Cyberspace and the Legal Matrix: Laws or Confusion?

Cyberspace, the "digital world", is emerging as a global arena of social,
commercial and political relations. By "Cyberspace", I mean the sum total
of all electronic messaging and information systems, including BBS's,
commercial data services, research data networks, electronic publishing,
networks and network nodes, e-mail systems, electronic data interchange
systems, and electronic funds transfer systems.

Many like to view life in the electronic networks as a "new frontier", and
in certain ways that remains true. Nonetheless, people remain people, even
behind the high tech shimmer. Not surprisingly, a vast matrix of laws and
regulations has trailed people right into cyberspace.

Most of these laws are still under construction for the new electronic
environment. Nobody is quite sure of exactly how they actually apply to
electronic network situations. Nonetheless, the major subjects of legal
concern can now be mapped out fairly well, which we will do in this section
of the article. In the second section, we will look at some of the ways in
which the old laws have trouble fitting together in cyberspace, and suggest
general directions for improvement.

LAWS ON PARADE

- Privacy laws. These include the federal Electronic Communications Privacy
Act ("ECPA"), originally enacted in response to Watergate, which now
prohibits many electronic variations on wiretapping by both government and
private parties. There are also many other federal and state privacy laws
and, of course, Constitutional protections against unreasonable search and
seizure.

- 1st Amendment. The Constitutional rights to freedom of speech and freedom
of the press apply fully to electronic messaging operations of all kinds.

- Criminal laws. There are two major kinds of criminal laws. First, there
are the "substantive" laws that define and outlaw certain activities. These
include computer-specific laws, like the Computer Fraud and Abuse Act and
Counterfeit Access Device Act on the federal level, and many computer crime
laws on the state level. Many criminal laws not specific to "computer
crime" can also apply in a network context, including laws against stealing
credit card codes, laws against obscenity, wire fraud laws, RICO, drug
laws, gambling laws, etc.

The other major set of legal rules, "procedural" rules, puts limits on law
enforcement activities. These are found both in statutes, and in rulings of
the Supreme Court and other high courts on the permissible conduct of
government agents. Such rules include the ECPA, which prohibits wiretapping
without a proper warrant; and federal and state rules and laws spelling out
warrant requirements, arrest requirements, and evidence seizure and
retention requirements.

- Copyrights. Much of the material found in on-line systems and in networks
is copyrightable, including text files, image files, audio files, and
software.

- Moral Rights. Closely related to copyrights, they include the rights of
paternity (choosing to have your name associated or not associated with
your "work") and integrity (the right not to have your "work" altered or
mutilated). These rights are brand new in U.S. law (they originated in
Europe), and their shape in electronic networks will not be settled for
quite a while.

- Trademarks. Anything used as a "brand name" in a network context can be a
trademark. This includes all BBS names, and names for on-line services of
all kinds. Materials other than names might also be protected under
trademark law as "trade dress": distinctive sign-on screen displays for
BBS's, the recurring visual motifs used throughout videotext services, etc.

- Right of Publicity. Similar to trademarks, it gives people the right to
stop others from using their name to make money. Someone with a famous
on-line name or handle has a property right in that name.

- Confidential Information. Information that is held in secrecy by the
owner, transferred only under non-disclosure agreements, and preferably
handled only in encrypted form, can be owned as a trade secret or other
confidential property. This type of legal protection is used as a means of
asserting ownership in confidential databases, from mailing lists to
industrial research.

- Contracts. Contracts account for as much of the regulation of network
operations as all of the other laws put together.

The contract between an on-line service user and the service provider is
the basic source of rights between them. You can use contracts to create
new rights, and to alter or surrender your existing rights under state and
federal laws.

For example, if a bulletin board system operator "censors" a user by
removing a public posting, that user will have a hard time showing his
freedom of speech was violated. Private system operators are not subject to
the First Amendment (which is focused on government, not private, action).
However, the user may have rights to prevent censorship under his direct
contract with the BBS or system operators.

You can use contracts to create entire on-line legal regimes. For example,
banks use contracts to create private electronic funds transfer networks,
with sets of rules that apply only within those networks. These rules
specify on a global level which activities are permitted and which are not,
the terms of access to nearby systems and (sometimes) to remote systems,
and how to resolve problems between network members.

Beyond the basic contract between system and user, there are many other
contracts made on-line. These include the services you find in a
CompuServe, GEnie or Prodigy, such as stock quote services, airline
reservation services, trademark search services, and on-line stores. They
also include user-to-user contracts formed through e-mail. In fact, there
is a billion-dollar "industry" referred to as "EDI" (for Electronic Data
Interchange), in which companies exchange purchase orders for goods and
services directly via computers and computer networks.

- People's Rights Not to be Injured. People have the right not to be
injured when they venture into cyberspace. These rights include the right
not to be libelled or defamed by others on-line, rights against having your
on-line materials stolen or damaged, rights against having your computer
damaged by intentionally harmful files that you have downloaded (such as
files containing computer "viruses"), and so on.

There is no question these rights exist and can be enforced against other
users who cause such injuries. Currently, it is uncertain whether system
operators who oversee the systems can also be held responsible for such
user injuries.

- Financial Laws. These include laws like Regulations E & Z of the Federal
Reserve Board, which are consumer protection laws that apply to credit
cards, cash cards, and all other forms of electronic banking.

- Securities Laws. The federal and state securities laws apply to various
kinds of on-line investment related activities, such as trading in
securities and other investment vehicles, investment advisory services,
market information services and investment management services.

- Education Laws. Some organizations are starting to offer on-line degree
programs. State education laws and regulations come into play on all
aspects of such services.

The list goes on, but we have to end it somewhere. As it stands, this list
should give the reader a good idea of just how regulated cyberspace already
is.

LAWS OR CONFUSION?

The legal picture in cyberspace is very confused, for several reasons.

First, the sheer number of laws in cyberspace, in itself, can create a
great deal of confusion. Second, there can be several different kinds of
laws relating to a single activity, with each law pointing to a different
result.

Third, conflicts can arise in networks between different laws on the same
subject. These include conflicts between federal and state laws, as in the
areas of criminal laws and the right to privacy; conflicts between the laws
of two or more states, which will inevitably arise for networks whose user
base crosses state lines; and even conflicts between laws from the same
governmental authority where two or more different laws overlap. The last
is very common, especially in laws relating to networks and computer law.

Some examples of the interactions between conflicting laws are considered
below, from the viewpoint of an on-line system operator.

1. System Operators' Liability for "Criminal" Activities.

Many different activities can create criminal liabilities for service
providers, including:

- distributing viruses and other dangerous program code;

- publishing "obscene" materials;

- trafficking in stolen credit card numbers and other unauthorized access
data;

- trafficking in pirated software;

- and acting as an accomplice, accessory or conspirator in these and other
activities.

The acts comprising these different violations are separately defined in
statutes and court cases on both the state and federal levels.

For prosecutors and law enforcers, this is a vast array of options for
pursuing wrongdoers. For service providers, it's a roulette wheel of risk.

Faced with such a huge diversity of criminal possibilities, few service
providers will carefully analyze the exact laws that may apply, or the
latest case law developments for each type of criminal activity. Who has
the time? For system operators who just want to "play it safe", there is a
strong incentive to do something much simpler: Figure out ways to restrict
user conduct on their systems that will minimize their risk under *any*
criminal law.

The system operator that chooses this highly restrictive route may not
allow any e-mail, for fear that he might be liable for the activities of
some secret drug ring, kiddie porn ring or stolen credit card code ring.
The system operator may ban all sexually suggestive materials, for fear
that the extreme anti-obscenity laws of some user's home town might apply
to his system. The system operator may not permit transfer of program files
through his system, except for files he personally checks out, for fear
that he could be accused of assisting in distributing viruses, trojans or
pirated software; and so on.

In this way, the most restrictive criminal laws that might apply to a given
on-line service (which could emanate, for instance, from one very
conservative state within the system's service area) could end up
restricting the activities of system operators all over the nation, if they
happen to have a significant user base in that state. This results in less
freedom for everyone in the network environment.

2. Federal vs. State Rights of Privacy.

Few words have been spoken in the press about network privacy laws in each
of the fifty states (as opposed to federal laws). However, what the privacy
protection of the federal Electronic Communications Privacy Act ("ECPA")
does not give you, state laws may.

This was the theory of the recent Epson e-mail case. An ex-employee
claimed that Epson acted illegally in requiring her to monitor e-mail
conversations of other employees. She did not sue under the ECPA, but under
the California Penal Code section prohibiting employee surveillance of
employee conversations.

The trial judge denied her claim. In his view, the California law only
applied to interceptions of oral telephone discussions, and not to visual
communication on video display monitors. Essentially, he held that the
California law had not caught up to modern technology - making this law
apply to e-mail communications was a job for the state legislature, not
local judges.

Beyond acknowledging that the California law was archaic and not applicable
to e-mail, we should understand that the Epson case takes place in a
special legal context - the workplace. E-mail user rights against
workplace surveillance are undeniably important, but in our legal and
political system they always must be "balanced" (i.e., weakened) against the
right of the employer to run his shop his own way. Employers' rights may
end up weighing more heavily against workers' rights for company e-mail
systems than for voice telephone conversations, at least for employers who
use intra-company e-mail systems as an essential backbone of their
business. Fortunately, this particular skewing factor does not apply to
*public* communications systems.

I believe that many more attempts to establish e-mail privacy under state
laws are possible, and will be made in the future. This is good news for
privacy advocates, a growing and increasingly vocal group these days.

It is mixed news, however, for operators of BBS's and other on-line
services. Most on-line service providers operate on an interstate basis -
all it takes to gain this status is a few calls from other states every now
and then. If state privacy laws apply to on-line systems, then every BBS
operator will be subject to the privacy laws of every state in which one or
more of his users are located! This can lead to confusion, and inability to
set reasonable or predictable system privacy standards.

It can also lead to the effect described above in the discussion of
criminal liability. On-line systems might be set up "defensively", to cope
with the most restrictive privacy laws that might apply to them. This could
result in declarations of *absolutely no privacy* on some systems, and
highly secure setups on others, depending on the individual system
operator's inclinations.

3. Pressure on Privacy Rights Created by Risks to Service Providers.

There are two main kinds of legal risks faced by a system operator. First,
the risk that the system operator himself will be found criminally guilty
or civilly liable for being involved in illegal activities on his system,
leading to fines, jail, money damages, confiscation of system, criminal
record, etc.

Second, the risk of having his system confiscated, not because he did
anything wrong, but because someone else did something suspicious on his
system. As discussed above, a lot of criminal activity can take place on a
system when the system operator isn't looking. In addition, certain
non-criminal activities on the system could lead to system confiscation,
such as copyright or trade secret infringement.

This second kind of risk is very real. It is exactly what happened to Steve
Jackson Games last year. Law enforcement agents seized Steve's computer
(which ran a BBS), not because they thought he did anything wrong, but
because they were tracking an allegedly evil computer hacker group called
the "Legion of Doom". Apparently, they thought the group "met" and
conspired on his BBS. A year later, much of the dust has cleared, and the
Electronic Frontier Foundation is funding a lawsuit against the federal
agents who seized the system. Unfortunately, even if he wins the case Steve
can't get back the business he lost. To this day, he still has not regained
all of his possessions that were seized by the authorities.

For now, system operators do not have a great deal of control over
government or legal interference with their systems. You can be a solid
citizen and report every crime you suspect may be happening using your
system. Yet the chance remains that tonight, the feds will be knocking on
*your* door looking for an "evil hacker group" hiding in your BBS.

This Keystone Kops style of "law enforcement" can turn system operators
into surrogate law enforcement agents. System operators who fear random
system confiscation will be tempted to monitor private activities on their
systems, intruding on the privacy of their users. Such intrusion can take
different forms. Some system operators may declare that there will be no
private discussions, so they can review and inspect everything. More
hauntingly, system operators may indulge in surreptitious sampling of
private e-mail, just to make sure no one's doing anything that will make
the cops come in and haul away their BBS computer systems (By the way, I
personally don't advocate either of these things).

This situation can be viewed as a way for law enforcement agents to do an
end run around the ECPA's bar on government interception of electronic
messages. What the agents can't intercept directly, they might get through
fearful system operators. Even if you don't go for such conspiracy
theories, the random risk of system confiscation puts great pressure on the
privacy rights of on-line system users.

4. Contracts Versus Other Rights.

Most, perhaps all, of the rights between system operators and system users
can be modified by the basic service contract between them. For instance,
the federal ECPA gives on-line service users certain privacy rights. It
conspicuously falls short, however, by not protecting users from privacy
intrusions by the system operator himself.

Through contract, the system operator and the user can in effect override
the ECPA exception, and agree that the system operator will not read
private e-mail. Some system operators may go the opposite direction, and
impose a contractual rule that users should not expect any privacy in their
e-mail.

Another example of the power of contracts in the on-line environment
occurred recently on the Well, a national system based in San Francisco
(and highly recommended to all those interested in discussing on-line legal
issues). A Well user complained that a message he had posted in one Well
conference area had been cross-posted by other users to a different
conference area without his permission.

A lengthy, lively discussion among Well users followed, debating the
problem. One of the major benchmarks for this discussion was the basic
service agreement between the Well and its users. And a proposed resolution
of the issue was to clarify the wording of that fundamental agreement.
Although "copyrights" were discussed, the agreement between the Well and
its users was viewed as a more important source of the legitimate rights
and expectations of Well users.

Your state and federal "rights" against other on-line players may not be
worth fighting over if you can get a contract giving you the rights you
want. In the long run, the contractual solution may be the best way to set
up a decent networked on-line system environment, except for the old
bogeyman of government intrusion (against whom we will all still need our
"rights", Constitutional and otherwise).

CONCLUSION

There are many different laws that system operators must heed in running
their on-line services. This can lead to restricting system activities
under the most oppressive legal standards, and to unpredictable,
system-wide interactions between the effects of the different laws.

The "net" result of this problem can be undue restrictions on the
activities of system operators and users alike.

The answers to this problem are simple in concept, but not easy to execute.
First, enact (or re-enact) all laws regarding electronic services on a
national level only, overriding individual state control of system
operators' activities in cyberspace. It's time to realize that provincial
state laws only hinder proper development of interstate electronic systems.

As yet, there is little movement in enacting nationally effective laws.
Isolated instances include the Electronic Communications Privacy Act and
the Computer Fraud and Abuse Act, which place federal "floors" beneath
privacy protection and certain types of computer crime, respectively. On
the commercial side, the new Article 4A of the Uniform Commercial Code,
which normalizes on-line commercial transactions, is ready for adoption by
the fifty states.

Second, all laws regulating on-line systems must be carefully designed to
interact well with other such laws. The goal is to create a well-defined,
reasonable legal environment for system operators and users.

The EFF is fighting hard on this front, especially in the areas of freedom
of the press, rights of privacy, and rights against search and seizure for
on-line systems. Reducing government intrusion in these areas will help
free up cyberspace for bigger and better things.

However, the fight is just beginning today.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Lance Rose is an attorney who works primarily in the fields of computer and
high technology law and intellectual property. His clients include on-line
publishers, electronic funds transfer networks, data transmission services,
individual system operators, and shareware authors and vendors. He is
currently revising SYSLAW, The Sysop's Legal Manual. Lance is a partner in
the New York City firm of Greenspoon, Srager, Gaynin, Daichman & Marino,
and can be reached by voice at (212)888-6880, on the Well as "elrose", and
on CompuServe at 72230,2044.

Copyright 1991 Lance Rose

Downloaded From P-80 International Information Systems 304-744-2253