See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/228188506 Toward an Epistemology of ISP Secondary Liability Article  in  Philosophy & Technology · June 2011 DOI: 10.2139/ssrn.1920050 CITATIONS 3 READS 51 1 author: Some of the authors of this publication are also working on these related projects: On the Sociology of Patenting View project Patents and the First Amendment View project Dan L. Burk University of California, Irvine 120 PUBLICATIONS   1,241 CITATIONS    SEE PROFILE All content following this page was uploaded by Dan L. Burk on 21 October 2018. The user has requested enhancement of the downloaded file. 1 23 Philosophy & Technology ISSN 2210-5433 Volume 24 Number 4 Philos. Technol. (2011) 24:437-454 DOI 10.1007/s13347-011-0046-3 Toward an Epistemology of ISP Secondary Liability Dan L. Burk 1 23 Your article is published under the Creative Commons Attribution Non-Commercial license which allows users to read, copy, distribute and make derivative works for noncommercial purposes from the material, as long as the author of the original work is cited. All commercial rights are exclusively held by Springer Science + Business Media. You may self-archive this article on your own website, an institutional repository or funder’s repository and make it publicly available immediately. SPECIAL ISSUE Toward an Epistemology of ISP Secondary Liability Dan L. Burk Received: 30 April 2011 /Accepted: 17 August 2011 /Published online: 24 November 2011 # The Author(s) 2011. This article is published with open access at Springerlink.com Abstract At common law, contributory infringement for copyright infringement requires “knowledge” of the infringing activity by a direct infringer before secondary liability can attach. In the USA, the “safe harbor” provisions of the Digital Millennium Copyright Act, that shield Internet Service Providers (ISPs) from secondary copyright liability, are concomitantly available only to ISPs that lack the common law knowledge prerequisites for such liability. But this leads to the question of when a juridical corporate entity can be said to have “knowledge” under the statute. Legal institutions have well-established processes for inferring the knowledge state of natural persons, but corporations are complex sociotechnical networks of human and non-human elements whose information state does not map well onto such inferential methods. This question is of course not unique to copyright liability; corporate entities may be responsible for “knowing” actions under a variety of applicable legal provisions, and the question of corporate knowledge is generally under theorized. But consideration of ISP “knowledge” in this context points the way to consideration of corporate epistemology that must be foundational to determining corporate responsibility in copyright protection. Keywords Copyright . Contributory infringement . Epistemology. Knowledge . Corporations . ISP 1 Introduction Law and legal procedure function in society as a system of formalized ethics, bestowing rights and imposing responsibilities on the entities under their jurisdiction. The responsibilities that are either undertaken or imposed on an Internet Service Provider (ISP) will frequently have their origin in such legal requirements. Philos. Technol. (2011) 24:437–454 DOI 10.1007/s13347-011-0046-3 D. L. Burk (*) University of California, Irvine, 401 East Peltason Drive, Irvine, CA 92697-8000, USA e-mail: dburk@law.uci.edu Among the legal duties and liabilities associated with provision of Internet services is some degree of responsibility for the activity of subscribers and users of the service. Across the globe, ISPs have with varying degrees of success been subjected to lawsuits, legislation, and regulation for failure to police a range of user content that includes libel, threatening speech, hate speech, and unauthorized posting or distribution of copyrighted material. It is this last type of content, and an aspect of the responsibilities imposed on ISPs for such content, that I propose to consider here. In this paper, I examine one parameter for ISP responsibility in the area of copyright, specifically, the requirement that an ISP have “knowledge” of copyright violations in order to be held indirectly or secondarily liable for the actions of its users and subscribers. I show that such responsibility is tied to the more general problem of determining the state of knowledge of an organization. I adopt the ISP “safe harbor” provisions of the American Digital Millennium Copyright Act (DMCA) as a vehicle for introducing and interrogating the characteristic of corporate knowledge. I begin my discussion by reviewing the scienter, or mental state requirements of secondary copyright liability as developed in common law, and then as defined in the “safe harbor” statutory provisions of the DMCA. I then turn to the problem of scienter as it exists more generally in regard to corporate entities, looking particularly at corporate knowledge as it has been addressed in recent securities fraud decisions, in the hope of shedding some light on how the similar requirements of the DMCA safe harbor provisions might be treated by judicial interpreters. This discussion allows me to sketch the overall parameters of the problem of corporate knowledge. I conclude with some observations about existing theoretical approaches that might be applied to the overall problem of corporate scienter. 2 Copyright Liability Copyright infringement has emerged as perhaps the leading source of legal controversy surrounding the Internet and related digital media. Present day computing technology functions by making digital copies: in computer memory, on disc drives, on DVDs, on network servers, and elsewhere. Some copies are made automatically and imperceptibly as the machine operates; other copies can be made deliberately by users of the technology. Moderately priced computer technology gives the majority of people in developed countries ready access to copying technology, and even in the poorest nations facilitates ready access to unauthorized copies. Copyright laws vary a bit internationally, but in general copyright infringement is a strict liability offense: one need not intend, nor even know that one has copied in order to violate the exclusive rights of the copyright holder. For example, in the famous lawsuit against former Beatle George Harrison for infringement of the song “He’s So Fine” by his composition “My Sweet Lord,” evidence at trial suggested that Harrison’s copying was entirely unconscious—Harrison had likely heard “He’s So Fine” as a hit radio song, and unwittingly adopted some of its distinctive structure in his own composing (Bright Tunes Music v. Harrisongs Music 1976). Nonetheless, Harrison was found to infringe, because the copyright statute does not require “knowing” or “intentional” copying for a violation to occur—any unauthorized, 438 D.L. Burk unprivileged copying constitutes a direct violation of the statute. Subconscious copying is as much a violation of the statute as intentional copying. However, this rule is relaxed somewhat where indirect violation of copyright is at issue. Copyright law has long recognized that responsibility for infringement might sometimes lie with individuals other than those directly committing acts of infringement. Indeed, some would-be infringers might seek to profit from infringement without actually copying or otherwise directly violating the exclusive rights of the copyright holder—they might instead aid or encourage others to infringe, avoiding the acts that actually define infringement. It has long been held that such assistance and encouragement to direct infringement should itself be the basis for some type of indirect liability. Such secondary or indirect liability was recognized at common law in two forms (Yen 2000; Elkin-Koren 2006). The first takes the form of vicarious liability, by which a supervisory entity is held responsible for activities of direct infringers within its control. The doctrine originated in a type of respondeat superior liability, in situations where an employee or agent of a principal engaged in unauthorized reproduction, public performance, or other statutorily excluded activity that would constitute direct infringement. For example, in the well-known “dance hall” cases, musical bands employed by dance halls or nightclubs played copyrighted music without a license (Dreamland Ball Room v. Shapiro, Bernstein & Co. 1929). Because the owner of the dance hall had engaged the band, had the ability to supervise or dismiss the band, and profited from the activity of the band, the owner was held vicariously liable for the band’s infringing activity. In effect, the actions of the band were imputed to the dance hall owner, whether or not he was actually aware of the activity. Vicarious copyright liability was later expanded beyond the traditional boundaries of respondeat superior; liability was not necessarily limited to employment situations but was applied in any situation where control over the infringing activity was or could have been exercised. For example, courts held that landowners could be held responsible for the infringing activities of business invitees on their land, given that the landowners had the right and the ability to eject invitees engaged in infringing activity. Through such cases vicarious liability evolved beyond the relationship of principal and agent into a type of formulaic default rule: any commercial situation where there was a right to supervise or control the activity became ripe for application of the doctrine, not merely those situations arising out of traditional master/servant relationships. But the hallmarks of master/servant liability live on the present doctrine. The legacy of this history is that vicariously liable infringers need not have actually known about the infringing activity in order to be accountable for it. This approach remains generally consistent with other instances of agency or respondeat superior liability. Legally, the agent is in effect an extension of the principal; as part of the same entity, awareness is assumed, just as a natural person is generally assumed to be aware of and in control of her own extremities. Of course, even natural persons may sometimes lose awareness or control of their extremities; criminal law and other areas of law recognize some defenses for involuntary action. In a sense if the body is no longer part of the person, but acting according to some other agency, then the consequences of its activity are no longer Toward an Epistemology of ISP Secondary Liability 439 imputed to the person. So too follows the law of agency; if the employee or other agent is not acting as an agent, or has some interest adverse to that of the principal, the principal is not presumed to know of the putative agent’s activity. But copyright’s secondary liability rules go beyond this, imputing to the indirect infringer responsibility for the direct infringer’s activity even if the direct infringer is no longer an agent or is acting adversely to the interests of the indirect infringer. The logic of this extension has been that the indirect infringer could have or should have become aware the infringing activity, or at least was in the best position to become aware of and prevent the infringing activity. Premising liability on the ability to control infringement creates an incentive—perhaps a burdensome incentive—to monitor and more closely supervise potentially infringing situations. An alternative form of secondary liability arises under the rubric of contributory liability. Here the indirect infringement stems not from supervision or control, but from either participation in the infringing enterprise, or from supplying the means to infringe, without actually committing any of the acts prohibited by the exclusive rights of the copyright owner. Such “aiding and abetting” of infringement might classically include preparation or support of infringement, such as advertising or financing unauthorized reproduction and distribution of infringing copies. These activities are not themselves a violation of any of the copyright holder’s exclusive rights as designated in the statute. The twin oppositional concerns in penalizing contributory infringement are to deter intentional furtherance of infringing activity, while at the same time not penalizing legitimate business activity—the advertiser or financier of unauthorized copies might be purposely profiting from infringement without making the copies herself, but might also have been legitimately supplying services that have been misdirected by the actual infringer. A more recent development in copyright secondary liability, articulated in the celebrated Supreme Court’s Sony v. Universal Studios (1984) opinion, is consideration of the somewhat different “contribution” of supplying the means to infringe—particularly, contributorily supplying technology, such as a home video recording system that might be used to directly infringe. But here again, many technologies have dual uses, some legitimate and unobjectionable while others further misappropriation of protected content. Consequently, the standard for such infringement, drawn from parallel doctrines in patent law, holds that supplying a technology with a substantial non-infringing use, even if it is sometimes abused, is not an infringement. Like its eponymous cousin in patent law, and unlike vicarious liability, contributory liability requires some degree of specific knowledge regarding infringing activity. A generalized knowledge of a particular technology’s potential for infringement is not sufficient. Most recently, a third form of secondary liability has been added, denominated “inducement” in the US Supreme Court’s Grokster opinion (2005). Drawing again upon patent law, where inducement has long been recognized statutorily as a form of indirect infringement, the Court held that encouragement or enticement to engage in directly infringing activity might also secondary liability. Unlike the companion theories of secondary liability, the inducer need not necessarily have the right and ability to control the direct infringer, nor, if he is supplying aid to infringement, need it lack a substantial non-infringing use. However, inducement necessarily involves a degree of knowledge, and indeed intent to encourage the infringing activity. 440 D.L. Burk 3 Statutory Safe Harbors The limitations on these forms of secondary liability might be expected to absolve ISPs from indirect responsibility for copyright infringement. Despite the presence of infringing activity on ISP systems, the services provided by ISPs certainly have substantial non-infringing uses, and supervision or oversight of thousands of users seems impractical. However, a series of ISP liability cases in the 1990s called into question the responsibility of ISPs to police the infringing activities of their subscribers (Religious Technology Center v. Netcom 1995; A&M Records. v. Napster 2001). These decisions relied upon cases finding that the owners of real property where pirated media was sold at “swap meets” or “flea markets” were responsible for the infringing activity. (Fonovisa v. Cherry Auction 1996) These cases found that the proprietors of the flea markets turned a blind eye to unauthorized sales of music and video media, where the land owners had policed other activities of vendors at the flea markets. Analogizing ISPs to the owners of real property, some US district courts held that ISPs might similarly be secondarily liable if they did not actively police the conduct of users on their systems. In response to such decisions, ISPs successfully lobbied for passage of statutory provisions in the Digital Millennium Copyright Act that would provide at least conditional protection against secondary liability (17 USC §512 2006). The statute provides legal immunity against secondary liability to ISPs that comply with certain statutory requirements; most notably, the statute requires that ISPs publicly designate and provide contact information for an agent who can receive notices from copyright holders regarding allegedly infringing material (17 USC §512(c)(2) 2006). Various provisions of the statute address ISP activities that were anticipated to be potential sources of secondary liability, such as indexing or search services, hypertext linking, and storage or transmission of infringing content. But immunity does not attach in cases where the ISP had either knowledge of the infringing activity, or the ability to control the activity (17 USC §512(c)(1)(A)(iii) 2006). In creating the statutory safe harbor scheme, Congress did not displace the common law definitions of secondary liability. (Perfect 10 v. Amazon 2007). ISPs could be shielded from liability either by complying with the statute or by avoiding the elements of common law liability. ISPs can rely on the statute and the common law either concurrently or in the alternative. However, the statute requires that in order to take advantage of the statutory shield, an ISP either lack knowledge of the direct infringement, or lack the ability to control direct infringement on which liability might be predicated. Since lack of these same predicates would negate common law liability, the knowledge and supervision elements of the statute and the common law appear to be largely coterminous. Consequently, a good deal of the extant litigation involving the statutory safe harbor has focused on the knowledge requirement: when and how an ISP might have knowledge that might make the safe harbor unavailable. The statute contemplates two situations in which the knowledge imputed to an ISP might negate the safe harbor: either actual knowledge or knowledge of facts and circumstances from which infringing activity is apparent (17 USC §512(c)(1) 2006). The statute does not define either type of knowledge, although the legislative history suggests that the latter type of knowledge would arise from “red flags” that would lead a reasonable person Toward an Epistemology of ISP Secondary Liability 441 operating under similar circumstances to conclude that infringement is occurring (S. Rep. 105-190, 44 1998). Most of the judicial opinions generated from disputes over the statutory knowledge requirements have unfortunately confined themselves to the narrow issue of statutory notice, that is, actual or constructive knowledge gained by the ISP as a result of the notification requirements of the statute (Ellison v. Robertson 2004; ALS v. Remarq 2001). The cases consider when and whether notice of an alleged infringement to the ISP’s designated agent imbues the ISP with knowledge that would negate the safe harbor protection, and most especially the adequacy and specificity of notice under the statute. One court has called the proper delivery of statutorily compliant notice the strongest evidence of actual knowledge under the statute (Corbis v. Amazon. com, 2004). Conversely, it declined to hold that notice of infringement by one copyright owner could create a generalized knowledge of infringement sufficient to satisfy the knowledge requirement with regard to another copyright owner. In other words, the “knowledge” required under the actual knowledge provision of the statute contemplates a high degree of specificity regarding the particular copyright alleged to be infringed. The same holds true for the constructive or inferred knowledge provision. One might imagine that the “knowledge of circumstances” provisions would frequently give rise to the necessary statutory requirement, as a wide variety of suspicious activity on an ISPs system might inform a reasonable observer of infringement. However, courts have been reluctant to hold that suspicious situations or activities could act as so-called “red flags” that should alert ISPs to the presence of infringing materials or activities (Corbis v. Amazon 2004; Perfect 10 v. CCBill 2007; UMG v. Veoh 2009). Consequently there has been little consideration of possible alternative modalities of actual or constructive knowledge outside direct, statutory notice from a copyright holder. For example, in the recent dispute between Google and the owners of copyrighted video materials over the unauthorized uploading of video to the YouTube site, Viacom and the associated plaintiffs showed evidence that the founders of YouTube were aware that copyright infringement was likely to occur on their service (Viacom v. YouTube 2010). The trial court held that such general knowledge of infringement was insufficient for liability; knowledge of specific instances of infringing works was required. The court similarly declined to hold that generalized knowledge could constitute a “red flag” regarding infringement. Yet, the opinion gives little guidance as to the quality and quantity of information that will constitute statutory knowledge. Appellate review may give further direction as to the nature of “knowledge of circumstances” liability, but a comprehensive framework is lacking. As in previous “safe harbor” cases, the trial court in the Viacom decision placed considerable emphasis on YouTube’s reaction to infringing activity once it was given actual notice of the infringement by the copyright owners. Yet the question of ISP knowledge under the statute arises not merely when statutory notice is tendered to a designated representative, but when a given employee has information regarding copyright infringement on the system, when a message or communication regarding infringement is resident somewhere in paper or electronic files under the control of the ISP, or indeed whenever infringing material is itself resident somewhere on the system. That such information goes regarded or unregarded by any particular 442 D.L. Burk individual does not seem properly determinative of the quantum of accessible information that can or should be regarded as rising to the level of legally actionable knowledge. 4 Statutory Knowledge Thus, the knowledge requirement in the liability provisions entails a fairly difficult epistemological problem. This begins with certain issues of legal epistemology. Law is often occasioned on the knowledge or other mental state of those to whom it applies; although the law sometimes imposes strict liability for violations of its formal strictures, more often some degree of pertinent knowledge or intent is required for legal liability to attach. Culpable mental states range from negligence, where fault attaches to unexcused lack of consideration, to intentional activity, where some type of directed, willful volition is required. From a utilitarian standpoint, such scienter requirements calibrate liability to the actor’s ability to acquire, comprehend, and act upon socially relevant information; from a deontological standpoint, scienter attempts to calibrate liability to the actor’s moral culpability. Anglo-American criminal law is particularly rich in commentary exploring the problems created by this system. Knowledge and information are typically distinguished in epistemological discussions; often information is regarded as prerequisite to knowledge, but the latter is viewed as requiring some additional degree of cognition, application, contemplation, or awareness beyond the simple provision of information. Without detouring into that long and often tangled discussion, we can say that the legal terminology of the statutes under consideration is roughly commensurate with this type of analytical distinction. The meaning given to the language of any particular statute is a product of the intent of the legislature enacting it and of the adjudicator parsing it, but certain terms have become relatively standard, including those indicating a culpable mental state. Statutory provisions that involve “knowledge” or acting “knowingly” as the legal requirements for mental state generally contemplate not merely possession of information, but awareness or appreciation of the information. Among the well-known problems associated with legally requisite mental states is the simple determination of the presence or absence of scienter. Determining the knowledge or intent of a natural person can be challenging as a practical matter. It is essentially impossible to gather direct evidence as to the individual’s state of mind. Even advances in neuroscience, such as MRI scanning, that have sometimes been touted as direct evidence of culpable mental states in fact offer only indicia of thought processes—the chemical traces of cognition—not direct evidence of thought itself (Brown and Murphy 2010). Since, absent the discovery of some telepathic or mind reading technique, no direct evidence of knowledge or intent in another’s mind is possible, legal institutions proceed much as the common practice of humankind proceeds, drawing inferences from outward manifestations of utterances, actions, and writings. Legal standards typically take account of these various forms of indirect evidence from which knowledge or intent can be inferred. While there of course remain epistemic Toward an Epistemology of ISP Secondary Liability 443 problems with this approach, they are familiar problems, and we have at least a working understanding of what it means for an individual to have knowledge, awareness, and volition, and thus to be held to some standard of legal responsibility. Assessing the state of mind of a natural person under the law is an exercise that is, if not straightforward, at least relatively well-defined. Consequently, the logic and implications of a secondary liability knowledge requirement seem fairly manageable when the subject of the statutory provision is a natural person, as for instance in the classic case of the dance hall owners, mentioned above. The individual who engaged the musicians either had actual knowledge of the infringing music the musicians were playing, or was in the best position to gain actual knowledge of what was being played, and so constructive knowledge of the infringement was imputed to the employer. A similar logic might apply if an ISP is a sole proprietorships, where a natural person effectively is the ISP. The dance hall logic may not “scale” well, as managing the thousands of participants on an Internet system is far more resource intensive than overseeing a dance band, but the problem of how to assess the mental state of the proprietor does not change. But I assume here that the all or most ISPs will be organized in the corporate form—it is certainly possible that an ISP could be organized as some other legal entity, as a partnership or a sole proprietorship, but business exigency is likely to push ISPs, like other business entities, towards incorporation. And this organizational form drastically changes the calculus of secondary liability—or for that matter, of any liability. Legally, the corporation constitutes a person—not a natural person, but a juridical person (Ripken 2009; Dewey 1926). This is a legal fiction intended to facilitate certain business and policy goals, most particularly to separate the personal assets of individuals who invest in the corporation from the assets, held by the corporation, that are to be placed at risk for business purposes. As a person under the law, corporations are accorded many of the same benefits and responsibilities associated with natural persons. Corporations may acquire, possess, and alienate property— indeed this is one of their main purposes for existence. Corporations may be criminally or civilly liable for their activities, or for activities conducted in their name or under their authority. Corporations even have been accorded certain “human” rights that might be thought of as constitutive of personhood, such as a right to expression or freedom of speech, and a right to due process of law. However, as non-human entities, corporations also differ from natural persons in certain important attributes. Perhaps most significantly, corporations are effectively immortal—they do not die from natural cause or injury, and only cease existence when their legal recognition is dissolved. Corporations also lack a discrete physical situs for their instantiation. Typically some jurisdiction is designated as the place where the corporation legally “resides,” but this may be an entirely separate designation from where the corporation’s headquarters, facilities, personnel, or major assets are actually to be found. The individuals and objects that comprise the characteristics of the corporation may be widely, even globally dispersed, giving the corporation the odd quality of being simultaneously everywhere and nowhere. Thus, a statutory requirement that a corporation possess “knowledge” leaves a puzzle, or perhaps a contradiction, that the corporation has no discrete instantiation to which such benefits and responsibilities might attach, or to which punishments and penalties might be applied. The corporation cannot lose its freedom by 444 D.L. Burk confinement to prison. Similarly, although the corporation can be fined, or penalized through forfeiture of property, it is not cognizant of the loss. Corporations may be criminally liable for activity ascribed to them, but there is no capital punishment for their misdeeds—the corporation may be legally dissolved, and go out of existence, but it has no way to contemplate or to fear such a penalty. As a consequence, corporate deterrence must be derivative or indirect. The corporation cannot be directly encouraged or deterred from particular actions; rather, modifications in behavior must be directed at the humans who make up the corporate association. These individuals may also sometimes be legally liable in their personal capacity, but such responsibility is considered a separate matter from the liability of the firm they represent. Often the knowledge and actions of corporate employees will give rise to both personal liability and corporate liability; the same activity may trigger liability for each. But corporate employees may be liable in their in individual capacities for the actions that arise from their knowledge, even in cases where the same activity does not give rise to corporate liability (Langevoort 2006). And, conversely, the corporation may be separately liable for legal violations based on such activity, even in cases where the employees are not. Additionally, the corporation may of course be responsible for the knowledge and activities of its officers, directors, or other employees, under a theory of respondeat superior. The activity of employees or other agents may be imputed to the principal as its own. But this is a version of the vicarious liability theory mentioned previously; no actual knowledge of the activity is necessary on the part of the corporation, as the servants of the corporation are considered to be in some sense extensions of their master. 5 Aggregate Knowledge A much more difficult and distinguishably separate question is presented when the knowledge and activities of the officers, directors, or employees of the corporation is considered as indicative of the knowledge of the corporation itself. In its simplest form, the knowledge of a corporate agent and the knowledge of the corporation may be coterminous: if a given, single agent possesses legally requisite knowledge, then what that given agent knows is what the corporation knows. The problem becomes more difficult when the knowledge is distributed and no given agent possesses enough accessible, operative information to individually possess legally requisite knowledge. But the corporation is not coterminous with a given agent, and it may nonetheless be the case that if partial knowledge from several agents were aggregated and attributed to the corporation, that the corporation could be said to possess knowledge that no single corporate agent possesses. Indeed, this problem might be taken one step further to include the informational content of non-human as well as human corporate constituents. The corporation might be said in some senses to consist of the tangible and intangible assets that constitute its holdings: equipment, land, securities, cash, buildings, trademarks, paperclips, vehicles. To the extent that the corporation is defined by its assets and holdings, the data storage chattels within the control of the organization may form an additional repository of information that could be added to the tally of aggregate Toward an Epistemology of ISP Secondary Liability 445 knowledge. And this is in fact the problem scenario that presents itself most often in the case of ISP liability, where some type of infringing data or information exists on the ISP network, and some human agent is actually or potentially aware of its presence in such a way that the aggregation of human and non-human status adds up to corporate knowledge. The information content of such an organization is a study in complex sociotechnical relationships. Some information will reside in technical artifacts, such as documents, computer media, or even the arrangement of furniture and partitions within the spaces where corporate workers conduct their business. Other information will reside in the memories of individual workers within the organization. A further dimension of organizational information will reside in the social structure of relationships between workers. These repositories are porous and somewhat fluid, so that information may migrate between silicon memory, cellulose inscription, and carbon memory; or become reflected and reinforced in overlapping instantiations among artifacts, relationships, and individuals. Consequently, although some corporate knowledge may be formally codified as print text, or sequences of bits, much of the knowledge held by an organization will be tacit knowledge that goes uncodified, and is carried as electrochemical potentials in the brains of the personnel who make up the organization (Burk 2008; Gorga and Halberstam 2007). The corporate organizational structure itself may be yet another repository of tacit knowledge, as may the organization of physical spaces controlled by the firm, or the arrangement of equipment, furniture, and other objects within the firm’s physical environs. Legal imperatives are integral to this knowledge architecture; facilitating certain organizational arrangements, channeling information into codified or tacit repositories, and prompting the acquisition or divestiture of informational resources. In a similar vein, if we were to take a page from Actor Network Theory, we might describe the corporation as a network of physical and human resources that in becoming legally reified as a juridical “person” has effectively been transformed into a sociotechnical “black box” (Law 1992). Complex interactions occur within the boundaries of the box, but the law largely regards it as a discrete, monolithic entity, as for example in requiring it to have “knowledge” under certain statutory provisions. However, assessing knowledge typically requires us to look inside the box at the activities, status, and interactions of the network—we look at the e-mail or memoranda that circulate within the corporation, or at the statements or actions of personnel who populate the corporation. These are human and non-human actants that comprise the corporation, but it is the relationships between them that constitute the entity we call the corporation, and that determine the state of knowledge within that entity. The same might of course be said of natural persons, but in the case of humans, the box tends to be far more tightly closed. We have already observed that tracing the interactive relationships between components of the brain yields only the inference of thought, and such scrutiny of a natural person is the exception rather than the rule. The constitutive network of components that comprises the individual tends to be the subjects of physical and physiological scrutiny, rather than social and legal scrutiny. While we may sometimes infer the knowledge or intent of a natural person from the disposition of their legal relationships—the state of items or resources under their 446 D.L. Burk control, the authoritative statements from social institutions about their status—we typically do not think of the natural person as constituted of components that entail their own legal and moral agency. It is the corporate juridical person that typically invites informational scrutiny via decomposition into its discrete elements. Certain dimensions of this problem are already well known. It is reflected in legal precedent involving analog storage of information, in media owned or controlled by a corporate entity. For example, in the landmark decision Smith v. California (1959), the US Supreme Court held that the burden of legally requiring a decompositional examination was incompatible with the goal of free speech under the First Amendment to the Constitution. In that case, a bookseller had been criminally charged with possessing as part of his sales stock a book that was deemed obscene; the store owner was unaware of the offensive nature of the book until it was called to his attention by local law enforcement officials. The Court held that the bookseller could not be charged with an obscenity violation for merely possessing illegal materials somewhere among his business assets; until he as a natural person knew or had reason to of the nature of the printed material, he was not responsible for the informational content. To hold otherwise, the Court reasoned, would impose on the distributors and sellers of print media the burden of searching a large volume of printed information for obscenity, which would impeded the free flow of information protected under the Constitution. This rationale could similarly apply in the case of ISP liability; in the case of secondary copyright liability, it has been suggested that the burden of monitoring network content constitutes a burden on conduits of speech comparable to the burden found impermissible in Smith v. California (Yen 2009; Tushnet 2009). This argument seems doctrinally sound, and underscores one practical difference between corporate and individual knowledge; the composition of knowledge within a corporate entity entails a burden of introspection not typically associated with natural individuals. But it also highlights key differences between two types of information storage within the corporation—that instantiated via inanimate objects and that instantiated in human grey matter—and how the legal liability for knowledge need not be coterminous with its repository. While recognizing the difference, the doctrine leaves us with no general rule as to how and when such repositories might either together or separately constitute corporate “knowledge.” 6 Alternative Examples This problem of corporate knowledge is of course by no means confined to the legal requirements for Internet Service Providers or to the field of intellectual property; the problem is far broader and deeper than that. Legal responsibility, and hence potential liability, for corporate entities arises in myriad contexts, including activities that are regulated under environmental law, employment law, various areas of commercial and business law, personal injury, and even criminal law. Many statutes in these and other areas articulate a standard of knowledge, or intent, or other mental state in order to be applicable. Although some statutes are written with corporations in mind, often the statutes apply to both natural and juridical persons. The ISP liability provisions are fairly typical in this respect. Toward an Epistemology of ISP Secondary Liability 447 If the DMCA safe harbor provisions are unexceptional in requiring a corporation to have knowledge in order to trigger a statutory provision, then the lack of judicial scrutiny of this particular requirement might seem to be less of an issue. Many statutes incorporate a knowledge provision; all such knowledge provisions entail some conception of corporate knowledge. The solutions reached under those provisions might at least inform, and perhaps be entirely grafted onto the DMCA safe harbor analysis. Thus, one might anticipate simply applying to the ISP liability statute the standards or methodology common to many other such statutes, and reaching a result that indicates what “knowledge” might mean in the context of the specific statute under consideration. But, surprisingly, little or no consideration has been given to this problem in the context of any statute. Although there was some dispute at the beginning of the 20th century over whether a corporation could have a separate personality, or was merely the aggregation of individual personalities, that discussion largely disappeared without resolution (Ripken 2009; Dewey 1926). Instead, the law has as a practical matter assumed that corporate knowledge must be imputed to the corporate entity from the knowledge held by its officers and agents (Mizzaro v. Home Depot 2008; Apollo Fuel Oil v. United States 1999). Knowledge of a corporate employee is not necessarily imputed to the corporation; rather a legally recognized agency relationship is required (Fletcher Cyclopedia §789 2011). Such relationships arise where the agent has authority to contractually bind the corporation; mere employment by the corporation is not enough. Any knowledge imputed to the corporation from the agent must be obtained both within the scope of the agency, and in instances where the agent is acting as an agent (United States v. Josleyn 2000). Much of the reasoning behind imputing an agent’s personal knowledge to the corporate entity is based on the fiction that, because agents have a duty to inform their principal of information obtained while acting as an agent, the agent would “inform” the corporation of such knowledge (Fletcher Cyclopedia §793 2011). Conversely, courts cannot impute to the corporation knowledge outside the scope or activity of the agency because they cannot presume the agent would inform the corporation of such information. Casually acquired information may be imputed to the corporation if obtained in close temporal or substantive proximity to the agent’s area of authority, on the theory that the agent would remember it when returning to the agency (Fletcher Cyclopedia §791 2011). However, when a third party explicitly provides an agent with information, even if the agent is not acting as an agent in the area to which the information pertains, courts may impute such information to the corporation. This conceptual separation of agent and principal is pervasive in the law of corporate scienter. In a similar vein, where the agent with knowledge has an adverse interest to that of the corporation, the agent’s personal knowledge is not imputed to the corporation, on the rationale that a court can no longer presume that an agent will communicate information to the principal when its interests are adverse to that of the principal (Fletcher Cyclopedia §790 2011). But courts have recognized an exception to this rule when the agent has sole responsibility for a particular matter. In such instances the fiction breaks down; even if the agent’s interests are adverse to that of the corporation, when the agent is solely responsible for a transaction on behalf of the corporation, the agent is in effect the principal, and so unaccountable to anyone else (Fletcher Cyclopedia §827 2011). 448 D.L. Burk Some movement toward a truly corporate notion of corporate knowledge emerges from examination of recent cases under the Private Securities Litigation Reform Act. This statute governs procedures for corporate shareholders to bring class actions under federal laws prohibiting corporate fraud (17 C.F.R. §240.10b-5 2010; 15 U.S.C. §78j 2006). The underlying corporate fraud statutes prohibit corporations from attracting investment by making a misleading statement or omission of fact. The misrepresentation must be accompanied by scienter, by a state of mind that includes knowledge that the act or omission was misleading (15 U.S.C. §78u-4(b) 2006). Typically, congruent with the general rules of corporate knowledge described above, courts have required that plaintiffs pleading such cases show that a particular individual, acting as a corporate agent has made the statement or omission with the requisite scienter. However, courts have in some cases recognized or adopted a theory of collective knowledge that aggregates acts and knowledge from different corporate actors, and imputes this combined status to the corporation. For example, where corporate spokespersons assert that the company’s product is safe, and the CEO of the corporation knows that the product is unsafe, even though the CEO made none of the statements about safety, the statements by one corporate agent may be combined with the knowledge held by the CEO to meet the requirements of the statute (City of Monroe Employees Ret. Sys. v. Bridgestone 2005). Similarly, certain courts have allowed “group pleading” in such fraud cases, whereby statements made on behalf of the corporation need not be identified with particular natural persons, but rather may be considered an act of the corporate entity (Wool v. Tandem Computers 1987). This stance is controversial, and some courts have rejected it outright in favor of the familiar rule that only natural persons can have a state of mind, even if that state of mind is imputed to the corporation they represent (Southland Sec. Corp. v. INSpire Ins. Solutions 2004). Several other courts have held the door open for aggregate action and corporate scienter, holding that such collective status is in theory permissible, even if not satisfied in the immediate case before them (Makor Issues & Rights v. Tellabs 2008; Glazer Capital Mgmt v. Magistri 2008). This recognition of the potential for corporate scienter, together with the few cases actually adopting the rule suggest that the law may be evolving toward recognition of something like corporate knowledge. But there is as yet no underlying theory of how such knowledge exists, and where it resides, let alone how to recognize it, that might guide the development of such law. 7 Defining a Framework Before the law can properly account for the “knowledge” of an ISP regarding the potentially infringing activity of its subscribers or users, there needs to be some more general understanding of corporate knowledge. The cases regarding private securities litigation suggest that the courts in that area are groping toward some concept of aggregate or communal knowledge, but there remains a deficiency of guiding principles or framework to facilitate such a project. Consequently, I suggest here two existing frameworks that seem to me promising in their potential for delineating the corporate boundary and the relationship of information within that boundary to the “knowledge” state of the corporation. These seem to me to offer the Toward an Epistemology of ISP Secondary Liability 449 potential for a conceptual foundation upon which a coherent legal doctrinal structure might be erected. The first of these approaches arises out of the thinking of John Searle, who in his recent work has begun examining the nature of social concepts and institutions, including the nature of the corporation. Searle has spent a good part of his career expanding and refining the theory of illocutionary or performative statements first articulated by Austin. Most recently, Searle argues, not surprisingly, that reified social concepts such as money, marriage, or a corporation, are brought into being and given form as speech acts (Searle 1995, 2010). Searle suggests that corporations and similar social structures take their social substance from performatives of the category that he has labeled the declaration. That is to say, a declaration in the form of a charter or articles of incorporation, asserting that a corporation now exists, imposes a certain status function on a collection of people and assets, where no such status existed before. According to Searle, declarative speech acts impose a type of collective recognition of status on a collection of people and objects, such as those that comprise a corporation (Searle 2010). This recognition confers on the collection of items a social status that it would not otherwise have by virtue of their items’ physical properties. Emerging out of a collective intention to recognize the formation of a new social entity, such a status state entails a collection of rights, responsibilities, and entitlements that define character of the social entity. In the case of the corporation, such “deontic powers” include the trappings of legal personification discussed above. Searle has been criticized, perhaps justifiably, for seeing speech acts in almost every conceivable human interaction—not only utterances and symbolic indicia but gestures, motions, and other intentional actions have some semantic content, and so seem to qualify as performative in some sense (McGinn 1997). The underlying complaint is a failure to credibly distinguish a speech act from any other type of act that may be intentional, but not necessary illocutionary, or even communicative. Searle’s articulation of speech act theory seems to lack a robust definition of its central principle that would allow us to determine exactly when the semantic content of a particular action distinguishes it from routine or non-performative acts. Searle’s approach, in other words, consistently seems to prove too much. But even if Searle has sometimes overstated the case for the provenance of speech acts, this does not negate the case for considering his framework where plausible, under better-defined circumstances, and, in particular, for considering his argument in the case of corporate definition. Certainly, a charter or articles of incorporation implement a collective recognition of status for the elements of a corporate entity. Perhaps more importantly, the subsequent actions of individuals representing and treating with the corporation might be said to entail semantic content that asserts or at least assumes that a corporation exists with certain attributes, including certain informational content. The knowledge content of employee performatives could be considered indicative, or even definitive, of corporate knowledge, particularly when such activity is considered in the aggregate. Indeed, the courts considering statements and actions of corporate employees in the securities cases reviewed above appear to be groping their way toward just such a distinction. 450 D.L. Burk This suggests that the concept of corporate performativity may be best viewed from the bottom up, beginning at the stratum of individual agent’s performances. Like a fractal pattern that displays the same repeated configuration at increasingly fine levels of resolution, the corporate entity may be comprised not merely of a grand, definitive speech act at the macro level—that is to say, by the articles of incorporation or other declaration that brings the organization into legal existence— but comprised of speech acts at the micro level. In other words, the fiber of the corporation may be comprised of myriad accumulated actions from which one can determine, either directly or indirectly, the information content of the corporate entity. Searle may offer a framework that allows us to define an organization as a composite performative object; once we know the character of such an object, we can begin to recognize its boundaries. A second, and perhaps even more promising avenue of research may lie in the application of information ethics to the question of corporate epistemology. Information ethics as a school of philosophical thought arises largely out of the work of Luciano Floridi, his collaborators, adherents, and critics. Under this framework, the world is considered in terms of its informational content; the totality of existence is contemplated as a combination of informational objects or processes (Floridi 1999). Objects, whether material or immaterial, are viewed as data clusters operating within an information environment, or infosphere, behaving, reacting, and interacting with other stimuli from the environment or from other informational objects. The informational content of an object defines its state, including its identity and its attributes. Such attributes may a range of functions including moral agency. This view of informational agents within an informational environment presents a promising approach to the present problem in part because its proponents have explicitly contemplated application of the framework to non-human entities. Information ethics thus constitutes a broadly applicable framework for agency and responsibility (Floridi and Sanders 2004). When described informationally, the class of active and moral agents need not be confined to human agents, or even to living systems. Important to the program suggested here, Floridi has argued that corporations and other organizations may constitute information agents within the infosphere, although this aspect of the framework remains largely nascent or unrealized (Floridi 1999). However, the challenge is not simply to explain the agency of the corporate entity. Under the law, the corporation functions not merely an agent, but as a juridical person. Some have supposed that the application of information ethics to non-human persons must await the advent of strong AI or other autonomous artificial entities, but the corporation immediately presents an example of a non-human, juridical person that begs for application here and now. Indeed, as suggested by the discussion of agency above, corporate entities pose a possibly counter-intuitive situation; rather than non-human agents such as robots or software agents, acting in the service of humans, corporate agency assumes human agents acting in the service of a non-human entity—the corporation. What I have outlined here suggest that the tenets of information ethics may be applicable at several levels to resolve conceptual problems I have suggested above. Considering the corporation as an informational agent may allow us to address the first fundamental problem of corporate knowledge by defining the informational Toward an Epistemology of ISP Secondary Liability 451 boundary of the corporation. In order to do so it will be necessary to give an account of information objects wherein some information constitutes the entity, and other information is processed, contemplated, or “known” by the entity. Some information comprising an information object, including informational agents, will be status information that defines the character and structure of the object—the spin of electrons, the bonding of molecules, the encoded information of DNA, the structural folding of proteins, the density of bone mineral, the signaling of autonomic neurons. In the case of sentient agents, other information will be cognizably accessible for action or contemplation. A key component of such the program I suggest will be developing a framework to differentiate such information. Collective entities, such as an organization or corporation, present a special configuration of status and cognizable information, as some cognizable information, such as that held by a given employee, will be accessible by the sentient components of the entity, but not necessarily by all sentient components of the entity. Other information that comprises corporate status information, particularly uncodified information, may be either inaccessible or unaccessed by the sentient components of the entity. The accessibility of status and cognizable information and should determine the entity’s knowledge state at any given time, as for example when information regarding copyright infringement is resident on an ISP’s system. A methodology for assessing the knowledge status of an organization at such moments would provide a foundation to build on in order to develop legal theories of agency and, ultimately, liability. 8 Conclusions As matters stand now, Anglo-American law provides little in the way of a conceptual framework for addressing its own doctrinal requirements for corporate knowledge. Even without such a framework, courts can and do muddle along, applying knowledge-based statutory provisions of the DMCA to the situations before them. But this leaves ISPs in substantial uncertainty as to when and whether information regarding copyright infringement will rise to the level of “knowledge” under either the statutory safe harbor provisions or the common law definitions of secondary liability. As I indicated at the outset of this essay, I have focused on one American statute as emblematic of the problem. But the difficulty I have identified is neither geographically nor substantively isolated. ISP responsibility based on imputation of corporate knowledge extends beyond copyright liability, not only to other forms of intellectual property infringement, such as trademark and counterfeit goods, but to liability for violations of privacy, hate speech, and defamation. Given the global nature of ISP operation, liability in these many substantive areas may lie under the law of multiple jurisdictions. To choose only one recent, prominent example, Google executives were recently held criminally liable for privacy violations due to a video, uploaded to YouTube, depicting harassment of an autistic school child (Sartor and de Azevedo Cunha 2010). Certainly, the three executives being held criminally liable had no actual awareness of the video; neither did the employees responsible for removal of 452 D.L. Burk the video have actual knowledge of its presence until Italian police requested it be taken down, which occurred within a few hours of the notice. The thus case hinges on how much knowledge or awareness regarding the video is ascribed to the corporation—and, by imputation, to its officers—in the weeks between upload and notification. A conceptual framework of corporate epistemology such as that suggested here could be applied not merely in the copyright context, or in the American context, but as a foundation toward resolution of a variety of international situations, such as the Italian privacy case. Application of the framework in any given jurisdiction will require doctrinal development regarding the indicia of corporate knowledge: burdens of proof, standards of admissibility, and the like. But courts are equipped and accustomed to developing such implementations once they have the framework, and I hope here to have enabled the first steps toward such a framework. Although we cannot expect to shoehorn a comprehensive theory of corporate epistemology into a brief article such as this one, I hope to have fairly laid out the problem and charted some tentative course toward a solution. That beginning will perhaps provide both a basis and some impetus toward further work defining ISP responsibility in situations of copyright infringement and beyond. Acknowledgments The author wishes to thank James Chang for helpful research assistance and two anonymous reviewers for helpful remarks. Open Access This article is distributed under the terms of the Creative Commons Attribution Noncommercial License which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited. References 15 U.S.C. §78j (2006). 15 U.S.C. §78u-4(b) (2006). 17 C.F.R. §240.10b-5 (2010). 17 U.S.C. §512(c)(1) (2006). 17 U.S.C. §512(c)(1)(A)(i) (2006). 17 U.S.C. §512(c)(1)(A)(iii) (2006). A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001). ALS v. Remarq, 239 F.3d 19 (4th Cir. 2001). Apollo Fuel Oil v. United States, 195 F.3d 74 (2d Cir. 1999). Bright Tunes Music v. Harrisongs Music, 420 F.Supp. 177 (S.D.N.Y. 1976). Brown, T., & Murphy, E. (2010). Through a scanner darkly: functional neuroimaging as evidence of a criminal defendant’s past mental states. Stanford Law Review, 62, 1119–1208. Burk, D. (2008). The role of patent law in knowledge codification. Berkeley Technology Law Journal, 23, 1009–1034. City of Monroe Employees Ret. Sys. v. Bridgestone Corp., 399 F.3d 651 (6th Cir. 2005). Corbis v. Amazon.com, Inc., 351 F.Supp.2d 1090 (W.D.Wa. 2004). Dewey, J. (1926). The historic background of corporate legal personality. Yale Law Journal, 35, 655–673. Dreamland Ball Room, Inc. v. Shapiro, Bernstein & Co., 36 F.2d 354 (7th Cir. 1929). Elkin-Koren, N. (2006). Making technology visible: liability of internet service providers for peer-to-peer traffic. New York University Journal of Legislation and Public Policy, 9, 15–71. Ellison v. Robertson, 357 F.3d 1072 (9th Cir. 2004). Fletcher’s Cyclopedia Corporations (2011). Vol 3. Eagan, MN: West Publishing. Floridi, L. (1999). Information ethics: on the philosophical foundation of computer ethics. Ethics and Information Technology, 1(1), 33–52. Toward an Epistemology of ISP Secondary Liability 453 Floridi, L., & Sanders, J. W. (2004). On the morality of artificial agents. Minds and Machines, 14(3), 349– 379. Fonovisa, Inc., v. Cherry Auction, Inc., 76 F.3d 259 (9th Cir. 1996). Glazer Capital Mgmt., LPv. Magistri, 549 F.3d 736 (9th Cir. 2008). Gorga, E., & Halberstam, M. (2007). Inputs, legal institutions and firm structure: towards a knowledgebased theory of the firm. Northwestern University Law Review, 101, 1123–1205. Langevoort, D. (2006). Reflections on scienter (and the securities fraud case against Martha Stewart that never happened). Lewis & Clark Law Review, 10, 1–17. Law, J. (1992). Notes on the theory of the actor-network: ordering, strategy and heterogeneity. Systems Practice, 5, 379–393. Makor Issue & Rights, Ltd. v. Tellabs Inc., 513 F.3d 702 (7th Cir. 2008). McGinn, C. (1997). Contract with reality. In Minds and bodies: philosophers and their ideas (pp. 191–195). Oxford: Oxford University Press. MGM Studios, Inc. v. Grokster, Ltd. 545 U.S. 913 (2005). Mizzaro v. Home Depot, Inc. 544 F.3d 1230 (11th Cir. 2008). Perfect 10 v. Amazon, 487 F.3d 701 (9th Cir. 2007). Perfect 10 v. CCBill, 488 F.3d 1102 1112 (9th Cir. 2007). Religious Technology Center v. Netcom On-Line Communications Services, Inc., 907 F.Supp. 1361 (N.D. Cal. 1995). Ripken, S. K. (2009). Corporations are people too: a multi-dimensional approach to the corporate personhood puzzle. Fordham Journal of Corporate & Finance Law, 15, 97–177. S. Rep. 105-190, 105th Cong., 2d Sess. (1998). Sartor, G., & de Azevedo Cunha, M. V. (2010). The Italian Google-case: privacy, freedom of speech, and responsibility of providers for user-generated contents. International Journal of Law and Information Technology, 18, 356–378. Searle, J. (1995). The construction of social reality. New York: The Free Press. Searle, J. (2010). Making the social world: the structure of human civilization. Oxford: Oxford University Press. Smith v. California, 361 U.S. 147 (1959). Sony Corporation of America v. Universal City Studios, Inc., 464 U.S. 417 (1984). Southland Sec. Corp. v. INSpire Ins. Solutions, Inc., 365 F.3d 353 (5th Cir. 2004). Tushnet, R. (2009). Power without responsibility: intermediaries and the first amendment. 76 George Washington Law Review, 76, 101-131. UMG v. Veoh, 665 F.Supp.2d 1099 (C.D.Cal. 2009). United States v. Josleyn, 206 F.3d 144 (1st Cir. 2000). Viacom International, Inc. v. YouTube, Inc., 718 F.Supp.2d 514 (S.D.N.Y. 2010). Wool v. Tandem Computers, Inc., 818 F.2d 1433 (9th Cir. 1987). Yen, A. C. (2000). Internet service provider liability for subscriber copyright infringement, enterprise liability, and the first amendment. Georgetown Law Journal, 88, 1833–1893. Yen, A. C. (2009). A First amendment perspective on the construction of third party copyright liability. Boston College Law Review, 50, 1481–1501. 454 D.L. Burk View publication statsView publication stats