Record company executives the world over may not be enduring quite so many sleepless nights now, but the dreaded N-word continues to have profound implications for those involved in the music industry and the delivery of on-line digital media.
Despite the best efforts of the United States Court of Appeals for the Ninth Circuit and the Recording Industry Association of America, the real legacy of Napster is not that conventional copyright protection has been upheld. It is rather than a new music format, and the means to deliver and share that format, has gained immediate acceptance with a world-wide audience. Sony et al would rather you bought CDs from them; upwards of 60 million uses, not all of whom were Californian college students attempting to subvert the moral fabric of the Universe, felt otherwise. Music will continue to exist on hard drives, therefore, and will continue to travel between these hard drives via the Internet.
ISPs, for whom liability for the actions of their customers and users is already a key issue, are now looking for reassurance that they are protected form the legal implications of Napster-style activities. This article outlines the extent to which such protection is currently available in the UK and how forthcoming legislation is likely to affect them.
Source of Liability
As, logically, an ISP can only face potential liability for the activities of its users where those users are liable for copyright infringement, the first step is to determine what liability, if any, a Napster-style service and a pure peer2peer file-sharing service might face in the UK.
In respect of Napster, ISPs face two potential sources of liability:
for the acts of Napster itself;
for the acts of Napster's users.
Conceivably, the same ISP would host both the service and the service's customers, and for the purposes of this article it is convenient to assume that this is the case.
The first of these potential sources of liability falls away for those companies who simply supply the software to enable peer2peer file-sharing to take place but then take no active part in the activities of their users; if, for example, they do not store search requests on their central server (as is currently the case with Fasttrack and Gnutella). Unlike Napster, these companies tend to be unconnected with the file-sharing activity that their software facilitates. However, in the case of suppliers of peer2peer software such as AudioGalaxy Satellite (where search requests remain in the software provider's database indefinitely) there may well be a liability on similar grounds as Napster might face.
Why would a copyright holder seek to enforce its rights against an ISP rather than the individual directly responsible for the infringement? First there is the issue of identity. ISPs tend to be fixed corporate entities with registered addresses and a generally established presence and profile. Users, particularly of peer2peer file-sharing software, are invariably individuals who can be difficult to trace, particularly if the infringing material is stored on a laptop or PDA. Secondly, the ISP is more likely than the individual user to have the financial resources to meet any judgement made against it; you stand a far better chance of getting your money from AOL or Netcom than you do from an individual file-sharer.
Napster and UK law on copyright
Napster, to recap, created software allowing Internet users logging on to its website the ability to search and obtain MP3 files of music held on the computers of other users also connected to the Napster site at the same time. Napster does not receive, copy or store these files itself on its own server. But it does provide search capabilities and hyperlinks to its users' computers. As part of this search capability function, Napster contains a list setting out all the MP3 files stored in any user's hard drive that is connected to the Napster site at any one time. This provides Napster's users with the ability to locate a particular MP3 file relatively quickly and thus download and duplicate that file onto their own hard drive, from where it can be further copied to any of the established analogue or digital carrier formats. It is this function that could prove critical in assessing Napster's liability under current UK copyright law.
The Copyright Designs Patents Act 1988 ("the CDPA")
The CDPA is, at the time of writing, the core legislative provision in the United Kingdom concerning copyright, copyright protection and copyright infringement. It sets out:
how a work qualifies for copyright protection;
who the rightful copyright holder is;
the specific acts in respect of a copyright work that only that copyright holder (or their authorised delegate) is authorised to undertake; and
how copyright infringement can arise in respect of the protected works.
MP3 music files generally include 3 such works (as defined under Section 1 of the CDPA) that are entitled to copyright protection:
Copyright in the musical composition of the song;
Copyright in the lyrics of the song as a literary work;
Copyright in the sound recording of the performance of the music and the lyrics.
Sections 9-11 of the CDPA establish who the copyright owner is in a particular work. Section 16(i) sets out a list of the primary acts in respect of the copyright work that are the exclusive domain of the copyright holder. In summary these are:
the right to duplicate the work;
the right to distribute the work;
the right to perform the works in public;
the right to broadcast the work; and
the right to include the work in a cable program service.
Where these acts are carried out without the consent of the copyright owner then this amounts to "primary infringement". Where an offence of primary infringement is alleged, it is immaterial that the infringer had no knowledge that the acts they were performing were infringing acts.
Given, as we have seen, that Napster does not copy, store, distribute or broadcast copyright works itself, it would appear at first sight that it is not in the business of primary copyright infringement.
However, copyright will also be infringed where a person authorises the acts set out in Section 16(i) without the consent of the copyright owner. Case law suggests that authorisation arises from one who has, or purports to have, authority as a copyright owner themselves or of the genuine copyright holder - simply encouraging or facilitating infringement without that authority is not generally held to be sufficient to establish primary infringement (as per Whitford J in CBS Inc. v Ames Records & Tapes Limited  CH.91 at 106, approved in Amstrad Consumer Electronics Plc v The British Phonographic Industry  FSR 159 CA and CBS Songs Limited v Amstrad plc  A.C. 1013 HL).
Therefore there is an argument, consistent with the judgments given in these cases, that simply providing software that enables file-sharing to take place will probably not amount to authorisation. This will be particularly so if, as with Napster, the standard notices are included on the software provider's site purporting to require users to obtain the consent of copyright owners as a condition of use.
However, I think that a Napster-style service can be distinguished from these cases. The subject matter of Amstrad Consumer Electronics plc v British Phonographic Limited and CBS Songs Limited v Amstrad plc was dual cassette recorders. The allegations made were that such recorders would be used to make copies of copyright protected sound recordings. The House of Lords held that while twin cassette recorders had the potential to be used for infringing purposes, they might equally be used for other substantially non-infringing purposes. Not all the material duplicated on a dual cassette recorder would be copyright protected, and even if it were, then the owner of the copyright would in all likelihood be the person duplicating that work.
Additionally, Amstrad was held not to be a joint infringer with those who used the machines to make unlawful copies since it was shown that they had no control over the uses to which these machines were put. Where Napster may be distinguished from Amstrad is that Napster retains on its server the ability to locate MP3 music files on the hard drives of its users currently on-line and provides links to these files. Indeed, it was this very technology that the US District Court relied on when, in its judgment, it instructed Napster to find offending files and block them to prevent further copies being made.
Moreover, in a practical sense, whilst it remains very easy to record directly on to an analogue audio cassette, the quality of such recordings tends in general not to be of a particularly high standard. That quality would be further compromised by repeated duplication as analogue signals degrade with each copy made. Napster exists in the digital world. While it is becoming progressively easier to record on to a digital format without the need for sophisticated recording techniques and tools, it nonetheless remains a more difficult process compared to that of simply pressing "play and record" on a cassette tape machine and speaking into the condenser microphone located in the machine itself.
In practise, therefore, there will be a number of people who will make home recordings of their own music or speech in a digital format and be very happy for these recordings to be launched into cyber space for all and sundry to acquire. The commercial reality, however, is that the overwhelming uses to which file-sharing will be used will be for copying commercially available, copyright protected works. In other words it would, I feel, be hard for Napster to show that its product has similar substantial non-infringing uses to those successfully argued by Amstrad.
These distinctions are not necessarily fatal to Napster's defence of its activities under UK Copyright Law (had the matter ever been put to the test) and certainly the arguments raised by the cases set out above should always be borne in mind. However, given that the highly visible net effect of Napster software is the duplication of copyright works and given also the fact that Napster itself could be shown to have a degree of control over these MP3 files to the point where this may be considered authorisation for the purposes of the CDPA, then it cannot be safe to say that the conclusions of the House of Lords in the Amstrad case could necessarily be applied to Napster.Secondary Infringement
In addition to primary infringement, CDPA allows for "secondary infringement"; invariably these are acts in respect of dealing with infringing copies, and unlike primary infringement, require some evidence of knowledge on behalf of the infringer. The provisions regarding secondary infringements of copyright are set out in Sections 22 to 27 of the CDPA. Of these, Napster would most likely fall foul of the provisions set out in Section 24 ("Secondary Infringement: Providing means for making infringing copies").
Section 24 (1) provides a cause of action against persons dealing with articles specifically designed or adapted for making copies of a work, knowing or having reason to believe that it is to be used to make infringing copies. This will always be a matter of evidence - it would have to be proved that the intention of the "device" (in this case file-sharing computer software) was that it should be used for the purpose of making infringing copies of copyright works. Ironically, the very notices that Napster posted on its website warning potential users of the dangers of copyright infringement and requiring users to obtain the consent of the copyright owners as a condition of use could be interpreted as evidence that Napster did believe, or had good reason to believe, that its software could be used for the purposes of making infringing copies.
So would Napster be guilty of primary infringement for authorising infringing acts or secondary infringement under Section 24(i)? Until tested in the courts, there can be no sure answer to this question. But it might be argued that there is a clear inconsistency where a provider of software used universally and frequently for the purpose of duplicating copyright material remained outside the scope of legislation designed to protect such copyright works.
Fortunately the position governing Napster users is much clearer. To make use of the file-sharing service, a user has to place a copy of the copyright work first on their hard drive and then make it available for onward transmission over the Internet.
It is an infringement of the CDPA for anybody to make or acquire a copy of a copyright protected work (for example, a CD) for any purpose, even where that person has purchased the CD and simply wishes to have it on another more convenient format (for example, a cassette). This is known as "space-shifting" and in this respect, United Kingdom copyright law is currently fundamentally different to that of the US and parts of Europe. Indeed, part of Napster's defences in the US was that file-sharing is simply the natural extension of "space-shifting", a practise recognised by US copyright law.
In the context of Napster, space shifting occurs when a user downloads MP3 music files in order to listen to music he already owns on CD. In The Recording Industry Association of America (RIAA) v The Diamond Multimedia Systems Inc [180F.3d 1072 (Ninth Cir. 1999)] it was held that the Rio MP3 player did not infringe copyright as it merely allowed portable or space shifted copies to be made of music purchased by a user in the form of a CD and copied (legitimately) onto that user's hard drive for non-commercial personal use. In a later case concerning video recordings (Sony v Universal City Studios [464 US 417 (1984)]) it was held that time shifting, where a video tape recorder owner records a TV show for later viewing, was personal use.
Napster's argument that file sharing equated to "space shifting" was rejected by the US Courts, on the grounds that the method of space shifting in the Diamond and Sony cases did not simultaneously involve distribution of the copyrighted material to the general public - in other words, copyright material that had been space shifted still remained within the control only of the original user. With Napster, once an MP3 is made available on one user's hard drive then the file is available to all other Napster users then currently on-line.
This judgment is relevant to United Kingdom law. There is a curious anomaly here, in that section 70 of the CDPA permits "the making for private and domestic use of a recording of a broadcast or cable programme for the puropse of enabling it to be viewed or listened to at a more convenient time". The CDPA does not, however, recognise space-shifting as a permitted use. In other words, you are perfectly within the law if you make a copy of a TV programme that you have not paid for provided this is for personal use, but you are breaking the law in copying a CD that you have paid for, irrespective of the intended use.
Fortunately, the forthcoming European "Copyright and Related Rights Directive" - currently in its finalised draft form - may correct this seeming inconsistency. According to Article 5:
"Member States may provide for exceptions or limitations to the reproduction right provided for in Article 2 [which confirms that Member States shall provide for the exclusive right to authorise or prohibit direct or indirect reproduction of copyright work to the copyright owner] in the following cases:
...(b) in respect of reproductions on any medium made by natural person for private use and for ends that are neither directly not indirectly commercial, on the condition that the right holders receive their compensation which takes account of the application or non-application of technological measures referred in Article 6 to the work or subject matter concerned."
In other words, provided that the copyright holder receives a fair reimbursement, an individual who has purchased music in one format in entitled to transfer that music to another format for his or her own personal use. Such reimbursement may take the form, as is already the case with blank videocassettes, of levies placed upon the sale of blank audiocassettes, recordable CDs and recordable mini-disks.
From a practical point of view, this new Copyright Directive raises an interesting issue for ISPs. MP3 files do not exist on a stand alone hard format, such as a blank CD or mini-disc; they exist on your hard drive. The value is not in the format; it is in the content. Consequently, consumers do not buy blank discs or chips on which to record MP3 files, so the question arises as to how "compensation" can be provided to satisfy the provisions of the new Directive and, more importantly, from whom it will be collected. Contenders could either be the manufacturer of the computer hard drive (where the file will originally be stored), the manufacturer of the specific component of that hard drive that will hold the MP3 file, the software manufacturer providing the package that enables the music to be converted to an MP3 file in the first place or indeed the ISP where that file is stored.
The importance of the US judgement against Napster is that it confirms the view that, although the duplication of copyright material on to a hard drive may or may not be a breach of copyright legislation (as either practised in the US or envisaged in the UK), onward transmission of that protected work most certainly is.
Peer2peer File Sharing
Some peer2peer file-sharing systems play no further part in the file-sharing process once the original software has been downloaded. If they are to face any liability for copyright infringement under existing UK laws, then it must be where it can be shown that they are either authorising infringing copies to be made or providing devices to enable such infringing copies to be made. Other peer2peer file-sharing systems bear a similar resemblance to Napster in that they maintain search facilities of files on their users hard drive and accordingly, they too may face liability under the authorisation provisions.
Users of such peer2peer file-sharing systems will of course face a similar sort of liability to users of Napster.
Thus far we have examined whether Napster or any peer2peer file-sharing system will incur liability on the behalf of either the supplier of the relevant software, or the system's users. If we now assume that such liability is established against these bodies, the next stage is to examine how that liability impacts upon the ISP.
Again, under current UK law, ISPs will only be liable for copyright infringement if they are in breach of the CDPA. In brief, I think this can be summarised as follows:
1. The Duplication Right
On a purely peer2peer system, there is no reason why a copy of the music file has to sit on the ISP's server. If it does, it will have been placed there not by the ISP, but by the user of the peer2peer service. So it is unlikely that the ISP can be shown to have infringed the duplication right itself.
2. The Distribution Right
The CDPA regards distribution as being distribution of "tangible copies" of copyright works, albeit possibly those in an electronic form. This is where the issue that MP3 files exist not as a format in the accepted sense of the word but in terms of content is particularly important. MP3 files are electronic copies, but not in a tangible form. Again, liability for infringing the distribution right is unlikely to fall on an ISP as in peer2peer file-sharing no physical product changes hands.
3. The Public Performance Right
The CDPA stresses the need for any performance to be "public"; but it is debatable if delivery on the Internet is a public activity where, as is usual, the target audience is comprised generally of private individuals in domestic situations. If a court is persuaded that an ISP's activities cannot come within the definition of "public" then that ISP would not be liable for infringement of this particular right (although no case law has established precise limits of liability).
4. The Broadcasting Right
Broadcasting is defined as transmission by wireless means, but computers are generally connected by cables at some point. There is also the criteria again that the work must be receivable by the public at large. Again, therefore, establishing liability for infringement of the broadcasting right would be difficult.
5. Inclusion in a cable programme service
This is relatively complex provision of the CDPA and one with potential implications for ISPs.
A cable programme service is defined by the CDPA (Section 7 (i)) as a service which consists wholly or mainly in sending visual images, sounds or other information by means of a telecommunication system otherwise than by wireless telegraphy. It must be for reception either at two or more places (either simultaneously or at different times in response to requests by different users) or for presentation for member of the public. The latter public element creates the same obstacles as in the public performance rights. But a website which contains copyright works and which makes those works available to users and is accessible for numerous places via the Internet clearly falls within the first option.
Although there is no English law to confirm this hypothesis, this proposition was considered and accepted by the Scottish Courts in the case of Shetland Times v Wills  F.S.R 604.
Section 7(2) of CDPA contains a number of exceptions to the definition of cable service programmes, the most important of which relates to interactive services:
" A service, or part of a service of which it is an essential feature that while visual images, sounds or other information are being conveyed by the person providing the service, there will, or maybe sent from each place of reception, by means of the same system or (as the case may be) the same part of it, information, other than signals sent for the operational control of the service (for reception by the person providing the service or other persons receiving it)."
[CDPA s 7(2)(a)]
Signals sent for the operational control of the service are expressed not to be included in the exception. Therefore, even if a website requires users to send a request for material on-site then that does not exclude it from the definition of a cable programme service. However, clear interactivity on a website will fall within the exception. Accordingly, a service which acts as host enabling users to exchange information or material, such as musical files, is likely to be exempted. Nonetheless, it is important to realise that it is only the interactive part of the cable programme service which is capable of exemption under sub-paragraph (a) above. Inclusion of a music track in such a service may still amount to an infringing act. The risk of liability is lessened but is not removed.
Based on the analysis set out above in respect of Napster and the concept of "authorisation", it would appear unlikely that an ISP could be seen to be authorising copyright infringement unless, having been notified that its service was so being used, the ISP took no further action to prevent such use.
In other words, accepting that your service contains copyright infringing works, that these copyright infringing works are being exchanged between users and having been notified of this fact, not actively taking steps to prevent this exchange may be interpreted as holding oneself out as having the authority of the copyright owner for their works to be used in this way.
Again, with secondary infringement, the analysis set out above in respect of Napster will I believe apply equally to ISPs.
The conclusion therefore is that under the CDPA it would be unlikely for an ISP to be liable for the acts of either a Napster-style service or for the peer2peer file-sharing activities of that ISP's customers, but the matter would be arguable. On this basis, therefore, ISPs would generally require some greater protection, either through the contractual terms and conditions upon which they provide their service to customers, or through more certain statutory provisions.
This legislative protection may come about in the UK through two European Directives whose implementation is anticipated in the near future. Fundamentally, these Directives are in recognition of the fact that the Internet does not operate in the same manner, or under the same conditions, as other markets and that it is inherently difficult for an ISP to monitor continuously the activities of its users. However, the Directives do not abrogate entirely the responsibility of an ISP for infringing material (or indeed any material that may be considered to unacceptable). The defence to liability that they provide ISP is neither absolute nor permanent. There comes a point when an ISP does face responsibility for the actions of its users.
1. The E-Commerce Directive (2000/31 EC).
This Directive, which came into force on the 8th May 2000 but has yet to be implemented into UK law (and is not required to be implemented into UK law until the end of January 2002), insulates ISPs from liability save in specifically defined situations. In general it lays down that where an ISP does not vet or modify content it will not be liable for that content even where that entire content is in breach of copyright, provided the offending material is removed once brought to the attention of the provider.
Specifically, the Directive makes the following provisions:
(i) Article 12 - the "mere conduit" argument
When an ISP is acting as a conduit then the ISP is not liable for mere transmission of information or storage for such a period as is necessary to perform a transmission unless it has a specific input. An ISP acts as a conduit where it does not initiate the transmission, nor select the receiver of the transmission, nor select or modify the information contained in the transmission. The exemption from liability extends to the automatic, intermediate and transient storage of information, provided that it is not stored for any period longer than reasonably necessary. Unfortunately, the Directive does not define what constitutes a reasonable time period nor give any guidelines as to how this may be interpreted. This is left to the individual Member States to provide for, presumably to allow them consistency with their existing copyright and relevant provisions.
(ii) Article 13 - "Caching"
Caching occurs where information is automatically stored for onward transmissions to other recipients on request. Again, the Directive makes it clear that the ISP is not liable initially for this information. The ISP must ensure that it does not modify the data, must act "expeditiously" (another undefined definition of time) to remove or disable the information once the ISP has actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network. Moreover, the exemption will only extend to storage of information that is performed for the sole purpose of making the onward transmission of the information to other recipients more efficient. A national regulatory body, acting in accordance with a Member State's legal system, can require the ISP to terminate the service to a specific user or to prevent an infringement
(iii) Article 14 - "Hosting"
An ISP will not be liable for hosting information provided they do not have actual knowledge that the activity is illegal and, on obtaining such knowledge, act quickly to remove it. So a determination has to be made as to whether the ISP had actual knowledge of the illicit nature of the content in question. Again, the Directive provides no guidelines as to the kind of timetable that would be considered reasonable for the removal of such notification once the ISP has received notification of its presence. And, again, a caveat exists that although exemptions provided for may protect the ISP from liability, the service provider may still be made subject to a court injunction to terminate or prevent access to infringing material.
(iv) Article 15 - No Duty To Monitor
Under Article 15, ISPs are not under any general obligation to monitor content. Moreover, the article provides that Member States of the European Union may not impose a general obligation on ISPs to monitor the information or data transmitted through their services. ISPs are given further protection as this article stipulates that they are under no obligation actively to seek facts or circumstances indicating illegal activity. However, a Member State may require an ISP to promptly inform relevant public authorities of any alleged illegal activities undertaken on their service. Furthermore they may also provide legislation to oblige an ISP to notify a relevant authority at that authority's request about information enabling the identification of recipients of the service with whom they have service agreements. So it is conceivable that an ISP may be required to co-operate with an authority in the tracking down of one of its service users in respect of that service users use of the service.
What the Directive does is provide protection for the innocent ISP in recognition of the inherent difficulties involved in policing Internet usage. It does not contradict any of the provisions of the CDPA and indeed in stressing the importance of knowledge and notification goes someway to confirming the CDPA's insistence on knowledge as a pre-requisite for liability for "secondary infringement" of copyright. Whilst there is no general obligation to monitor, a prudent ISP will so far as is possible (and legal) carry out the sensible monitoring procedures. Additionally, the ISP must ensure that it is in a position to either terminate a user's right to use the service and/or remove the infringing content once it has been notified of such contents' presence on its service. Despite the legal protection afforded by both the CDPA and the E-Commerce Directive, this is best achieved within the contractual agreement that governs the ISP's provision of its service to its user customers. From the point at which an ISP is notified about infringing content, it runs the risk of potential liability for the continued existence of that content on the service.
2. The Copyright and Related Rights Directive
This Directive (whose first draft was presented in 1995 and whose implementation into the laws of all EEA States is required by 22 December 2002) attempts to harmonise certain aspects of copyright and related rights in relation to e-commerce with the EC. It has provisions of paricular relevance to anybody involved in the provision of on-line music.
In particular, an ISP should be aware of the following Articles:
(i) Article 6(iv) - Protection of Technological Protection Measures.
This Article provides protection against the circumvention of technologies used by rights owners to protect their works from duplication or other infringement of copyright. This will include techniques such as encryption and watermarking. In this Article, as with so many others in this Copyright Directive, Member States have a fair amount of discretion as to where exactly they place the statutory lines for intervention. The British Music Rights Organisation has pointed out that rather than harmonising the European Market, this is a "recipe for fragmenting the European Market". Nonetheless, it is their view that this Article must be retained in the Directive when it is adopted in its finalised form and implemented into UK legislation, as its absence would "adversely affect the ability to invest in trading mechanisms and technologies for on-line music services".
(ii) Article 5(ii)(b) - Exception for private copying.
As we have seen in the discussion on Napster, this Article attempts to allow copying of material that has already been purchased (although not necessarily by the person who is doing the copying). There is some concern that the Article as drafted extends the exceptions for private copying beyond that which is reasonable. Some criticism has been made that the drafting of the Directive is not tight enough. However, no matter how tight the wording, it will still be difficult to enforce its provisions as the majority of people who would claim the protection of this Article will of course be private individuals. In truth, this Article merely reflects what has been common practise amongst the record buying public for the last 30 years.
(iii) Article 5(1) - Temporary Copying.
Article 5(1) provides an exception to copyright for temporary copying that will be of particular interest to ISPs. ISPs argued that if the exception extended to them in respect of liability for infringing copies was not drafted widely enough, they would be liable for caches of network copies for copyright works they could not monitor. However, the issue of liability has now been addressed in the E-Commerce Directive and there would now appear to be some conflict between the two Directives. According to The British Music Rights Organisiation the wording of the Copyright Directive would "allow non-transient incidental copies to be exempt under Article 5(1)"; this contradicts the wording of Article 12 of the E-Commerce Directive which provides safeguards for the storage of automatic, intermediate and transient copies only.
(iv) Article 8(3) - Sanctions & Remedies
ISPs need to be aware that, although they may face no direct liability for the actions of their users, under Article 8(3) Member States must ensure that rightholders are able to enforce injunctive relief against "intermediaries whose services are used by a third party to infringe a copyright or related right".
Notwithstanding the potential for confusion between them, the cumulative effect of the two Directives in conjunction with the existing provisions of the CDPA is to assert the principle that ISPs will not be liable for the activities of their users who engage in file-sharing (either as suppliers or customers). But this exemption extends only to the point at which an ISP is notified that its own users are dealing in offending material. Prudent ISPs will, where possible, monitor content and service usage.
It therefore remains critical that ISPs have the means to remove such material and the right, in appropriate cases, to suspend or terminate provision of their service to the infringing user. Consequently, ISPs should give considerable thought to the contactual terms and conditions upon which they provide their services to users and ensure that these rights are correctly incorporated into such agreements. An ISP that cannot remove offending material from its service will suddenly find itself outside the scope of the statutory protection discussed in this article, and will risk exposure to liability for the acts of its users.