Content liability is perhaps the first legal issue that comes to mind when analyzing the use and abuse of Tor. A recent example dates back to 2012 when Austrian police raided the flat of William Weber in Graz and seized the computer hardware located there, which he had used to control Tor exit nodes physically located abroad. Some unknown users of Tor had used his exit nodes for downloading child pornography. The authorities suspected Weber of doing the downloading himself, presumably because they were not aware that the exit nodes were not the final destination of the files. Weber was ultimately convicted on 30 June 2014 to a three-month jail term suspended for a three-year supervision period for aiding and abetting the distribution of child pornography. Although this was only the verdict of a lower court, Weber decided not to appeal it, citing financial and personal reasons, so the case will not undergo further juridical scrutiny.
In Austria, the intent is a necessary element of criminal responsibility for aiding and abetting. In the judgment, the regional criminal court in Graz accepted several quotations by the defendant from a chat saying ‘you can host child porn on our servers and ‘if you want to host child porn … I would use Tor’ as the proof of the defendant’s indirect intention to aid an unknown perpetrator in the distribution of child pornography, despite Weber’s claims that these quotations were taken out of context. The court’s decision ‘highly depended on the special circumstances of the case [and] cannot be seen as a general ruling against Tor services,’ said Maximilian Schubert, general secretary of the Austrian Association of Internet Service Providers.
The Weber case thus highlighted but left unanswered a very interesting legal question with an EU- wide significance: is the Tor exit node operator protected from civil and criminal liability by the clause on ‘mere conduit’ from Article 12 of the E-Commerce Directive?
A Tor exit node operator easily fulfills the conditions listed under Article 12 paragraph 1(a) to © of the E-Commerce Directive. In a standard situation, the node acts as a true relay, and the operator does not interfere with the transmission. However, we must examine two additional conditions from paragraph 1: is the Tor exit node operator a ‘service provider’? And is the provision of a Tor exit node an ‘information society service’?
Article 2 of the Directive defines ‘service provider’ as ‘any natural or legal person providing an information society service’ and ‘information society services’ by reference to Article 1 paragraph 2 of Directive 98/34/EC162 as amended by Directive 98/48/EC as ‘any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services…’.
The definition provides a detailed interpretation of three of its conditions, which are easy for a Tor exit node to fulfill. Still, the wording ‘normally provided for remuneration’ remains difficult to interpret for Tor, which is by its nature a free service. In a judgment from 11 September 2014 (C‑291/13), the Court of Justice of the European Union (CJEU) provided only a limited interpretation by stating that ‘the concept of “information society services,” within the meaning of that provision, covers the provision of online information services for which the service provider is remunerated, not by the recipient, but by income generated by advertisements posted on a website.’ This explanation is fully in line with previous European Commission statements, but it does not help determine Tor exit nodes’ legal status.
In an ongoing case, the CJEU (7 O 14719/12)165 has been requested to assess what is meant by ‘service normally provided for remuneration. The judgment of the CJEU is hard to predict, but it will certainly affect how Tor is seen as a service provider. If the CJEU decides that mere conduit cannot be applied to free services, even by analogy, then a question arises about the viability of free services, whose providers would then be responsible for the transmitted data. This would put the EU in an awkward position by comparison to the US, where safe harbor rules for all ISPs are well-established. As a possible solution, a study commissioned by the European Commission’s Information Society and Media Directorate-General recommends adopting a different criterion if the ambiguity would not be resolved by case law. However, this would require changing the Treaty on the Functioning of the European Union, which contains a cross-cutting definition of ‘service’ in Article 57,168, so it may yet take considerable time.