Before :
MR JUSTICE FOXTON
Between :
LONESTAR COMMUNICATIONS CORPORATION LLC | Claimant |
- and - (1) DANIEL KAYE (2) AVISHAI MARZIANO (3) CELLCOM TELECOMMUNICATIONS LIMITED (4) RAN POLANI (5) ORANGE LIBERIA, INC | Defendants |
Tony Singla KC, Sophie Shaw and Mohammud Jaamae Hafeez-Baig (instructed by Freshfields Bruckhaus Deringer LLP) for the Claimant
Neil Kitchener KC and Andrew Lodder (instructed by Norton Rose Fulbright LLP) for the Fifth Defendant
Hearing dates: 7, 08, 12, 13, 14, 15, 16, 19, 20 and 21 December 2022; 16 and 17 January 2023:
Further written submissions received: 27 January 2023
Draft Judgment Circulated: 17 February 2023
Approved Judgment
I direct that no official shorthand note shall be taken of this Judgment and that copies of this version as handed down may be treated as authentic.
.............................
THE HONOURABLE MR JUSTICE FOXTON
This judgment was handed down by the judge remotely by circulation to the parties’ representatives by email and release to The National Archives. The date and time for hand-down is deemed to be Tuesday 28 February 2023 at 14:00.
The Honourable Mr Justice Foxton:
A INTRODUCTION
Between October 2015 and February 2017, the Claimant (Lonestar) – which provides cellular communication and internet services in Liberia – was the victim of a campaign of cyber-attacks (the DDOS Attacks). Lonestar alleges that the DDOS Attacks were orchestrated by the First Defendant (Mr Kaye) with financial and technical support from the Second Defendant (Mr Marziano) and the Fourth Defendant (Mr Polani).
The key issues at trial are:
whether Mr Kaye, Mr Marziano and/or Mr Polani (collectively the Individual Defendants) are liable in tort to Lonestar for the DDOS Attacks;
if and to the extent that they are, whether the Third Defendant (Cellcom BVI) and/or the Fifth Defendant (Orange Liberia) are vicariously or otherwise liable for their actions; and
what damages Lonestar is entitled to recover against anyone who is liable (both compensatory and, if available and appropriate, exemplary).
None of the Individual Defendants has participated in the trial at any stage. Cellcom BVI initially participated, but withdrew in early January 2022, saying that this was the result of financial difficulties. That has left Lonestar and Orange Liberia as the active participants at the hearing, with the principal areas of debate between those parties being:
whether, on the basis of largely uncontested facts, the Individual Defendants and Orange Liberia are liable under the applicable principles of Liberian law;
if so, what loss Lonestar has suffered, and whether in addition to compensatory damages the court should also make an award of exemplary damages (and, if so, in what amount).
B THE PARTIES
Lonestar is a well-established telecommunications company operating in Liberia and forms part of the MTN Group, the largest mobile network operator in Africa.
Orange Liberia is now a company in the Orange Group. Until April 2016, when it was acquired by the Orange Group, it was owned by Cellcom BVI and known as Cellcom Liberia.
Mr Kaye provided hacking for hire services. In 2018, he was convicted by a Cologne court of offences involving cyber-attacks on Deutsche Telekom. He has also been convicted of orchestrating the campaign of hacking against Lonestar, and on 11 January 2019 he was sentenced by HHJ Milne KC at Blackfriars Crown Court to 32 months’ imprisonment for that offence, following a guilty plea.
Mr Marziano was Chief Executive Officer of Cellcom Liberia from 2009 to 2013 and again from 2014. He also became Group Chief Executive Officer of Cellcom BVI in November 2013. From April 2016 to January 2017, he continued in office as the CEO of what was now Orange Liberia. His salary in respect of the latter role was paid by Cellcom BVI, who billed it back to Orange Liberia from April 2016.
Mr Ran Polani was employed by Cellcom BVI from October 2010, and worked from April 2016 to September 2017 as a mid-level manager in Orange Liberia’s Internet Services Provider Business Unit. His salary was also paid by Cellcom BVI, who billed it back to Orange Liberia from April 2016.
As I have stated, the Individual Defendants have not participated in the trial at any stage.
Cellcom BVI was represented by solicitors and counsel for much of the pre-trial phase of these proceedings, and served factual evidence and expert evidence on Liberian law. However, on 13 December 2021, Cellcom BVI’s solicitors informed the court that they would be applying to come off the record (which they did the following day), and that Cellcom BVI would henceforth be represented by one of its directors.
At the PTR, before me on 20 December 2021, provision was made for Cellcom BVI to apply to the court for permission for Mr Snider to represent it at the trial, and to serve evidence setting out the alleged financial difficulties which were said to have caused it to dispense with legal representation. However, on 7 January 2022, Cellcom BVI informed Lonestar that it would not be pursuing that application, and that it would not be seeking to call factual or expert evidence at the trial. The reasons why Cellcom BVI followed this course, and whether it resulted from financial difficulties or other factors, are in dispute, and the court is not in a position to make any findings about them.
C THE EVIDENCE
C1 Fact Witnesses
C1(1) Lonestar
Lonestar’s only factual witness was Mr Karl Toriola, the CEO of MTN Nigeria Communications Ltd, the indirect majority shareholder in Lonestar. In April 2015, he was appointed as a Group Operations Executive, and in December 2015 he became MTN’s Vice President for West and Central Africa, remaining in that role until December 2020. Between April 2015 and December 2020, Liberia was one of the markets over which Mr Toriola had oversight, and Lonestar’s CEO (Mr Babatunde Osho) reported to him.
It was Mr Toriola’s evidence that:
“As part of that oversight, I received documents produced by Lonestar and reporting on Lonestar’s performance …. Outside of those structured reporting mechanisms … I was also in frequent communication with Lonestar’s CEO, very often on a weekly, if not daily, basis”.
There is no doubt that Mr Toriola is a highly capable and experienced senior telecommunications executive, with good tactical awareness and great fluency of expression. It may be those qualities which led Lonestar to conclude that he should be its only fact witness at trial. However:
It became clear in the course of his cross-examination that Mr Toriola’s grasp of the basic chronology of the DDOS attacks on Lonestar was poor. His evidence was that the worst effects of the attacks were experienced from October 2015 to January 2016 and March to April 2016, rather than just from mid-July 2016 onwards. While chronologically supportive of Lonestar’s quantum calculation, this evidence is completely inconsistent with the contemporaneous documents (as explained below).
I am satisfied that Mr Toriola’s evidence as to the quality, frequency and content of information communicated to him about the DDOS Attacks “outside of … structured reporting mechanisms” was the subject of very considerable overstatement, as was his evidence as to how much of his time was taken up with DDOS-related matters, and how large the issue loomed at the time. Thus, he appears to have received only 3 or fewer emails dealing with the DDOS Attacks between October 2015 and July 2016.
I am satisfied that the unreliability of Mr Toriola’s evidence in these respects reflected (a) the limited nature of his engagement with the DDOS Attacks contemporaneously, which is scarcely surprising given his senior position and responsibility for operations in a number of West and Central African countries (Liberia accounting for only about 3% of the markets within his sphere of responsibility); and (b) a readiness on his part to tailor his evidence so as to support Lonestar’s case.
In these circumstances, it is necessary to approach his evidence with caution. In particular, I am satisfied that the contemporaneous assessments within Lonestar provide a much more reliable basis for assessing the duration and effect of the DDOS Attacks, and their commercial consequences, than Mr Toriola’s evidence, and that his own evidence that the contemporary view of management was that the DDOS Attacks were responsible for the greater part in the decline in Lonestar’s performance over the period from October 2015 to January 2017 was wrong.
Lonestar’s decision to call Mr Toriola, rather than anyone working “in country” at the relevant time, meant that there was no witness before the court who was able to speak with the benefit of experience of working at Lonestar at the relevant time. No satisfactory explanation was offered for this evidential deficiency. In particular it is apparent that a number of the executives who held senior positions with Lonestar at the relevant time still work within the MTN group, including Mr Andrew Bugembe (who was Chief Financial Officer from October 2014 to August 2016) and Mr Kyomukama (Chief Technology and Independent Officer from September 2014 to September 2016). The explanations offered in Appendix A to Lonestar’s closing for the absence of these witnesses were not persuasive, and rather served to highlight the importance of the missing evidence. It was said that Mr Bugembe‘s work was “primarily focussed on finance” and that Mr Kyomukama’s evidence would not have added materially to Mr Toriola’s given that he was “a former Chief Technical Officer” (which I understand to be a reference to Mr Toriola’s role as Deputy Chief Technical Officer of Airtel Nigeria, working in Nigeria, up to 2006).
C1(2) Orange Liberia
Orange Liberia adduced factual evidence from four witnesses.
Mr Mamadou Coulibaly, who was the CEO of Orange Liberia between February 2017 and October 2020.
Mr Gregory Cardoza, the Chief Technical Officer of Orange Liberia since 2010.
Mr Diakalia Berte, who was the CFO of Orange Liberia between April 2016 and April 2022, and a senior manager at Orange Cote d’Ivoire (Orange CDI) between May 2010 and 7 April 2016.
Mr Kolo Kone, was Deputy Chief Technology Officer at Orange CDI between April 2020 and November 2021, and was Chief ITN and Network Integration Officer at Orange Liberia between April 2016 and April 2020.
The evidence of these witnesses was of very limited assistance in the resolution of the factual disputes which had to be determined at the trial. Only Mr Cardoza and, for part of the period, Mr Berte and Mr Kone were working for Cellcom/Orange Liberia during the relevant period. Their evidence as to their perceptions, from within Cellcom/Orange Liberia, of the significance of the DDOS Attacks for Lonestar was inevitably that of “outsiders”. It was also coloured by the parties’ competing narratives in the dispute, as became clear during the course of their cross-examination. For that reason, I do not feel able to place any reliance on their evidence as to the significance of the DDOS Attacks. In relation to all four witnesses, their evidence did not add materially to the contemporaneous documents, which provide the best, and most reliable, evidence of the impact of the DDOS Attacks on Lonestar.
C2 Expert evidence
The court heard expert evidence in three disciplines.
C2(1) The Liberian Law Experts
First, expert evidence in Liberian law:
for Lonestar, from Counsellor Gloria Musu-Scott, formerly Chief Justice of the Liberian Supreme Court from 1997 to 2003, when she returned to private practice; and
for Orange Liberia, from Counsellor Gerald Padmore, a US trained and based lawyer who has been admitted to the Liberian bar for more than 50 years, and a substantial part of whose practice involves advising on matters of Liberian law.
In addition, expert reports from Professor Phillip Banks III, obtained by Cellcom BVI, were placed by Orange Liberia before the court under CPR 35.11, but Professor Banks did not give evidence. Professor Banks is a professor at the Louis A Grimes School of Law in Liberia, and was an Associate Justice of the Liberian Supreme Court from 2011 to 2018.
Counsellor Musu-Scott is clearly able to speak authoritatively as to the likely outlook of the Liberian Supreme Court on broad issues of judicial policy. However, her evidence was less informative when seeking to address the issues of Liberian law at a more granular level, and she had a tendency to answer questions by referring Mr Kitchener KC to what she had said in her report (much as a judge might refer counsel to what they had said in a judgment, without wishing to enlarge on or debate its contents). While Lonestar was undoubtedly correct to observe in its closing submissions that “her evidence in cross-examination was consistent with her reports”, it was also co-extensive with it as well. The “conclusory” character of her evidence made it less helpful than it would otherwise have been, given the highly debateable nature of many of the issues of Liberian law.
Counsellor Padmore was an impressive witness, who was willing to engage in debate and to give ground, and whose answers were reflective. While he has practised from the U.S. for the last 40 years, I am satisfied that he is an expert in and knowledgeable of Liberian law, with considerable experience of litigation in the Liberian courts. He was willing in the course of his oral evidence to acknowledge a degree of “rough and readiness” in aspects of the decision-making of the Liberian court (something which, understandably, would have been difficult for Counsellor Musu-Scott). However, when tested against those realities, the analysis of certain issues in his reports did appear to present a rather idealised version of Liberian law.
C2(2) The Cyber-security Experts
Second, the court heard expert evidence in cyber security:
for Lonestar, from Mr Alex Campbell, a Director in the London office of Stroz Friedberg, where he is responsible for significant digital forensics and incident response investigations; and
for Orange Liberia, from Mr Steven Shepherd MBE, a cyber-security consultant at PA Consulting.
On the purely technical questions, the evidence of both witnesses was informed, helpful and only in dispute to a limited extent. As to their evidence in cross-examination:
Mr Campbell had been asked to perform a forensic exercise in which he reviewed contemporaneous emails, and offered a view as to whether they provided evidence of a DDOS Attack having taken place or impacted Lonestar on a particular day or during a particular period. It became apparent during Mr Lodder’s impressive cross-examination that the approach Mr Campbell adopted when performing that exercise had been an overinclusive one. I am satisfied that reading the documents in the context of the evidence overall provides the best means of gauging the timing, duration and consequences of the DDOS Attacks, and I have reviewed the documents myself rather than simply accept Mr Campbell’s interpretation of them.
Mr Shepherd had an occasional tendency to anticipate the question asked and answer accordingly. In addition, he was clearly troubled by Lonestar’s failure to preserve the technical data which he regarded as the best evidence on the issues he had been asked to address (a concern which was justified, as I explain below), and he had some difficulty in moving past that point in the course of his cross-examination. However, his evidence was clear and helpful, and he was willing to acknowledge the evidential limitations in his analysis. His explanation of the significance of the summary reports available from the mitigation systems, and what they did and did not show, was particularly helpful.
C2(3) Expert Evidence in Valuation and Economic Matters
Third, expert evidence in valuation/economic matters:
for Lonestar, from Mr James Nicholson, a Chartered Financial Analyst and Head of FTI Consulting’s Economic and Financial Consulting practice in Asia; and
for Orange Liberia, from Mr David Thomas, the managing partner of DT Economics LLP, a London based economics consultancy which focuses on the telecoms sector.
Both experts were very well-qualified, well-prepared and adept at holding their ground in the course of cross-examination. On the key issues in dispute, they had adopted very different approaches, which, I suspect, were to a large extent conditioned by the forensic circumstances of the parties calling them. As I explain below, the contemporaneous documents are not supportive of the scale and timing of loss for which Lonestar claims, and Mr Nicholson’s analysis was largely built on Mr Toriola’s evidence and a macro-economic analysis of the West African mobile telecommunications market. Mr Thomas’ analysis was largely grounded in the internal materials disclosed by Lonestar. There were occasions in his cross-examination in which Mr Thomas became a little combative, and unnecessarily acerbic. However, I am satisfied that this was not the result of any misplaced loyalty to the party calling him, but reflected the strength of his belief in the reliability and intellectual robustness of his own analysis, and the unfavourable view he had formed of Lonestar’s offering. Nor is it fair to suggest (as Lonestar did in closing) that “Mr Thomas took an extreme view, making every conceivable point against Lonestar (however immaterial) with a view to justifying his extreme assumptions”. As I explain below, on certain points Mr Thomas was willing to adopt what I suspect were assumptions which were favourable to Lonestar, in order to present a conservative and robust analysis. While Orange Liberia sought to row back from certain of those positions in closing, I have not allowed them to do so. However, the fact of the attempt belies Lonestar’s characterisation of Mr Thomas’ evidence in closing.
D THE FACTS
D1 The Liberian Mobile Market up to October 2015
Liberia has a population of just over 5 million people, and a GDP per capita of $633. The vast majority of mobile communications business in Liberia is pre-paid voice business, by customers who top-up their SIMs on a very regular basis.
Lonestar was the first company to enter the Liberian cellular telecommunications market, in 1999 (the national carrier, Libtelco, only offered fixed wireless services and not cellular telecommunication services). For a period, Lonestar was the only operator in that market, and hence the incumbent. It was able to charge high prices both for SIM cards and to stay connected.
In 2005, Cellcom Liberia entered the market, and from that point, the telecommunications market in Liberia has effectively been a two-player market. In March 2014, an Information Memorandum produced by Standard Bank in relation to the potential sale of Cellcom BVI estimated that the combined share of the Liberian telecommunications market of Lonestar and Cellcom Liberia was 96%.
In June 2012, Cellcom Liberia launched 3G services, enabling it to be the first mobile operator to offer mobile data in Liberia, Lonestar’s offering being launched in December 2013.
Cellcom Liberia undertook a number of marketing campaigns. These included its “$1 for 3 days” campaign launched in March 2013, which offered three days of calls to other numbers on the Cellcom Liberia network for US$1.
It is clear that this offer, which remained in operation until September 2019, had a significant impact on the Liberian market. Having made a profit of $28.2m in 2013, Lonestar’s profit fell to $7.4m in 2014 and US$1.96m in 2015 (a year in which Mr Nicholson, Lonestar’s expert, suggests that there was only a US$0.1m impact from the DDOS Attacks). The figures for (combined voice/data) market share show Lonestar’s progressive loss of market share to Cellcom Liberia:
There was also a steady decline in Lonestar’s Average Revenue per User (ARPU) – once again the figures presented below are combined voice/data figures:
In April 2015, Lonestar was forced to introduce its own $1 for 3 days package, albeit one not available to High Value Customers (HVCs), known as DYO. Between April and October 2015, the combined (voice/data) ARPUs of Lonestar and Cellcom Liberia were running roughly in parallel, although there is a dispute between the parties as to whether Lonestar had steadied the ship, as it contends, or whether this was a brief pause in its irresistible downwards descent.
The mobile market in Liberia was, at the relevant time, dominated by voice rather than data:
In October 2015, at the start of the DDOS Attack period, over 90% of Lonestar’s revenue was from voice traffic, and at the end of the DDOS Attack period, voice accounted for over 85% of Lonestar’s revenue. It was common ground that Lonestar was still the voice incumbent in October 2015.
Data was more important to Cellcom Liberia, but still only amounted to 32% of revenue by October 2015. Cellcom Liberia was undoubtedly the data incumbent, enjoying 5 times the data usage and double the ARPU on data of Lonestar.
There is nothing particularly surprising in the mobile voice and data markets having different incumbent operators, and it is a state of affairs which is even less surprising in the Liberian market than it might be elsewhere. By 2013/2014, it had become very common for mobile phone users in Liberia to have both a Lonestar and a Cellcom Liberia SIM, allowing them to use both networks depending on strength of coverage as relevant to the particular call they wanted to make, and the particular network of the person they wanted to call (assuming that they were not also “multi-SIMing”) because “on network” calls were cheaper than using one network to call a phone on another network. The speed with which Liberia became a “multi-SIM market” can be seen from the fact that by the middle of 2018, a Lonestar budget was referring to “near 100% multi-SIM usage”.
One consequence of the “multi-SIMing” was that mobile users who used both voice and data could have a preferred network for voice (Lonestar) and a preferred network for data (Cellcom Liberia).
A particular issue of controversy so far as the relative positions of Lonestar and Cellcom Liberia is concerned is who had a higher proportion of HVCs – those who spent appreciably more than the average user-spend. A key element in Lonestar’s quantum case is that Cellcom Liberia’s aggressive pricing had not won them many HVCs, who were more interested in quality of service and network coverage than price, and for that reason were attracted to Lonestar. Lonestar contends that it was the adverse effects of the DDOS Attacks on the quality of its service which led HVCs to move to Cellcom / Orange Liberia. As to this:
A Lonestar Market Performance Report of April 2014 suggests that Cellcom Liberia’s proportionate share of HVCs (36%-63%) was broadly equivalent to its proportionate share of the market as a whole (34%-64%).
Lonestar’s Market Performance Report for the third quarter of 2015 suggested that in the intervening 18 months, the relative split of HVCs was 46%:51%, and that HVCs viewed the Cellcom Liberia network more favourably (reflected in a higher “NPS” or “Network Promoter Score”, with Cellcom Liberia leading Lonestar by 32% on this measure by October 2015). HVCs compared Lonestar’s value offering particularly unfavourably with Cellcom Liberia’s. Whether, as Lonestar asserts, it was still ahead overall so far as HVCs are concerned by the end of the third quarter of September 2015 depends on the accuracy of its own data, which there are reasons to doubt. Mr Nicholson accepted that by October 2015, Cellcom Liberia probably had a higher proportion of HVCs and a higher absolute number. Whether that is correct or not, the direction of travel so far as HVCs are concerned is clear, and it was towards Cellcom Liberia, who must have been close to, if not at or above, parity by the start of the DDOS Attacks.
The contemporary documents do not support the (somewhat counter-intuitive) assertion that HVCs were not significantly motivated by price. As explained below, in January 2016, Lonestar took the very significant decision to open up its DYO offering to HVCs: something only explicable on the basis that HVCs were motivated by price. A Lonestar proposal produced in March 2016 aimed at winning back HVCs referred to a fall in HVC revenues of 63% since December 2012 which was the direct result of Cellcom Liberia’s “$1 – 3 days” offering introduced in March 2013.
Finally, it is essential to keep the voice/data distinction firmly in mind – not only did Cellcom Liberia launch 3G 18 months before Lonestar, but it had more cell sites, better download speeds and better internet gateway capacity. If HVCs had been motivated by quality of service rather than price to the extent that Lonestar claims, then its data business would naturally have migrated to Cellcom Liberia, which had a stronger offering and first mover advantage.
D2 The Cellcom-Orange Transaction
In July 2015, Orange CDI submitted a binding offer to Cellcom BVI to acquire 85-90% of the share capital of Cellcom Liberia. A stock purchase agreement for the sale was signed on 18 December 2015, and amended on 5 April 2016 (the SPA).
Under the final version of the SPA:
Orange CDI paid an “Initial Price” of $105m (clause 2.5), subject to certain contractually agreed adjustments to take account of debt, working capital and capital expenditure before the sale. Of that amount, $9m was to be paid into escrow, and released to Cellcom BVI in three equal tranches on the first, second and third anniversaries of the sale (clause 2.6(a)).
Clause 2.5(d) provided that the Initial Price was to be increased by $5m if the “Normalized EBITDA” figure derived from Cellcom Liberia’s audited accounts for 2015 was greater than US$23,500,000.
Clause 2.8 provided for the payment of an “earn-out” payment calculated by reference to the “Normalized EBITDA” figure derived from Cellcom BVI’s audited accounts for the 12-month period ending on 30 June 2016.
I will refer to the payments in (ii) and (iii) as the Earn Out Payments.
On 5 April 2016, Cellcom BVI, Cellcom Liberia and another Orange entity (Orange BVI) entered into a Transitional Services Agreement (the TSA) by which Cellcom BVI agreed to provide certain services to Orange Liberia during a period after the completion of the sale, in return for the payment of fees. These included “consulting services” to be provided by various named members of staff, including Mr Marziano and Mr Polani. In total, Cellcom BVI was paid $1,568,038 under the TSA.
D3 The DDOS Attacks: An Introduction
D3(1) The Types of DDOS Attack and the Means of Mitigating Them
A DDOS attack is a form of cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by flooding the target machine or resource from multiple different sources, in an effort to overwhelm it and prevent legitimate requests for connection being fulfilled.
The DDOS Attacks were attacks on Lonestar’s data work, and did not have a technical impact on the availability or quality of Lonestar’s voice network.
There are, broadly, three types of DDOS attack, all of which featured in the attacks on Lonestar:
“Volumetric” attacks which seek to consume some or all of the bandwidth of the victim’s network, and thereby block the access of legitimate users to the system.
“State exhaustion” attacks which seek to consume or overwhelm specific parts of the network by getting services or infrastructure to respond to false requests for connections.
“Application layer” attacks which target a specific part of an application or service such as a specific webpage, and seek to exhaust the application or service.
It is common for these types of attack to be used in combination, in what is known as a “multi-vector attack”. They can be carried out by using so-called “Booters”, which are publicly available, on-demand, web-based “DDOS-for-hire” services offered for a fee by cybercriminals, who undertake external attacks on a network. They can also be undertaken using “Botnets”, which involves infecting a victim’s software with malware controlled by cybercriminals, such that it can then be used (along with other infected devices) to carry out a DDOS attack.
Lonestar was the victim of multi-vectored DDOS attacks, involving all three types of DDOS attacks, using both “Booters” (in particular the “vDOS” booter service) and Botnets (Lonestar’s system being attacked by devices infected by the “Mirai” or “Mirai#14” malware).
Lonestar had in place measures designed to protect it against the effects of DDOS attacks, and those systems were enhanced during the period of the DDOS Attacks:
When the attacks began, Lonestar had installed the Huawei Abnormal Traffic Inspection System (the Huawei System) and the Arbor Atlas System.
The Huawei System is an on/off-premises system which identifies DDOS traffic on-premises, directs it off-premises to Huawei’s servers to be cleaned (or scrubbed) and then returns it to the client’s network. In October 2015, it had a capacity of 20 gigabits. In March 2016, the capacity of that system was increased to 120 gigabits.
The Arbor Atlas system is a DDOS intelligence system, not a mitigation system. However, from 22 July 2016, Lonestar was using the Arbor Peakflow System, an on-premises system which identified and cleaned DDOS traffic. This added an extra 60 gigabits of cleaning capacity.
From 7 September 2016, Lonestar was using the Arbor Cloud system, an off-premises system which identified and cleaned DDOS traffic.
The Huawei and Peakflow systems were set up to deal with state exhaustion and application layer attacks, and the Arbour Cloud system with volumetric attacks.
D3(2) Sources of Evidence as to the Timing, Scale and Impact of the DDOS Attacks
It is common ground that Lonestar has had in its possession technical data which would substantially have identified the number, type and duration of the DDOS Attacks. In particular, Lonestar would have had data showing what network devices and services were affected by DDOS traffic, in what ways, and for how long. However, Lonestar did not retain that data. While I am satisfied that Lonestar’s failure to preserve this technical data was not the result of any deliberate decision to ensure that it was not available in the litigation, its failure to preserve this material is surprising. Lonestar knew it had been subjected to the DDOS Attacks from October 2015, on its own case they were having a very significant impact on its business and profitability, and it made an insurance notification on 2 November 2015. Mr Kaye’s activities came to light in early 2017. While there had been some suggestion that it would have been very onerous to retain the material because of its size, Mr Campbell accepted in cross-examination that the traffic-flow and log files could have been stored without retaining the underlying packets of information, and that this material could have been retained. I found Mr Campbell’s attempts to explain away the failure to retain this data unconvincing.
In terms of the material which is available:
The Huawei and Arbor mitigation systems generated summary reports of traffic information which identified what DDOS or other anomalous traffic had been identified and what mitigation steps had been taken (the Mitigation Reports).
In addition, there is non-technical evidence in the form of contemporaneous emails and reports from which conclusions may be drawn as to the occurrence, or the effects, of a DDOS attack on particular date, albeit there is much greater scope for dispute as to what that documentation shows than would be the case with technical data.
Taking the Mitigation Reports first:
The Mitigation Reports only record traffic which transits through those systems, and would not pick-up DDOS traffic which was able to bypass those systems. Further, a full set of Mitigation Reports is not available, and some of them are incomplete. Further the summary reports, which are all that are available, do not provide additional traffic metrics which would have been available on the underlying systems.
It was Mr Shepherd’s evidence, which I accept, that the complete Mitigation Reports which were available showed DDOS attacks detected by the system (of all three kinds) on 351 days during the DDOS Attack period. In relation to those attacks, it was only possible with the technical data available to measure the effect of the volumetric attacks. The complete Mitigation Reports showed that, on 132 days, the volume of the attacks exceeded the bandwidth capacity of Lonestar’s network (which is a measure only of the effect of volumetric attack), and on 18 of those days, the cleaning capacity of the system (for which purpose Mr Shepherd adopted a more conservative figure than Mr Campbell as to what the cleaning capacity was in March 2016).
Mr Shepherd’s evidence, which once again I accept, is that the effect of the volume of traffic exceeding the processing capacity of Lonestar’s system would be some element of “latency” (or a slowing-down of the user experience), but that the degree of latency would vary depending on the extent of any excess. That latency could be a matter of milliseconds, which a user would not notice, to something more substantial. It was not possible for Mr Shepherd to assess the degree of latency on the available technical information, because he required network traffic metrics to do so, nor could he assess how quickly the network would have recovered from the DDOS Attacks. However, Mr Shepherd’s view was that:
“For any attack within the scrubbing capacity of the mitigation systems, any latency resulting from the DDOS attacks would be measured in milliseconds and would not be noticeable to the user. It is only on days where the cleaning capacity of the mitigation system in question was significantly exceeded that a DDOS attack that has been detected and mitigated would cause noticeable latency”.
That statement was agreed by Mr Campbell in the experts’ joint statement, subject to the point addressed in the next sub-paragraph. As I have noted, there were 18 days when the volume of traffic exceeded the cleaning capacity of the mitigation systems.
Mr Shepherd’s figures did not include attacks which were kept off Lonestar’s system because they were diverted to the Arbor Cloud. He accepted that it would be possible to have DDOS attacks which were so significant that they could affect public internet links, without actually entering the Lonestar network. However, I accept his evidence that it was not possible on the technical data now available to determine whether this happened, because it is not possible to determine how much data transited the two links in question. Mr Campbell did not suggest that there had been an impact on the public internet in his evidence.
Mr Shepherd accepted that his “volumetric” analysis would not pick up the effects of DDOS Attacks of the other two kinds which the filtering of the mitigation systems was not set up to or capable of detecting (and attacks of those kinds can be more difficult to detect), or which bypassed the mitigation systems (e.g. because they were entering Lonestar’s network through sites such as Facebook and Google, in circumstances in which the system had not been set up to route traffic from those sources through the mitigation software for part of the DDOS Attack period). However, it was not possible from the technical data now available to determine whether there were state exhaustion or application layer attacks which bypassed or got through the mitigation systems, or what if any effect they had.
Mr Singla KC placed much emphasis on a report produced by an organisation called USENIX for a security symposium in August 2017 which had analysed 1,000 malware samples resulting from DDOS attacks aimed at a number of organisations using the Mirai malware, and concluded that they comprised 32% volumetric attacks, 39% state exhaustion attacks and 34.5% application layer attacks. This data, however, only relates to the period from 31 October 2016 onwards (Mr Kaye having first used the Mirai botnet on that date), nor does it answer the question of how many of these attacks would have evaded or partially transited the mitigation systems.
It will be apparent from this summary that:
Mr Shepherd’s analysis of the available technical data alone may not identify all the effects of the DDOS Attacks. Had Lonestar retained and disclosed the mitigation system log reports, it would have been possible to determine the effects of state exhaustion and application layer attacks which were not detected by the mitigation software or bypassed the mitigation systems altogether (if there were any).
It is not possible from the available technical data alone to determine the effect on user experience, save that I am satisfied that, on volumetric effects, latency will only have been noticeable when the volume of traffic exceeded the cleaning capacity, which was 18 days (or a lower figure if the figures used by Mr Campbell for that capacity are correct).
Turning to the contemporaneous documents:
Mr Campbell has identified 125 days on which he says that there is documentary evidence of the adverse effects of a DDOS attack. 57 of those days overlap with the 132 days on which Mr Shepherd accepts that there is evidence of a DDOS attack (although, as noted above, Mr Shepherd says that there would only have been adverse effects noticed by users on a maximum of 18 days).
Mr Singla KC sought to suggest that it followed from the limited nature of this overlap that there must have been DDOS attacks which were not picked up by the mitigation systems, or which had adverse effects on users otherwise than through volumetric effects.
There are a number of reasons why this might not be the case: (i) that Mr Campbell has misinterpreted the relevant document; (ii) that the sender of the relevant document has misunderstood or misdiagnosed what they are observing; or (iii) that there are undetected attacks, or attacks with non-volumetric effects. The answer, in all probability, is that all of these events have occurred, with Mr Lodder’s cross-examination of Mr Campbell identifying a number of examples of (i) and (ii) and Mr Singla KC’s cross-examination of Mr Shepherd identifying some possible examples of (iii).
This range of possibilities reflects the fact that, while a useful source of evidence, contemporaneous documents of this kind are inherently less informative on the question of the existence and effect of DDOS Attacks than technical data. Nor do statements in individual emails assist in assessing the duration or severity of any effect.
In my view, the assessment of the documentary evidence is best undertaken in the context of the evidence as a whole, rather than simply seeking to add up the number of days which can be linked to a relevant document, and then presenting the resultant total as significant in itself (as Mr Campbell did).
D4 A Detailed Chronological Analysis
D4(1) August-September 2015
A document prepared by Mr Marziano commenting on Lonestar’s Particulars of Claim acknowledges that he knew Mr Kaye before the DDOS Attacks began, and claims that he first met Mr Kaye “sometime in 2015”. By August 2015, Mr Marziano and Mr Kaye were communicating about a proposed cyber-attack on Lonestar through an encrypted instant-messaging application called “Threema”. It is clear from their exchanges that the topic had been discussed before the first available communication, and that it was proposed that Mr Marziano pay Mr Kaye to carry out the attacks. Agreement was reached on the broad purpose of the attacks, including disrupting, damaging and sabotaging Lonestar’s business.
Mr Marziano provided Mr Kaye with Lonestar email addresses to assist him. Mr Kaye began constructing a “bot” to assist in the attacks. On 12 September 2015, Mr Kaye and Mr Marziano met in Nice, and Mr Marziano paid Mr Kaye $9,000 in cash.
D4(2) October-December 2015
On 12 October 2015, Mr Kaye provided a brief demonstration of DDOS attacks on Lonestar, and Mr Marziano identified certain times when he wanted Mr Kaye to take down Lonestar’s internet services. On 15 and 16 October, Mr Marziano reported back on the effect of the DDOS Attacks to date, and steps Lonestar was reportedly taking to deal with them. On 22 October, they discussed ways in which the DDOS Attacks might be made more powerful.
In early November, Mr Marziano provided Mr Kaye with Threema contact details for Mr Polani. Mr Polani then communicated with Mr Kaye directly, providing him with relevant information, and discussing how further DDOS Attacks could be undertaken, and how Mr Polani might help. Mr Polani also reported back on the effects of the DDOS Attacks as perceived in Liberia. Mr Marziano made a further payment to Mr Kaye on 5 November 2015, and they met in London on 14 November 2015.
Turning to the effect of the DDOS Attacks, there are 10 days in October in which traffic identified by the Huawei mitigation system exceeded the capacity of Lonestar’s network and cleaning system:
3-4 October;
13-16 October;
24-27 October.
On all of those dates save for 27 October, Mr Campbell has identified documents referring to effects consistent with DDOS attacks. Mr Campbell identifies documents which he says evidence effective DDOS attacks on 7-9, 12, 17, 19-23 and 28-30 October.
It is clear from the contemporaneous documents that there was an attack lasting just over an hour on 3 October, and a shorter attack the following day, 4 October. I accept that the first of these would have caused noticeable latency for a period, and perhaps the second, but Mr Marziano’s Threema chat in the evening of 4 October makes it clear that all effects had ceased by that point. Mr Kaye was on holiday over the period from 7-9 October, and I am not persuaded that there were any attacks during that period. I accept that there were two brief attacks on 12 October, when Mr Kaye sought to demonstrate to Mr Marziano during a Threema chat that he could switch the attacks “on” and “off”.
There were further attacks between 13-16, and 24-27 October. The significance and scale of the October attacks is, in my view, best captured in the following documents:
A report prepared by Huawei on 13 October 2015 referring to two attacks on 3 and 4 October, but no other attacks up to that point.
A report prepared by Mr Bowier on 30 October 2015 referring to the problems beginning on 13-17 October, and further problems from 24-27 October, which were resolved. The report suggested that the issues had been addressed and resolved, with normal traffic now being observed. Other internal reports suggest that traffic was back-to-normal by the end of the month.
The data traffic flow graphs in the 30 October report, which show 13-16 and 24-27 October as the period of abnormally high traffic.
Lonestar’s October 2015 review referred to the DDOS Attacks as a “key challenge”, with internal and external actions having improved matters in the last couple of days of the month. The review did not identify any adverse effects from the DDOS Attacks, and Mr Toriola did not suggest that there had been any.
The Mitigation Reports do not show any occasions when there were attacks exceeding the scrubbing capacity of Lonestar’s network in either November or December 2015. Mr Campbell has referred to two documents said to show effects on the system on three days in that period– 3 November, 29 November and 1 December. However, I am not persuaded that there were any appreciable effects of DDOS Attacks on Lonestar in those months:
Mr Kaye’s messages to Mr Marziano on Threema on 10, 11, 15, 20 and 29 November 2015 were all to the effect that he was trying but not succeeding to attack Lonestar. Their exchanges in December do not suggest that there was an attack.
The 3 November email refers to a brief attack during a period of planned emergency maintenance which reduced the efficacy of the mitigation software for about an hour.
An email referring to slowness on a particular VLAN on 29 November and 1 December was investigated by Huawei, who concluded that there was no evidence of a DDOS attack.
There was no official report of any attacks in those months (in the Ops Reviews or otherwise) and the Q4 2015 CEO Report stated that “the attacks are now contained after enhancement of the anti-DDOS policies both internally and at MTN.NET”.
No written report of a DDOS attack was made to Mr Toriola between 16 October 2015 and 7 February 2016, and I am unable to accept his evidence that he was receiving verbal reports of attacks during this period. As would be expected, Lonestar and MTN operated with thorough management information systems which provided comprehensive reports of the business. Had the DDOS Attacks impacted Lonestar in November and December 2015, this would have found its way into the management reporting documentation.
It is important to consider Lonestar’s financial performance in Q4 2015, in view of the suggestion that it was the effects of the DDOS attacks which drove a key pricing decision in January 2016:
Its performance against budget in terms of data usage improved in November and December 2015 as against September 2015 (rising from 68% ahead of budget YTD to 83% ahead of budget YTD).
It achieved 110% of budget for data users as at 31 December 2015.
Notwithstanding the higher usage, revenue and EBITDA were below expectations. This was attributed by Lonestar’s management to the ongoing price war with Cellcom Liberia, and there was no attempt to link that unwelcome performance with the DDOS Attacks.
The differential in the average combined ARPU between Lonestar and Cellcom Liberia at the end of Q4 2015 was $1.01, as it had been at the end of Q2 and Q3, before the DDOS Attacks began.
There is nothing, therefore, to suggest that the DDOS Attacks had had any significant impact on Lonestar’s data business by the end of 2015, still less that any impact on Lonestar’s data business had begun to have a knock-on impact on Lonestar’s voice business.
D4(3) January to June 2016
There is no real visibility as to any interactions between Mr Kaye and Mr Marziano over this period. There were no occasions in January 2016 when DDOS Attacks occurred at levels which exceeded Lonestar’s network or scrubbing capacities. While Mr Campbell suggests that there are documents which are consistent with the effects of DDOS Attacks on 6 and 29 January, neither document will bear the weight placed on it:
The 6 January document is concerned with difficulty accessing websites at a particular email address, which does not appear to have received “dirty” traffic on 6 January, and other websites could be accessed.
The 29 January email is a complaint about Orange blocking access to certain ports on a recently activated internet link, and no DDOS attack traffic was detected on that day.
Consistent with that picture:
The Ops Review for January 2016 makes no reference to any DDOS attacks in January 2016, nor does any other management document.
The Q1 CEO Report referred only to improvements to the mitigation capacity “in the wake of the DDOS attacks endured last year” (emphasis added).
The Ops Review for January 2016, which had to deliver the very bad news that revenues were 10% below budget YTD, 21% lower than in January 2015, and data revenues were 46% below budget, did not seek to ascribe this to the DDOS Attacks, or refer to any attacks that month.
In January 2016, Lonestar decided to open up its DYO offering to HVCs – a hugely significant pricing decision which would inevitably have an adverse impact on its ARPU. There is no suggestion in any of the contemporaneous documents that this decision was a response to the DDOS Attacks. On the contrary, the available documentation attributes the decision (entirely understandably) to the need to compete with Cellcom Liberia’s $1-3 days offer:
In the Q1 2016 CEO Report, Mr Osho referred to an “HVC ARPU decline as blacklist is lifted and HVCs downgrade to DYO ($1 for 3)”, and stated that Lonestar was continuing to drive DYO “to be competitive”. It noted that MOU had declined by 5% against the previous quarter, reflecting the fact that Q4 of the year is traditionally a high use period, and the effect of “new bundles and price plans with capped mins” (i.e., Lonestar customers using its DYO offer had their number of minutes of use capped in January 2016, which exerted a downwards pressure on MOU).
In the March 2016 “HVC Win Back Plan”, the drop in revenue from HVCs was attributed to “competition $1 for 3 days promotion”, and was described as having been ongoing for 39 months. This document contained a thorough review of the reasons why Lonestar was losing HVCs (both by way of reduced earnings and churn of 16% of the customer base). The DDOS Attacks were not even mentioned.
As I have said, as part of the process of opening up DYO to HVCs, Lonestar made changes to DYO which made it less attractive than Cellcom/Orange Liberia’s $1-3 days offering: capping the number of minutes for each user, capping the total amount of voice traffic on the network for 6 hours a day and placing limits on the number of times a customer could re-charge the $1-3 days each month. Certainly, Lonestar disclosed some documents which suggest that it took these steps, which Mr Thomas interpreted in this sense, and no witness was called by Lonestar to explain the position.
Mr Toriola did not even mention the January 2016 price adjustment in his first witness statement, and did not suggest it was a response to the DDOS Attacks in his second witness statement. That suggestion emerged for the first time in cross-examination, but was thoroughly unconvincing, and wholly inconsistent with the documentation.
The consequences of allowing HVCs to access DYO, while retaining access to Lonestar’s superior voice network, were instant and entirely predictable:
Lonestar reversed the fall in HVCs, to the point of gaining HVCs between December 2015 and February 2016.
With the influx of HVCs, the minutes of use on the DYO package increased by 13%.
Its customer churn (the number of customers leaving its network) reduced.
However, the price of that was that its ARPU dropped from $14.30 on October 2015 to $9.90 in January 2016, as HVCs who had previously made calls at higher tariffs now made them on the DYO tariff.
In the wake of that, the differential in the combined voice/data ARPU between Lonestar and Orange Liberia fell from $1 in December to $0.17 in January, and to minus $0.13 in February.
There is evidence of two large attacks on the Lonestar network on 6 and (to a lesser extent) 7 February 2016, albeit the effect of the evidence is that these attacks had much less effect on the Lonestar network than the October 2015 attacks:
Documents referred to by Mr Campbell, and the Threema chat between Mr Kaye and Mr Marziano, are consistent with attacks at this time.
Traffic utilisation graphs, which show two short periods of traffic congestion and a longer period of about an hour, all on 6 February 2016.
Once again, a formal report was obtained from Huawei which referred to attacks on 6 February, and confirms their duration, and suggests that traffic was normal by 7 February. The absence of such reports in respect of other dates in the January-June period is consistent with the limited number of DDOS Attacks in the first half of 2016.
Mr Osho in the Q1 2016 CEO Report stated “some episodes of DDOS attacks were experienced again in February albeit at a much less severity than was experienced last year”.
A Huawei report refers to a small and fully mitigated attack on 8 February 2016. While Mr Campbell refers to an email from Mr Bowier of that date linking an issue with network performance with the DDOS attack, Huawei’s investigation showed that this was not in fact the case, and the broad effect of communications at this time is that the network was running normally on this date (e.g. Huawei stated that they were “not finding any abnormality” and that traffic was following “its normal trend”). The Threema messages relied upon by Mr Campbell to support an attack on 20 February do not support that conclusion (the IP address in question not being Lonestar’s). Nor is there anything to suggest that Lonestar perceived, from a business perspective, that its data offering faced a threat from the DDOS Attacks which could reduce usage or cause it to lose customers. In February 2016, Lonestar removed the (small) data component of its DYO offering, effectively increasing its data pricing. It is difficult to see why these steps would have been taken if the DDOS Attacks had been perceived as presenting a material threat to the data business at this time. There is no evidence, however, of the DDOS Attacks even being discussed in this context.
The technical evidence suggests that there were a number of small, and mitigated, DDOS attacks in March and the first four days of April, with the cleaning capacity of the Huawei system not being exceeded on any day during those two months (and indeed on the figures used by Mr Campbell, Lonestar’s network capacity was not exceeded at all during those two months). Mr Campbell does not identify any document said to be supportive of data attacks during this period. The Q1 and Q2 CEO Reports do not refer to any DDOS attacks between March and June, nor do the Ops Reviews for March and April.
It is necessary to interrupt the narrative relating to the DDOS Attacks at this point to address two significant market developments in April 2016.
The first is that Orange Liberia launched 4G data services (also known as LTE). The attraction of a 4G data offering to HVC customers is obvious, and the introduction of 4G had an immediate impact on Orange Liberia’s data traffic (as did Lonestar’s introduction of its 4G data offering, 9 months later):
While Mr Toriola sought to suggest that the challenges of dealing with the DDOS Attacks had delayed the introduction of Lonestar’s 4G offering, there were no contemporaneous documents supporting this assertion, and on the contrary it is clear from the 2016 Q1, Q2, Q3 and Q4 CEO Reports that there were delays in tendering for the project (which was not completed until June 2016) and in procuring the necessary equipment (because of the need to set up the letters of credit necessary to import it).
The second is that Lonestar reduced its PAYG voice and data prices by between 30% and 45%. Once again, contemporary documents do not suggest that this decision was taken in response to the effects of the DDOS Attacks (and, in fairness, Mr Toriola did not suggest that it was). The Q2 2016 CEO Report stated that “Attritional Price war and competition value destruction resulted to a review across Voice and Data PAYG tariff adjustments of up to -30% in voice and -45% in data”. The same document, when addressing the factors impacting “QoQ core Voice and Data revenue negatively”, referred to various factors, including “LTE network launch in April giving undue data advantage”, but said nothing about the DDOS Attacks. It also referred to HVC ARPU declining “as more HVC now migrating to $1 for 3 days”: another sign of the lure of low prices for HVCs customers.
Inevitably, the reduction in Lonestar’s prices had an immediate impact on its ARPU. The ARPU differential between Lonestar and Orange fell 39c between March and April 2016, and by 70c from March 2016 to June 2016.
The technical data does not reveal any effects of DDOS attacks on the system in May and June 2016, and, once again, there are no references to DDOS attacks in the Ops Reviews for those months, or in the Q2 CEO Report. Mr Campbell did not identify any documents said to evidence the effects of DDOS attacks in June 2016, but he does point to 5 documents said to evidence effects on six days in May. I accept that there is material suggestive of “a possible DDOS attack” on 11 May, which impacted Lonestar’s mobile money service for 2 hours. The material relied upon as evidence of the effect of attacks on 17 and 19 May concern a complaint by a customer located in South Africa which was investigated by Huawei, who thought that DDOS “should not be an issue”. In the event, the issue appears to have been the result of the customer attempting to use a port on a subnet which had been blacklisted by internet providers. On 18 May, Huawei noted traffic congestion on a particular VLAN, but there is nothing to suggest that this was the result of a DDOS attack, and no DDOS attack traffic was detected by the Huawei system on that date. The email exchange relied upon in relation to 26-27 May is inconclusive, and there is no record of a DDOS attack on 26 May.
Lonestar’s business performance at the end of Q2 2016 was disappointing – ARPU was 14% below budget on a YTD basis, revenue 23% below budget, and EBITDA 37% below budget. The executives tasked with presenting those unhappy figures to senior management would no doubt have welcomed the opportunity to blame them on a supervening and unpredictable event such as the DDOS Attacks. However, no such suggestion was made. The ARPU and EBITDA figures were attributed to the two pricing decisions, and Orange Liberia’s launch of 4G/LTE. The CEO’s report for Q2 2016 attributed the reduction in MOU to limits placed on Lonestar’s DYO package (“MOU declined by 10% against Q1, driven by $1 for 3 days availability throttling for 6 hours daily. The adjustment has now been lifted and MOU is now on the increase” – throttling being a limit on voice calling during peak hours). Nor did the July 2016 document, “Data Strategy and GTM Plan”, in a considered “SWOT” survey of Lonestar’s business, identify the DDOS Attacks as a weakness or a threat. This document included a detailed survey of changes in Lonestar’s data customers from Q3 2015 to Q2 2016, with a view to determining whether customers who had stopped using Lonestar’s data offering had changed their Lonestar voice spend to a greater extent than those who had not. There was no material reduction in the voice spend by those who had stopped using data and those who had not. That is very difficult to reconcile with Lonestar’s case theory that attacks whose technical effects were limited to its data network materially impacted its voice earnings, because unhappy customers voice spending “followed” their data spend.
D4(4) July to August 2016
In or around July 2016, Mr Kaye gained access to the “vDOS” booter platform, and in September 2016, to the Mirai botnet.
A new, and more serious, phase of the DDOS Attacks began in the second half of July. Significantly, on 24 July 2016, Mr Toriola received his first communication on the subject of DDOS since 7 February, and on 25 July, Mr Bowier sent an email referring to attacks the previous week, and comparing them with what happened “during our last DDOS attack in February”.
The technical data shows no attack traffic from 1 to 17 July, then a significant increase in DDOS attacks in the last 10 days of July and the first two weeks of August. The attacks were within the cleaning capacity of Lonestar’s cleaning system (which was further enhanced on 25 July when the Arbor Peakflow system became operational).
Mr Campbell has pointed to documents said to show the effects of DDOS attacks on Lonestar’s network on 12 days in July and 16 days in August (either directly, or as consequences of mitigating measures put in place to deal with DDOS attacks). While I am not satisfied that all of these documents establish the occurrence of effective DDOS attacks, I am persuaded that there were 8-10 days in the second half of July when DDOS attacks had noticeable effects on Lonestar’s system. An email from Mr Bowier of 25 July refers to Lonestar being “under serious DDOS UDP flooding for a week” which “caused all of our data services to run very slow”. A Huawei report also refers to attacks from 28-31 July.
From 29 July, the evidence suggests that a modification to the mitigation software proved effective in countering the new wave of attacks, albeit a network modification on 14 August provided a brief opportunity for the DDOS Attacks to penetrate Lonestar’s defences once again. There was an effective attack on 17 August, leading to the installation of another defensive measure, the Level 3 NPS service, on that date. Issues resulting from the implementation of anti-DDOS measures continued to have effects on the network to 21 August. An email from Mr Chingwena suggests that, by the evening of 21 August, the effects had been overcome. There are no documents which evidence DDOS attacks from 22-25 August.
On 26 August, Mr Kaye switched the form of the DDOS Attacks to TCP SYN attacks, which were able to bypass the defensive measures currently in place. It took Lonestar a few days to arrive at a satisfactory means of dealing with the new form of attack, without the defensive measures themselves impacting the user experience. This appears to have taken until 29 August, and Mr Campbell does not point to any documents suggestive of ongoing effects on 30 and 31 August.
The July and August Ops Reviews mentioned this next wave of effective DDOS attacks, as did the Q3 CEO Report. While the July report did not seek to link Lonestar’s financial performance with the attacks, as opposed to pricing decisions and dealer issues, the August report discussed a 45% decline in mobile data revenue and attributed it to the DDOS Attacks. The Q3 2016 CEO Report also referred to “DDOS attack on the network negatively impairing customers data experience with a correlated drop in Data revenue thereof”. There was no attempt to suggest that the DDOS Attacks had caused the reduction in voice revenues, which was attributed to the reduction in prices following the April 2016 review and the increasing use by HVCs of Lonestar’s DYO offering.
D4(5) September to October 2016
The technical data suggests that Lonestar’s defensive measures, supplemented from 7 September 2016 by the Arbor Cloud system, were largely effective in dealing with any DDOS attacks up to the last day of October. For by far the greater part of this period, very little traffic was detected, and attacks on 28 September and 4 and 5 October were well within the cleaning capacity of the systems. Mr Campbell points to documents which he suggests evidence effective attacks on 4 days in September and 7 days in October. As to these:
I accept that the installation of the Arbour Cloud on 7 September did entail a service interruption, and that this is fairly characterised as a consequence of the DDOS Attacks in general.
The emails concerning website access and slow internet issues between 23 and 26 September appear to have been linked to a change in the 3G browsing subnet address rather than issues related to the DDOS Attacks.
The email of 4 October is consistent with the technical data, but states that the attack was “fully mitigated” and “no service affected”.
The emails relating to 11 October concerning an internet link involving Orange Liberia and Lonestar are inconclusive, and in any event, the technical data did not detect any DDOS attacks on that day.
The emails relating to 19-23 October concern a number of issues. There is a DDOS attack detected at 16.51 on 19 October and cleaned in 9 minutes with an email of that date stating “no impact on traffic observed”; the email cited for 21 and 22 October concerned Arbor enquiring whether Lonestar wanted to continue to pay for the service when no attack had been observed for a number of days (and from which it is clear that no traffic had been cleaned for 13 days); and the emails relating to 23 October are inconclusive, traffic flow was normal at that time and no DDOS traffic was detected.
I accept that there was a perception by some within Lonestar of ongoing adverse effects either from the DDOS Attacks or the measures taken to address them. The September Ops Review referred to the Arbor software helping to ease the attacks, but also to “continuous DDOS attacks resulting in poor data experience” (albeit data revenue was 18% up on August, data subscribers 9% up and data revenue from HVCs 47% up). The October Ops Review referred to “Fluctuation in Data Experience”, and referred to the major attack on 31 October which I discuss below. However, data revenue growth was 7% up on a “month-on-month” basis.
I accept that the contemporaneous documents provide some support for Lonestar’s argument that, by September or October, the DDOS Attacks were having an impact on its data revenue. The September Ops Review refers to “revenue loss DUE to DDOS attack” and to putting in place “DD[O]S Attack Control” to “address poor data performance”. The October Ops Review refers to “fluctuation in Data Experience … affecting uptake of data bundles”. However, the Ops Reviews do not suggest that there was any impact on its voice revenue, the adverse state of which is attributed to other causes.
D4(6) 31 October 2016 to February 2017
From 31 October 2016, Mr Kaye had access to the Mirai #14 botnet, and this led to a marked increase in the severity of DDOS attacks to which Lonestar was subjected. These attacks were particularly effective between 31 October and 2 November, when the attacks and the mitigating software caused internet slowness and loss of data traffic, and generated significant international press commentary between 3 and 7 November. That commentary inevitably presented a rather dramatic account of the attacks which, equally inevitably, featured prominently in Lonestar’s case at trial. Lonestar’s internal assessment on 3 November noted:
the unprecedented size of the attacks; and
that they had inevitably caused “some undesirable behaviors, especially slowness and loss of data traffic”.
That is a more sober assessment than the press coverage, and Orange Liberia draws attention to the assessment of one cyber-security expert describing the “breathless” press coverage as exaggerated. However, even if the press coverage did “over-egg” the impact of the DDOS Attacks on Lonestar’s network, those public statements will have constituted another way in which the DDOS Attacks will have damaged perceptions of Lonestar’s data offering.
So far as the period between 3 and 20 November is concerned, there were periods on 4, 10 and 14 November when their scale appears to have overrun the cleaning capacity of the mitigation systems. Mr Campbell does not identify any documents said to evidence the effects of DDOS attacks for 5-6, 8, 12, 15-18 and 25-27 November.
Over the period from 20 to 23 November, the DDOS Attacks took advantage of a “direct peering” connection Lonestar had with Facebook, Google and YouTube’s websites, allowing “dirty” traffic to circumvent the mitigation software. There was an element of “cat and mouse”, with Lonestar taking steps to close one “back door”, by closing the direct peering with a particular site, only for Mr Kaye to try another “back door”. Lonestar worked hard with external contractors to come up with a solution, which was put in place in the course of 24 November, and appears to have solved the issue.
Nonetheless, it is clear that the cumulative effect of the DDOS Attacks had caused a customer backlash against Lonestar’s data offering. The November 2016 Ops Review identified as a key challenge “DDOS impact on Data quality creating negative experience and backlash from customer. MoM Data volume declined by 20million MB”. Further, one slide stated, “Top 20 MoM Data revenue significantly declined as a result of DDoS attacks and some subscribers that have moved their data to competition are also moving voice”. There is a dispute as to whether this is a reference to lost subscribers, or to reduced usage by those continuing to use Lonestar for some voice. As to this:
An analysis within Lonestar which is roughly contemporaneous with this document looked at 86,000 subscribers who had stopped using Lonestar’s data services in August 2016, and found that 35,000 continued to use other services, and 51,000 had left Lonestar’s network entirely. The analysis does not suggest that the voice ARPU for those who remained fell appreciably.
The November Ops Review “Top 20 Downgraded Subscriber” analysis showed voice revenue increasing (albeit by only 1%) while data revenue fell by 33%, and for HVCs, voice revenue increased by 3%, minutes of use increased by 6% and data revenue fell by 30%. That does not support a view that the DDOS Attacks were having any significant effect on voice traffic.
In these circumstances, I am not persuaded that, as at November 2016, Lonestar had formed the view that the DDOS Attacks had appreciably reduced usage by retained voice customers, as opposed to contributing to the churn of customers who left Lonestar altogether. I also note that Lonestar’s “Recovery Plan” prepared in November 2016 referred to four reasons why such a plan was required. Relevantly for present purposes, it referred to:
“Response and matching competitor value destroying offer of $1 for 3 days led to significant loss of Voice revenue”; and
“Persistent Cyber-attack via DDOS degraded all data service and thus resulting in further revenue loss on Data”.
It was still Lonestar’s considered analysis, therefore, that the impact of DDOS attacks on its revenue was essentially on revenue from data services.
Turning to December, Mr Campbell points to documents said to evidence the effects of DDOS attacks on various dates. I accept that there is evidence of the DDOS Attacks impacting Lonestar’s internet services on various dates up to 15 December, whether the direct impact of DDOS Attacks or as results of adjustments to the Arbor Peakflow onsite APS system which Lonestar installed at the end of November. Once fully operational, this new system would ensure that not all attack traffic had to be routed to the Arbor Cloud to be dealt with, minimising the impact of Lonestar’s defensive systems on those using its network. However, it was only from 15 December that the new defensive systems were fully functioning. Those systems largely contained the DDOS Attacks from that date, save for what appear to have been relatively minor effects on 18 and 23 December.
The December Ops Review referred once again to “the continuous DDOS attacks”, and to a “fluctuation” but it noted a 34% increase in data revenue compared with the preceding month, while recognising the adverse effects which the DDOS Attacks had had on data revenues YTD. The Q4 CEO Report also referred to the growth in the number of data subscribers (14%) “despite consistent DDOS attacks since July 2016”, growth concentrated in September (9%) and December (9%). There is also evidence that Lonestar had adjusted its data pricing in response to the DDOS Attacks and Orange Liberia’s 4G/LTE offering, Mr Osho referring to a “300% bonus on data bundles to entice and retain Data Users in the mi[d]st of the DDoS attacks and to also mitigate the impact of the competition LTE expansion”. The is the first documented suggestion of any reduction in Lonestar’s data prices by reason of the DDOS Attacks. Mr Osho also noted the voice usage was up over Q3 (just as Q3 had been significantly up over Q2), but that voice revenues were down because “price war and competition value destruction remains a factor in the market as subscribers spend continue to decrease while traffic increases”. The loss in data revenue to the DDOS Attacks had not, therefore, contributed to a reduction in voice usage, and the reduction in voice revenue was the result of ongoing price competition. The Revised December Recovery Plan (prepared under Mr Toriola’s direction) is to similar effect, identifying DDOS and 4G/LTE as the reason for lost data revenue, and the DYO offer as the reason for lost voice revenue, both on an “all customer” basis, and for HVCs when considered separately. The report noted the “attacks easing out”, as a result of the mitigation measures taken, but that matters were “under observation” and subject to “further optimisation”.
Another document produced in December 2016, the “Top 20 Downgraded Subscribers Analysis”, recorded a drop of voice revenue (63% between October and November 2016) and MOU (by 58%). It observed that “this drop is a result of a high movement of subscribers to $1 for 3 day calls On-net Calls and $1 a day On-net calls + calls to USA and Canada”. However, it also states “as was shown in our previous analysis on the slide below, most of the Data Subscribers move their voice spend where their data spend is, and with the planned LTE Advanced launched, an aggressive data win back campaign is set to be targeted at thes[e] for revenue growth a[n]d upgrade back to the Top 20 segment”. The attached slide is headed “DDOS Impact on Data Users and Total Spend: Poor Data Experience Impacting Other Revenue”. It only analysed the position across three months – July, August and September 2016. The analysis indicated that of the data subscribers in July 2016 who stopped using data in August and September, 60% left the network altogether (i.e., became lost subscribers) and there was a slow MoM decrease in spend for the others “as they slowly moved their spend to where they are using data”. The figures on this chart are something of a curiosity, because the average voice spend of 86,000 subscribers in July 2016 is $3.04. The average voice spend of those still on the network in August but no longer using data is higher than that - $5. The position in September is $4.53, still above the July figure.
In January 2017, the technical data shows no or negligible attack traffic making it through the Arbor APS or Cloud systems, and reaching the final line of defence in the form of the Huawei system. Mr Campbell has pointed to documents which he suggests evidence the effects of DDOS Attacks on 13 days. I accept that there were some effects on 18-19 and 30 January, and brief effects while the Arbor filters were fine-tuned. Beyond that, I am not persuaded that there were any significant effects during this period. The January 2017 Ops Review refers to the success of the mitigation strategy, although it continues to refer to “data fluctuations” caused by the DDOS Attacks as a “key challenge”.
In January 2017, the Liberian government imposed a tax on mobile phone usage of 1c per minute. While Orange Liberia absorbed that tax themselves, Lonestar sought to pass it on. The results of that decision were instant and dramatic. The Ops Review referred to a “huge subscriber shift, with a 32% decline in MTN RGS 1 between 15th to 31st" (i.e., over a one-day period). There was an 18% drop in voice revenue within 2 weeks, and a 36% reduction in voice minutes of use. An RGS 30 comparison (looking at subscribers who had not used the Lonestar network for 30 days) showed voice subscribers leaving Lonestar for Orange Liberia in similar proportions across all value segments – further confirmation that price mattered to HVCs as well as other customers. By contrast, Lonestar’s data business reaped immediate benefits from the launch of 4G/LTE, just as Orange Liberia had (see the figure at [72] above).
The DDOS Attacks came to an end in early February 2017. Large attacks continued up to 8 February, when they were largely mitigated by the defensive systems, with smaller attacks thereafter (including after Mr Kaye had been arrested on 22 February). Mr Campbell points to documents which he says evidence the effects of DDOS attacks on 6 days in the period up to and including 8 February. I accept that the setting of the filters on the Arbor systems did cause issues affecting some websites during this period, and that this is fairly characterised as a consequence of the DDOS Attacks generally. It is not suggested that the DDOS Attacks had any effects after 8 February.
The February Ops Review highlighted the success of the DDOS containment programme, and did not refer to the DDOS Attacks causing loss of revenue. It did, however, note the ongoing effects of the decision to pass on the tax, with a 28% decline in voice revenue, and loss of customers in similar proportions across all value segments. The Q1 2017 CEO Report said that the decision had caused “a mass exit of over 200,000 subscribers” and a 45% reduction in minutes of use against the previous quarter.
In September 2017, Lonestar prepared its budget for 2018. One slide in this document identified “key events and market” shifts in the left-hand column, and “impact on MTN Liberia’s Current State” in the right-hand column. It included the following entries:
Key events and market shifts | Impact on MTN Liberia’s Current State |
Responded to the Value Destroying Offer from competition – Free Calls for 3 Days | Significant loss of Voice Revenue (from $114m in 2012 to $48.5m in 2016) |
Persistent Cyber attack via DDOS | Loss of HVCs due to poor data quality |
Competition l[a]unched 3G & LTE almost 9 mo[n]ths ahead of MTN | Competition have a clear lead on data and hence most HVCS have moved to competition |
It is striking that this document attributes the fall in voice revenue solely to DYO, it identifies the effect of the DDOS Attacks as loss of HVCs “due to poor data quality”, and attributes the loss of HVCs to Orange Liberia’s “clear lead on data”. Slide 19 in the same deck also stated “DDOS Attacks took HV customers away from Data” (and “DYO unconditionally discounted voice”). While there is a reference to “lost customer preference as primary SIM”, this is linked to the fact that certain products “had been designed to auto-renew and deduct balance”, and that “’Fear of Losing Balance’ has driven customers away from Higher Denomination recharges”. There are a number of references in the documents to this issue having a negative impact on revenue. It has nothing to do with the DDOS Attacks, but reflected the fact that “all digital products were designed to auto-renew causing customer complaints on credit depletion”.
D5(7) Overview
In June 2018, Lonestar produced a timeline of the DDOS Attacks as follows:
This analysis is not entirely consistent with the conclusions I have drawn from the technical data and contemporary documents – the attacks of 6 and 7 February are not mentioned, and the level of attacks in October 2016 is overstated in respect of the period prior to 31 October. But in broad terms, the summary correctly captures the sequence of events: initial impacts in October, and again from July 2016, with a new level of intensity in November 2016, and full stability by February 2017.
That broad pattern is consistent with numerous other pieces of evidence:
The severity index prepared by Lonestar and provided to Mr Nicholson, and which he reproduced at paragraph 5.7 of his first report, which shows severe attacks in October dropping off in early November, a brief spike of activity on two days in February and then nothing of significance until July.
Mr Campbell’s evidence that “prior to July 2016 the mitigation systems Lonestar had in place were generally capable of defending against the DDOS attacks directed at Lonestar”. I do not accept that this statement was limited to volumetric attacks (not least because Mr Campbell was clearly concerned with all attacks). The date was significant because it was Mr Kaye’s access to a vDOS booter in that month which Mr Campbell suggests changed the position.
The agreement of the quantum experts that Lonestar lost no subscribers as a result of the DDOS Attacks before September 2016.
The analysis of state exhaustion and application layer attacks which were detected (“SYN flood” and “SYN-ACK”), which shows such attacks in October 2015, a few in November, 6 and 7 February and 19 July.
The 18 dates on which Mr Shepherd identifies attacks exceeding the network and defensive capacity of Lonestar’s network all fall within the three clusters of October 2015, July 2016 and from 31 October 2016.
The dates on which there is both attack traffic in excess of Lonestar’s bandwidth capacity and a document said by Mr Campbell to evidence the effects of DDOS Attacks (assuming, contrary to my conclusions, that each document he identifies does evidence the effects of a DDOS Attack on the date in question): 16 days in October 2015, a single day in November 2015, 3 days in February 2016, 11 days in July and 6 days in August 2016, 5 days in November, 3 days in December and 6 days in January and February 2017.
The timing of emails to Mr Toriola about the DDOS Attacks – four in October 2015, an email in February 2016, three emails in July 2016, 14 in August, 5 in September, one in October, three in November, 4 in December, 12 in January and 5 in February.
The evidence given by Lonestar’s then-CEO, Mr Babutunde Osho, in the English criminal proceedings on 6 July 2017, which referred to “consistent DDOS attacks between September 2016 and February 2017” (although, as will be apparent, the estimate of loss of revenue of US$17.6m he gave to the court has not been substantiated by the evidence before me).
Lonestar’s closing, which, when identifying documents for the court’s review, pointed to an email of 21 October 2015, an email of 6 January 2016 (which I am satisfied was referring to an issue which was not in fact the product of a DDOS Attack, the IP address in question not being one which saw any “dirty traffic”, and other websites being accessible), 7 February 2016, a report of 1 August 2016 referring to attacks in July, a report covering the period July to September 2016, three emails in November 2016 and an email from January 2017 referring to attacks “over the last few months”.
A funding request prepared by Lonestar in October 2017 conveys a broadly similar message, as does Lonestar’s YTD Business Review and 5-Year Plan of June 2018.
D6 The Arrest, Prosecution and Conviction of Mr Kaye and Subsequent Events
The DDOS attacks ended in February 2017. On 22 February 2017, Mr Kaye was arrested by the NCA at Luton airport pursuant to an international arrest warrant concerning a number of alleged cyber-attacks. He was extradited to Germany on 2 March 2017 and charged with offences relating to a cyber-attack on Deutsche Telekom. He was interviewed by the Cologne Prosecutor, in the course of which he admitted that he was the person responsible for carrying out the DDOS Attacks on Lonestar, that he had done so at the request and direction of Mr Marziano and that Mr Marziano had introduced him to Mr Polani who had provided technical support and assistance as necessary.
A report produced by the Cologne Prosecutor records that a mobile phone found on Mr Kaye when he was arrested contained Mr Marziano’s telephone number and email, Mr Polani’s email, numerous messages between Mr Kaye and Mr Marziano concerning the DDOS Attacks, sent via SMS, WhatsApp and Facebook Messenger, and messages between Mr Kaye and Mr Polani on Threema which showed that Mr Polani was “in contact with Kaye on several occasions in order to check whether the attacks had been successful or to report on the impact in Liberia”.
In March 2017, the Liberian government withdrew the 1 cent per minute tax it had imposed in January 2017 (see [98] above).
On 28 July 2017, Mr Kaye pleaded guilty to the charges made against him by the Cologne Prosecutor and received a suspended sentence of 20 months’ imprisonment. The judgment of the court records Mr Kaye making a “full confession” that “he had intended to create a botnet in order to ultimately cause harm to the Liberian company” (i.e., Lonestar), the purpose of that statement being to suggest that he had not acted to harm Deutsche Telekom.
In August 2017, Mr Kaye was extradited back to the United Kingdom where he was charged with offences under the Computer Misuse Act 1990, including in relation to the DDOS Attacks. Mr Kaye initially pleaded not guilty, but he changed his plea and entered guilty pleas to two offences under the Computer Misuse Act 1990 and one offence under the Proceeds of Crime Act 2002, in relation to the DDOS Attacks. On 11 January 2019, he was sentenced to 32 months’ imprisonment.
In September 2019, the Liberian government imposed a floor cap on both voice and data services that effectively outlawed unlimited calling promotions such as $1-3 days and DYO.
E LIBERIAN LAW
E1 Introduction
It is common ground that Lonestar’s claims are governed by Liberian law. Liberia has a common law system, in which decisions of the Liberian Supreme Court constitute a source of law, alongside legislation.
Section 40 of the Liberian “General Construction Law” provides:
“Except as modified by laws now in force and those which may hereafter be enacted by the Liberian common law, the following shall be, when applicable, considered Liberian law:
(a) the rules adopted for chancery proceedings in England, and
(b) the common law and usages of the courts of England and of the United States of America, as set forth in case law and in Blackstone’s and Kent’s Commentaries and in other authoritative treatises and digests”.
This statute was referred to by the parties as the Reception Statute, although in contrast to some reception statutes (e.g. s.3 of the (Singapore) Application of English Law Act 1993), it was common ground that it does not provide for the incorporation of a body of law at a particular date, but “the common law ... as it stands at the time when those laws are adopted and applied in a particular case, and thus not necessarily the law as it stood at the time when the Reception Statute was enacted”. It was also common ground that the Reception Statute did not “require the Liberian Supreme Court to prefer United States common law principles to English common law principles, or vice-versa”, but that in practice “the Liberian Supreme Court looks more often and primarily to United States treatises, digests and case law rather than to English law treatises, digests and case law”. The frequency of recourse to the Reception Statute was in issue.
There were a number of disagreements between the Liberian law experts as to how the Reception Statute operated, which it is convenient to address at this stage of the judgment. In particular, Counsellor Padmore and Professor Banks argued that the Reception Statute did not “accord automatic status” to the common law of England and the United States, even if there was no Liberian statute or common law in force. Rather, they contend that the effect of the words “if applicable” was that it was only when the Liberian Supreme Court (as the only court capable of generating decisions with the status of binding precedents) reviewed and accepted the relevant English or US common law that these provisions became part of Liberian common law. Counsellor Musu-Scott’s evidence was that the Reception Statute “confirms and maintains the common law of England and of the United States as part of the law of Liberia” on any issue not covered by Liberian statute or the case law of the Supreme Court of Liberia.
As is often the case, the debate between the experts assumed a form in which each criticised an extreme version of the other’s contention. Thus Counsellor Musu-Scott suggested that Counsellor Padmore and Professor Banks were arguing for the position that only the Liberian Supreme Court could decide whether or not a particular rule of US or English common law should form part of Liberian law, in circumstances in which the jurisdiction of the Supreme Court was only appellate rather than original, and the cases of the lower courts which reached the Supreme Court on appeal would, on this theory, never raise issues of this kind because this would not be a source of law open to them. For their part, Counsellor Padmore and Professor Banks suggested that it was the inevitable consequence of Counsellor Musu-Scott’s theory that all principles of common law of England and Wales, and of all fifty of the United States and the federal jurisdiction, the contents of Blackstone, Kent and other “authoritative treatises and digests” were all automatically binding on a first instance judge, even though they might well conflict inter se.
I am satisfied that, as the Reception Statute now falls to be applied, the normative force of the common law as it has developed in England and Wales in Liberian court decisions is much attenuated. I cannot accept that it is binding in the sense that a first instance judge would be obliged to follow English law on an issue which Liberian statutes or case law had yet to address, not least because of the possibility for conflict between the various legal sources identified in s.40. I accept that English common law is given a higher status than, say, the decisions of German or Italian courts, and indeed formally at least than the decisions of common law jurisdictions such as India or Canada. However, the constraint which s.40 of the Reception Statute places on the law-making power of the judge is, in my view, very limited indeed. I am satisfied that English case law, for example, would have less normative force before a Liberian court than decisions of the European Court of Human Rights would have before an English court by virtue of s.2 of the Human Rights Act 1998. To the extent that it has any impact on the freedom of action of a Liberian judge when deciding the content of Liberian law, the judge would retain a “strong” rather than “weak” discretion. The language of Liberian case law reflects that, for example Quelo v Providence Concrete Works [1981] LRSC 29, 301, in which the Liberian Supreme Court held that when determining whether or not to apply some principle of foreign law under the Reception Statute, “we should weigh all the benefits and choose the blessings”.
I am also satisfied that, to the extent that the Reception Statute influenced the decision of the Liberian judge, it is to U.S. rather than English sources that the judge would principally look. That is not because the Reception Statute creates any formal hierarchy as between the two – it clearly does not – but because of the very close links between Liberia and the U.S.A. since Liberia’s foundation, the heavy influence which U.S. statutes have had for Liberia’s lawmakers, and the extent to which Liberian legal education has exposed its lawyers to U.S. rather than English influences. That reflects the position of all the experts in the joint memorandum, and the cases I was referred to which, with one exception (Miller v Parker [1982] LRSC 73 dealing, of all things, with the presumption that a conveyance into two or more names creates a joint tenancy), involved the application of principles of U.S. law.
It might be wondered why it would matter so much whether, in the field of civil liability for wrongs, a Liberian court, faced with a gap in its own law, would look to U.S. or English sources to fill that gap. The answer to that question leads to what, for me at least, was one of the great forensic mysteries in this case. As it is relevant to both the ways in which Lonestar puts its case (an action of damages for wrong under existing Liberian law, or the application of the English torts of lawful or unlawful means conspiracy or unlawful interference under the Reception Statute), I should address the issue at this stage.
E2 The Issue of Direct Actionability
Whether there can be tortious liability where someone, whether acting alone or with others, has caused the claimant loss by unlawful acts without those acts themselves being actionable at the suit of the claimant has proved a controversial topic under English law:
For the purposes of the tort of unlawful means conspiracy, there were a number of cases which supported the view that the unlawful means had to be actionable at the suit of the victim against at least one of the conspirators. The decision of the House of Lords in Lonrho v Shell (No 2) [1982] AC 173 was interpreted by some judges as creating such a requirement (e.g., Michaels v Taylor [2001] Ch 493).
That interpretation was rejected in Revenue & Customs Commissioners v Total Network SL [2008] 1 AC 1174, which held that the crime of cheating the Revenue could comprise an unlawful act for the purposes of unlawful means conspiracy. In JSC Bank v Ablyazov (No 14) [2018] UKSC 19 [15] the Supreme Court held that “a criminal offence could be a sufficient unlawful means for the purpose of the law of conspiracy, provided that it was objectively directed against the claimant”.
However, before breach of a civil statute can provide the unlawful means for this tort, it is necessary for the statutory provision in question to be one which can be enforced by the claimant for the tort of breach of statutory duty (Clerk & Lindsell on Torts (23rd), [23-113]).
In OBG v Allan [2007] UKHL 21, the House of Lords confirmed the existence of a tort where one party interferes with the economic interests of the claimant, by the use of unlawful means, and with the intention and effect of injuring the claimant. The principal focus of the tort is where one party (A) uses unlawful means against another party (B) with the intention and effect of causing loss to a third (C), who then sues A. The three-party version of this tort requires the unlawful means to be actionable at the suit of B for C to claim.
In its opening, Lonestar referred to certain U.S. materials exhibited by Mr Padmore, and stated:
“It is apparent from the materials which he himself exhibits that there is nothing in US common law which is in fact inconsistent with Lonestar’s case under English law. In particular, it is plain that U.S. law recognises a form of secondary liability for conspiracy to commit a tort and to exercise unlawful means”.
However, as Mr Singla KC accepted in closing, such evidence as there was in relation to the position under U.S. law supported a (majority) requirement that the unlawful means be actionable at the suit or the claimant (such that two of more persons who agree that one of them will commit a tort actionable at the suit of the victim can both be sued by the victim).
In the Particulars of Claim, Lonestar has advanced the following claims against the Defendants:
lawful means conspiracy;
unlawful means conspiracy, the unlawful means being:
breaches of a UK statute (ss.3(1), 3A(1) and (5) of the Computer Misuse Act 1990) by reason of Mr Kaye’s conduct in this jurisdiction; and
breach of s.76 of the Liberian Telecommunications Act 2007;
“unlawful interference”, relying on the same unlawful means;
a claim of liability under action of damages for wrong, a claim said to be available under Liberian law for loss caused by “wrongful conduct”, the conduct implicitly alleged to be wrongful including the contravention of the statutes referred to above. This emerges clearly from the terms of the permission to adduce expert evidence on this part of the case which I granted on 27 September 2021 and which permits expert evidence on the following issues:
“Does Liberian law recognise a cause of action of damages for wrong?
(i) If yes, what are the elements of this cause of action under Liberian law?
(ii) To the extent that one of the elements involves a “wrong”, would a breach of: (1) section 3 and/or 3A of the Computer Misuse Act 1990 (being a United Kingdom statute) or (ii) section 76 of the Liberian Telecommunications Act 2007 suffice to establish that element.”
In addition to:
the issue of whether a Liberian court would recognise the English torts under the Reception Statute;
there are also disputes as to whether:
to the extent it did so, breach of foreign legislation (the Computer Misuse Act 1990) would be sufficient;
there was an action of damages for wrong as a matter of Liberian law and if so:
could breach of a UK statute constitute a wrong for this purpose; and
did the “wrong” have to be civilly actionable at the suit of the victim.
It will be apparent that none of these issues would arise to the extent that the Liberian Telecommunications Act 2007 (the 2007 Act) itself gave a civil cause of action against anyone who had suffered loss as a result of a breach of its provisions. However, while a breach of s.76 of the 2007 Act was pleaded as an unlawful means for the purposes of the two English “unlawful means” torts, and, implicitly as one basis for the claim under the action of damages for wrong, no civil claim for damages was advanced under s.80 of the 2007 Act.
E3 The 2007 Act and the Evidence Upon it
E3(1) The 2007 Act
Section 76 of the 2007 Act provides:
“(1) No person shall:
(a) fraudulently, maliciously, or with dishonest intent, use any telecommunications facility or obtain any telecommunications service without payment of a lawful charge thereof;
(b) intentionally, without right and with dishonest intent, access the whole or any part of a telecommunications network or computer system by infringing security measures, with the intent of obtaining telecommunications or computer data;
(c) intentionally, without right and with dishonest intent, intercept by technical means a transmission not intended for public reception of telecommunications or computer data to, from or within a telecommunications network or computer system;
(d) intentionally, without right and with dishonest intent, damage, delete, deteriorate, alter or suppress telecommunications or computer data without right, where this results in harm to any other person;
(e) intentionally, without right and with dishonest intent, interfere with the functioning of a telecommunications network or computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing telecommunications or computer data;
(f) intentionally, without right and with dishonest intent, possess, produce, sell, procure for use, import, distribute or otherwise make available a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in subsections (1) (a), (b), (c), (d) or (e); or a computer password, access code, or similar data by which the whole or any part of a telecommunications network or computer system is capable of being accessed with intent that it be used for the purpose of committing any of the offences established in subsections (1) (a), (b), (c), (d) or (e);
(g) use, or cause or suffer to be used, any telecommunications network or telecommunications service for the purpose of disturbing, annoying, irritating, offending or harassing any person, including by means of a call with or without speech or other sounds, data or video images; or
(h) wilfully damage any telecommunications network or related telecommunications facility.
(2) Every person who acts in contravention of this Section commits an offence and is liable to the penalties prescribed in Section 77.”
Section 77 clearly contemplates that the s.76 offence can be committed both by natural persons and corporations (who can only act through natural persons), and that the employees of corporations can be punished for a corporation’s breach. It provides:
“(1) Every person who contravenes Section 76 of this Act, and is found guilty of the same after being accorded due process of the law, and is guilty of the offence and liable:
(a) in the case of a natural person, to a fine not exceeding one hundred thousand Liberian Dollars for a first offence and two hundred and fifty thousand Liberian Dollars for a subsequent offence;
(b) in the case of a company or any person other than a natural person, to a fine not exceeding one million Liberian Dollars for a first offence and five million Liberian Dollars for a subsequent offence; or
(c) in the case of a natural person who is an officer, employee or agent of a company and who is responsible for the contravention, breach or failure by the company, imprisonment for a Term to be decided in accordance with the New Penal Code of the Republic of Liberia.”
Section 80, headed “Civil Liability” provides:
“(1) Subject to any limitation of liability imposed in accordance with this Act or any other act, a person who has sustained loss or damage as a result of any act or omission that is contrary to this Act, or contrary to any regulation, rule or order made under this Act may bring a civil action against any person who engaged in, directed, authorized, consented to or participated in the act or omission.
(2) Any action brought pursuant to this Section shall be subject to the practices and procedures of the applicable court in such matters.”
A “person” is defined by s.2(1) of the 2007 Act as “a natural or other legally recognized person or entity, and includes a joint stock company, a limited liability company, a partnership, a sole proprietorship, a joint venture, or other form of entity whether incorporated or unincorporated.”
I now turn to the evidence on ss.76 and 80 of the 2007 Act.
E3(2) Professor Banks’ Evidence on the 2007 Act
Professor Banks in his first report of 13 August 2021 expressed the following views:
He said that s.80 “does not lay out a special procedure” for the civil claim but “in respect of damages suffered by a party on account of the violations, the courts would deem the violations to be a wrong committed against the victim, and as such would allow the victim to bring an action of damages for wrong or to even characterize the action as simply one of damages.”
He said that “it is noteworthy … that the Liberian Telecommunications Act 2007, at Section 80, does recognize that there can be civil liability arising from a violation of the Act where loss or damage is sustained by a person. But the section also states that a person may bring such ‘civil action against any person who engaged in, directed, authorized, consented to or participated in the act or omission.’ This means that a person may bring a civil action against the actual perpetrator of the act or against the principal of the perpetrator of the act if the principal, whether a natural person or a corporate entity, ‘directed, authorized, consented to or participated in the act or omission’”.
He suggested that “because the Liberian Telecommunications Act 2007 does not have extra-territorial effect, a person injured or damaged by the act of another, done in a foreign country, cannot bring suit in the foreign country to enforce the violation of the Liberian Telecommunications Act 2007, although the impact of the perpetrator’s action is felt in Liberia. The suit would have to be brought in Liberia in a court of competent jurisdiction.” Orange Liberia did not raise that (surprising) contention before me.
That a s.80 claim “would be an action of damages for wrong, not one based on the theory or principle of ‘unlawful means conspiracy’” stating he was “of the opinion, and as has been the practice in civil actions which have grown out of a statutory prohibition, a party may rely on the common law concept of damages for wrong or simply action of damages which is recognized under Liberian law. Under Liberian law, the Liberian courts would not treat or characterize the action as a breach of a statutory duty. Such characterization would only be given to the action if the Liberia Telecommunications Authority was the complainant and was seeking to hold the violator accountable for the violation of the statutory duty or to ensure compliance with the Act.”
That the offences under s.76 of the 2007 are grounded in intentional misconduct, which, together with the fact that the 2007 Act does not refer to agency, means that there can be no vicarious liability under the 2007 Act.
In his second report, Professor Banks expressed the view (which is not readily reconcilable with the view expressed in his first report) that “because the Liberia Telecommunications Act 2007 is a statute and does not fall within or has not been declared, either by the statute or by the courts, as constituting or to be an ‘action of damages for wrong’, but has its own cause of action (criminal and civil), it cannot be deemed to constitute an “action of damages for wrong””.
In his third report, Professor Banks said that the 2007 Act only imposed a liability on those who had “engaged in, directed, authorized, consented to or participated in the act or omission”, and no common law tort could be brought which imposed a liability for a breach of s.76 in circumstances in which it would not have arisen under s.80.
E3(3) Counsellor Padmore’s Evidence on the 2007 Act
In his first report, Counsellor Padmore said that s.80 did not impose liability for an agreement to commit the s.76 offence, although he was careful to note that a person who did enter into such an agreement “may be liable for engaging in, directing, authorizing, consenting to or participating in an offence.” He said that there was no room for a civil liability in conspiracy for breaches of s.76.
Counsellor Padmore referred to the 2007 Act in passing in his second report, saying that there was no action for damages for wrong under the Liberian law, with the result that the issue of whether a breach of s.76 of the 2007 Act could constitute such a wrong did not arise.
In his third report, Counsellor Padmore essentially repeated the views he had expressed in his first report.
E3(4) Counsellor Musu-Scott’s Evidence on the 2007 Act
In her first report, Counsellor Musu-Scott noted that s.77 imposed penalties against the agents or employees of corporations for breaches of s.76, as well as the corporations themselves.
In her second report, Counsellor Musu-Scott expressed the view that a breach of s.76 of the 2007 Act could provide the basis for an action of damages for wrong, pointing to various cases in which the breach of a statute had been held to ground such an action.
In her third report, Counsellor Musu-Scott stated that she did not accept that s.80 prevented the Liberian courts from recognising common law liability for conspiracy for breaches of s.76, or that a breach of s.76 could not form the basis of an action of damages for wrong, pointing to other cases in which she said that breaches of Liberian statutes had formed the basis for a claim of this type. She noted (fairly in my assessment) the change between Professor Banks’ view on this issue between his first and second reports.
E3(5) The Experts’ Joint Memorandum on the 2007 Act
The Joint Memorandum suggested that the experts were agreed as to what had to be proved to establish a breach of s.76 of the 2007 Act, on the basis that the Act was clear. As to s.80:
Professor Banks and Counsellor Padmore said that it gave a claim against the person who “engaged in, directed, authorized, consented to or participated in the act or omission”, but not against a person who agreed to commit the offence, but accepted that “such a person may be liable for engaging in, directing, authorizing, consenting to or participating” in the offence.
Professor Banks and Counsellor Padmore expressed the view that there could only be liability under s.80 “where said defendant has directed, authorized, consented to, ratified, acquiesced in, or participated in the act, and that if those factors are not present, a defendant will not be held liable” (a view which accords with their opinion as to the limits of vicarious liability generally under Liberian law).
Counsellor Padmore suggested that there could be no liability at common law for the offence and Professor Banks that s.76 could not provide the basis for an action for damages for wrong.
Counsellor Musu-Scott did not agree that s.80 precluded a common law claim based on a breach of 76, and said that s.80 was not exhaustive.
E3(6) The Evidence at Trial
As I have explained, Professor Banks did not give evidence at trial. The 2007 Act received very little attention in cross-examination. Counsellor Musu-Scott was not asked about it. It was suggested to Counsellor Padmore that s.80 did not address liability on the basis of agreement (which he accepted) and that this showed s.80 was not an exhaustive code. In response to that last suggestion, he replied:
“Section 80. I don’t think that the entire issue relates to the Telecommunications Act. That is (inaudible) my point. The Telecommunications Act is a Liberian statute that says, here is the law in Liberia, and that is it”.
While that does not appear to be an answer to the question asked, Mr Singla KC was evidently happy with it, because he responded “exactly”.
I have been left with the distinct impression that both Lonestar and Orange Liberia were keen to say as little as possible about s.80. While I entirely understand Mr Kitchener KC’s forensic reluctance, both because s.80 has not been pleaded and because it does not appear helpful to this part of his case, I found the reasons for Mr Singla KC’s reluctance more difficult to discern. However, judges see only a very small part of the forensic landscape which the parties’ legal representatives must survey in full, and then plot how to navigate. The end result is:
No claim is being advanced under s.80.
The existence of s.80 is being relied upon by Orange Liberia as a reason why there should be no liability on any other basis under Liberian law.
The argument at (ii) is disputed.
That dispute was not explored at trial.
I should record, however, that the position in which I find myself is, from the peculiarly personal perspective of the judgment writer, an uncomfortable and artificial one, in which there are debates as to whether particular forms of claim can be advanced against the background of s.80 and/or as to whether any requirement of direct actionability, if there is one, is met, without any exploration of that key provision.
E4 The Action of Damages for Wrong under Liberian Law
E4(1) The Historical Position
The early Liberian legal sources provided to me referring to an action of damages for wrong were the Constitution and Laws of Maryland in Liberia (1837), published by the Maryland State Colonization Society, and “the Statute Laws of the Republic of Liberia, Carefully Compiled from the Laws of the Commonwealth with the Declaration of Independence” published “by Authority” in Monrovia in 1856. I am told that this last book is referred to by Liberian lawyers as the “Old Blue Book”. Title II (“Of Remedies”), Chapter 1 (“Of Actions”) of both works are to the following effect:
Section 3 divides actions into three classes: breach of contract, actions which “grow out of a wrong” and causes of action which “grow out of a judgment”.
Sections 11 to 14 provide:
“There are three actions growing out of wrongs – replevin – ejectment – and the action to recover damages for a wrong.
Replevin is an action to recover the possession of movable property wrongfully withheld by the defendant from the plaintiff.
Ejectment is an action to recover possession of real or immovable property, wrongfully withheld by the defendant from the plaintiff. A widow may recover her dower in ejectment.
The action to recover damages for wrong is an action in which the plaintiff seeks to obtain from the defendant, a sum of money, or damages or compensation for the injury he has sustained, by reason of some act of the defendant. It may briefly be called an action of damages. It is the action which lies for every injury, for which there is no other remedy”.
There is much here to ignite the interests of the legal historian, and no doubt to dull the senses of those fortunate enough to spend their salad days studying more glamorous fare. Professor David Ibbetson noted that these works appeared to have adopted the broad structure of the law of civil procedure in Maryland as detailed in Treatise on the Course of Proceedings in the Common Law Courts of the State of Maryland (1839). Chapter II (“of the Remedies used in Maryland”), 45-6 observes that there are five causes of action for wrongs in Maryland – replevin, ejectment, dower “and the remaining two, case, and trespass”. Trespass lay for direct interference with the person or with real or personal property (or the possession thereof), and case “whenever actual force is impossible”.
This division is consistent with the distinction which emerged in English (and was transplanted to American) tort law between trespass (which had at its core the idea of forcible wrongdoing or invasive interferences with the claimant or their property) and trespass on the case (which did not, and as a result “had an almost unlimited potential to expand into other areas”: David Ibbetson, A Historical Introduction to the Law of Obligations, 56: Ibbetson). However, as further transplanted into Liberia, the action of damages for wrong appears to have subsumed both trespass and case into a single broad category of tortious claims.
So far as the development of English tort law is concerned (and at the risk of it being suggested by Professor Ibbetson – not for the first time – that I have overly simplified a set of complex historical developments), the position appears to be as follows:
The availability of the action on the case led the effective range of the law of torts to be considerably expanded in the fifteenth and sixteenth centuries.
By the start of the seventeenth century the law of torts had come to assume three aspects (Ibbetson, 96):
“First was the core, centred on the general action of trespass, but extending into trespass on the case, dealing with invasive interferences. Second was a group of tolerably well-bounded ‘nominate’ torts, of which nuisance, conversion, and defamation were the most obvious examples. Finally, there was a miscellaneous ragbag of situations in which plaintiffs had succeeded in convincing the courts that they had suffered loss for which they ought to be compensated – an open-ended set of ‘torticles’ as one modern commentator has dubbed them”.
In the eighteenth century, and into the nineteenth century, there was “a wholesale shift of litigation from trespass to case” (Ibbetson, 153), but case remained “subdivided into a number of nominate forms and a large residuary group linked together by nothing stronger than the defendant was alleged to have caused loss to the plaintiff” (Ibbetson, 169).
During the nineteenth century, a substantial part of the residuary group had “coalesced as the tort of negligence” (ibid), outside of which a series of individual torts crystallised, generally classified by reference to the interests of the claimant which had been infringed, each with their own rules (Ibbetson, 184).
The first tort treatise published in either England and Wales or the U.S. was published in Boston in 1859. In the 1866 edition of that book, Francis Hilliard’s The Law of Torts, the author complained of the prevailing tendency to treat the law of wrongs as a “system of forms rather than principles” (preface, vi).
By the end of the twentieth century, the tort of negligence had come to dominate the field, although there remained “a myriad of ‘torticles’, ranging from interference with dead bodies and racial discrimination to harassment and deceit, each with its own particular rules” (Ibbetson, 201).
As I have indicated, from the creation of the Republic, Liberian tort law reflected the development at [148(iii)] trespass having been assumed within what became the even larger residuary category of case (the action of damages for wrong). The issue between the experts is whether, as it now falls to be applied:
Liberian tort law has developed to the state in [148(vi)], such that it is necessary for Lonestar to bring itself within a recognised or nominate tort, with its own particular rules; or
“the action of damages for wrong” continues to provide a vehicle to bring claims within the “ragbag” or “open-ended set of ‘torticles’” referred to in [148(ii)] where the defendant is alleged to have caused loss to the claimant for which the claimant ought to be compensated, outside of those established categories.
E4(2) The Current Position Under Liberian Law
It is Counsellor Musu-Scott’s opinion that there remains a claim of “action of damages for wrong” under Liberian law which does not require the claimant to satisfy the “particular rules” of causes of action such as negligence, nuisance, conversion etc. Her evidence is:
“As a matter of Liberian law, the action of damages for wrong is a well-known, common law-based cause of action for non-contractual wrongs … [A]n action of damages for wrong requires proof of two elements: wrongful conduct by a defendant, which results in injury or loss. No particular criteria are prescribed in the case law of the Liberian Supreme Court in relation to whether conduct is, or is not, ‘wrongful’ (and for the avoidance of doubt, it is not necessary for the relevant wrongful conduct to be in breach of a statute). Instead, when determining whether conduct qualifies as ‘wrongful’, the Liberian courts will … generally take a broad and fact-sensitive approach”.
On this account, the action would indeed embrace “a miscellaneous ragbag of situations in which plaintiffs had succeeded in convincing the courts that they had suffered loss for which they ought to be compensated”.
Counsellor Padmore, by contrast, says that from its inception, the action of damages for wrong was simply a form of action, and it was necessary for the claimant to plead one of a number of recognised causes of action. He refers to a specimen wording in an appendix to the Old Blue Book, giving a “form of a complaint” for an action against someone who had come onto the claimant’s land and cut down and carried away ten trees. Title II, Chapter IV of the Old Blue Book – “Of the Complaint” – does prescribe certain matters which a complaint must include in their pleading, including that “the complaint in an action of damages shall state the injury complained of, and the fact that the plaintiff has sustained damages thereby”. It also specifies certain requirements for complaints of damages to real property, personal property, personal injury or domestic relations. However, it says nothing about these being exhaustive and a chapter dealing with the contents of a complaint (where reference to the appendix first appears) would not be an obvious place to look for an exhaustive definition of the types of tort claim which can be brought. The Appendix itself says:
“The preceding forms of complaints are only models or specimens and may be changed or modified, or new ones invented on similar principles, to be used in cases not herein provided for.”
Further, the existence of a residuary category for tort claims in Liberia in the form of the action of damages for wrong is supported by s.165(c) of the Civil Procedure Law 1956, describing “[a]ctions to recover damages for wrong” as “an action which lies for every injury for which there is no other remedy” (and the Joint Memorandum quotes a similar statement by the Supreme Court of Liberia in King v Williams (1916) 2 LLLR 219, 221).
On that basis alone, therefore, I have concluded that Counsellor Padmore’s evidence that Liberian law only ever recognised specific torts dealing with a delineated set of wrongful acts is not correct. Having reached that conclusion on the basis of the cited terms of the Old Blue Book (the only source Counsellor Padmore relied upon), I would simply note the entirely general terms of other sections of the Old Blue Book which were not put in evidence, in Book I, “Of Legal Principles and Rules”, which are wholly inconsistent with there being an (unidentified and) exhaustive list of individual torts at that stage in Liberia’s legal history:
§1: “An injury is an unlawful damage done to another and is the proper subject of action”.
§2: “Every act which is prejudicial to the interest of another is an injury, unless it be warranted by some law …”.
§5: “Every person is liable to an action for all damages which arise from the negligence, carelessness or unskilfulness of himself or his wife at any time, of his agents or servants while employed in his business”.
§6: “Every man is bound to use his own property so as not to damage his neighbour. If any person makes use of his own property in a manner prejudicial to his neighbour’s interest, it is an injury”.
§55: “All the provisions of this title are to be considered as annexed to, incorporated in, and controlling all the provisions of the second title [viz, “Of Remedies”] except those contained in the twenty-third chapter” [viz “Of the Writ of Habeas Corpus”].
Those passages are in very similar terms to a document which was in evidence, an “Abstract of Legal Principles and Rules” dated January 1841 which describes the principles for liability for wrong in similarly general terms (Title I sections 1 to 6 and 54).
Counsellor Padmore was on surer ground when noting that claimants were frequently non-suited if they had pursued their claim using the wrong form of action. One of the cases he referred to, Cavalla River Company v ES Prince Pepple [1934] LRSC 5, involved a case in which the form of action - “action of damages to personal property” - had wrongly been used to bring a claim for breach of contract to recover an amount of money deposited with the defendant and repayable on demand. The claim was dismissed for that reason.
Difficulties of that kind were addressed by section 1.3 of the Liberian Civil Procedure Act 1972 (the 1972 Act) which provided as follows:
“1.1. Application of Civil Procedure Law.
The Civil Procedure Law shall govern the procedure in all civil actions and special proceedings before all judges and in all courts in the judicial branch of the Government, except where the procedure is regulated by inconsistent statutes or rules adopted in conformity therewith. Acts required by provisions of this title to be done by clerks of court may be done by a justice of the peace or stipendiary magistrate in applying those provisions to courts not of record.
1.2. Actions and special proceedings.
1. Prosecution as action. Any independent application to a court for relief shall be prosecuted in the form of an action, except where prosecution in the form of a special proceeding is authorized. Except where otherwise required by statute or rule of court, procedure in special proceedings shall be the same as in actions.
…
1.3. One form of civil action.
There is only one form of civil action. The distinction between actions at law and suits in equity, and the form of those actions and suits heretofore existing, are abolished.”
I accept that the 1972 Act made significant changes to the procedural law of Liberia, and reduced the risk of a complainant with a good claim finding that claim dismissed because of the particular document used to assert it. In Kamara v Wolloh [1981] LRSC 15, for example, an attempt to dismiss a claim because it had been issued as summary proceedings, when it was not, failed because of the 1972 Act. However, the suggestion that the 1972 Act amended the substantive tort law of Liberia, such that the principles which determined what matters could be the subject of a claim in tort were changed, is a much more challenging assertion. Counsellor Padmore’s opinion was as follows:
“In the place of the historical practice of pleading causes of action within the constraints of the various forms of action, the modern practice is to plead individual causes of action (e.g. negligence, libel, etc) using the ‘one form of civil action’ that became applicable in Liberia after 1972. The new procedure is confirmed, for example, in the sample pleadings in Appendix 1 to the Liberian Civil Procedure Law 1972, which include sample pleadings in an ‘action for breach of contract’ (Form 3), negligence (Form 8), an ‘action for damages for assault and battery …
Liberian law has thus never recognized a cause of action called the ‘action for damages for wrong’. It was historically a form of action which a plaintiff could use to bring causes of action recognized by Liberian law, but it was abolished in or before 1972. Although parties’ pleadings and decided cases after 1972 often continue to refer to the old ‘action for damages for wrong’, this is anachronistic and a holdover from past practice. As I have said, it would not even be correct as a matter of historical practice prior to 1972 to refer to the ‘action for damages for wrongs’ as a cause of action recognized by Liberian law because it never has been.”
On this issue of the effect of the 1972 Act, I prefer the evidence of Counsellor Musu-Scott for the following reasons.
First, as I have stated, the suggestion that there was a closed category of tort causes of action before 1972 is not supported by the passages in the Old Blue Book on which Counsellor Padmore relied, nor its 1837 predecessor, nor did he point to any other source from which I could identify what that closed category comprised.
Second, the 1972 Act was a procedural reform, but I have seen nothing to suggest that it limited the factual circumstances in which a tortious remedy would be available for loss caused by unlawful conduct. When I asked Counsellor Padmore whether, following the passing of the 1972 Act, there was any conduct which would previously have been actionable in tort which ceased to be so, he answered (very fairly) “that is a very good question … I’m afraid I can’t answer it right now”, although he did accept my suggestion that “it would be quite an odd thing for a procedural statute to do.” It is very difficult to see how the 1972 Act changed what sets of facts could be the subject of a claim in tort, as opposed to the means by which such a claim might be pursued. The 1972 Act does not purport to address anything other than matters of procedure (including, for that purpose, limitation which has a hybrid substantive and procedural character).
Nor did the specimen pleadings at the end of the 1972 Act have that effect (any more than their predecessors in the appendix to the Old Blue Book). Section 9.3, addressing “Form of pleadings”, provides that “pleading forms, contained in the appendix of forms, are sufficient under the requirements of this title and are illustrative of the degree of particularity required.”
Third, I found the reaction of Professor Banks – a former Associate Justice of the Supreme Court of Liberia – to this suggestion striking. He said that “an examination of cases decided by the Supreme Court clearly demonstrates overwhelmingly the existence in the Liberian jurisdiction of a cause of action denominated ‘action of damages for wrong’”. He denied that this was simply a form of pleading, suggesting that Counsellor Padmore’s view “would bring into question the legitimacy or legality of all of the cases of action of damages for wrong”. I am unable to accept Orange Liberia’s view that the difference between Counsellor Padmore and Professor Banks on this issue was essentially terminological. It is clear that Professor Banks saw the action of damages for wrong as specific to Liberia, and a distinct feature of the Liberian legal landscape in contrast to the position in England and Wales and the U.S.A.
Finally, the way in which Liberian courts have continued to reason in the cases to which I have been referred is inconsistent with Counsellor Padmore’s analysis. F.W. Maitland’s famous observation that “the forms of action we have buried, but they still rule us from the grave” (The Forms of Action at Common Law (1909), 1) has proved particularly true in Liberia. While it is possible to analyse the facts of many of these cases, and show that they include averments which would meet the requirements of particular torts, that is not how they are reasoned:
In NPA v Dougbah [2016] LRSC 22, the court’s analysis proceeded as follows: “wherefore it is our opinion that the appellant’s conduct in removing the subject container from the premises resulting to the loss of its contents was wrongful; that said wrongful conduct injured the shippers of the containers as they were dispossessed of their belongings; and for such wrong damages would lie as a matter of law”. No reference was made to any nominate tort such as conversion or detinue.
In Firestone Liberia Inc v G Galimah Kollie [2012] LRSC 14, the claimant brought an action for damages for wrong premised on the wrongful seizure and detention of their truck. The case contains no reference to conversion, trespass to goods or detinue. Rather the court held that, while Firestone Liberia Inc had been granted extensive police powers and authorities under an Amended and Restated Concession Agreement with the Republic of Liberia (which had been given effect by legislation), by that same Agreement, Firestone had agreed to subscribe to and adhere to the principles contained in the Voluntary Principles on Security and Human Rights. It was found that Firestone had violated those principles and breached the Liberian constitution through the duration of the seizure, their own use of the truck during the period of its detention and their failure to comply with the Concession Agreement. In short, the wrongful act was breach of a statute (as Counsellor Padmore acknowledged), but there was no analysis of whether the statute gave a statutory cause of action to the claimant (who was not, after all, a party to the Concession Agreement).
Total (Liberia) Inc v Stoner (Liberia) Inc 26 August 2021 involved the allegation that a contract to hire the claimant’s trucks had wrongfully been suspended on the basis of a third-party’s allegation of non-delivery of fuel, without a proper investigation. The principal issue for the court was whether it was open to the defendant to rely on a recently discovered arbitration agreement to object to the court’s jurisdiction. However, there was no suggestion that the claimant’s claim did not constitute a tort known to Liberian law. The trial judge upheld the claimant’s claim because “the termination of the services to the plaintiff was not justified and that same was done merely to injure and expose the plaintiff to serious hardship and mental anguish. In the mind of this court, an Action for Damages for Wrong will be justified”. None of the 29 errors alleged in the defendant’s bill of exception said that bad faith suspension of a contract was not a recognised tort. The Supreme Court noted that “the review of the records reveals that the trial judge principally held the appellant liable for damages for wrong on the theory that the suspension and later termination of the appellant was unjustified, in the absence of due process …. [and] where the alleged neglect to deliver … was unsubstantiated by evidence.” There was no suggestion that this was not a sufficient basis for liability. On the contrary, the Supreme Court found that the suspension was wrongful, and stated “the law extant is that the plaintiff in action for damages for wrong must not only plead the wrong complained of, but that the plaintiff must prove by the preponderance of the evidence that he suffered loss or injury as a result of the defendant’s wrongful act”.
City Builders v Purported City Builders 15 July 2013. The claimant brought what was described as a “sixteen-count complaint in an action of damages for wrong” against the defendant who had registered a business in the same name as the claimant’s, “in flagrant violation of our Association Law which prohibits two corporations from operating under the same name”. The trial judge dismissed the claim, on the basis that the claimant had no trademark in its name. The Supreme Court identified the sole issue as “whether or not the acts of the defendants/appellees constitute a wrong for which … damages will lie”. They answered that question in the most general terms: “we hold that it was wrong … to have filed articles of incorporation carrying the name City Builders Inc, because the said name had previously been assigned to the plaintiff/appellant”. It was pointed out that the statute required those seeking to incorporate a business to ensure that they did not use the same name as another business, but there was no consideration of whether the statute created a statutory duty or gave a cause of action to the existing business. While Orange Liberia suggested in closing that “City Builders may … be best understood as a negligence case or as a case in the tort of passing off”, neither the case itself, nor Counsellor Padmore when asked about it, offers either rationale.
50-50 Incorporated v Ecobank Liberia Ltd, 8 September 2017, in which the claim (which failed on the facts, but was not challenged on the law) was that a bank who had identified the claimant as a defaulting debtor in a return sent to the Central Bank of Liberia had acted wrongfully in failing to correct that submission once the debt was paid, in breach of the Central Bank of Liberia “Regulation Guidelines for Management of the Credit Reference System”.
Having concluded that the current state of Liberian law does not comprise an exhaustive list of nominate or specific torts of the kind now recognised in US and English law, but that it retains, through the action of damages for wrong, scope for some kinds of residual claims outside of those categories, the question which then arises is whether the wrongs relied upon here – breaches of the UK statute and the 2007 Act – satisfy the requirement of a “wrongful act” for this purpose. I remain unclear as to the type of act or omission which can constitute a wrong for the purpose of the action of damages for wrong, perhaps because there is no definition, simply a series of case-by-case responses. Counsellor Musu-Scott said that “no particular criteria are prescribed in the case law of the Liberian Supreme Court” and the courts “generally take a broad and fact-sensitive approach”. Professor Banks, who shared Counsellor Musu-Scott’s analysis that an action of damages for wrong survived as a substantive claim under Liberian law, suggested that what was required was “the commission of an act (whether intentional or unintentional, the outcome of criminal or civil act, in contract or in tort, negligence or otherwise) which has violated the claimant’s right”.
I am not persuaded that the category of wrongful act is anything like as broad or open-ended as Counsellor Musu-Scott suggests. However, it is clear from the City Builders and Kollie cases that, in principle at least, breach of a duty imposed by a Liberian statute, or the interference with an interest legally protected by a statute, can provide the necessary wrongful act for the purposes of an action of damages for wrong. In this case, I am satisfied that, subject to the issue of whether s.80 of the 2007 Act precludes an alternative remedy, wrongful interference with Lonestar’s telecommunications network in breach of s.76 of the 2007 Act is sufficient. The clear terms of s.76 both identify a telecommunications network as a legally protected interest, and render unjustified interference with such a network unlawful. Indeed, Professor Banks’ first report accepted this in terms:
“The Telecommunications Act 2007 does not lay out a special procedure. However, in respect of damages suffered by a party on account of the violations, the court would deem the violations to be a wrong committed against the victim, and as such would allow the victim to bring an action of damages for wrong or to even characterize the action as simply one of damages …
Where the unlawful or wrongful act results in injury or damage to a third party … the Liberian courts could consider the act not only a violation of the statute but also a wrongful act perpetrated against the third party ...
The conduct complained of may be one in violation of a statute with resulting damage to the complainant …. All of these are deemed and treated as wrongful, and hence the Liberian court’s acceptance of the action of damages for wrong …
I am of the opinion, and as has been the practice in civil actions which have grown out of a statutory prohibition, a party may rely on the common law concept of damages for wrong or simply action of damages which is recognized under Liberian law. Under Liberian law, the Liberian courts would not treat or characterize the action as a breach of a statutory duty. Such characterization would only be given to the action if the Liberia Telecommunications Authority was the complainant and was seeking to hold the violator accountable for the violation of the statutory duty or to ensure compliance with the Act”.
These passages appeared in a report produced when Lonestar was only advancing claims under the English law torts of lawful and unlawful means conspiracy, and unlawful interference, their purpose being to show that, while Liberian law had a substantive claim (the action of damages for wrong) with elements of these English torts, the torts themselves were not and would not be recognised as part of Liberian law. It is right to acknowledge that in his subsequent reports, and his contribution to the Joint Memorandum, all produced after Lonestar had advanced a claim in reliance on the action of damages for wrong, Professor Banks provides an apparently different opinion:
“Because the Liberia Telecommunications Act 2007 is a statute and does not fall within or has not been declared, either by the statute or by the courts, as constituting or to be an ‘action of damages for wrong’ but has its own cause of action (criminal and civil) it cannot be deemed to constitute an action of damages for wrong’.
Where a complainant claims that a common law tort was committed against it and relies on the breach of a statute which vests in a complainant a right to civil action, but is restrictive as to elements which must be present for the complainant to claim damages against the defendant, liability will not attach if any one or more of the elements or conditions stated in Section 80 of the Telecommunications Act 2007 is not present.”
I deal with the specific issue about the position when an action of damages for wrong would be inconsistent with s.80 below. If Professor Banks was seeking to raise a wider issue in his second and subsequent reports, he neither acknowledged the change from his first report, nor offered any explanation for it, and the resultant position would be very difficult to reconcile with his general description of the action of damages for wrong in his first report, which he apparently stands by. I am satisfied that this is one of those many occasions when first thoughts were best thoughts, the opinion in the first report being particularly valuable because it was given at a time when the point had yet to crystallise as a dispute in the litigation.
By contrast, I was not persuaded on the evidence that breach of the (UK) Computer Misuse Act 1990 would suffice. Liberia has passed its own legislation addressing the “mischief” which the DDOS Attacks constituted. If, for any reason, the 2007 Act was not capable of supplying the wrongful act necessary for an action of damages for wrong, then I am not persuaded Liberia would look to legislation from a foreign legislature to fill this gap. In this regard, I found Counsellor Padmore’s evidence persuasive:
“Liberia is very jealous, perhaps like every - maybe not every, but certainly that one poor country, that has now existed for about 200 years in a sea of colonial [colonised] by very large and powerful European countries. Liberia has been very jealous to guard its sovereignty. It is a poor country and it is very proud of that sovereignty. I find it very difficult to think that Liberian courts would ever, under any circumstances, incorporate a foreign statute as a basis for liability in Liberia.”
E4(3) The Elephant in the Room
That leaves over, however, the issue of whether the existence of s.80 precludes a claim for an action of damages for wrong based on an unlawful act constituted by a breach of s.76 of the 2007 Act.
I have little difficulty accepting, as a matter of principle, that if the Liberian legislature had stipulated certain limits on the right of civil recovery premised on a breach of a particular legislative obligation, then it is highly unlikely that a Liberian court would permit an action of damages in wider terms in respect of that same breach. However, leaving aside the issue of vicarious liability to which I will return, it remains wholly unclear to me why it is suggested that there would be any conflict between the 2007 Act and the action of damages for wrong in this case. I was left with the distinct impression that the issue of conflict with s.80 was a theoretical rather than practical obstacle to Lonestar’s claim.
The wording of the statute is particularly wide, providing for the civil liability of “any person who engaged in, directed, authorized, consented to or participated in” the relevant acts. The experts identified no special rule of construction of the 2007 Act, beyond the clear effect of the language used.
Counsellor Padmore expressed the view that “Section 80 does not include civil liability on the basis of an agreement to commit an offence”, but was always careful to qualify that language by stating “such a person” (viz someone who has entered into an agreement) “may be liable for engaging in, directing, authorizing, consenting to or participating in an offence”. Lonestar’s pleaded case (which, as I explain below, is substantiated on the facts) is that Mr Marziano commissioned Mr Kaye to carry out the attacks, paid him to do so, that Mr Marziano, Mr Polani and Mr Kaye planned and implemented them together and that Mr Marziano and Mr Polani provided reports on their effectiveness. There is simply no real world in which that conduct would fall outside the broad scope of s.80.
Nor is there anything to suggest that the “manner of enforcement” of s.76, from a civil perspective, would differ as between an action brought under s.80 and an action of damages for wrong. Indeed s.80 expressly refers to any claim under it being “subject to the practices and procedures of the applicable court in such matters”, and, as I have noted, Professor Banks’ initial and unvarnished view was that this could involve an action of damages for wrong.
In the absence of such a conflict being established, I am not persuaded that the existence of s.80 precludes an action of damages for wrong premised on a breach of s.76 of the 2007 Act. Both Counsellor Musu-Scott and Professor Banks (in his first report) were of the view that it did not. Indeed, it is not clear that Counsellor Padmore was saying anything more than that there could be no action of damages for wrong based on a pure agreement to commit the s.76 offence, and nothing more, because s.80 did not provide for liability on this basis. But that is not this case.
E5 The English Torts of Lawful and Unlawful Means Conspiracy and Unlawful Interference
I was not persuaded that the Liberian courts would have adopted any of these three English torts under the Reception Statute. As I have indicated, to the extent that the Liberian courts do look to other common law jurisdictions, I am satisfied that it has become the overwhelming practice for them to look to U.S. rather than English jurisprudence. If there was no Liberian law to such effect, I was not persuaded that the Liberian courts would have been willing to embrace a tort of lawful means conspiracy (a distinct oddity in the modern world), or torts which gave causes of action for unlawful acts to those who did not acquire their own cause of action against the primary wrongdoer in respect of that unlawful act.
In any event, had it been necessary to reach this stage of the analysis, it would have followed that although Liberia had passed legislation specifically criminalising conduct of the type in issue in these proceedings through the 2007 Act, that conduct was only civilly actionable under s.80 (as to which no claim is pleaded) or in circumstances which were not satisfied in this case. To my mind, it is simply not realistic to imagine that the Liberian courts would “receive” a new common law tort or torts from other jurisdictions, simply for the purpose of providing a wider scope of civil liability for breach of the 2007 Act than the Liberian legislature had seen fit to provide.
E6 Vicarious Liability under Liberian Law
The second principal dispute in relation to Liberian law concerned the circumstances in which an employer or principal could be vicariously liable for the acts of a servant or agent, a question which raised a number of sub-issues:
Can an employer/principal be held vicariously liable for intentional wrongdoing by an employee/agent?
Can an employer/principal be held civilly liable for a breach of s.76 of the 2007 Act committed by an employee/agent?
What test determines whether someone is an employee for the purposes of vicarious liability?
In what circumstances (if any) can wrongful conduct by a natural person be attributed to a company?
E6(1) Can an Employer/Principal be Held Vicariously Liable for Intentional Wrongdoing by an Employee/Agent?
The suggestion that, as a matter of Liberian law, an employer or principal cannot be vicariously liable for intentional acts of wrongdoing by their servants or agents was traced by Counsellor Padmore to Woodin & Company v Gibson [1923] LRSC 1. The case involved an allegedly slanderous statement made by Cooper (who was alleged to be acting as Woodin’s agent) to the effect that Gibson (a postmaster) had been supressing the defendant’s letters in his official capacity, and an allegedly libellous statement made about Gibson on a subsequent occasion to the Postmaster General of the Republic of Liberia. In response to the slander claim, Woodin alleged that there was no claim “as the alleged false, scandalous and defamatory words were spoken … outside of [Cooper’s] authority and capacity as agent aforesaid, and can not legally be traced to the defendant, he was not acting at that particular time in the capacity of agent for the defendant”.
In addressing the slander claim, the Court held:
“Generally a principal is not liable for the wilful acts or misdeeds of his agent whereby damage is done to another unless he originally commanded, or subsequently assented to, the act. He is liable to third persons for the misfeasance or negligence of the agent, in the course of the agency; but the responsibility of the principal is limited to cases properly in the scope of the agency. (Story on Agency, 454.) The record clearly shows that the conversation during which Mathew Joseph Cooper, the defendants' former agent, is alleged to have uttered the libellous words set out in plaintiff's complaint, took place at the post office in Harper, but there was nothing to show whether the letters referred to were the letters of the said Mathew Joseph Cooper or those of his principal W. D. Woodin & Co., the defendant in this case. In any case it does not clearly appear that the said Mathew Joseph Cooper was acting in the scope of his agency at the time. To make a corporation or company responsible for every unauthorized act of its agent would work incalculable harm.”
There are a number of noteworthy features of this passage:
Slander is not, generally, a tort which depends on the speaker having any particular intention, and thus not a tort which requires a “wilful act or misdeed”. Nor was the jury apparently asked to make any finding as to Cooper’s state of mind when making the allegedly slanderous statements. In these circumstances, it is not clear how the factual premise for a rule of law dealing with vicarious liability for acts of intentional wrongdoing arose.
The initial sentence expresses a “general” rather than universal rule, and the passage moves very quickly in the next sentence to a discussion of scope of agency, suggesting that the first sentence may do no more than reflect an assumption that generally, intentional wrongdoing will not fall within the scope of the agency.
The court found that there was no evidence to show that Cooper was speaking about his employer’s letters or acting within the scope of his agency.
It is common ground that the reference given to Story is in error. Para. 454 of the 1882 (and last) edition deals with liability for the conduct of sub-agents. Paragraphs 452 and 453 make it clear that a principal can sometimes be held liable in a criminal suit, and to a third party for “frauds, deceits, concealments and … other malfeasances, or misfeasances, and omissions of his agent, in the course of his employment, although the principal did not authorize, or justify, or participate.” Indeed, it was noted that “in no other way could there be any safety to third persons in their dealing ... indirectly with [the principal] through the instrumentality of the agent”, the principal warranting the agent’s “fidelity and good conduct in all matters within the scope of the agency”. Examples of circumstances when the principal would be liable included selling false jewels or “fraudulently deceiving a third person, in the matter of his agency”.
Woodin, therefore, is at best a rather uncertain foundation for a principle that there is no vicarious liability for acts of intentional wrongdoing under Liberian law. Orange Liberia also relies on the decision in Harris v Cavalla Rubber [2013] LRSC 9. That was another case of slander, the defendant’s security agents having stopped the claimant and accused him of stealing the defendant’s rubber. The Supreme Court cited Woodin, stating “it is generally held that the principal is not customarily held liable for the wilful acts of his agent which conduct results to the injury of another”, but said that the case before them “presented an exception” because the agent’s act had subsequently been assented to. It is right, therefore, that the Supreme Court accepted the existence of a general rule to the effect contended for by Orange Liberia, without re-visiting the issue, albeit that they did not need to because the case would not have fallen foul of such a rule.
However, there are a number of cases in which awards of compensatory damages have been made against companies in respect of intentional tortious conduct by their employees – for example Firestone v Kollie [2012] LRSC 14, In Re Honourable Prince Quaye Toe [1999] LRSC 45 and Inter-Con Security System Inc v Bartuah 6 July 2001 (all involving physical assaults). Given Orange Liberia’s reference to Woodin as a decision which has “stood for more than one hundred years”, it is important to note that it does not appear to have cast a particularly long shadow in the Liberian courts.
There were two further cases to which I was referred.
The first was In Re: Grievance and Ethics Committee Investigation Report on Complaint by Mr Augustin T Iriekpen against Counsellor Samuel Pearson 8 February 2021. The case involved professional misconduct proceedings against the lawyer for the Monrovia City Corporation. The claimant said that three of his vehicles had been towed away by the corporation’s contractor (of which the defendant was also a director). When he contacted the corporation’s lawyer to ask for their return, the defendant demanded as condition of ordering their release that two cars be given to him personally. The defendant sold one car, gave another away as a graduation gift, and used the third himself. When reported to his professional body, the defendant took the point that he had been acting as the corporation’s agent and suggested that they were the proper defendant. Not surprisingly, the committee had no truck with that answer (and it is impossible to see how this could have relieved the defendant of personal liability on the facts of the case). The committee said the defendant’s actions did not “fall within the scope of authority of a lawyer for which he should be shielded by the Monrovia City Council”. The link between the defendant’s conduct, and his role as the corporation’s legal adviser, was tenuous indeed. The decision appears to rest on the finding of the scope of the defendant’s authority, rather than any principle of law.
The second, and more important, case is Guaranty Trust Bank v Freeman 23 September 2022, a decision handed down after the experts reports had been exchanged (and resulting in brief fourth reports from Counsellors Musu-Scott and Padmore). An employee of a bank was summoned to the managing director’s office for their regular meeting, where he was assaulted (the managing director throwing a calculator at him). He sued the managing director and the bank, arguing that “the negligence of the employee is imputable to the employer if the relationship of princip[al]-agent exists at the time of and in respect of the transaction out of which the specific injury arose”. It is clear from the case that the bank argued that it could not be liable for “an unlawful action of any of its employees while acting totally outside of his legitimate scope of authority”, and it also quoted (without express attribution) the passage in Woodin set out at [179] above. The Supreme Court held that the wrongful act had been committed on the bank’s premises at a meeting arranged in accordance with the scope of duty and authority of the managing director, and that the bank was vicariously liable for the assault.
The decision in Guaranty Trust is important. The court clearly had Woodin (which was cited to it) in mind, but reached a decision which was inconsistent with the “general rule” for which I am asked to treat Woodin as authority. The court cited U.S. commentaries in support of its decision which do not themselves reflect the limitation in the doctrine of vicarious liability for which Orange Liberia contends. Counsellor Padmore sought to suggest that the decision made a limited in-road into Woodin – either because the assault took place on the bank’s premises or because it was an assault by a fellow employee. That latter justification, if correct, would involve Liberian law following the reverse trajectory from English and US law, in which there was initially no vicarious liability for employee-on-employee torts (the “common employment” rule). However, Counsellor Padmore accepted that neither point of distinction is relied upon by the Supreme Court in its judgment. The case provides a useful litmus test of Counsellors Musu-Scott’s and Padmore’s prior opinions on the scope of vicarious liability under Liberian law, and provides strong support for the views of the former on an issue on which judicial policy is particularly important. Taken with the wholly uncertain basis for Woodin and the cases which have ignored the supposed limitation for which Orange Liberia contends, Guaranty Trust establishes, to my satisfaction, that provided deliberate wrongdoing is undertaken by the employee within the scope of their employment, there is no rule of Liberian law which prevents the employer from being vicariously liable. The suggestion that it would have required an express reference to and overruling of Woodin for the Supreme Court to have formulated the law in these terms attributes too great a weight to Woodin, and assumes what I am satisfied is an over-idealised characterisation of the Liberian judicial system in practical operation.
The effect of this conclusion is that the law of Liberia on the issue of vicarious liability is, in this respect, broadly consistent with that of the two jurisdictions from which its common law heritage is derived. Counsellor Padmore suggested that what on his evidence was a different principle in Liberia reflected “Liberia’s domestic policy to encourage intern[ational] parties to incorporate offshore corporations under Liberian law”, and to “favor business interests and to avoid imposing broad liability on businesses, hence the adoption of Delaware corporations law as Liberian law in most respects”. Whether that policy is reflected in a 1922 decision about the Liberian postal service is, in my respectful view, debateable. It was not suggested that Delaware law recognised such a limitation on the doctrine of vicarious liability, and I suspect that the reality of the attitude of the Liberian courts is better caught by Counsellor Padmore’s observation that the bank in Guaranty Trust was always going to be found liable for the tort of its foreign national managing director against a local (“the Supreme Court of Liberia would never have failed to hold the bank responsible in those circumstances”), and that his advice to one of Liberia’s largest international corporations was “settle your cases and do your very best to come up with an arbitration”, that company never having prevailed in the Supreme Court or at any other level in Liberia, to his knowledge.
E6(2) Can an Employer/Principal be Held Civilly Liable for a Breach of s.76 of the 2007 Act Committed by an Employee/Agent?
No separate issue in respect of vicarious liability under the 2007 Act was crystallised at trial. The issue was considered by Professor Banks. The effect of his opinion is that the same test of vicarious liability applies to s.76 and s.80 as applies at common law, noting the “all the violations for which the perpetrators are deemed to have committed a crime under section 76 are grounded in intentional misconduct”, but accepting nonetheless that “the agent must have been acting within the scope of his employment in order for the principal to be held vicariously liable”. In relation to s.80, he advised:
“Sub-section (2) of Section 80 … states that ‘any action brought pursuant to this Section shall be subject to the practices and procedures of the applicable court in such matters’. The practices and procedures include the measures for holding a person vicariously liable … which have been espoused by the Supreme Court and which are adhered to by the lower courts before whom the actions are instituted”.
I have concluded that there is no intentional tort exception to the vicarious liability doctrine at Liberian common law. However, I would note that there appears even less scope for such a limitation under the 2007 Act. Section s.76 of the 2007 Act creates various offences dependent on wrongful or dishonest intent. As Counsellor Musu-Scott pointed out in her first report, companies can commit these offences (and therefore, necessarily, have the dishonest intent of natural persons attributed to them for the purpose of criminal liability): see not simply the definition of “person” but also s.77(1)(b)), and the statute expressly provides for the independent criminal liability of natural persons who are officers, employees or agents of such a company and are responsible for the breach. Vicarious liability for the intentional acts of officers, employees or agents is “baked in” to the criminal offences created by the 2007 Act. There is nothing in s.80, dealing with the position where acts contrary to the 2007 Act have caused loss, to suggest it applies to a narrower class of persons than those who can commit the s.76 offences.
E6(3) What Test Determines Whether Someone is an Employee for the Purposes of Vicarious Liability?
It is common ground that there is no fixed definition of the concept of “employee” under Liberian law, with the expression taking its meaning from the context in which it appears, and turning on “the facts and circumstances of a particular case” (Firestone Plantation Co v Burge [1985] LRSC 20). Many of the Liberian cases in which the issue has been considered are “inwards-looking” cases, concerning the rights of the putative employee and employer inter se, and in particular those which are intended to provide certain forms of statutory protection to employees. However, the issues arising in this case are essentially “outward-looking”, determining when the victims of the putative employee’s torts can recover from the putative employer. Legal questions of this type raise policy considerations of ensuring that enterprises bear the adverse consequences (and the costs of those consequences) which their activities bring about (factors referred to in the American Digest, Corpus Juris Secundum, ¶206 cited by the Liberian Supreme Court in Guaranty Trust Bank (Liberia) Ltd v Freeman 23 September 2022). That is a very different policy consideration from that animating statutes intended to protect the rights of those who are, generally, in a subordinate bargaining position, and who benefit from certain statutory protections both in relation to their conditions of work, their levels of remuneration and when and how the relevant relationship may be brought to an end.
The first legal issue which arises is the position of seconded employees – where someone under an employment contract with company X is seconded by company X to company Y to provide the services of an employee for company Y, and commits a tort in the context of providing those services. The only case dealing with seconded employees to which I was referred was International Bank of Monrovia v Ochoada [2013] LRSC 17. In that case, there was what appears to be a relatively common arrangement for expatriates working in Liberia, in which the claimant had an employment contract with an offshore company, ADCON, but acted as the general manager of IB/ITC, a Liberian bank. When he was dismissed from his position, he brought a claim for wrongful dismissal against IB/ITC. The Supreme Court held that the written contract of employment between the claimant and ADCON was the best evidence of who his employer was. This was also an “inwards-looking” case, and the decision of the Supreme Court was not reached on the basis of a legal ruling (that the written contract of employment was legally determinative) but on the basis of the balance of the evidence, on which the first-tier tribunal’s conclusions were determinative and, also, correct. However, the Supreme Court judgment did hold that the claimant could only have been employed by one of ADCON or IB/ITC.
Given its context (an “inwards-looking” dispute) and the basis on which it was reasoned (the limited right of the court below to review findings of fact and what the balance of the evidence established), I have not found Ochoada particularly enlightening on the issues before me. It is clear under Liberian law that there can be vicarious liability for the acts of natural persons even if they are not parties to contracts of employment with the defendant. In Kantara Malian Kamara v APM Terminals Ltd 29 September 2017, in which the terminal (APM) had hired a firm of stevedores (Camer), whose crane driver had negligently dropped cargo on the claimant’s trucks, APM was held vicariously liable for the negligent operation of the crane under the doctrine of respondeat superior on the basis that it had retained (or, as it was put, “employed”) Camer to discharge the cargo. Camer was also held liable.
This suggests that the question of whether the doctrine of vicarious liability is engaged under Liberian law does not depend upon the existence of a contract of employment alone. Indeed, were matters otherwise, it would be all to easy for corporations in Liberia to avoid any liability for tortious acts arising from their operations, particularly when these arose from the actions of senior management, by “off-shoring” the employment contract: something which appears to be a prevalent business practice there. The APM case also shows that two defendants can be vicariously liable for the same tortious act (in that case APM and Camer), something which Counsellor Padmore accepted was conceptually possible under Liberian law.
Finally, there is the question of when a tortious act will fall within the scope of an employee’s employment. Once again, I was not referred to any Liberian legal source expressly addressing this issue. Counsellor Musu-Scott suggested that “all that is usually required for the conduct to be within the scope of the employee’s employment is a connection between the wrongdoing and their employment or role”, and that the Liberian courts adopted “a broad (and generally inclusive) approach to the question of whether an individual has acted outside the scope of their employment or role”. Counsellor Padmore suggested that Liberian courts would look at section 7.07(2) of the Restatement (Third) of the Law of Agency¸ which provides that “an employee’s act is not within the scope of employment when it occurs within an independent course of conduct not intended by the employee to serve any purpose of the employer”.
I am sure that both of these elements – connection between the wrongdoing and the role, and the employee’s purpose – are relevant to the enquiry. On the basis of the authorities placed before me, I am satisfied that an extreme and criminal pursuit of the employee’s duties can nonetheless fall within the scope of employment (as seen in the cases where employers have been held liable for vicious criminal assaults by a bank executive, security guards or public officials). I am also satisfied that the mere fact that the employees are acting for their own nefarious purposes does not necessarily preclude vicarious liability in a case in which their position as employees provides the means and opportunity for them to advantage themselves. In NPA v Dougbah 5 February 2016, a container was held by the port authority for alleged non-payment of fees. Before selling the contents at what was meant to be a public auction, the National Port Authority was required to notify the owner. The claimant’s goods were alleged to have been sold by NPA staff who manipulated procedures and breached protocols “for their own personal aggrandizement”. NPA’s managing director admitted that some staff had manipulated the system, and had been dismissed. NPA was held liable. Finally, I note that in Guaranty Trust Bank (Liberia) Ltd v Freeman 23 September 2022, the Supreme Court emphasised that the managing director had “used his authority” to harm the claimant at a meeting occurring “in the regular course of business”, the tort being committed while performing an official duty in holding the meeting. Those matters were sufficient to render the bank liable.
In short, it is clear that the following factors are relevant without being determinative, but the issue of whether a particular act occurs within the scope of employment is a fact-dependent question:
whether the employee is performing a function or advancing an interest which his employment requires him to perform or advance;
whether the employee was seeking to advance his own interest; and
whether the employee is using an opportunity or means arising from his employment.
E6(4) In what Circumstances (if any) Can Wrongful Conduct by a Natural Person be Attributed to a Company?
In the alternative to its case on vicarious liability, Lonestar argued that the actions of Mr Marziano are legally attributable to Orange Liberia on the basis that Mr Marziano was the “directing mind and will” of the company. While Counsellor Musu-Scott suggested that Liberian courts would recognise a principle of attribution of this kind, she was unable to point to any supporting authority (the decision of In the Intestate of the late Shad Kaydea v The Turay Family [2015] LRSC 37, to which she referred, being addressed to different issues altogether).
I was not persuaded that there was such a principle of Liberian law, or that one would be recognised by the Liberian courts. I was not pointed to any principle of U.S. law to similar effect (which, as I have stated, would be the first “port of call” of a Liberian court looking at the position under other legal systems). I accept Counsellor Padmore’s evidence that Liberian law would look, in particular, to Delaware law on an issue of this kind, and that Delaware law does not recognise this basis for the liability of corporations.
E7 Exemplary Damages
It was agreed by the experts that Liberian law permits an award of exemplary damages in cases of malice, fraud or gross negligence (Itoka v Noelke [1939] LRSC 1). That case states that in order for punitive damages to be awarded, “there must enter into the injury some element of aggravation, or some coloring of insult or malice that will take the case outside of the ordinary rule of compensation”.
Counsellor Padmore (and Professor Banks) suggested that Liberian law would not award exemplary damages in circumstances in which an employer was held vicariously liable for an employee’s tort, but had not authorised or ratified the tort. The scepticism which the Supreme Court expressed about the award of punitive damages in the Guaranty Trust case lends some support for that view, as do statements in Story on Agency which is a text cited in some Liberian decisions on agency and authority issues. Counsellor Musu-Scott challenged that view, pointing to the award of punitive damages in Firestone Liberia v Kollie et al [2016] LRSC 33, a case which involved extreme facts, and personally reprehensible conduct by the employer. Whether or not there is an absolute rule of the kind for which Counsellor Padmore and Professor Banks contend, I accept that the fact that the liability of the employer is vicarious in nature, and that the acts in question were not authorised or ratified, are highly relevant factors when considering whether to exercise the discretion to award punitive damages.
It was common ground that punitive damages would not be awarded in a case in which compensatory damages were sufficient to achieve the purpose of punishment on their own, and, that where they are awarded, it is only to the extent that, together with any compensatory damages, they are sufficient to achieve that purpose (Firestone v Kollie). Counsellor Padmore (and Professor Banks) suggested that the amount of punitive damages awarded in Liberia was “generally quite modest”, although Counsellor Musu-Scott was able to point to figures ranging from 3% to 200% of the amount of general damages (the latter being in a case in which the defendant had also flagrantly defied a court order to cease the wrongful act). As such awards are generally made by juries in Liberia, it is difficult to draw any conclusions as to their “usual” level beyond noting that each case will depend on its particular facts. Awards of punitive damages have been made in cases of bodily injury (Kollie) and financial loss (City Builders).
F THE CLAIM AGAINST THE INDIVIDUAL DEFENDANTS
I have made various findings as to the actions of the Individual Defendants in section D above. In addition to the contemporaneous documentary evidence, in interviews with the Cologne Prosecutor between 16 and 18 May 2017, Mr Kaye confirmed the following:
He had carried out the DDOS Attacks and had done so at Mr Marziano’s instigation in return for payment.
He and Mr Marziano had discussed how to implement the DDOS Attacks.
Mr Marziano had introduced him to Mr Polani who had provided him with technical support and assistance as required.
Mr Polani “checked network availability, monitored certain things and was in Liberia at the time, meaning he was able to monitor things locally”.
Mr Marziano’s and Mr Polani’s contact details, and messages between the two of them and Mr Kaye, were found in Mr Kaye’s mobile phone.
Against this background I am satisfied of the following:
Mr Kaye undertook the DDOS Attacks, and breached s.76 of the 2007 Act in doing so.
He was solicited and encouraged to begin those attacks by Mr Marziano, who paid him to do so.
Mr Marziano (and Mr Polani once he had become involved) encouraged and assisted the DDOS Attacks.
Mr Marziano and Mr Polani’s conduct also breached s.76 of the 2007 Act.
Each of the Individual Defendants is, subject to any time bar defence, liable to Lonestar under the action of damages for wrong for loss caused by the DDOS Attacks.
Given my conclusions as to the timing of loss in Section I below, it is not necessary to distinguish between the loss caused by Mr Kaye and Mr Marziano on the one hand, and Mr Polani on the other.
G THE CLAIM AGAINST ORANGE LIBERIA AND CELLCOM BVI
G1 Were Mr Marziano and/or Mr Polani Employees of Orange Liberia and/or Cellcom BVI for the Purposes of the Doctrine of Vicarious Liability?
Mr Marziano joined Cellcom BVI in 2009, and was appointed CEO of Cellcom Liberia that year. However, he never had an employment contract with Cellcom Liberia. In November 2013, he ceased to be CEO of Cellcom Liberia and became CEO of Cellcom Guinea. He was also CEO of Cellcom BVI.
Mr Polani joined Cellcom BVI in October 2010, and entered into an employment contract with Cellcom BVI at that stage. He was appointed as Internet Services Provider Business Unit Manager on joining Cellcom BVI.
Throughout the period when Mr Marziano and Mr Polani were working for Cellcom Liberia:
Neither of them had an employment contract with Cellcom Liberia.
Mr Polani had a written contract of employment with Cellcom BVI dated 15 November 2010.
I am satisfied that Mr Marziano had either a formal or an informal employment contract with Cellcom BVI as well. An unsigned contract appears in the trial bundles.
The principal salary of both Mr Marziano and Mr Polani was paid by Cellcom BVI (although it is possible that Cellcom Liberia paid some form of expenses and local reimbursement).
Mr Marziano appeared on the Cellcom Liberia “Employee Master List”.
In short, the position of Mr Marziano and Mr Polani appears to have resembled that of other expatriates discharging roles for companies in international ownership, operating in Liberia, a structure which may well have reflected concerns about the risk of Liberian withholding tax.
When considering whether Cellcom/Orange Liberia can be vicariously liable for the acts of Mr Marziano and Mr Polani, it is helpful to begin by considering the position before the DDOS Attacks began. During that period, it cannot, in my assessment, be seriously argued that the fact that Mr Marziano’s and Mr Polani’s employment contracts were with Cellcom BVI and not Cellcom Liberia had the legal effect that any torts committed within the scope of performing their roles at Cellcom Liberia could not engage the doctrine of vicarious liability under Liberian law. In functional terms, Mr Marziano and Mr Polani were Cellcom Liberia employees. Their services were performed exclusively for Cellcom Liberia. Mr Marziano’s central role was such that, when Mr Coulibaly took over from him, a 10-day handover period was required.
When, in the binding offer of 31 July 2015, Orange CDI stated that it was a condition of the offer that “key management continue to remain employed by the Company for the transitional period of 18 months post Closing”, it was the “off-shored” expatriates they were most concerned with, not those whose written contracts of employment were with Cellcom Liberia. I am satisfied that that reality would be reflected in the application of the doctrine of vicarious liability under Liberian law.
Turning to the subsequent period, it is important to note the DDOS Attacks, and the Individual Defendants’ involvement with them, all began before Cellcom BVI agreed to sell the shares to the Orange Group pursuant to the SPA of 18 December 2015 (albeit after the July 2015 binding offer to purchase). The actual transfer of those shares from Cellcom BVI occurred in April 2016. Looking at the position up until April 2016, I am not persuaded that the contractual arrangements between Cellcom BVI and Orange changed Mr Marziano and Mr Polani’s status as employees of Cellcom Liberia for vicarious liability purposes. However, I accept that the prospective transfer, given its implications for Mr Marziano’s and Mr Polani’s motivation, may well be relevant to the issue of whether their involvement in the DDOS Attacks fell within the scope of their employment with Cellcom Liberia.
The TSA of 5 April 2016 provided for Cellcom BVI to provide certain consultancy services to Orange Liberia for a transitional period, including through certain named individuals: Mr Marziano until 31 January 2017, and Mr Polani until 31 July 2017. This was a provision intended to maintain the status quo during the transition period, clause 3.3 providing that the services were to be provided “substantially on the same basis … and for the same purpose as they were provided … immediately prior to the date hereof and shall be used …. for the same purpose for which they were provided prior to the date hereof”. Term Sheet 2.3 provided that the services of the named 22 expatriate employees were to be provided “on the same level as currently provided to the Target Company” on a full-time basis. The TSA provided that:
The expatriates would be subject to the existing Cellcom BVI insurances, with Orange Liberia being invoiced for the cost.
Cellcom BVI would pay the monthly salary and annual bonus of the named expatriates, but reinvoice Orange Liberia for the costs.
Orange Liberia would pay for flights, “specific advantages” and “local reimbursement”.
Once again, I am not persuaded that these change in the legal structures by which Mr Marziano and Mr Polani came to be performing their roles with Orange Liberia affected their position as, in functional terms, employees of Orange Liberia. Both before and after 5 April 2016, their contracts of employment were with Cellcom BVI, and they were paid by Cellcom BVI, but they worked exclusively (or in the case of Mr Marziano, principally) for Orange Liberia. Indeed, once the TSA had been concluded, the salaries and benefits of Mr Marziano and Mr Polani were ultimately paid by Orange Liberia (who reimbursed Cellcom BVI). As Mr Coulibaly acknowledged, it was Mr Marziano to whom the day-to-day running of Orange Liberia was left. In the Orange Liberia employee handbook, as he had in the Cellcom Liberia employee handbook which preceded it, Mr Marziano acknowledged the reality of his position when addressing the handbook to his “fellow employees”. The handbooks also acknowledged his responsibility “for the overall management and operation of the company”. Mr Marziano attended the three meetings of the Orange Liberia board which took place between April 2016 and Mr Marziano’s departure in January 2017.
I am satisfied, therefore, that Mr Marziano and Mr Polani were employees of Orange Liberia throughout the period of the DDOS Attacks for the purpose of the doctrine of vicarious liability. I am satisfied that they were also employees of Cellcom BVI for the purposes of that doctrine (and for other purposes). They had entered into contracts of employment with Cellcom BVI, which had seconded them to Orange Liberia. I am satisfied that Liberian law accommodates the possibility of two principals being vicariously liable for the same act.
That leaves the separate and distinct issue of whether, in instigating, planning and assisting in the DDOS Attacks, Mr Marziano and Mr Polani were acting within the scope of their respective employments. I will first consider that issue by reference to the position of Orange Liberia, and then by reference to the position of Cellcom BVI, being conscious that the answer need not necessarily be the same in each case.
G2 Did Mr Marziano’s and Mr Polani’s Involvement in the DDOS Attacks Fall Within the Scope of their Employment with Orange Liberia?
This is an important, and difficult issue, in relation to which the underlying facts are relatively straightforward, but their overall effect under Liberian law more challenging.
My findings of fact are as follows:
Mr Marziano was responsible for, and in control of, the day-to-day operation of Cellcom/Orange Liberia throughout the DDOS Attacks.
His responsibilities included promoting Orange Liberia’s sales, having ultimate oversight of its technical performance, the quality of its network, its customer service and marketing, analysing and reporting on its financial performance, helping to set and seeking to ensure it met financial targets and overseeing human resources issues.
In this capacity, part of Mr Marziano’s functions included approving means to win customers or business from Lonestar. In email exchanges on 20 July 2016, he referred to steps being taken to improve Orange Liberia’s data performance, which included “targeting MTN’s data users” and “acquisition of heavy data users”, and referred to a “Data War” Lonestar had declared by reducing its prices. He concluded “If MTN will react with more data that what we are offering, I have Plan B and Plan C 😊”. While Mr Marziano would never have admitted this, I am satisfied that the ongoing DDOS Attacks were one of the plans he was referring to.
So far as Mr Polani is concerned, there is less clarity as to what his role in Cellcom/Orange Liberia comprised. However, it included managing internal assets, and aspects of business development, in particular for business (so-called “B2B”) customers, and helping with installation and after-sales support. I accept on the evidence that part of his role included procuring DDOS protection for Cellcom/Orange Liberia and offering his opinion as to its adequacy.
Mr Marziano and Mr Polani kept their activities in relation to the DDOS Attacks secret from other employees at Orange Liberia (and Cellcom BVI). They used personal and/or encrypted messages rather than their Orange Liberia or Cellcom BVI emails to communicate and Mr Marziano used his personal, rather than corporate, funds to pay Mr Kaye (although he did use his Orange Liberia email when arranging one payment).
With one possible exception, Mr Marziano and Mr Polani’s actions in relation to the DDOS Attacks did not use any equipment of Orange Liberia, or exploit any opportunity which came to them in their capacity as Orange Liberia employees, nor did their employment by Orange Liberia leave them better placed to facilitate such attacks. The exception is that I accept that information sent to Mr Polani in relation to the DDOS Attacks in his role for Orange Liberia might well have assisted him in feeding back information to Mr Kaye, although it is not possible to determine on the evidence whether this did happen.
The immediate purpose of Mr Marziano’s and Mr Polani’s activities was to damage Lonestar because it was Orange Liberia’s principal rival, in order to improve Orange Liberia’s financial performance in what was essentially a two-player market. This was to be done by encouraging customers of Lonestar to switch their subscriptions and/or use from Lonestar to Orange Liberia. However, neither of them held any personal animus against Lonestar. The losses to Lonestar were simply a means to the end of improving Orange Liberia’s performance. Nor did they have any intention of damaging Orange Liberia (on the contrary).
Subject to one possible qualification, the intermediate purpose of Mr Marziano’s and Mr Polani’s activities was, by improving Orange Liberia’s financial performance, to increase the amounts paid by Orange Liberia to Cellcom BVI under the performance-related provisions of the SPA, albeit the benefit to Cellcom BVI would not be co-extensive with the benefit to Orange Liberia (Orange Liberia would continue to benefit from customers and usage gained from Lonestar through the DDOS Attacks after the end of the period relevant to the Earn Out Payments).
The possible qualification arises from the fact that the Earn Out Payments were linked to Orange Liberia’s financial performance up to 30 June 2016. However, Mr Kaye redoubled his DDOS Attack efforts in the second-half of 2016, presumably at Mr Marziano’s continuing instigation. No distinction was drawn in argument in relation to the period before and after 30 June 2016, so I should simply note that I am unable to make a finding as to whether Mr Marziano and Mr Polani had an intermediate purpose after 30 June 2016 and, if so, what it was.
The ultimate purpose of Mr Marziano’s and Mr Polani’s activities was to benefit themselves financially – in relation to activities up to 30 June 2016, through benefits they hoped to obtain from Cellcom BVI through their employment relationship with Cellcom BVI, and in ways which are not clear to me in relation to the subsequent period.
Taking the position of Mr Marziano first, I am satisfied that his involvement in the DDOS Attacks can fairly be characterised as a wholly impermissible (and I accept, so far as the Orange Group was concerned, wholly unauthorised) means of pursuing his responsibility and role of moving customers and usage from Lonestar to Orange Liberia, with the immediate object of benefiting Orange Liberia. That provides very strong support for the suggestion that the tortious means by which this aspect of his role was pursued fell within the scope of his employment. If, for example, Mr Marziano had pursued the same goal by planting false statements about the reliability of Lonestar’s data network in the press, rather than criminally creating a state of unreliability, I would have thought it obvious that the wrongful act fell within the scope of his employment. I am not persuaded that the fact that he acted in secret and used his own financial resources is sufficient to alter that conclusion (any more than if he had used his own financial resources to pay a bribe to secure a valuable contract for Orange Liberia). Employees who use dishonest means to secure a financial benefit for their employers (and thereby benefit themselves) frequently act secretly, and in ways which are less amenable to discovery, not least for fear of being stopped or sacked.
The issue which gives me pause for thought is the fact that Mr Marziano only wished to improve Orange Liberia’s financial position as a means of benefiting Cellcom BVI, through the earn out provisions in the SPA, and ultimately himself (I will assume for this purpose that this is true of the entire DDOS Attack period: cf. [216(ix)] above). However, I am not persuaded that this makes any difference. It will usually be the case that an employee who pursues his responsibilities or seeks to achieve a financial benefit for his employer through tortious means does so ultimately to benefit himself, through a bonus, promotion or simply greater prospects of job retention. Wholly altruistic employee torts must be a rarity. I am not persuaded that the interposition of Cellcom BVI changes the analysis (any more than a case in which the employee hoped to realise their personal benefit through a shareholding in the employer’s holding company, which might attract an indirect benefit from the financial benefit to the subsidiary). I am satisfied, therefore, that Mr Marziano’s involvement in the DDOS Attacks fell within the scope of his employment with Orange Liberia.
In these circumstances, it is not strictly necessary to consider the position of Mr Polani. It is more difficult, on the evidence before me, to characterise the personal scope of his employment as extending to winning business from Lonestar, although, at least in the B2B sphere, he had some business development responsibilities. There is a marginally stronger case for arguing that his employment with Orange Liberia assisted him in supporting Mr Kaye. What is ultimately decisive, in my view, is that his role at Orange Liberia clearly included supporting Mr Marziano, as CEO, in discharging his duties. In these circumstances, it would be wholly artificial in my view to distinguish between Mr Marziano and Mr Polani on the issue of whether their involvement in the DDOS Attacks fell within their scope of employment. I am satisfied that in Mr Polani’s case, as well, the answer is that it did.
G3 The Liability of Cellcom BVI
Mr Marziano was Group CEO of Cellcom BVI from November 2013 to 22 January 2019, and he was held out as such to third parties, including in the “Information Memorandum” prepared in March 2014 in relation to a proposed sale of Cellcom BVI. I have found his contract of employment was with Cellcom BVI. On the evidence, he played an important role in the sale of Cellcom Liberia to the Orange Group. He prepared financial analyses for the beneficial owners of Cellcom BVI and attended due diligence meetings with the Orange Group. He provided input into the drafting of the SPA and the consulting services agreement.
The extent of his involvement can be seen in the $2.8m bonus he received on the closing of the sale (calculated at 3% of the sale price). Mr Adam Cohen, a director of Cellcom BVI, wrote to Mr Marziano in December 2015 saying:
“Avishai Fantastic performance today. Great outcome for Cellcom owners and for the employees who also deserve recognition. Your 3% is very well earned on the value you delivered and will continue to generate!”
Cellcom BVI paid Mr Marziano a bonus of US$170,000 in December 2016, when Cellcom BVI received the last Earn Out Payment, and a further bonus of US$90,000 in April 2017 when that part of the purchase price which had been paid into escrow was released. There is at least some evidence of Mr Marziano reporting on Orange Liberia’s performance to Cellcom BVI (his emails of 12 August 2016 and 31 January 2007, sent from a Cellcom BVI address). Neither Mr Marziano nor Cellcom BVI have chosen to offer any explanation for their interactions during the period from the TSA, and whether Mr Marziano continued to perform a role for Cellcom BVI in relation to the SPA during the period when he was acting as CEO of Orange Liberia. Finally, I have found that Mr Marziano instigated the DDOS Attacks in order to increase the amounts payable by the Orange Group to Cellcom BVI under the Earn Out provisions of the SPA. Cleary it was his employment by Cellcom BVI, and the opportunity for reward which that provided, which led him to instigate the DDOS Attacks.
In these circumstances, I am satisfied that the scope of Mr Marziano’s employment for Cellcom BVI throughout the DDOS Attack period included protecting its interests and maximising its return under the SpA, and that the DDOS Attacks fell within that scope of employment.
I do not propose, in the circumstances, to address the position of Mr Polani, or Lonestar’s attribution argument under the law of the British Virgin Islands.
H Cellcom BVI’s limitation defence
Cellcom BVI, but not Orange Liberia, advances a limitation defence in the event (as I have held) that it is liable to Lonestar on the basis of the action of damages for wrong, but not otherwise. This is because the claim on the action of damages for wrong was only introduced into these proceedings by amendment on 29 September 2021, and the applicable limitation period under the Foreign Limitation Periods Act 1984 (FLPA 1984) is three years under the 1972 Act.
I am satisfied that there is nothing in this point:
CPR 17.4 allows a court to add a new claim after a limitation period (including one applicable by virtue of FLPA 1984 or “any other enactment which allows such an amendment, or under which such an amendment is allowed”) has expired, provided the new claim “arises out of the same facts, or substantially the same facts” as those in respect of which the claimant has already claimed a remedy.
It has been held that the Rome II Regulation falls within the phrase “any other enactment” for the purpose of CPR 17.4, and that it allows an amendment for CPR 17.4 purposes (PJS Tatneft v Bogolyubov [2017] EWCA Civ 1581, [77]-[81] and Qatar Airways Group QCSC v Middle Eastern News FZ-LLC [2021] EWHC 2180 (QB), [15]-[16]).
If relevant, Counsellors Musu-Scott and Padmore accept that “relation back” is also allowed under Liberian law, by virtue of s.9.10(4) of the 1972 Act.
I am satisfied that the action of damages for wrong arises, or substantially arises, out of the claims which Lonestar had already pleaded.
I WHAT LOSS HAS LONESTAR SUFFERED?
Lonestar’s causation and quantum case was advanced (in broad terms) by calculating (i) how many subscribers Lonestar was alleged to have lost as a result of the DDOS Attacks and (ii) how far Lonestar’s ARPU fell as a result of the DDOS Attacks.
The issues between the parties are explored in the following sections.
I1 Subscriber losses
In relation to the first element (lost subscribers), it is common ground that after a period of steady growth, the number of Lonestar’s subscribers (voice and data) began to decline from August 2016 to April 2017. Of the total subscriber loss of 220,000 over this period, Mr Nicholson says that 150,000 were lost as a result of the DDOS Attacks. Mr Thomas suggests that the correct figure is 90,000 subscribers. The difference between them turns on three issues.
The first issue is how many of those subscribers were lost as a result of integration with another mobile network acquired by Lonestar in July 2016, Novafone. While this was initially a source of additional subscribers, difficulties encountered with the integration process led to 50% of those “new” subscribers being lost.
Mr Thomas’ opinion is that 60,000 subscribers were lost through the Novafone integration process, a figure taken from a September 2017 Executive Committee Paper which refers to the Novafone acquisition adding a 4% market share. A four percent market share would equate to 120,000 subscribers. Mr Nicholson agrees with the broad mechanics of this calculation, but suggests that the starting point of 120,000 subscribers acquired from Novafone is too high. He relies on a spreadsheet referring to 70,000 2G and 3G voice subscribers (but not data subscribers).
This is a question on which it should have been possible for Lonestar to adduce clear evidence. However, the overall effect of the documents is that a figure of 70,000 additional subscribers is too low. Lonestar’s due diligence report on the Novafone acquisition refers to Novafone having 130,000 subscribers as at March 2015, 75,000 voice and 55,000 data. If 55,000 data subscribers are added to the voice subscribers identified in the document relied upon by Mr Nicholson, a total figure of in excess of 120,000 for voice and data subscribers is arrived at. Other documents would point to even higher figures. While a December 2015 operations review document prepared by Lonestar refers to Novafone having 45,000 subscribers, this must be viewed in the light of the fact that Lonestar was significantly overestimating its own market share at this point (and hence underestimating Novafone’s).
The second issue concerns the effect of Lonestar’s decision to pass on the 1c per minute excise tax in January 2017. Lonestar’s contemporaneous assessment was that this caused the loss of 70,000 customers. Mr Nicholson thinks that estimate was too high by a factor of two. However, there are other internal Lonestar documents supporting an impact at or even above the 70,000 level, and Lonestar called no witness to support a lower figure.
Finally, there is an issue of whether allowance should be made for other factors causing lost subscribers. Mr Nicholson originally allowed 10% for losses due to other factors. Mr Thomas has never sought to effect a further allowance, but has maintained his 90,000 figure. I accept that figure may well be conservative, but in circumstances in which Mr Thomas put that figure forward to the court as the figure it should find, and did not put forward or justify an alternative figure, I am satisfied that the figure for lost subscribers established on the evidence is 90,000.
I2 The Loss of Data and Voice ARPU
I2(1) Lonestar’s case
So far as the second element (reduction in ARPU) is concerned, Lonestar’s case is as follows:
While Lonestar’s ARPU for voice and data customers had fallen for a number of years in the face of competition from Cellcom Liberia, the respective ARPUs of the two competitors on a combined voice/data basis had achieved a level of stability for a 6-month period before the DDOS Attacks began.
However, from October 2015 Lonestar’s combined ARPU began to fall relative to that of Cellcom/Orange Liberia, which decline continued to February 2017. The relative ARPUs of Lonestar and Cellcom/Orange Liberia over the period moved such that the change in the average difference between the two amounts to $2.39. Of this, Mr Nicholson attributed 70% (US$1.67) to the DDOS Attacks. The 70% figure is arrived at by:
quantifying the effect of one specific event (the January 2017 decision by Lonestar to pass on the excise tax) at 24% of the swing which happened between December 2016 and February 2017, which he rounded to “at least 20%” (meaning 80% was down to something else);
assuming that ordinary competition could not have been responsible for more than 40% of the ARPU swing, because otherwise Lonestar’s ARPU would have fallen below Cellcom/Orange Liberia’s during “a relatively short period of time”, a period significantly shorter than that seen in an analysis of “two player” mobile phone markets in other West African states (meaning that 60% was down to something else);
taking 70% as the midpoint.
It will be apparent that Mr Nicholson’s ARPU analysis is performed on a combined voice/data basis, even though the DDOS Attacks only directly impacted users of Lonestar’s data offering. Mr Singla KC explained in closing that, on Lonestar’s case, “what was happening was customers from Lonestar, high value customers, were switching their data usage and then the voice usage was following the data usage”.
In my assessment, it is necessary to analyse data and voice ARPU separately. This approach is analytically sounder, accords with Lonestar’s internal approach and better reflects the different nature of the two markets, and the different factors impacting upon them.
Turning to the underlying data:
Lonestar’s combined ARPU was 3.67 in October 2015, 3.66 in November, 3.70 in December, 3.29 in January and 2.86 in February. The fall in combined voice/data ARPU, therefore, did not take place until January and February 2016.
Lonestar’s voice ARPU follows the same course: 3.32 in October, 3.33 in November, 3.32 in December, 2.96 in January and 2.54 in February.
Lonestar’s data ARPU – where the principal and initial impact of the DDOS Attacks would be felt – remained relatively steady throughout: 0.35 in October, 0.32 in November, 0.32 in December, 0.33 in January and 0.32 in February.
Lonestar’s voice usage grew from October to December 2015, and then fell dramatically: 136 in October, 139 in November, 147 in December, 127 in January and 121 in February.
Lonestar’s data usage – as to which I repeat the observation in (iii) above – was 19 in October, 18 in November, 24 in December, 27 in January and 26 in February. It increased by 28% in Q1 2016 as against Q4 2015, and increased again in Q2 2016.
Once allowance has been made for Lonestar’s January 2017 decision to pass on the excise tax, the swing in combined voice/data ARPU largely occurred during the first half of 2016 (at a stage when there had been relatively few effective DDOS Attacks), not the period from July 2016 onwards, when the DDOS Attacks were most effective. Of a total swing of $1.90 after taking the January 2017 tax assessment out of the picture, $1.64 occurs before July 2016 and $0.25 afterwards. Looking at voice and data separately:
The voice swing also largely occurred in the first half of 2016. Of the total swing of $1.99, $1.55 occurred before July 2016. Lonestar’s voice ARPU then largely levelled off until the January 2017 decision to pass on the excise tax:
Only in data is the swing greater in the second half of 2016 (of the total swing of $0.40, $0.30 occurred after 30 June 2016), something which is consistent with the more intense DDOS Attacks in that period (together with Cellcom/Orange Liberia’s 4G becoming available from April 2016):
This chronology is wholly inconsistent with the DDOS Attacks having impacted data users, and then had a knock-on effect on the voice spend of those users.
As Mr Kitchener KC put it, drawing on his own stripling studies, the narrative underlying Mr Nicholson’s report lacked the explanatory power to accommodate the chronology of events, particularly in the face of the much more compelling narrative which emerges from the contemporaneous documents. I am satisfied that the reduction in Lonestar’s ARPU occurred in January 2016 because that was when Lonestar opened up its DYO offering to HVCs and imposed capping and throttling, slashing its ARPU overnight, and this was the reason why it was voice ARPU rather than data ARPU which fell in early 2016, and why voice usage fell while data usage did not.
There are other problems with Lonestar’s approach. Mr Nicholson’s methodology is noticeably indirect, rather than looking at what Lonestar’s internal assessment was of the reasons why it was losing revenue per customer relative to Cellcom/Orange Liberia. As will be apparent from the chronological summary set out in Section D above, and as would be expected, there was extensive analysis within Lonestar of why its HVCs were reducing their average spend, which did not attribute the fall in voice spend to the DDOS Attacks, and only identified the DDOS Attacks as impacting data revenue when those attacks became much more intense in the second half of 2016. It is as if the court is being asked to find that an injured man was run over because there is a higher rate of traffic offences and a lower rate of violent acquisitive crime in the wider region, and to ignore the victim’s “res gestae” statement to a passer-by that he was robbed.
Further, Mr Nicholson’s decision to isolate one unilateral pricing decision by Lonestar (the decision to pass on the 1c excise tax in January 2017) when analysing the ARPU swing, but not the other significant unilateral decisions taken by Lonestar which impacted on pricing, or what was received in return from pricing, was never satisfactorily explained. The different responses by Lonestar and Orange Liberia to the excise tax (one absorbing it and therefore cutting its pre-tax price, the other passing it on) do not appear to be different in kind to any of the other occasions on which one party made a price move which was not matched by the other for a period of time (in March 2017 the excise tax was withdrawn). The January 2017 event does not appear to differ from any of the other unilateral price moves, yet it is treated differently by Mr Nicholson.
There are also very real difficulties with Lonestar’s case as to the causal mechanism by which the DDOS Attacks impacting the user experience of data subscribers would lead to a reduction in the ARPU from voice services. Two causal theories were advanced:
It was Mr Toriola’s evidence that the DDOS Attacks caused Lonestar customers who wished to use a primary number for both voice and data to reduce their use of both services when Lonestar’s data services were impacted by the DDOS Attacks, without actually ceasing to be subscribers. However, the only contemporary document pointed to by Mr Toriola as evidence of this phenomenon (a Q4 2016 market performance report covering the period from Q3 2015) does not show any change in primary or secondary usage during this period. The chart was clearly not a measure only of movements within each service provider (as suggested to Mr Thomas in the course of cross-examination) but of movements across the market as a whole.
It was also suggested that, with voice and data being sold (inter alia) in combined bundles, the effect of DDOS Attacks on data usage impacted voice usage. I accept that, in theory, this is a plausible causal mechanism. However, in addition to the chronological difficulty, Mr Thomas’ analysis showed that take-up of Lonestar’s DYO combined voice-data bundle did not change during the most intense period of DDOS Attacks (from July 2016 onwards). In my view, this was because the data element in the DYO was very small, essentially being a “taster”, with voice use being the principal attraction of the DYO. While I accept that some voice revenue may well have been lost through this mechanism, I am satisfied it would have been very limited.
Finally, as regards both theories, the suggestion that voice track followed data track in the sense that winning HVCs’ data usage would bring with it their voice usage in the Liberian market was difficult to square with the fact that Cellcom/Orange Liberia had been the dominant data provider for 18 months before October 2015, without becoming dominant in voice off the back of that data dominance, and with the widespread practice of “multi-SIM-ing” which made the use of separate networks (and hence numbers) for data and voice commonplace. On the evidence, by Q4 2016, 70% of HVCs were multi-SIM users, and by 2018 this was the position for 100% of the market.
In addition, Lonestar’s case offers no credible account of the chronological intervals between the the limited periods of effective DDOS Attacks (as I have found them to be) and the impact on voice revenue. Mr Nicholson’s approach assumes that the DDOS Attacks rapidly caused a significant reduction in average voice/revenue spend in January and February 2016. However, the “data to voice” causation case advanced by Lonestar assumed a period of unhappiness by combined customers with Lonestar’s data services building up to a point when it began to impact the use of Lonestar’s voice network as well. It is noteworthy that the DDOS Attacks did not lead to any loss of subscribers until September 2016, once the more intense phase of DDOS Attacks had begun (indeed Lonestar added subscribers and took market share from Cellcom/Orange Liberia up to that point). The evidence of the impact on data ARPU suggests that it was really only in the second half of 2016 that the DDOS Attacks had sustained effects, such that any effect on voice revenue would, on Lonestar’s case, have followed that. Indeed it was Mr Toriola’s evidence that it was only after February 2017 that customers had become sufficiently frustrated with the DDOS Attacks to reduce their MOU.
The many difficulties in reconciling Lonestar’s theory that the movement in its relative combined voice/data ARPU over the period from October 2015 to February 2017 was the result of the DDOS Attacks with:
Lonestar’s contemporaneous analysis;
the timing of data and voice ARPU movements; and
the absence of a sufficiently plausible causal mechanism;
cannot be overcome by Mr Nicholson’s comparative “macro” analysis of other West African mobile telecommunications markets. I was not persuaded that the performances of the markets he considered were as homogenous as the comparison assumed, so as to make Liberia a clear outlier rather than one of a number of individual narratives each reflecting the circumstances of and events in that market. In some markets, the incumbent does not appear to have had a historical ARPU advantage, in some it was lost very rapidly and some had more than two major operators. In any event it is entirely possible that there were other factors, or combinations of factors, at work in Liberia (including the fact that, by October 2015, Cellcom/Orange Liberia was already clearly the data incumbent, and launched 3G and 4G/LTE services significantly in advance of Lonestar) which can explain the particular course of events in the Liberian market.
I2(2) Data ARPU
There was a swing in the data ARPU during the DDOS Attack period of $0.40. Mr Thomas’ loss calculation allocated 50% of this swing to the DDOS Attacks, which he said was a conservative figure. I am satisfied that it is the appropriate figure to use:
I have already explained that I am not persuaded that Mr Nicholson’s attribution of 70% of the combined voice/data ARPU swing to the DDOS Attacks is reliable: [238]-[244].
Cellcom/Orange Liberia was the data incumbent before the DDOS Attacks, and also enjoyed a major advantage in being the first to launch both 3G and 4G/LTE data services in Liberia, and in its superior data network and infrastructure.
Lonestar’s pricing decisions for bundles which included a (small) data allowance, which were taken for reasons other than the DDOS Attacks, would themselves have had an adverse effect on Lonestar’s data ARPU, and the April 2016 price review involved a significant cut to Lonestar’s PAYG data prices, and marked the start of a data price war which adversely impacted data ARPU. I accept, however, that some element of Lonestar’s price reduction for data was a response to the DDOS Attacks, particularly from late 2016 (when this linkage is specifically referred to in contemporary documents).
The allocation of the data ARPU swing across these various causes is inevitably rough and ready. Mr Thomas’ initial application of 1/3:1/3:1/3 for superior network/technology, price decisions and the DDOS Attacks does not disclose a reasoned basis for the assumed equivalence of these factors, and does not specifically account for the indirect effect of the DDOS Attacks on Lonestar’s data pricing. However, I am satisfied that the 50% attribution Mr Thomas uses in his final calculation does fairly allow for this, and that this is the appropriate figure to use.
I2(3) Voice ARPU losses
For the reasons I have set out at [238] to [244] above, I am unable to accept Lonestar’s case as to the existence of an appreciable effect of the DDOS Attacks on its voice revenue beyond that already accounted for within the figure for lost subscribers addressed at I2(1) above. However, I accept that:
there are two documents which emerge late in the story which suggest there may well have been some “slow” loss of voice traffic from lost data users who did not become lost subscribers (albeit they do not provide any basis for quantifying it);
the combined bundle provides a possible causal mechanism for lost data subscribers to impact voice revenue;
it is unlikely that levels of customer dissatisfaction which were enough to drive many customers away would have had absolutely no voice impact at all on those who remained subscribers.
However, the overall tenor of Lonestar’s internal assessments is that the most significant consequence of the DDOS Attacks was lost data revenue. In my assessment, it is appropriate to remove the voice ARPU swing which happened in the first half of 2016, and the effect of the January 2017 decision to pass on the excise tax in order to arrive at the figure for voice ARPU swing which is unaccounted for. In the time-honoured phrase, doing the best that I can on the material available to me, I am satisfied that it would be appropriate to attribute 50% of that remaining voice ARPU swing to the DDOS Attacks. I asked the parties to agree the calculation of the loss of profit figure on that basis.
I received two very different figures:
from Lonestar, a figure for total loss of profit of $5,239,826 (supported by a new set of calculations from Mr Nicholson); and
from Orange Liberia, a figure for total loss of profit of $3,602,349.
The difference between the two figures turns on the following:
the start date of the voice ARPU swing, which Mr Nicholson has taken as October 2015 when the DDOS Attacks began, and which Orange Liberia has taken as 1 July 2016; and
the amount of the voice ARPU swing attributed to Lonestar’s decision to pass on the excise tax, which Mr Nicholson had previously quantified at 40c and which he now suggests should be quantified at 15c.
As to (i), I am satisfied that this would be inconsistent with my finding that the DDOS Attacks did not cause any impact on voice ARPU before the second half of 2016 and it is not therefore open to Lonestar to seek to revisit that issue.
As to (ii), the figure of 40c was put forward by Mr Nicholson before and at the trial, and agreed to by Mr Thomas. Mr Nicholson was cross-examined on that basis and agreed that if the combined ARPU swing before July 2016 was removed, and the swing due to the decision to pass on the excise tax was also removed, that left a combined voice/ARPU swing of 23c (of which voice makes up 4c). The figure now put forward reflects a change in Mr Nicholson’s model. This had proceeded on the basis of a comparison between the three months from September to November 2016 with the three months from March to May 2017. Mr Nicholson now suggests that the voice ARPU swing should be calculated solely from December 2016, which should be compared with the six months from March to August 2017.
In the course of closing arguments, the issue of how any voice ARPU swing due to the DDOS Attacks should be calculated was raised. Mr Singla KC referred to the fact that Mr Thomas has not produced his own calculation of lost voice ARPU, having reached the view that the DDOS Attacks had had no effect on voice ARPU. Addressing a scenario in which I concluded that there had been some effect on voice ARPU, but not that calculated by Mr Nicholson, I asked:
“What happens in that situation? It is not a baseball arbitration, where I have to choose one or other salary offering. I have to be satisfied -- if the situation is I end up saying there is some voice but I think it is less, do I ask for more submissions or ...?”
The exchanges which followed were as follows:
“Mr Singla: I think it can be dealt with through the model.
Foxton J: Okay, so you adjust inputs, do you?
Mr Singla: I think so.
Foxton J As long as I'm not asked to run the model myself.
Mr Singla: I think it is a case of once you know what percentage and what youconfine to that can be worked out, and that shouldn't controversial.”
I am not willing to allow Lonestar to depart from the case which was maintained through the trial, or change the model which was agreed to by Mr Thomas and which it was accepted would form the basis of any alternative calculation. Lonestar has accepted (in Freshfields Bruckhaus Deringer’s letter of 23 February 2023) that the 2c figure put forward by Orange Liberia is that which follows “from the approach adopted by the parties’ quantum experts”. It is not appropriate for Mr Nicholson, or Lonestar, to seek to revisit their methodology after the draft judgment was circulated (cf. Royal & Sun Alliance Insurance Limited v Tughans [2022] EWHC 2825 (Comm), [16]).
I3 Future losses
I have found that the DDOS Attacks caused:
the loss of 90,000 subscribers;
50% of the data ARPU losses; and
2c of the voice ARPU swing.
That leaves the issue of how long these losses continued after the end of the DDOS Attack period.
Taking loss of subscribers first, it was common ground that subscriber loss would continue to April 2020, and I understand both sets of calculations proceed on this basis.
So far as the ARPU loss is concerned (which involved Lonestar data customers spending less than they would otherwise have done on data and voice), Mr Thomas’ calculation assumes that the effect would have been exhausted by September 2019, when the new price floor was introduced. I am not persuaded that the price floor itself would have been a factor in ending the significance of the DDOS Attacks on the market for Lonestar’s ARPUs. Its effect was to equalise the pricing between Lonestar and Orange Liberia, but there is no reason why that would, of itself, have reversed the prior effects of the DDOS Attacks on customer behaviour. However, I accept that, by September 2019, the effects of the DDOS Attacks on Lonestar were largely coming to an end (which was broadly the evidence of Mr Toriola in his witness statement: see in particular paragraphs 36(a), 38 and 47). I am satisfied that the April 2020 end-date for subscriber losses also represents the end date for these other losses (it would be surprising if it took more time for data and voice spending of retained Lonestar customers to recover to the level it would have had, but for DDOS Attacks, than for the position with respect to lost subscribers to reach the same position).
I4 Loss of profit: conclusion
On the basis of the findings I have made, the loss of profit caused by the DDOS Attacks falls to be quantified at $3,602,349.
Lonestar’s argument at times appeared to suggest that a figure at or around this level was inherently too small to be a realistic assessment of the effect of the DDOS Attacks given their scale. However:
As I have explained, I am satisfied that the practical effects of the DDOS Attacks on users of Lonestar’s network were much more isolated, and limited, than Lonestar’s case theory assumes.
I have no basis for concluding that a figure of $3.6m is somehow “too small”, such that it must fail a sense-check on size alone. In any event, Lonestar’s profit in 2015 (before the DDOS Attacks became effective) was $1.95m. Viewed against that figure, and given my findings as to the actual impacts and duration of the DDOS Attacks, there is nothing about the size of the figure I have arrived at which leads me to question whether it is a fair quantification of Lonestar’s loss.
By contrast, although routinely described as the product of a conservative analysis, I found Mr Nicholson’s figure of just over $46.7m wholly inconsistent with Lonestar’s financial performance in 2015, the downward trajectory of its financial performance and Lonestar’s own internal assessments of the effect of the DDOS Attacks.
I5 Failure to mitigate
Orange Liberia argued that Lonestar’s network capacity and DDOS defences were not fit for purpose and that it should have increased cleaning capacity quicker than it did. I am not persuaded that there is anything in this argument. Indeed, to a significant extent, I suspect that Orange Liberia’s “failure to mitigate” argument was advanced only to address the possibility that the court accepted Lonestar’s case that the DDOS Attacks began having very serious effects on Lonestar’s network on a near-continuous basis from October 2015. I have rejected that contention. Viewed in the light of the actual effect of the DDOS Attacks, and the intermittent nature of those effects, I am not persuaded that Lonestar acted unreasonably in its response to the attacks. Nor am I persuaded that it is open to Orange Liberia to advance a mitigation argument premised on Lonestar’s failure to install a higher capacity DDOS defence system before the DDOS Attacks began. Seat-belts and crash helmets apart (and English law deals with those through the concept of contributory negligence: cf. Glanville Williams, Joint Torts and Contributory Negligence (1951), Ch.11), complaints about mitigation involve the steps taken (or not taken) after the tort, and I was taken to nothing which suggested that the law of Liberia was any different in this respect.
I6 Unnecessary expenditure
Finally, Lonestar claimed $878,170 in expenditure. This part of the claim was, for understandable reasons, only explored briefly at trial, but the absence of any witness able to speak to the expenses and a clear audit trail has allowed for some dispute as to whether, and if so why, these costs were incurred. Taking the individual elements in turn:
The upgrade of MTN Liberia’s Point of Presence infrastructure on 30 May 2016 at a cost of $143,685: There is an unsigned CAPEX proposal of February 2016 approving this acquisition which expressly links at least parts of the expense to “the mitigation efforts for the DDOS attacks of 2015”. However, the proposal appears to have first been put forward before the DDOS Attacks began (having been budgeted for in the 2015 business plan). I am unable to identify which parts, if any, of this expense were caused by the DDOS Attacks, and which were simply the implementation of a pre-DDOS Attacks project. The claim for this head of expense fails.
The purchase of the Arbor Networks UK Ltd Anti-DDOS solution on 24 August 2016 for $368,757: This expense is supported by a purchaser order of this date and a CAPEX approval which states that “persistent DDOS attacks on MTN Liberia Data Services have led to Productivity & Revenue losses, Reputational Damage”. The Arbor Cloud service was installed in September 2016. This head of expense is sufficiently proved and is recoverable.
The upgrade of MTN Liberia’s POP infrastructure on 30 August 2016 for $89,650: This appears in an unsigned CAPEX proposal which notes that “the mitigation efforts for the DDOS attacks of 2015” required the installation of the anti-DDOS functionality. It appears to duplicate the first item in certain respects. However, I am satisfied that at least $63,243.36 of this figure relates to anti-DDOS capable Fortigate nodes, and I will award that amount.
The acquisition of the Arbor Networks UK Ltd Availability Protection System on 16 November 2016 for $275,078: There is an invoice in this amount from Arbor. There is no dispute that this system was installed, and it must have been paid for. This figure is recoverable.
J EXEMPLARY DAMAGES
I will first consider the position of the Individual Defendants.
So far as Mr Kaye is concerned, he has served a sentence of imprisonment for his role in the DDOS Attacks. The criminal justice process has appropriately served the goal of punishing Mr Kaye for his actions, and I do not believe it would be appropriate for an award of punitive damages to be made against him in those circumstances.
So far as Mr Marziano is concerned, he was the principal mover in the DDOS Attacks. He lied to Cellcom BVI about his involvement when asked to comment on this claim, and has avoided participation in these proceedings. He has not, as yet, been subject to any form of criminal process in respect of his involvement, and the chances of this happening must be limited given the interval of time which has now elapsed. He was ultimately motivated by his own personal benefit, and clearly did benefit to some degree, although the extent to which the bonuses received by him were increased as a result of the DDOS Attacks is not clear on the evidence before me. I am satisfied that an order of punitive damages in the amount of US$170,000 (the amount of the bonus paid to him after Cellcom BVI received the final Earn Out Payment in December 2016) is appropriate.
I am not persuaded that it would be appropriate to award punitive damages against Mr Polani. He was significantly junior to Mr Marziano, had a much more limited role, and I have seen no evidence that he obtained a significant financial benefit from his involvement with the DDOS Attacks.
I am not persuaded that it would be appropriate to order punitive damages against Orange Liberia. The vicarious nature of its liability is a very relevant factor in this respect, as is the essentially commercial nature of the dispute and the financial nature of the harm inflicted on Lonestar. Having regard to the order for compensatory damages made against it, and the payments it made to Cellcom BVI the recovery of which now looks highly questionable, I am not persuaded that it has made any net benefit from the DDOS Attacks, particularly when regard is had to the management time which this litigation will have consumed, and the inevitability of uncompensated costs (whatever costs order might be made).
For essentially similar reasons, I do not believe an order for punitive damages is appropriate against Cellcom BVI. It will now face a claim from Orange Liberia under the warranties in the SPA, as well as the damages award made in this judgment. It is likely to face real difficulties in recovering the amounts it has paid to Mr Marziano.
K CONTRIBUTION
Finally, Orange Liberia seeks orders for 100% contribution from Cellcom BVI and the Individual Defendants under the Civil Liability (Contribution) Act 1978. Section 2(1) of that Act provides that the amount of contribution shall be “such sum as may be found by the court to be just and equitable having regard to that person’s responsibility for the damage in question”. In determining that amount, the case law suggests that I should have regard to:
the causative potency of the various defendants’ actions;
their respective moral blameworthiness (whether or not the blameworthy acts caused the damage);
organisational responsibility; and
other factors which have a “sufficient relationship” to the damage in question;
(Dubai Aluminium Co Ltd v Salaam [2003] 2 AC 366, [72]; Brian Warwicker Partnership Plc v HOL International Ltd [2005] EWCA Civ 962, [37]-[38], [45], [51]; Parkman Consulting Engineers v Cumbrian Industrials Ltd [2001] EWCA Civ 1621, [108]).
In relation to the Individual Defendants, I am satisfied that the appropriate level of contribution should be 100%. They were entirely responsible for the acts which caused the loss, and are the only parties who acted in a morally blameworthy way. I do not believe this order involves any risk of Orange Liberia retaining an ultimate benefit from the wrongful acts, given the factors identified in [262] above, and the fact that it has made the Earn Out Payments.
As regards Cellcom BVI, I am going to put Orange Liberia’s contractual rights against Cellcom BVI on one side. No claims under the SPA or TSA were pleaded, and I heard no argument upon them. However, it follows that this order for contribution is not in any way intended to limit Orange Liberia’s contractual rights against Cellcom BVI.
On that basis, and given the absence of any personal fault by Orange Liberia or Cellcom BVI, both of whom have been found liable on a vicarious basis for the acts of Mr Marziano, I am satisfied that the order for contribution should be 50%: Viasystems (Tyneside) Ltd v Thermal Transfer (Northern) Ltd [2005] EWCA 1151, [2006] QB 510, [84]-[85].
L CONCLUSION
On the basis set out above, it follows that:
Lonestar is entitled to judgment against each of the Individual Defendants, Orange Liberia and Cellcom BVI in the sum of $3,602,349 lost profits and $707,738.36 unnecessary expenditure, and further entitled to punitive damages of $170,000 against Mr Marziano.
Orange Liberia is entitled to 100% contribution from each of the Individual Defendants, and 50% contribution from Cellcom BVI.
I would like to conclude by expressing my gratitude to the legal representatives for all their hard work, and in particular for their successful efforts to present a complex case using written opening and closing submissions of manageable proportions.