Monday, June 07, 2004

One needs to look at the fundamental reasons for initially employing filtering or blocking systems on a private network. These mechanisms are not implemented for the mere sake of it. They render a critical service in protecting and managing proprietary information systems from external interference.
The common threats that face proprietary information systems are viruses and bulk unsolicited commercial email (spam). The harm that viruses can cause is self evident, but the more contentious issue relates to spam. It is widely believed that spam can, and does, cause harm and presents a nuisance. Uncontrolled levels of spam entering a proprietary information system poses substantial risks to the operational stability of the information system and furthermore results in both direct and indirect costs to the company.
The nuisance of spamAlthough not illegal per se there are certainly legal, moral and ethical issues around spam. It is a well-established and widely accepted practice to follow the rules of Netiquette when dealing with third parties on or through the Internet. According to a Canadian Superior Court decision (Ontario Inv. v. Nexx Online Inc  - 1267632) Netiquette is an unwritten code that has evolved based upon good neighbour principles for the orderly development of the Internet, and to prevent potential Internet abuse. According to Wilson J in the above decision “… it appears clear that sending out unsolicited bulk e-mail for commercial advertising purposes is contrary to the emerging principles of Netiquette."
Further international case law illustrates the legal attitude towards spam. In the American decision CompuServe Inc. v. Cyber Promotions Inc (No. C2-96-1070 / S.D. Oh. Feb. 3, 1997), the court concluded that the practice of sending unsolicited e-mails to the plaintiff’s subscribers was an unwanted intrusion into the plaintiff’s computer systems.  The court found that the defendant’s practice commanded the disk space and processing power of the plaintiff’s computer equipment, diverting its resources away from paying subscribers.  The value of the equipment was thereby diminished, even though it was not physically damaged.  The court also found the defendant’s practice to be harmful to the plaintiff’s business reputation and goodwill. The court further held that the high volumes of e-mail slowed down data transfer between computers connected to the Internet and congested the electronic paths through which they travel.
 Lastly, in another American case concerning bulk e-mailing, Parker v. C.N. Enterprises (No. 97-06273 / Tex. Travis County Dist. Ct. Nov. 10, 1997), the court held that the unauthorized use of the plaintiff’s e-mail address constituted a common law nuisance and trespass and granted a permanent injunction against the defendants.
The above raises interesting questions. Can a company take precautionary measures to protect itself against the overwhelming burdens of bulk spam, and in doing so to provide a safe networking environment for it employees and critical operations? Would a company that is operationally dependent on email, or one that administers a public information system, be regarded as negligent if it did not take precautionary measures against spam?   
Precautionary measuresA common precautionary measure that businesses take is to use local blocking or filtering mechanisms on their proprietary networks. Certain businesses that are largely email driven, if compelled to remove these blocking and filtering mechanisms, could expect a substantial increase to their “hard” operating costs, not to mention further drawbacks such the need for further staff to process these communications, operational inefficiencies and the increased risk of Denial of Service attacks (DOS attacks), viruses and the like.
Apart from maintaining their own local filtering and blocking systems, businesses may elect to subscribe to 3rd party Realtime Black Hole Lists (RBLs) in order to block emails from “reported” spammers and/or open relay systems notorious for routing spam and viruses. Perhaps this is where the real contentious issue lies. Depending on the blocking policies of the RBL administrator, sender’s names are unilaterally added to these lists, thus creating the opportunity (however remote) that names are added with malicious intent. Most RBL administrators however have started implementing strict policies of how and when a sender’s name is to be added to an RBL. It is however undeniable that RBLs still present substantial opportunities for abuse.
Of possible relevance to this discussion is section 86 of the ECT Act 25 of 2002, which reads:
(1) Subject to the Interception and Monitoring Prohibition Act,1992 (Act No.127 of 1992), a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence.
(2) A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence.
(5) A person who commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users is guilty of an offence.
Section 89 sets out the penalties as follows:
(1) A person convicted of an offence referred to in sections … 86(1), (2) or (3) is liable to a fine or imprisonment for a period not exceeding 12 months.
(2) A person convicted of an offence referred to in section 86(4) or (5)… is liable to a fine or imprisonment for a period not exceeding five years.
Furthermore, section 16 of the Bill of Rights  (Constitution of the Republic of South Africa 1996 Chapter 2) guarantees freedom of expression, and reads:
(1)    Everyone has the right to freedom of expression, which includes a)    freedom of the press and other media; b)    freedom to receive or impart information or ideas; c)    freedom of artistic creativity; and d)    academic freedom and freedom of scientific research.
(2)    The right in subsection (1) does not extend to a)    propaganda for war; b)    incitement of imminent violence; or c)    advocacy of hatred that is based on race, ethnicity, gender or religion, and that constitutes incitement to cause harm.
Again the above again poses interesting questions: Is it a company’s right to deny or filter data entering its own information systems? Is   
Conclusion       Blocking and filtering systems are more robust then what most commentators make them out to be. These systems can be configured to suit the specific needs of the company, and the rules governing what should be blocked or filtered is determined by the company based on its own operational requirements. It is seldom a matter of “take it or leave it” for the company.
Most companies will exercise prudent restraint in determining what rules will govern the blocking of email messages. This has the effect that the company will fault on the conservative side and only emails that exactly match the blocking criteria will be blocked. And even then most systems will inform both sender and receiver that the message was blocked, and that the message can be released on request from the addressee. This would indicate that the message has entered the information system of the addressee and that it is capable of being retrieved and processed by the addressee.
In summary it is a companies right, and I believe in some instances its duty, to take reasonable steps to ensure that its information systems are protected from outside harm. In this regard the exasperation with blocking or filtering systems out of principle is shortsighted. These systems provide a very valuable and effective tool in the arsenal of businesses in combating external electronic dangers. As with everything it is not a matter of what you use, but rather how you use it.     
Civil liability resulting from filtering and blocking messages  The Electronic Communications and Transactions (ECT) Act 25 of 2002 deals with the civil liability that may result from the use of blocking and filtering software.  In law and commerce, the exact time an e-mail was received (or the questions whether it was received at all) is, for a number of reasons, of crucial importance - for example, tender documents normally should be submitted on or before a certain time and date, options should be effected on or before specific dates, some contracts determine that evidence on money transfers should be e-mailed on or before a specific time and date, most commercial quotes and offers are only valid for a specific time, and so on.  It is easy to imagine the liabilities that may be incurred if an e-mail containing date and time sensitive information is blocked - for example, Company A may award a tender to Company B because Company C’s e-mailed tender application was blocked, notwithstanding the fact that it was sent four days before the close of the tender period.  Section 23 of the ECT Act deals with the time an e-mail is presumed to have been received. It states that an e-mail (being a ’data message’) is regarded to be received by the addressee when such an e-mail enters the information system of the addressee and is capable of being retrieved and processed by the addressee. This ’time of receipt’ presumption will only apply if the parties to the e-mail did not agree otherwise.  The implication of the abovementioned presumption is that an addressee is presumed to have received an e-mail notwithstanding the fact that the e-mail was blocked by the addressee’s blocking software - the server running the software is part of the addressee’s "information system" and it is reasonably possible to retrieve the message. An argument claiming that it is totally impossible for an addressee to retrieve a blocked e-mail will probably not be accepted by the courts (or myself), as a mere phone call to the systems operator will make it possible to release the message and retrieve it.  If blocking a message is an allowed excuse to deny the receipt thereof, everybody will use that excuse:  "The reason I did not pay your invoice is because I never received it. Our system must have blocked and deleted it - sorry. Please send it again and if our system does not block it again I will pay it."  The implications for commerce and law would be ridiculous.   Constitutional concerns  Content filtering and blocking amounts to nothing less than a new form of corporate censorship that conflicts with free speech rights in any democracy. In most applications the filtering and blocking rules are determined through an undemocratic and one-sided process that is not open to review or challenge - a specific software developer’s sense of the ’immoral’ or ’pornographic’ is forced on every message sent to a system that employs the product, resulting in the censoring of content that is not only legal but also constitutionally protected.  As detailed above, some products rely on the absurd assumption that every image in an e-mail or attachment should be blocked. Immoral, illegal, pornographic content can only be determined by an examination of the context and not through the identification of single words or phrases.  Although it is not my intention to criticise any specific product or to generalise, it is a proven fact that the use of content filtering and blocking may have absurd results like the following:  * Most blocking products will block an e-mail containing the word ’Middlesex’, because ’sex’ (in any context whatsoever) is a pre-determined keyword.  * Products that block content that includes the word ’pornographic’ will block not only this article but also communications from the user’s human resources department detailing the communications policy of the user.  * Filtering software installed in Utah schools was found to also block the Bible, anti-drug information, HIV information, safe sex information, the US Constitution and most of Shakespeare’s works.  * The use of blocking software has been found to have unequal results and enforce prejudice based on race, homophobia and the like.  To frustrate the effectiveness of filtering software, adult content is distributed with spelling mistakes or other identifiers such as ’p*rnography’ and ’s@x’.  Numerous courts in the United States, including the Supreme Court, held that the installation and use of filtering and blocking software at public places such as libraries and schools, are unconstitutional.  If presented with a similar question, blocking software will probably also not survive scrutiny by the South African Constitutional Court because the use thereof infringes on the constitutional rights of free speech, the right to information and equality. 
Hein KaiserBureau HeadMarcus Brewster Publicity JHBTel:  011-783 8222Fax: 011-783 8252Cell: 082 520