Executive Order on Preventing Online Censorship.

The motivation for changing the status quo varies, from wanting traceability of messages to counter the spread of disinformation or CSEM, to stopping objectionable content from being spread on social media, to preventing political messages from being labeled (e.g., as “misleading information”). Similarly, the approaches being considered to achieve this vary, ranging from outright removal of immunity, to conditional immunity (i.e., earned immunity), to a positive “duty of care.” But, no matter the motivation or the approach, the consequences for the future of the Internet and its security remain the same.

Make no mistake, proposals to change intermediary liability to force content monitoring or traceability on end-to-end encrypted services will undermine security on the Internet. Which is why we’ve produced a fact sheet, Intermediaries and Encryption, to explain why pressuring intermediaries to weaken security through liability is harmful – and counterproductive.

Trump’s Social Media Executive Order: Legal, Ethical, Smart?
In the wake of the United States Executive Order on Preventing Online Censorship, the Internet Society will host a virtual event focused on the broader issue of intermediary liability. Join experts as they discuss what it means for the future of speech and platforms online. Register for the event, which takes place Tuesday, June 9th at 1400 UTC!

We must resist approaches that require service providers to override people’s ability to secure their information and interactions. To do so places individuals and organizations at greater risk – with no guarantee of achieving the intended outcome.

It’s especially important now that we help keep people, infrastructure, and countries secure online. And we must protect the Internet as a global vehicle for innovation, education, and social and economic progress. We can do that with strong encryption policies and practices.

Read our fact sheet, Intermediaries and Encryption, and learn more about the unintended consequences that intermediary liability reform could have on the security of the Internet.

To learn more about the ways encryption is being undermined, read our other fact sheets.

Internet Way of Networking Strengthening the Internet

Playing Politics with Section 230 Makes the Internet Weaker, Not Stronger

This opinion piece was originally published in The Hill.

Thursday the president of the United States signed an executive order that aims to address the liability regime of social media companies. A wide variety of reports have highlighted the problems with this move, but there is one problem that we find especially troubling: the danger of politicizing what is fundamentally a legal debate around party lines.

The president needs to stay out of this debate.

The Internet and politics have always had an awkward relationship. There have been numerous attempts to bring the Internet into mainstream politics over the years, most of which have been unsuccessful. The main reason is that the Internet is not a static “thing,” but a model for how networks and computers can interconnect through voluntary collaboration. A key characteristic of this model is that it’s decentralized, which means it doesn’t have a central point of control that dictates how the Internet should evolve. There is no switch that one can turn on and off, and as soon as policymakers or regulators try to impose one they inevitably chip away at the Internet itself. This characteristic has always been its most powerful asset, and the reason it has been an infinite source of innovation and growth – from the Web to ever-evolving smart devices, homes, etc. This lack of central control is a feature of the Internet, not a bug!

Trump’s Social Media Executive Order: Legal, Ethical, Smart?
In the wake of the United States Executive Order on Preventing Online Censorship, the Internet Society will host a virtual event focused on the broader issue of intermediary liability. Join experts as they discuss what it means for the future of speech and platforms online. Register for the event, which takes place Tuesday, June 9th at 1400 ET!

Most of the early legal frameworks that have been implemented in the Internet reflect this apolitical premise, albeit at different levels and to different degrees. But there is really no other law that does this as gracefully as Section 230 of the Communications Decency Act in the United States, which undergirds “intermediary liability” online.

Online intermediary liability protection first emerged in the United States in 1995 as a policy discussion regarding the scope of responsibility intermediaries should have. At the time, there was no Facebook or Twitter, so the law was aimed at services like CompuServe, Prodigy, and AOL. However, it set the tone for all future services and would later be exported to the world as one of the most positive Internet legal developments. The question was simple: should intermediaries be liable for content posted using their services or for actions performed by third parties, i.e. their users?

This question would fundamentally shape the future of the Internet. It discouraged attempts of centralized control because it did not force providers to perform functions they were never originally supposed to do. Similar to how telecommunications services are not responsible for the things phone users say over the phone, it was clear that online intermediaries and service providers would need similar commonsense restrictions on what they could be liable for.

Immunity from liability ensures a level playing field and provides autonomy to a diverse set of actors to perform their intended functions. In this context, Section 230 provided predictability in the Internet’s highly unpredictable environment. No one can predict the next innovation; the Internet is designed this way. The Internet’s highly unpredictable environment can only unfold to its full potential if it operates within a legal framework that is obvious in its intention and unsurprising in its outcomes. Section 230 does this. Politicizing it would reverse years of such predictability and could place the Internet’s future potential in jeopardy.

With this in mind, one can see how the executive order is problematic, setting in motion a dangerous precedent both for the Internet and speech. The problem is that a lot of the provisions in this order appear to be what Stanford’s Director of Intermediary Liability, Daphne Keller, calls “atmospheric” – politically driven questions that should not be part of the legal debate related to the scope of intermediary liability protections. They constitute a distraction, which could cause a series of unintended consequences for the evolution of the Internet.

While conversations about the evolving scope of Section 230 are healthy, they should not be based on fashionable political motivations. Section 230 has a historical track record of promoting innovation and creativity online. By separating it from partisan politics, we can ensure that these benefits are retained.

Image by Leon Seibert via Unsplash

Internet Way of Networking Strengthening the Internet

Intermediary Liability: The Hidden Gem

There is a law in the United States that consists of twenty-six words: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Otherwise known as Section 230 of the Communications Decency Act (CDA), it has been characterized as the law that “created the Internet.”

Only part of this statement is true. Section 230 did not actually create the Internet because the Internet was created through the collaboration of a diverse set of people around the world. What is true, however, is that the intermediary liability regime has undergirded the Internet as we know it. It has been responsible for three primary features of the Internet:

  • It has created certainty and predictability: intermediary liability rules have allowed Internet providers (both infrastructure and content) to design compliance strategies based on a limited set of laws and their Terms of Service (ToS). Because of intermediary liability, companies can design businesses that suit their needs.
  • It has created good Internet citizens: intermediary liability rules have ensured that the burden of determining whether a business is going to speak in a particular way is placed with that business.
  • It has put the responsibility for content where it belongs: it has affirmed that compliance with different types of laws that regulate content belongs to whoever produces the content and not those who host it.

The history of intermediary liability is as important as is the way the law has evolved over the years. In the early days of the Internet, the trend was that less regulation was better. However, by 1995, it looked like we were moving towards an Internet environment where either user speech would be hugely censored or companies would operate under an unpredictable framework of liability. The historical rule that emerged as part of this legal conundrum was captured in a simple, yet profound, thought: users should be able to put up whatever they wish on the Internet and the companies hosting their speech should be able to remove whatever they do not like.

Intermediary liability has a rich history of respecting the diversity of Internet companies and in setting the expectations about their roles and responsibilities; in doing so, the law captures much of what the Internet is all about. It is one of the first laws, if not the first, that acknowledged much of the Internet’s early design choices, specifically that the function of the core is dumb and, therefore, infrastructure providers (ISPs, IXPs, CDNs, Domain Name Registries, Domain Name Registrars, etc.) are not meant to monitor content. This understanding became the catalyst for a massive wave of innovative companies and business models. In fact, studies have shown that weakened intermediary liability protection is detrimental to economic prosperity and growth.

However, a lot has changed since 1995. Today’s Internet companies are bigger, engaged in more activities and offering more services. The Internet itself has also changed. It is no longer a technology separated by discernible layers, but a web of dependencies with an increasing number of players, both old and new. Despite so much change, the value of intermediary liability protection has not diminished.

The value the intermediary liability regime provides, is how it acts as a functional tool in a network system. This is mainly done in two ways: first by determining the scope of action and/or inaction an Internet company is expected to take when regulating misconduct (the behavior function); and second, by allowing the application of different liability standards depending on where in the Internet stack a company operates (the normative function). So, although we refer to Facebook, Google, and Amazon as the success stories of intermediary liability, we tend to underestimate what intermediary liability means for Internet infrastructure providers.

The Internet is a complex system and early design choices have set the boundaries on the ability of intermediaries to control information, services and applications. Architecture is an essential feature of the Internet’s evolution, innovation, and low-entry costs. If the Internet’s features – interoperability, generativity, end-to-end, among others – are to be preserved, then any intermediary liability framework needs to reflect the Internet’s architecture rather than interfere with it. This means that an intermediary liability regime needs to be “technology-aware” in the sense of fully grasping the Internet’s architecture and, “technology-neutral” in the sense of not requiring any special technology for the fulfillment of its rules.

Why does this matter to the future of the Internet? For the core features of the Internet to remain intact, any potential change to the intermediary liability regime has to continue to provide the same level of protection the original law provided to infrastructure providers. Infrastructure providers, who merely provide a technical service of transferring and/or hosting data and have come to expect to be treated as dumb pipes, know that it is not within their mandate to either have to detect or block objectionable and/or illegal content.

How governments decide to address intermediary liability in the near future is critical for users and for the Internet. There are plenty of opportunities to get this right and there are plenty of opportunities to get it wrong. The right way involves conscious choices that respect the limits, scope, diversity, and functional abilities of intermediaries. This means that the breadth of limitations for infrastructure providers enshrined in the normative and legislative framework of the original law should not change.

Learn more about the Internet way of networking.