How OFCOM can stop the abusive trolls?

In recent weeks there has been a lot of discussion about how to deal with trolls making repeated threats of violence or rape via social media. In particular, the stream of abuse targeted at Caroline Craido-Perez and Stella Creasy MP on Twitter following the announcement that Jane Austen was to be the next person to be represented on the UK £10 note , thus being the only woman depicted on any bank note other than the Queen, has significantly raised this issue.

Most of the discussion has concentrated upon use of the criminal law to stop trolls, but there are problems with that approach. For example, the 32 year old man arrested in Bristol on 7 August 2013 in connection with tweets to Caroline Craido-Perez and Stella Creasy is reported to have been arrested under the Protection from Harassment Act 1997. This deals with a course of conduct against another person. What if the troll only sends one or two harassing communications to each target, but sends hundreds of communications?

In this post I suggest that the regulatory tools exist to tackle trolls, were the problem of trolling considered to be sufficiently serious for regulatory action.

The one body the has so far not entered the debate or been questioned about its response to trolling is Ofcom, the regulator for electronic communications networks and services in the UK. This is a surprise, given that one of the sections of the Communications Act 2003, for which Ofcom is the proper enforcement body, seems at first glance to be an anti-trolling provision. The section concerned is section 128 of the Communications Act 2003, the first section under the cross-heading ‘Persistent misuse of networks and services ‘. The provision includes:

(5)  For the purposes of this Chapter a person misuses an electronic communications network or electronic communications service if—

(a)  the effect or likely effect of his use of the network or service is to cause another person unnecessarily to suffer annoyance, inconvenience or anxiety; or

(b)  he uses the network or service to engage in conduct the effect or likely effect of which is to cause another person unnecessarily to suffer annoyance, inconvenience or anxiety.

(6)  For the purposes of this Chapter the cases in which a person is to be treated as persistently misusing a network or service include any case in which his misuse is repeated on a sufficient number of occasions for it to be clear that the misuse represents—

(a)  a pattern of behaviour or practice; or

(b)  recklessness as to whether persons suffer annoyance, inconvenience or anxiety.

Given that these statutory clarifications on what is meant by ‘misuse’ and ‘persistent misuse’ in the 2003 Act pre-date the modern social media concept of trolling, they are not a bad description of what trolling is. Section 128 describes a neat regulatory set of powers for Ofcom to give notice to a persistent misuser to stop misusing, with additional sections setting out how the notice can be enforced. This includes Ofcom having the powers to impose penalties of up to £5,000 as well as seeking a court injunction against a person ignoring a notice (so breach of that injunction would be a contempt of court, with penalties including a fine of up to £2,500 and imprisonment for up to 2 years – section 14 Contempt of Court Act 1981).

However, how can Ofcom serve a notice on a troll (who will typically be anonymous)? It would be perfectly possible for Ofcom to use its information gathering powers, rather than go to court to obtain a Norwich Pharmacal Order for each troll. These are set out at sections 135-146 of the Communications Act 2003, under the cross-heading ‘Information Provisions’. Of interest here is that Ofcom can seek information from parties in addition to communications providers. In particular, section 135(2)(f) allows Ofcom to request information from “a person not falling within the preceding paragraphs who appears to OFCOM to have information required by them for the purpose of carrying out their functions under this Chapter.”

There is no reason why this could not include Twitter UK Ltd, even though, as Twitter UK Ltd was at pains to point out in a statement to the Leveson Inquiry, it has technically nothing to do with the Twitter service. Twitter UK’s registered office is 100 New Bridge Street, London EC4V 6JA, the same address as the international law firm Baker & McKenzie. If Baker & McKenzie are Twitter UK’s solicitors, I am sure they could advise Twitter that Ofcom’s information gathering powers are broad and do come with some teeth, so that eventually Ofcom would be able to get the information it required. Even so, given the current interest in addressing trolling via Twitter, it would be a further PR disaster for Twitter UK to be seen to avoid information requests from Ofcom on the grounds that the Twitter services was nothing to do with it, the UK entity, but only a matter for the US Inc.

So, using section 135 information requests, Ofcom could obtain the IP address of trolls via Twitter and UK ISPs, and contact details for that IP address. With that information a section 128 persistent misuse notice could be served, and the troll told to behave or be cut off.

This route could also address the question of trolling via multiple accounts and/or different social media platforms. The notice is not limited to one account on one communications platform; the misuse must be by one person. Section 128(7) states:

For the purpose of determining whether misuse on a number of different occasions constitutes persistent misuse for the purposes of this Chapter, each of the following is immaterial—

(a)  that the misuse was in relation to a network on some occasions and in relation to a service on others;

(b)  that different networks or services were involved on different occasions; and

(c)  that the persons who were or were likely to suffer annoyance inconvenience or anxiety were different on different occasions.

It would therefore catch a person trolling using multiple accounts on Twitter, Facebook etc. to different targets.

However, there is a potential gap in this approach. What if the target of the trolling is, as recent examples have shown, on the receiving end of an avalanche of abuse or is being flamed? The avalanche could be the result of a mass of single communications from individual persons, each of whom may not be persistently misusing.

The radical answer, which may not stand up to regulatory scrutiny, is to suggest that it is possible to serve the persistent misuse notice not on the individual trolls, but on the person providing the platform upon which the trolling occurs. There is no precedent for this extended use of section 128, which to date has been used by Ofcom to shut down the misuse of automatic calling systems generating abandoned or silent calls (eg section 128 notice on HomeServe plc). The Ofcom argument would have to be that the notice recipient, by providing a platform with no effect monitoring or abuse notice and protection systems to protect users from unnecessarily to suffer annoyance, inconvenience or anxiety, is the person upon whom a section 128 notice can be served. The Ofcom notice could demand that a proper anti-trolling and/or abuse notice system be put in place, as in section 129 it states:

(2)  OFCOM may give the notified misuser an enforcement notification if they are satisfied—

(a)  that he has, in one or more of the notified respects, persistently misused an electronic communications network or electronic communications service; and

(b)  that he has not, since the giving of the notification, taken all such steps as OFCOM consider appropriate for—

(i)  securing that his misuse is brought to an end and is not repeated; and

(ii)  remedying the consequences of the notified misuse.

In practice, however, I don’t expect Ofcom to go anywhere near the trolling controversy. Regulation of networks and services is carried out by that part of Ofcom that can trace its roots back to Oftel. From the earliest days of telecommunications regulation, telecommunications (now electronic communications) regulators have sought to distance themselves from any requirement to regulate content.

Facebook and Data Protection

So what other information does Facebook have about me, other than the profile picture and my account name used to generate this Facebook badge?  Maybe I should ask? Would Facebook tell me if I did?

I was recently asked if it would be possible to make a subject access request to Facebook under the Data Protection Act 1998 (DPA 1998).  In simple terms, ignoring some important exemptions, section 7 of the DPA 1998 gives anyone the right to ask someone whom they believe has personal information about them, to disclose that personal information and to state why they have it.  The Information Commissioner publishes guidance to the public on how to do this.  However, my immediate thought was that Facebook was an American entity, outside of the jurisdiction of the UK, with no UK presence.

Out of curiosity, I then had a look at Facebook’s Statement of Rights and Responsibilities – in effect their terms and conditions.  I was particularly taken by section 17.2 in the Definitions clause:

By “us,” “we” and “our” we mean Facebook, Inc., or if you are outside of the United States, Facebook Ireland Limited.

Facebook also states in its Privacy Policy:

Defined Terms. “Us,” “we,” “our,” “Platform” and “Facebook” mean the same as they do in the Statement of Rights and Responsibilities.

This suggests that for those of us not in the United States, Facebook is a service provided by, and under the privacy policy of, an Irish company.  Checking up on the Irish Companies Registration Office website shows that there is indeed a Facebook Ireland Limited (Company Number 462932) registered in Ireland, with registered office at Hanover Reach, 5-7 Hanover Quay, Dublin 2.

Why is this interesting?  There are a number of reasons, but let’s stick to the subject access question.

The DPA 1998 is the UK implementation of the Data Protection Directive 95/46/EC.  Every member state of the European Union should have implemented this Directive into local laws.  This can easily be checked on a European Commission Justice and Home Affairs webpage dedicated to showing the status of implementation.  The webpage also give links to member states’ data protection laws, so that it can easily be discovered that in Ireland, section 4 of their Data Protection Act 1988 (as amended) gives the same access rights as the UK section 7 DPA 1998.

So the surprising conclusion must be that any Facebook user not based in the United States can write to Facebook Ireland Limited (address above) and request a copy of all personal information that Facebook holds about them.  Facebook can, under Irish regulations, make a charge to supply the information, but to a maximum of €6.35.

Facebook may argue that it is a service provided by Facebook, Inc and that its terms and conditions (or Statement of Rights and Responsibilities) are subject to the laws of the State of California, but this is not how this would be viewed in the EU.  In the plain terms of the Statement of Rights and Responsibilities, Facebook means Facebook Ireland Limited.  Facebook Ireland Limited, as an entity in the EU, cannot by a choice of law in consumer terms and conditions deny a consumer a right the consumer would otherwise have.  It is immaterial that the personal information collected by Facebook Ireland Limited may be stored and processed by Facebook, Inc in the United States.  In the terms of the Data Protection Directive, Facebook Ireland Limited is the controller and Facebook, Inc the processor of users’ personal information.  There are arguably other consequences of Facebook being provided by Facebook Ireland Limited, as Irish laws may have implemented certain other EU consumer protection legislation to make unilateral changes in the provision of services, such as with the recent changes in privacy settings, in consumer contracts unlawful.

Facebook Ireland Limited, in addition to reading up on the Irish Data Protection Act 1988 as amended (in particular, section 16 and regulations made under it), may therefore also wish to consider the Irish laws implementing, amongst others, the Electronic Commerce Directive 2000/31/EC, Unfair Terms in Consumer Contracts Directive 93/13/EEC and Rome Regulation (Rome I) 593/2008/EC (in particular, Article 6).

PCC against Facebook journalism

There is increasing guidance being given by bodies such as the Information Commissioner about the dangers of posting photographs to social networking sites. Clearly, posting photographs risks having those photographs put into the public domain eventually.

However, the Press Complaints Commission has laid a marker down that it does not consider the use of social networking photographs to be justified where this requires the press to circumvent privacy settings, unless there is a public interest justification. To do so would be a breach of Clause 3 (Privacy) of the Editors’ Code of Practice.

This is the result of the PCC upholding a complaint against the Scottish Sunday Express by parents of survivors of the Dunblane shooting in 1996. The Scottish Sunday Express had published photographs and other material about the children to claim that their normal teenage behaviour “shamed” the memory of the deceased.

The only negative aspect to this story is that as the PCC is a self-regulatory body which has been given limited powers by the newspapers it governs, the only result of having a complaint upheld is that the relevant newspaper has to publish in a prominent manner a report of the PCC adjudication. The PCC has no fining powers or the ability to award compensation.