TrollTrolling is an artificial construct and much misunderstood: see Clare Brown’s article here. So it is no surprise to find the absence of any consistent law governing conduct on the internet as a whole. The internet transcends boundaries in a way that most national laws do not.

In England and Wales, the activities of trolls may fall foul of random statute, but each case is fact sensitive. For example, section 127 of the Communications Act 2003 makes it a criminal offence to send messages which are grossly offensive or of an indecent, obscene or menacing character. Then there is the Computer Misuse Act 1990 – which would outlaw the unauthorised access to a victim’s computer or twitter account – and the Fraud Act 2006 – identity theft resulting in an unlawful gain – and the Serious Crime Act 2007 – inciting crime. And of course we now have the Defamation Act 2013 which received royal assent on 25 April 2013.

This year on 9 July, Reece Elliott, a self-confessed part-time troll, was jailed for two years and four months for posting on Facebook messages such as: “I’m gonna kill hopefully 200 before I kill myself.” He was prosecuted for making threats to kill under Section 16 of the Offences Against the Person Act 1861 and for a further eight offences under the Communications Act 2003.

Given that there is no uniform, international jurisdiction of universal application it is likely that there are situations where the contents of a particular website are not unlawful in one country but illegal in another. Conflicting laws from different jurisdictions may apply, simultaneously, to the same content.

When trying to work out the relevant jurisdiction(s) of a particular comment by a troll the following questions must be asked:

  • what is the law of the state where the internet user (the victim) resides?
  • what is the law of the state where the host server is located?
  • what is the law of the state where the troll resides?

The answers could point to three different jurisdictions; it may be that a victim of a US troll using a Canadian server is located in England.

Whether or not a troll could find him or herself being extradited will depend on which two countries are involved, the applicable Treaty or Convention governing extradition proceedings between the two countries and the specific facts of the case.

An extraditable offence between two EU member states is usually an offence which could lead to a prison sentence of at least 12 months in the requesting state. This is unlikely to cover an offence under Section 127 of the Communications Act 2003, for example, because it is an offence triable, on summary conviction, to imprisonment for a term not exceeding six months, or a fine, or both. It may though cover an offence under the Computer Misuse Act, the Fraud Act or the Serious Crime Act depending on the severity of the facts of each case and the law of the other member state.

Extraditing an individual from a non EU member state is trickier still.

The real problem is making the web host liable to the victims for publishing anonymous posts. Trolls are generally impossible to trace, using as they do proxy servers or internet cafes so as not to reveal their own IP address, or simply because they are beyond the reach of the victim.

Until the internet operators tighten up their procedures so that the true identity of its users is recorded and made available to victims, the only way forward so far has been to contact the host server or host website and seek disclosure, whether voluntarily or by way of Norwich Pharmacal remedy, and, if the claim is one in defamation, to demand that the offending material is removed. In Tamiz v Google Inc [2013] EWCA Civ 68 the Court of Appeal held that an internet platform (Google) is a ‘publisher’ of defamatory material if it does not act promptly upon such notification. Moreover, Section 5(3) Defamation Act 2013 gives further (small) comfort: a website operator cannot use as a defence against a defamation claim that it did not post the message itself if (1) it was not possible for the claimant to identify the person who posted the statement, and (2) if the claimant gave the operator a notice of complaint in relation to the statement, and (3) the operator failed to respond to the notice of complaint in accordance with any provision contained in regulations.

Section 5 (3) sits unhappily with the decision on 10 October 2013 of the European Court of Human Rights (First Section) in Delfi AS v Estonia (no.64569/09), which found the website liable for comments posted by anonymous users, despite the website having removed the comments complained of on the same day that the complaints were made. It is not a decision that is likely to find favour when the appeal to the Grand Chamber is heard – but we will see.

However, neither section 5(3) nor, probably, Delfi provide much help to the abused victim whose need is to unmask, expose and if possible destroy the troll. Victims remain too often without recourse to effective remedy. Although the last few months have seen growing political and social pressure on social networking sites to take a more active role in moderation of their sites, we remain sceptical as to their value to the victim. Whilst Facebook now requires users to register a valid email address before they can set up an account or post comments on the website, this will not prevent users setting up anonymous email addresses.

The law is having to play catch up in the face of a rapidly changing virtual online world. Delfi shows that the courts have not yet succeeded in finding a balance between freedom of speech on the internet and the prevention of the offences that trolls are all too often committing.

Rhory Robertson is a Partner and Sophie Pugh a Trainee Solicitor working in the Collyer Bristow Cyber Investigations Unit.