421 lines
20 KiB
Plaintext
421 lines
20 KiB
Plaintext
|
From: elrose@well.sf.ca.us (Lance Rose)
|
||
|
|
|
||
|
|
Cyberspace and the Legal Matrix: Laws or Confusion?
|
||
|
|
|
||
|
|
Cyberspace, the "digital world", is emerging as a global arena of
|
||
|
|
social, commercial and political relations. By "Cyberspace", I mean
|
||
|
|
the sum total of all electronic messaging and information systems,
|
||
|
|
including BBS's, commercial data services, research data networks,
|
||
|
|
electronic publishing, networks and network nodes, e-mail systems,
|
||
|
|
electronic data interchange systems, and electronic funds transfer
|
||
|
|
systems.
|
||
|
|
|
||
|
|
Many like to view life in the electronic networks as a "new frontier",
|
||
|
|
and in certain ways that remains true. Nonetheless, people remain
|
||
|
|
people, even behind the high tech shimmer. Not surprisingly, a vast
|
||
|
|
matrix of laws and regulations has trailed people right into
|
||
|
|
cyberspace.
|
||
|
|
|
||
|
|
Most of these laws are still under construction for the new electronic
|
||
|
|
environment. Nobody is quite sure of exactly how they actually apply
|
||
|
|
to electronic network situations. Nonetheless, the major subjects of
|
||
|
|
legal concern can now be mapped out fairly well, which we will do in
|
||
|
|
this section of the article. In the second section, we will look at
|
||
|
|
some of the ways in which the old laws have trouble fitting together
|
||
|
|
in cyberspace, and suggest general directions for improvement.
|
||
|
|
|
||
|
|
LAWS ON PARADE
|
||
|
|
|
||
|
|
- Privacy laws. These include the federal Electronic Communications
|
||
|
|
Privacy Act ("ECPA"), originally enacted in response to Watergate, and
|
||
|
|
which now prohibits many electronic variations on wiretapping by both
|
||
|
|
government and private parties. There are also many other federal and
|
||
|
|
state privacy laws and, of course, Constitutional protections against
|
||
|
|
unreasonable search and seizure.
|
||
|
|
|
||
|
|
- 1st Amendment. The Constitutional rights to freedom of speech and
|
||
|
|
freedom of the press apply fully to electronic messaging operations of
|
||
|
|
all kinds.
|
||
|
|
|
||
|
|
- Criminal laws. There are two major kinds of criminal laws. First,
|
||
|
|
the "substantive" laws that define and outlaw certain activities.
|
||
|
|
These include computer-specific laws, like the Computer Fraud and
|
||
|
|
Abuse Act and Counterfeit Access Device Act on the federal level, and
|
||
|
|
many computer crime laws on the state level. Many criminal laws not
|
||
|
|
specific to "computer crime" can also apply in a network context,
|
||
|
|
including laws against stealing credit card codes, laws against
|
||
|
|
obscenity, wire fraud laws, RICO, drug laws, gambling laws, etc.
|
||
|
|
|
||
|
|
The other major set of legal rules, "procedural" rules, puts limits on
|
||
|
|
law enforcement activities. These are found both in statutes, and in
|
||
|
|
rulings of the Supreme Court and other high courts on the permissible
|
||
|
|
conduct of government agents. Such rules include the ECPA, which
|
||
|
|
prohibits wiretapping without a proper warrant; and federal and state
|
||
|
|
rules and laws spelling out warrant requirements, arrest requirements,
|
||
|
|
and evidence seizure and retention requirements.
|
||
|
|
|
||
|
|
- Copyrights. Much of the material found in on-line systems and in
|
||
|
|
networks is copyrightable, including text files, image files, audio
|
||
|
|
files, and software.
|
||
|
|
|
||
|
|
- Moral Rights. Closely related to copyrights, they include the
|
||
|
|
rights of paternity (choosing to have your name associated or not
|
||
|
|
associated with your "work") and integrity (the right not to have your
|
||
|
|
"work" altered or mutilated). These rights are brand new in U.S. law
|
||
|
|
(they originated in Europe), and their shape in electronic networks
|
||
|
|
will not be settled for quite a while.
|
||
|
|
|
||
|
|
- Trademarks. Anything used as a "brand name" in a network context
|
||
|
|
can be a trademark. This includes all BBS names, and names for
|
||
|
|
on-line services of all kinds. Materials other than names might also
|
||
|
|
be protected under trademark law as "trade dress": distinctive sign-on
|
||
|
|
screen displays for BBS's, the recurring visual motifs used throughout
|
||
|
|
videotext services, etc.
|
||
|
|
|
||
|
|
- Right of Publicity. Similar to trademarks, it gives people the
|
||
|
|
right to stop others from using their name to make money. Someone
|
||
|
|
with a famous on-line name or handle has a property right in that
|
||
|
|
name.
|
||
|
|
|
||
|
|
- Confidential Information. Information that is held in secrecy by
|
||
|
|
the owner, transferred only under non-disclosure agreements, and
|
||
|
|
preferably handled only in encrypted form, can be owned as a trade
|
||
|
|
secret or other confidential property. This type of legal protection
|
||
|
|
is used as a means of asserting ownership in confidential databases,
|
||
|
|
>from mailing lists to industrial research.
|
||
|
|
|
||
|
|
- Contracts. Contracts account for as much of the regulation of
|
||
|
|
network operations as all of the other laws put together.
|
||
|
|
|
||
|
|
The contract between an on-line service user and the service provider
|
||
|
|
is the basic source of rights between them. You can use contracts to
|
||
|
|
create new rights, and to alter or surrender your existing rights
|
||
|
|
under state and federal laws.
|
||
|
|
|
||
|
|
For example, if a bulletin board system operator "censors" a user by
|
||
|
|
removing a public posting, that user will have a hard time showing his
|
||
|
|
freedom of speech was violated. Private system operators are not
|
||
|
|
subject to the First Amendment (which is focused on government, not
|
||
|
|
private, action). However, the user may have rights to prevent
|
||
|
|
censorship under his direct contract with the BBS or system operators.
|
||
|
|
|
||
|
|
You can use contracts to create entire on-line legal regimes. For
|
||
|
|
example, banks use contracts to create private electronic funds
|
||
|
|
transfer networks, with sets of rules that apply only within those
|
||
|
|
networks. These rules specify on a global level which activities are
|
||
|
|
permitted and which are not, the terms of access to nearby systems and
|
||
|
|
(sometimes) to remote systems, and how to resolve problems between
|
||
|
|
network members.
|
||
|
|
|
||
|
|
Beyond the basic contract between system and user, there are many
|
||
|
|
other contracts made on-line. These include the services you find in
|
||
|
|
a CompuServe, GEnie or Prodigy, such as stock quote services, airline
|
||
|
|
reservation services, trademark search services, and on-line stores.
|
||
|
|
They also include user-to-user contracts formed through e-mail. In
|
||
|
|
fact, there is a billion-dollar "industry" referred to as "EDI" (for
|
||
|
|
Electronic Data Interchange), in which companies exchange purchase
|
||
|
|
orders for goods and services directly via computers and computer
|
||
|
|
networks.
|
||
|
|
|
||
|
|
- Peoples' Rights Not to be Injured. People have the right not to be
|
||
|
|
injured when they venture into cyberspace. These rights include the
|
||
|
|
right not to be libelled or defamed by others on-line, rights against
|
||
|
|
having your on-line materials stolen or damaged, rights against having
|
||
|
|
your computer damaged by intentionally harmful files that you have
|
||
|
|
downloaded (such as files containing computer "viruses"), and so on.
|
||
|
|
|
||
|
|
There is no question these rights exist and can be enforced against
|
||
|
|
other users who cause such injuries. Currently, it is uncertain
|
||
|
|
whether system operators who oversee the systems can also be held
|
||
|
|
responsible for such user injuries.
|
||
|
|
|
||
|
|
- Financial Laws. These include laws like Regulations E & Z of the
|
||
|
|
Federal Reserve Board, which are consumer protection laws that apply
|
||
|
|
to credit cards, cash cards, and all other forms of electronic
|
||
|
|
banking.
|
||
|
|
|
||
|
|
- Securities Laws. The federal and state securities laws apply to
|
||
|
|
various kinds of on-line investment related activities, such as
|
||
|
|
trading in securities and other investment vehicles, investment
|
||
|
|
advisory services, market information services and investment
|
||
|
|
management services.
|
||
|
|
|
||
|
|
- Education Laws. Some organizations are starting to offer on-line
|
||
|
|
degree programs. State education laws and regulations come into play
|
||
|
|
on all aspects of such services.
|
||
|
|
|
||
|
|
The list goes on, but we have to end it somewhere. As it stands, this
|
||
|
|
list should give the reader a good idea of just how regulated
|
||
|
|
cyberspace already is.
|
||
|
|
|
||
|
|
|
||
|
|
LAWS OR CONFUSION?
|
||
|
|
|
||
|
|
The legal picture in cyberspace is very confused, for several reasons.
|
||
|
|
|
||
|
|
First, the sheer number of laws in cyberspace, in itself, can create a
|
||
|
|
great deal of confusion. Second, there can be several different kinds
|
||
|
|
of laws relating to a single activity, with each law pointing to a
|
||
|
|
different result.
|
||
|
|
|
||
|
|
Third, conflicts can arise in networks between different laws on the
|
||
|
|
same subject. These include conflicts between federal and state laws,
|
||
|
|
as in the areas of criminal laws and the right to privacy; conflicts
|
||
|
|
between the laws of two or more states, which will inevitably arise
|
||
|
|
for networks whose user base crosses state lines; and even conflicts
|
||
|
|
between laws from the same governmental authority where two or more
|
||
|
|
different laws overlap. The last is very common, especially in laws
|
||
|
|
relating to networks and computer law.
|
||
|
|
|
||
|
|
Some examples of the interactions between conflicting laws are
|
||
|
|
considered below, from the viewpoint of an on-line system operator.
|
||
|
|
|
||
|
|
1. System operators Liability for "Criminal" Activities.
|
||
|
|
|
||
|
|
Many different activities can create criminal liabilities for service
|
||
|
|
providers, including:
|
||
|
|
|
||
|
|
- distributing viruses and other dangerous program code;
|
||
|
|
|
||
|
|
- publishing "obscene" materials;
|
||
|
|
|
||
|
|
- trafficking in stolen credit card numbers and other unauthorized
|
||
|
|
access data;
|
||
|
|
|
||
|
|
- trafficking in pirated software;
|
||
|
|
|
||
|
|
- and acting as an accomplice, accessory or conspirator in these and
|
||
|
|
other activities.
|
||
|
|
|
||
|
|
The acts comprising these different violations are separately defined
|
||
|
|
in statutes and court cases on both the state and federal levels.
|
||
|
|
|
||
|
|
For prosecutors and law enforcers, this is a vast array of options for
|
||
|
|
pursuing wrongdoers. For service providers, it's a roulette wheel of
|
||
|
|
risk.
|
||
|
|
|
||
|
|
Faced with such a huge diversity of criminal possibilities, few
|
||
|
|
service providers will carefully analyze the exact laws that may
|
||
|
|
apply, nor the latest case law developments for each type of criminal
|
||
|
|
activity. Who has the time? For system operators who just want to
|
||
|
|
"play it safe", there is a strong incentive to do something much
|
||
|
|
simpler: Figure out ways to restrict user conduct on their systems
|
||
|
|
that will minimize their risk under *any* criminal law.
|
||
|
|
|
||
|
|
The system operator that chooses this highly restrictive route may not
|
||
|
|
allow any e-mail, for fear that he might be liable for the activities
|
||
|
|
of some secret drug ring, kiddie porn ring or stolen credit card code
|
||
|
|
ring. The system operator may ban all sexually suggestive materials,
|
||
|
|
for fear that the extreme anti-obscenity laws of some user's home town
|
||
|
|
might apply to his system. The system operator may not permit
|
||
|
|
transfer of program files through his system, except for files he
|
||
|
|
personally checks out, for fear that he could be accused of assisting
|
||
|
|
in distributing viruses, trojans or pirated software; and so on.
|
||
|
|
|
||
|
|
In this way, the most restrictive criminal laws that might apply to a
|
||
|
|
given on-line service (which could emanate, for instance, from one
|
||
|
|
very conservative state within the system's service area) could end up
|
||
|
|
restricting the activities of system operators all over the nation, if
|
||
|
|
they happen to have a significant user base in that state. This
|
||
|
|
results in less freedom for everyone in the network environment.
|
||
|
|
|
||
|
|
2. Federal vs. State Rights of Privacy.
|
||
|
|
|
||
|
|
Few words have been spoken in the press about network privacy laws in
|
||
|
|
each of the fifty states (as opposed to federal laws). However, what
|
||
|
|
the privacy protection of the federal Electronic Communications
|
||
|
|
Privacy Act ("ECPA") does not give you, state laws may.
|
||
|
|
|
||
|
|
This was the theory of the recent Epson e-mail case. An ex-employee
|
||
|
|
claimed that Epson acted illegally in requiring her to monitor e-mail
|
||
|
|
conversations of other employees. She did not sue under the ECPA, but
|
||
|
|
under the California Penal Code section prohibiting employee
|
||
|
|
surveillance of employee conversations.
|
||
|
|
|
||
|
|
The trial judge denied her claim. In his view, the California law
|
||
|
|
only applied to interceptions of oral telephone discussions, and not
|
||
|
|
to visual communication on video display monitors. Essentially, he
|
||
|
|
held that the California law had not caught up to modern technology -
|
||
|
|
making this law apply to e-mail communications was a job for the state
|
||
|
|
legislature, not local judges.
|
||
|
|
|
||
|
|
Beyond acknowledging that the California law was archaic and not
|
||
|
|
applicable to e-mail, we should understand that the Epson case takes
|
||
|
|
place in a special legal context - the workplace. E-mail user rights
|
||
|
|
against workplace surveillance are undeniably important, but in our
|
||
|
|
legal and political system they always must be "balanced" (ie.,
|
||
|
|
weakened) against the right of the employer to run his shop his own
|
||
|
|
way. Employers' rights may end up weighing more heavily against
|
||
|
|
workers' rights for company e-mail systems than for voice telephone
|
||
|
|
conversations, at least for employers who use intra-company e-mail
|
||
|
|
systems as an essential backbone of their business. Fortunately, this
|
||
|
|
particular skewing factor does not apply to *public* communications
|
||
|
|
systems.
|
||
|
|
|
||
|
|
I believe that many more attempts to establish e-mail privacy under
|
||
|
|
state laws are possible, and will be made in the future. This is good
|
||
|
|
news for privacy advocates, a growing and increasingly vocal group
|
||
|
|
these days.
|
||
|
|
|
||
|
|
It is mixed news, however, for operators of BBS's and other on-line
|
||
|
|
services. Most on-line service providers operate on an interstate
|
||
|
|
basis - all it takes to gain this status is a few calls from other
|
||
|
|
states every now and then. If state privacy laws apply to on-line
|
||
|
|
systems, then every BBS operator will be subject to the privacy laws
|
||
|
|
of every state in which one or more of his users are located! This
|
||
|
|
can lead to confusion, and inability to set reasonable or predictable
|
||
|
|
system privacy standards.
|
||
|
|
|
||
|
|
It can also lead to the effect described above in the discussion of
|
||
|
|
criminal liability. On-line systems might be set up "defensively", to
|
||
|
|
cope with the most restrictive privacy laws that might apply to them.
|
||
|
|
This could result in declarations of *absolutely no privacy* on some
|
||
|
|
systems, and highly secure setups on others, depending on the
|
||
|
|
individual system operator's inclinations.
|
||
|
|
|
||
|
|
3. Pressure on Privacy Rights Created by Risks to Service Providers.
|
||
|
|
|
||
|
|
There are two main kinds of legal risks faced by a system operator.
|
||
|
|
First, the risk that the system operator himself will be found
|
||
|
|
criminally guilty or civilly liable for being involved in illegal
|
||
|
|
activities on his system, leading to fines, jail, money damages,
|
||
|
|
confiscation of system, criminal record, etc.
|
||
|
|
|
||
|
|
Second, the risk of having his system confiscated, not because he did
|
||
|
|
anything wrong, but because someone else did something suspicious on
|
||
|
|
his system. As discussed above, a lot of criminal activity can take
|
||
|
|
place on a system when the system operator isn't looking. In
|
||
|
|
addition, certain non-criminal activities on the system could lead to
|
||
|
|
system confiscation, such copyright or trade secret infringement.
|
||
|
|
|
||
|
|
This second kind of risk is very real. It is exactly what happened to
|
||
|
|
Steve Jackson Games last year. Law enforcement agents seized Steve's
|
||
|
|
computer (which ran a BBS), not because they thought he did anything
|
||
|
|
wrong, but because they were tracking an allegedly evil computer
|
||
|
|
hacker group called the "Legion of Doom". Apparently, they thought
|
||
|
|
the group "met" and conspired on his BBS. A year later, much of the
|
||
|
|
dust has cleared, and the Electronic Frontier Foundation is funding a
|
||
|
|
lawsuit against the federal agents who seized the system.
|
||
|
|
Unfortunately, even if he wins the case Steve can't get back the
|
||
|
|
business he lost. To this day, he still has not regained all of his
|
||
|
|
possessions that were seized by the authorities.
|
||
|
|
|
||
|
|
For now, system operators do not have a great deal of control over
|
||
|
|
government or legal interference with their systems. You can be a
|
||
|
|
solid citizen and report every crime you suspect may be happening
|
||
|
|
using your system. Yet the chance remains that tonight, the feds will
|
||
|
|
be knocking on *your* door looking for an "evil hacker group" hiding
|
||
|
|
in your BBS.
|
||
|
|
|
||
|
|
This Keystone Kops style of "law enforcement" can turn system
|
||
|
|
operators into surrogate law enforcement agents. System operators who
|
||
|
|
fear random system confiscation will be tempted to monitor private
|
||
|
|
activities on their systems, intruding on the privacy of their users.
|
||
|
|
Such intrusion can take different forms. Some system operators may
|
||
|
|
declare that there will be no private discussions, so they can review
|
||
|
|
and inspect everything. More hauntingly, system operators may indulge
|
||
|
|
in surreptitious sampling of private e-mail, just to make sure no
|
||
|
|
one's doing anything that will make the cops come in and haul away
|
||
|
|
their BBS computer systems (By the way, I personally don't advocate
|
||
|
|
either of these things).
|
||
|
|
|
||
|
|
This situation can be viewed as a way for law enforcement agents to do
|
||
|
|
an end run around the ECPA's bar on government interception of
|
||
|
|
electronic messages. What the agents can't intercept directly, they
|
||
|
|
might get through fearful system operators. Even if you don't go for
|
||
|
|
such conspiracy theories, the random risk of system confiscation puts
|
||
|
|
great pressure on the privacy rights of on-line system users.
|
||
|
|
|
||
|
|
4. Contracts Versus Other Rights.
|
||
|
|
|
||
|
|
Most, perhaps all, of the rights between system operators and system
|
||
|
|
users can be modified by the basic service contract between them. For
|
||
|
|
instance, the federal ECPA gives on-line service users certain privacy
|
||
|
|
rights. It conspicuously falls short, however, by not protecting
|
||
|
|
users from privacy intrusions by the system operator himself.
|
||
|
|
|
||
|
|
Through contract, the system operator and the user can in effect
|
||
|
|
override the ECPA exception, and agree that the system operator will
|
||
|
|
not read private e-mail. Some system operators may go the opposite
|
||
|
|
direction, and impose a contractual rule that users should not expect
|
||
|
|
any privacy in their e-mail.
|
||
|
|
|
||
|
|
Another example of the power of contracts in the on-line environment
|
||
|
|
occurred recently on the Well, a national system based in San
|
||
|
|
Francisco (and highly recommended to all those interested in
|
||
|
|
discussing on-line legal issues). A Well user complained that a
|
||
|
|
message he had posted in one Well conference area had been
|
||
|
|
cross-posted by other users to a different conference area without his
|
||
|
|
permission.
|
||
|
|
|
||
|
|
A lengthy, lively discussion among Well users followed, debating the
|
||
|
|
problem. One of the major benchmarks for this discussion was the
|
||
|
|
basic service agreement between the Well and its users. And a
|
||
|
|
proposed resolution of the issue was to clarify the wording of that
|
||
|
|
fundamental agreement. Although "copyrights" were discussed, the
|
||
|
|
agreement between the Well and its users was viewed as a more
|
||
|
|
important source of the legitimate rights and expectations of Well
|
||
|
|
users.
|
||
|
|
|
||
|
|
Your state and federal "rights" against other on-line players may not
|
||
|
|
be worth fighting over if you can get a contract giving you the rights
|
||
|
|
you want. In the long run, the contractual solution may be the best
|
||
|
|
way to set up a decent networked on-line system environment, except
|
||
|
|
for the old bogeyman of government intrusion (against whom we will all
|
||
|
|
still need our "rights", Constitutional and otherwise).
|
||
|
|
|
||
|
|
CONCLUSION
|
||
|
|
|
||
|
|
There are many different laws that system operators must heed in
|
||
|
|
running their on-line services. This can lead to restricting system
|
||
|
|
activities under the most oppressive legal standards, and to
|
||
|
|
unpredictable, system-wide interactions between the effects of the
|
||
|
|
different laws.
|
||
|
|
|
||
|
|
The "net" result of this problem can be undue restrictions on the
|
||
|
|
activities of system operators and users alike.
|
||
|
|
|
||
|
|
The answers to this problem are simple in concept, but not easy to
|
||
|
|
execute. First, enact (or re-enact) all laws regarding electronic
|
||
|
|
services on a national level only, overriding individual state control
|
||
|
|
of system operators activities in cyberspace. It's time to realize
|
||
|
|
that provincial state laws only hinder proper development of
|
||
|
|
interstate electronic systems.
|
||
|
|
|
||
|
|
As yet, there is little movement in enacting nationally effective
|
||
|
|
laws. Isolated instances include the Electronic Communications
|
||
|
|
Privacy Act and the Computer Fraud and Abuse Act, which place federal
|
||
|
|
"floors" beneath privacy protection and certain types of computer
|
||
|
|
crime, respectively. On the commercial side, the new Article 4A of
|
||
|
|
the Uniform Commercial Code, which normalizes on-line commercial
|
||
|
|
transactions, is ready for adoption by the fifty states.
|
||
|
|
|
||
|
|
Second, all laws regulating on-line systems must be carefully designed
|
||
|
|
to interact well with other such laws. The goal is to create a
|
||
|
|
well-defined, reasonable legal environment for system operators and
|
||
|
|
users.
|
||
|
|
|
||
|
|
The EFF is fighting hard on this front, especially in the areas of
|
||
|
|
freedom of the press, rights of privacy, and rights against search and
|
||
|
|
seizure for on-line systems. Reducing government intrusion in these
|
||
|
|
areas will help free up cyberspace for bigger and better things.
|
||
|
|
|
||
|
|
However, the fight is just beginning today.
|
||
|
|
|
||
|
|
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|
||
|
|
|
||
|
|
Lance Rose is an attorney who works primarily in the fields of
|
||
|
|
computer and high technology law and intellectual property. His
|
||
|
|
clients include on-line publishers, electronic funds transfer
|
||
|
|
networks, data transmission services, individual system operators, and
|
||
|
|
shareware authors and vendors. He is currently revising SYSLAW, The
|
||
|
|
Sysop's Legal Manual. Lance is a partner in the New York City firm of
|
||
|
|
Greenspoon, Srager, Gaynin, Daichman & Marino, and can be reached by
|
||
|
|
voice at (212)888-6880, on the Well as "elrose", and on CompuServe at
|
||
|
|
72230,2044.
|
||
|
|
|
||
|
|
Copyright 1991 Lance Rose
|
||
|
|
|
||
|
|
The above article was originally published in Boardwatch, June, 1991
|
||
|
|
|