Hosting providers play a critical role in managing the vast volume of content that flows through the internet. Operating under the protection of ‘safe harbor’ laws, these providers are expected to offer a platform for freedom of expression and innovation. However, “Safe Harbor: Implications for Hosting Providers that Ignore Malicious Content’ examines the challenging position these providers face when dealing with malicious content. This blog touches on the complexities of ‘safe harbor’ provisions, the nuanced concept of ‘actual knowledge’, and the expectations for prompt action. Through this examination what has become clear is that hosting providers are in a delicate position: maintaining the balance between protection and liability. Failure to appropriately manage and address malicious content can lead these providers into a zone of significant legal consequences. Ultimately what are aiming to understand is the responsibilities and potential liabilities that come with hosting content for paying 3rd parties.
We compose this blog in light of the fact that, on any given week, we find ourselves issuing numerous website takedown notices—ranging from a handful to hundreds—to a diverse array of hosting providers, both prominent and obscure. While the majority of hosting providers are inclined to act ethically and safeguard consumers, a troubling number persist in turning a blind eye. These outliers not only neglect the protection of consumers but also inadvertently offer a haven for malicious entities and cybercriminals, thereby undermining the collective efforts to maintain a safe and trustworthy digital environment.
What is safe harbor?
Safe harbor refers to legal provisions that offer protection to internet service providers (ISPs) and hosting companies from liability for user-generated content hosted on their platforms. This legal concept, primarily embodied in laws like Section 230 of the Communications Decency Act (CDA) in the United States and the E-Commerce Directive in the European Union, is designed to encourage the free exchange of information and ideas on the internet by shielding these entities from the impossible task of monitoring all user content. However, this protection is conditional and requires that the hosting provider does not have actual knowledge of illegal content or, upon acquiring such knowledge, acts promptly to remove or block access to such content. The essence of safe harbor provisions is to strike a balance between internet freedom and the responsibility to prevent the spread of unlawful or harmful content (Source: “Section 230 of the Communications Decency Act,” Cornell Law School, Legal Information Institute). Australia also has specific safe harbor provisions for hosting companies, which are outlined in Schedule 2, Part 2, Division 2 of the Broadcasting Services Act 1992. These provisions offer certain legal immunities to internet service providers (ISPs) and internet content hosts under specific conditions, similar to the safe harbor provisions in other jurisdictions like the United States and the European Union.
Does safe harbor provide total absolution?
Hosting providers generally enjoy a ‘safe harbor’ from liability for the content their users publish, these protections are not absolute. The safe harbor provision mandates that the hosting provider must not have actual knowledge of the illegal activity or, upon obtaining such knowledge, acts expeditiously to remove or disable access to the content. The failure to act upon receiving credible notice of such activity can lead to a shift from immunity to liability.
Cases where the safe harbor provisions did not protect the hosting provider typically involve scenarios where the provider either had actual knowledge of the malicious content and failed to act promptly or contributed to the creation or development of the unlawful content. For example, In , the court held that Moniker, a domain name registrar (a type of hosting provider), could be held liable for contributory trademark infringement because it had specific knowledge of and control over domains used for counterfeit operations and did not take timely action to suspend those domains.
When a hosting provider is notified of illegal or infringing content on their platform, they are typically required to take prompt action to remove or disable access to that content. Failure to do so can lead to liability. The transition from a position of protection to one of liability hinges significantly on the concept of ‘actual knowledge.’ Hosting providers, upon being notified of the presence of illegal content on their servers, are confronted with the duty to act.
A notable case to this point is ALS Scan, Inc. v. RemarQ Communities, Inc. (2000). ALS Scan notified RemarQ of the infringing copyright material. However, RemarQ did not take immediate and effective action to remove the specific infringing content or to prevent its reappearance. For context, copyrighted material posted by users on the newsgroups hosted by RemarQ Communities, Inc., an Internet Service Provider. ALS Scan, Inc., a provider of adult-oriented content, alleged that its copyrighted images were being distributed without authorization on newsgroups hosted by RemarQ. The court noted that while ISPs are generally not liable for user-generated content due to the safe harbor provisions of the Digital Millennium Copyright Act (DMCA), these protections are conditional. To enjoy immunity, an ISP must respond expeditiously to remove or disable access to the material when informed of the infringing activity under the DMCA’s notice-and-takedown procedure. The court denied RemarQ’s motion for summary judgment, indicating that RemarQ could be held liable for copyright infringement because it did not act expeditiously upon being notified of the infringing material. The case was settled before a final verdict, but the court’s denial of the motion for summary judgment highlighted that ISPs might lose their safe harbor protection if they fail to act appropriately upon receiving actual knowledge of infringement.
Courts have also been increasingly inclined to interpret ‘actual knowledge’ in broader terms, considering not just direct notifications but also other circumstances under which a reasonable entity should have been aware of the illegal activity. In the case, Perfect 10, Inc. v. Amazon.com, Inc. (United States, 2007), the Ninth Circuit Court of Appeals dealt with the concept of “actual knowledge” under the DMCA. The court held that “actual knowledge” or “awareness” of specific infringing material did not require a formal notification. The knowledge of the likelihood of infringement on the site could impose a duty on the service provider to locate and remove the infringing material. Courts have said that “actual knowledge” doesn’t always require a formal complaint or direct notification. If there are clear signs of illegal activity on a platform and the hosting provider ignores them or doesn’t look into them, the provider might be considered to have “actual knowledge” of the illegal content.
'Prompt Action' Expected, But Not Defined
Once a hosting provider has actual knowledge of malicious content, the expectation is not just to take note but to act — and to do so promptly. Safe harbor protection typically requires that the hosting provider takes prompt action to remove or disable access to the unlawful content upon receiving a proper notice. If a hosting company is notified about a phishing site hosted on their servers and fails to act expeditiously to take it down, they might lose their safe harbor immunity for that instance of content. The notion of ‘prompt action’ is, however, not universally defined, leading to a gray area. Legal challenges often arise over what constitutes a ‘reasonable’ timeframe and the adequacy of the measures taken. Hosting providers are thus under increasing pressure to develop and implement effective and swift mechanisms for responding to notices of illegal content.
Liability for Inaction: A Rising Trend
IThe legal landscape surrounding hosting providers and their responsibilities for content on their platforms is evolving, with courts and legislatures worldwide increasingly narrowing the scope of safe harbor protections. This trend reflects a growing expectation for these providers to play a more proactive role in monitoring and managing the content they host. Notably, in the European Union, legislation like the General Data Protection Regulation (GDPR) and the forthcoming Digital Services Act (DSA) underscores a commitment to stricter content management, demanding quicker removal of illegal content and improved transparency. Similarly, in the United States, amendments like FOSTA-SESTA to Section 230 of the Communications Decency Act have made it clear that providers can be held liable for facilitating certain types of illegal content, such as sex trafficking.
Court decisions have also played a crucial role in shaping this trend. For instance, cases like L’Oréal SA v. eBay International AG in the EU and ALS Scan, Inc. v. RemarQ Communities, Inc. in the US have highlighted circumstances where hosting providers can lose their safe harbor protections if they fail to act expeditiously upon receiving actual knowledge of illegal content. In Australia, the Online Safety Act 2021 demonstrates a similar commitment to stricter content regulation, granting authorities enhanced powers to mandate the blocking of websites hosting illegal content. These developments across various jurisdictions signify a global shift towards greater accountability for hosting providers, aiming to ensure a safer and more responsible digital environment by leveraging the unique position of these providers to swiftly address and mitigate the spread of illegal and harmful content.
The subject of safe harbor and it’s protection assurance has shifting (legal) interpretations and evolving legislative landscapes. Debates around issues like misinformation, digital privacy, and intellectual property rights continually test the boundaries of these protections. Moreover, global variations in laws mean that a hosting provider’s safe harbor in one country may not shield it from liability in another. For businesses and individuals relying on these services, this creates a landscape where due diligence, awareness of local laws, and an understanding of a provider’s policies are crucial. While safe harbor provisions offer significant protection, they are part of a complex, dynamic legal and regulatory environment that demands cautious navigation.
brandsec is an Australian domain name management provider that offers online brand management solutions to corporate and government organisations. Our services include domain name management, domain name security, domain name policy development, dispute management, monitoring, and enforcement services. Additionally, brandsec offers a comprehensive online brand protection service that covers various platforms such as websites, social media, email, and online marketplaces. The service addresses issues related to counterfeiting, fakes, copyright infringement, intellectual property (IP) matters, piracy, and other intellectual protection-related issues.