Authorisation after iiNet: power, indifference and the future of intermediary liability

At the time the iiNet proceedings commenced, iiNet was Australia’s third largest ISP. It supplied internet access under a Customer Relationship Agreement (CRA) that prohibited customers from using the service to commit offences or infringe the rights of others. The CRA also empowered iiNet, where it suspected illegal conduct or breach of contract, to restrict, suspend or terminate a customer’s internet access.

Film and television studios, including Roadshow Films, coordinated through the Australian Federation Against Copyright Theft (AFACT), alleged that iiNet had authorised copyright infringement by its customers using the BitTorrent protocol. The studios relied on a series of infringement notices sent to iiNet over the course of approximately a year, identifying alleged instances of infringing activity by reference to IP addresses, time stamps and the copyrighted works in question. iiNet did not act on those notices. It disputed their reliability and sufficiency, and pointed to the limitations of IP address identification and the absence of any disclosed detection methodology. On that basis, it declined to warn, suspend or terminate customer accounts.

The critical elements relied upon by the film studios included:

• iiNet’s provision of internet access to customers who used that access to participate in the BitTorrent system;
• the customers’ infringements of the applicants’ films;
• iiNet’s knowledge of specific infringements said to be conveyed by the AFACT notices;
• iiNet’s technical and contractual power to terminate the provision of services to infringing customers; and
• iiNet’s failure to warn or, if appropriate, terminate those customers.

(iiNet at [63]-[80] per French CJ, Crennan and Kiefel JJ; [135]-[146] per Gummow and Hayne JJ).

On the film studios’ case, iiNet had been given specific, repeated notice of particular infringements by identified customers, knew enough to appreciate what was occurring, and had the practical and contractual ability to intervene, yet chose not to do so.

The High Court emphasised that whether iiNet authorised its customers’ infringements depended upon “all the facts of the case” (iiNet at [5], quoting Moorhouse at 12 per Gibbs J). The appeal was approached by asking interrelated questions that reflected the statutory factors in s 101(1A):

1. whether iiNet had the power to prevent its customers’ infringements; and
2. whether it was reasonable to expect iiNet to exercise that power in response to the notices it received.

The question whether iiNet should have taken reasonable steps after receipt of the AFACT notices necessarily engaged what iiNet knew, or could reliably be taken to know, about the alleged infringements. The High Court’s reasons were attentive both to the content of the allegations in the notices and to the fact that the methodology underpinning them was not fully disclosed until expert evidence was served in the litigation.

The real obstacle in the conventional ISP case: power

The High Court drew a critical distinction between direct and indirect control or power. The appellants pointed to iiNet’s contractual and technical capacity to suspend or terminate customer accounts. That was plainly a form of power in an abstract sense. But the High Court treated the relevant question as more exacting: what was the extent of that power in relation to the infringements in suit, and what reasonable steps did it support? (iiNet at [63]-[70] per French CJ, Crennan and Kiefel JJ).

Gummow and Hayne JJ emphasised that iiNet, as an ISP, had no direct control over its subscribers’ choice to use BitTorrent or the BitTorrent software, and could not remove the appellants’ films once they had been made available online. The only “indisputably practical” course was the exercise of indirect contractual power to switch off suspect accounts - but that would not merely avoid further infringement; it would also deny subscribers non-infringing uses of iiNet’s facilities. Further, in the absence of any effective protocol binding ISPs, terminated subscribers could simply take their business elsewhere (iiNet at [137]-[139], [143], [146] per Gummow and Hayne JJ).

The issue was not whether power existed in the abstract, it was the legal and practical relevance of that power to the infringements alleged. For a conventional ISP, the bare contractual ability to suspend or terminate a subscriber’s internet access is a form of power, but it may be too blunt, too indirect and too weakly connected to the infringing acts to bear the weight of authorisation. It is blunt because it withdraws a general-purpose lawful service. It is indirect because it does not itself control the BitTorrent system, the software used, or the infringing files. And it is weakly connected because the same subscriber may simply move to another provider, while the underlying content remains available elsewhere.

As such, for rights holders, the more difficult implication of iiNet is not that knowledge or “indifference” can never be established. In an appropriate case, a respondent’s informed failure to act may be highly relevant (see the reasoning in Campaigntrack by way of example at [77]-[79]). The more stubborn obstacle, at least in the case of a conventional ISP, is power.

Reasonable steps

Section 101(1A)(c) asks whether the respondent took reasonable steps, which necessarily directs attention to what steps were realistically available, how effective they were likely to be, what burdens or risks they carried, and how closely they bore upon the infringements alleged. Later cases have made this point expressly. As Pagone J observed in Pokémon Company International Inc v Redbubble Ltd (2017) 351 ALR 676, the task is not to ask whether there were other conceivable reasonable steps, but to ensure that the reasonable steps actually taken are considered in the authorisation analysis (at [58]-[67]).

In iiNet, the Court’s concern was that, on the facts, they were not shown to be a sufficiently clear or proportionate response to the case actually advanced. Warnings might or might not have had any practical effect. There was no evidence of likely subscriber behaviour in response. Termination was drastic. The AFACT notices themselves did not fully expose the basis on which iiNet was being asked to take that step. Nor had the rights holders established any agreed protocol or framework that would have reduced the practical and legal risk of acting as a proxy enforcement mechanism (iiNet at [75]-[76]).

This is an important point for contemporary readers. iiNet does not stand for the proposition that warnings or suspension can never be reasonable steps. It stands for the proposition that the reasonableness of such steps depends on the nature of the asserted power, the quality of the information available, the burdens and consequences of acting, and the likely efficacy of the step in preventing the relevant infringements.

It is clear that iiNet should not be reduced to the proposition that an internet service provider does not authorise the copyright infringements of its subscribers merely because it receives notices of infringement and continues to provide internet access. iiNet did not establish any categorical immunity for ISPs. Nothing in the statutory scheme supports such a conclusion. The statutory factors require attention to the extent of the respondent’s power to prevent the infringing act, the nature of the relationship with the primary infringer, and whether reasonable steps were taken. Those inquiries are evaluative and fact-sensitive. A respondent does not escape scrutiny because it is an ISP. Equally, it does not become liable simply because it provides a service through which infringement occurs.

iiNet shows that in intermediary cases, the decisive question is rarely whether the respondent can be said, in some colloquial sense, to have “known” and done too little. The more difficult question is whether the respondent possessed a sufficiently relevant power over the infringements in suit that its failure to exercise that power can properly be characterised as sanctioning, approving or countenancing those infringements. Accordingly, while its facts relate to BitTorrent-era internet access, iiNet remains a durable statement about the limits of authorisation in cases involving lawful services used by others to infringe.

Properly read, iiNet forecloses only a narrow but important proposition: that authorisation cannot be established against a conventional ISP merely by proving notice of infringement, a general contractual power to terminate access, and continued provision of ordinary internet services. It does not foreclose the possibility that an ISP could, in principle, authorise infringement on stronger facts. Nor does it foreclose liability for other intermediaries whose relationship to the infringements is closer and whose practical power is more specific.

The path forward for rights holders lies in identifying a more proximate and operationally meaningful capacity to prevent the relevant infringements than mere withdrawal of general internet access. That may be difficult in the case of a “plain” ISP. But it becomes more plausible where the intermediary does more than provide undifferentiated access, or where the asserted power extends beyond blunt account termination to targeted and repeated intervention in a known pattern of infringement.

That, in turn, explains why iiNet remains so useful. Its enduring significance may lie less in providing a road map for suing conventional access providers, and more in offering a framework for distinguishing weak from strong intermediary targets in future disputes.

Campaigntrack arose from a copyright dispute between competing providers of real estate marketing software. Campaigntrack alleged that Mr Semmens, who had previously developed Campaigntrack’s “DreamDesk” product, later created a competing product called “Toolbox” for the Biggin & Scott parties by reproducing a substantial part of DreamDesk’s source code. The critical issue for present purposes was whether, after receiving Campaigntrack’s solicitor’s letter in September 2016 and later a preliminary forensic report, the Biggin & Scott parties authorised Mr Semmens’ continuing infringements by failing to take further steps despite having practical power to investigate, halt deployment or terminate the relevant arrangements. The High Court ultimately held that the necessary evidentiary foundation for a finding of authorisation had not been established.

The Full Court majority (in Campaigntrack Pty Ltd v Real Estate Tool Box Pty Ltd (2022) 292 FCR 512) had concluded that, from 29 September 2016, the relevant parties authorised infringement by their indifference to the development and use of Toolbox after receiving Campaigntrack’s solicitor’s letter and later the preliminary report. The High Court unanimously rejected that conclusion. The High Court did not reject indifference as irrelevant to authorisation. Rather, it treated “authorisation by indifference” as a way of putting a case that still had to be proved by orthodox means: through findings, supported by evidence, directed to the particular state of affairs at the relevant time, including the respondent’s position, state of knowledge, and what reasonable steps were available in response (Campaigntrack at [88]).

The High Court accepted that the Biggin & Scott parties had power to prevent the infringing acts, and the relevant relationships, for the purposes of ss 36(1A)(a) and (b) of the Copyright Act. They could instruct Mr Semmens, investigate the allegations, stop Toolbox going live, permit forensic examination, and terminate arrangements if necessary (Campaigntrack at [77]). The Court also accepted that the Biggin & Scott parties had co-operated by giving undertakings and permitting the preliminary investigation. But that did not answer the question. The determinative issue was whether there was proof, at the relevant time and on the evidence actually led, that they had the requisite knowledge or suspicion, and that reasonable steps then required of them were not taken.

The High Court’s formulation is especially important. Their Honours said that proof of an allegation of “authorisation by indifference” requires findings, supported by evidence, that the person “was in a position and had knowledge of facts, matters and circumstances sufficient to give rise to a duty to take reasonable steps to avoid or prevent” the infringing act, and that this is not a general inquiry but one directed to a particular state of affairs at a particular time or times (Campaigntrack at [88]). This is a strikingly useful formulation for contemporary intermediary cases.

Campaigntrack represents both a confirmation of iiNet and a refinement of its continuing utility. Like iiNet, it rejects the idea that allegations of infringement, coupled with some abstract power to intervene, automatically make inaction legally meaningful. In iiNet, the AFACT notices did not oblige the ISP to take the step of warning, suspending or terminating customers. In Campaigntrack, even though the appellants had closer practical power than iiNet did, the High Court still insisted on proof of what they knew, when they knew it, and why the steps said to be required were in fact reasonable in the circumstances. On the evidence as led, that proof was missing. The Court held that it was not established that the Biggin & Scott parties knew of or suspected Mr Semmens’ infringing acts at any relevant time.

The practical lesson of Campaigntrack is therefore about proof. The High Court emphasised that the way the case had been run at trial mattered. The “authorisation by indifference” case was not properly put to the relevant witnesses, the significance said to attach to the preliminary report was not fairly put, and the forensic choices made before the primary judge precluded the conclusion the Full Court later drew. This is a reminder that modern authorisation cases are not won by invoking notice, control and indifference at a high level of abstraction. They require careful attention to chronology, state of knowledge, operational choices, and the concrete steps said to have been reasonably available at particular moments.

Campaigntrack is a valuable modern companion to iiNet. iiNet shows that notice plus non-termination is not enough. Campaigntrack confirms that indifference may matter, but only where the evidence establishes that the respondent’s position and knowledge were sufficient to crystallise a duty to take reasonable steps, and that the omission to do so was unreasonable in the circumstances.

In March 2026, the United States Supreme Court reversed the Fourth Circuit on contributory liability.

The majority (Thomas J, writing for Roberts CJ, Alito, Kagan, Gorsuch, Kavanaugh and Barrett JJ) held that contributory liability requires that a provider intended its service to be used for infringement, and that the requisite intent can be established in only two circumstances:

1. affirmative inducement of infringement; or
2. provision of a service tailored to infringement, in the sense that it is not capable of substantial or commercially significant non-infringing uses.

The first limb drew on Grokster, where file-sharing software companies had promoted and marketed their software as a tool to infringe copyrights, and Kalem Co v Harper Brothers 222 US 55, 62-63 (1911) (Kalem), where the defendant "not only expected but invoked by advertisement" the infringing use of its films (Cox slip opat 7-8). The second was framed by contrast to Sony, where the Betamax video recorder was held not to attract contributory liability because it was capable of substantial non-infringing uses, including time-shifting television broadcasts for personal viewing (Cox slip op at 8, quoting Grokster at 942 (Ginsburg J, concurring)).

The Supreme Court emphasised that mere knowledge of infringement is insufficient. It confirmed that indifferent knowledge does not suffice, that there is no copyright precedent for liability based only on constructive knowledge of likely infringing use, and that a court cannot impose contributory liability merely because a defendant failed to take affirmative steps to prevent infringement (Cox slip op at 8-9).

On the facts, Cox satisfied neither limb. It had not induced infringement; indeed, it had actively discouraged it through warnings, suspensions and terminations. Nor was Cox’s service tailored to infringement. As the majority observed, “Cox simply provided Internet access, which is used for many purposes other than copyright infringement” (Cox slip op at 10).

The Fourth Circuit’s approach therefore extended contributory liability beyond the bounds recognised in Sony and Grokster. By treating knowledge of infringement and continued service provision as sufficient, it collapsed intent into awareness.

Sotomayor J, joined by Jackson J, concurred in the result but criticised the majority’s narrow doctrinal approach.

Her Honour’s central objection was that the majority had, “without any meaningful explanation, unnecessarily limit[ed] secondary liability” even though the Court’s earlier authorities had left open the possibility that other common law theories, such as aiding and abetting, might apply in the copyright context. In her Honour’s view, Sony and Grokster preserved the possibility of fault-based secondary liability beyond inducement and tailored services (Cox (Sotomayor J) slip op at 1-2).

Sotomayor J further warned that the majority’s decision undermined the incentive structure reflected in the Digital Millennium Copyright Act (DMCA), which grants safe harbour protections to ISPs that adopt policies for terminating repeat infringers (Cox (Sotomayor J) slip op at 1-2). In her Honour’s view, Congress had sought to encourage ISPs to take reasonable steps against infringement without requiring them to respond to every allegation, whereas the majority’s rule substantially reduced any realistic prospect of secondary liability for ISPs regardless of what they knew or what they did (Cox (Sotomayor J) slip op at 5-6).

Notwithstanding those criticisms, Sotomayor J agreed that Cox was not liable on the evidence. Drawing on the more recent Supreme Court decisions of Twitter, Inc v Taamneh 598 US 471 (2023) and Smith & Wesson Brands, Inc v Estados Unidos Mexicanos 605 US 280 (2025), her Honour emphasised that liability requires intentional participation in wrongdoing (Cox (Sotomayor J) slip op at 9-10). The evidentiary gap between an IP address and an individual user meant that Cox could not be said to have intended to facilitate specific acts of infringement. At most, the evidence demonstrated indifference, which was insufficient to establish liability (Cox (Sotomayor J) slip op at 12-13).

The divergence between the majority and the concurrence exposes an unresolved debate within the United States system: whether a two-limbed categorical test (inducement or tailored service) adequately captures the full range of culpable intermediary conduct, or whether there remains room for more granular, common law fault rules reaching conduct that falls between passive provision and active encouragement. That debate forms a useful backdrop to the Australian statutory position.

The result makes Cox a useful comparator to iiNet, because in both systems the courts resisted attempts to turn notice plus continued service into an automatic rule of secondary liability. Post-Cox, the United States Supreme Court has rejected the proposition that contributory liability can rest simply on a provider’s knowledge that users are infringing, coupled with continued service and allegedly insufficient action to stop them. Indeed, the Court expressly criticised the Fourth Circuit for treating the supply of a product with knowledge that it will be used to infringe as sufficient, thereby moving beyond the two bases of liability recognised in Sony and Grokster (Cox slip op at 9-10; Cox (Sotomayor J) slip op at 4-5).

While the outcomes in iiNet and Cox are the same - ISPs not liable - that does not mean the United States and Australian positions are the same. They are not. The doctrinal structures are fundamentally different. The decision in Cox is concerned with the boundaries of judge-made contributory infringement, framed through the inheritance of Sony and Grokster and shaped by a reluctance to expand secondary liability beyond those precedents. Australian law, by contrast, addresses authorisation through a statutory framework that expressly directs attention to the respondent’s power to prevent the act, the nature of the relationship with the primary infringer, and whether reasonable steps were taken. The Australian inquiry is therefore not reducible to inducement or “tailoring”. It remains a more contextual question of whether the respondent’s conduct can properly be characterised as sanctioning, approving or countenancing the infringement.

In that sense, Cox is still useful for Australian readers, but for a different reason than first appeared. It illustrates a judicial reluctance to allow notice, knowledge and imperfect enforcement to do too much work. The difficult question for Australian courts going forward is not whether the intermediary “knew” and did not do enough in some colloquial sense. It is what legal significance that knowledge and inaction can bear within the particular doctrinal structure being applied.

Sotomayor J's conclusion that Cox was not liable rested not on the categorical limits adopted by the majority, but on the gap between an IP address associated with an infringement notice and proof that a specific account holder had intentionally facilitated a specific infringing act (Cox (Sotomayor J) slip op at 12-13). That gap will be familiar to Australian readers of iiNet. The High Court's scepticism about the AFACT notices turned, in significant part, on the same problem: whether the information conveyed was sufficient to reliably identify the relevant subscribers and their conduct with the precision required to make the demanded steps reasonable. In both Cox and iiNet, the limits of intermediary liability have proven to be shaped by the practical constraints of what rights holders can prove as well as by the doctrinal framework through which liability is assessed.

If there is a remaining cautionary lesson in Cox, it lies in the evidentiary record. The case still demonstrates how heavily modern intermediary disputes can turn on institutional facts: the design of enforcement systems, the treatment of repeat complaints, internal communications about subscriber retention, and the gap between formal policy and operational reality. Those matters were central to the way the plaintiffs framed the case, even though the Supreme Court ultimately held that they could not, without more, satisfy the United States law of contributory infringement. That emphasis on operational reality remains highly relevant in Australia, even though the doctrinal route is different.