451 lines
22 KiB
Plaintext
451 lines
22 KiB
Plaintext
|
|
Cyberspace and the Legal Matrix: Laws or Confusion?
|
|
|
|
Cyberspace, the "digital world", is emerging as a global
|
|
arena of social, commercial and political relations. By
|
|
"Cyberspace", I mean the sum total of all electronic messaging
|
|
and information systems, including BBS's, commercial data
|
|
services, research data networks, electronic publishing, networks
|
|
and network nodes, e-mail systems, electronic data interchange
|
|
systems, and electronic funds transfer systems.
|
|
|
|
Many like to view life in the electronic networks as a "new
|
|
frontier", and in certain ways that remains true. Nonetheless,
|
|
people remain people, even behind the high tech shimmer. Not
|
|
surprisingly, a vast matrix of laws and regulations has trailed
|
|
people right into cyberspace.
|
|
|
|
Most of these laws are still under construction for the new
|
|
electronic environment. Nobody is quite sure of exactly how they
|
|
actually apply to electronic network situations. Nonetheless,
|
|
the major subjects of legal concern can now be mapped out fairly
|
|
well, which we will do in this section of the article. In the
|
|
second section, we will look at some of the ways in which the old
|
|
laws have trouble fitting together in cyberspace, and suggest
|
|
general directions for improvement.
|
|
|
|
LAWS ON PARADE
|
|
|
|
- Privacy laws. These include the federal Electronic
|
|
Communications Privacy Act ("ECPA"), originally enacted in
|
|
response to Watergate, and which now prohibits many
|
|
electronic variations on wiretapping by both government and
|
|
private parties. There are also many other federal and
|
|
state privacy laws and, of course, Constitutional
|
|
protections against unreasonable search and seizure.
|
|
|
|
- 1st Amendment. The Constitutional rights to freedom of
|
|
speech and freedom of the press apply fully to electronic
|
|
messaging operations of all kinds.
|
|
|
|
- Criminal laws. There are two major kinds of criminal laws.
|
|
First, the "substantive" laws that define and outlaw certain
|
|
activities. These include computer-specific laws, like the
|
|
Computer Fraud and Abuse Act and Counterfeit Access Device
|
|
Act on the federal level, and many computer crime laws on
|
|
the state level. Many criminal laws not specific to
|
|
"computer crime" can also apply in a network context,
|
|
including laws against stealing credit card codes, laws
|
|
against obscenity, wire fraud laws, RICO, drug laws,
|
|
gambling laws, etc.
|
|
|
|
The other major set of legal rules, "procedural" rules, puts
|
|
limits on law enforcement activities. These are found both
|
|
in statutes, and in rulings of the Supreme Court and other
|
|
high courts on the permissible conduct of government agents.
|
|
Such rules include the ECPA, which prohibits wiretapping
|
|
without a proper warrant; and federal and state rules and
|
|
laws spelling out warrant requirements, arrest requirements,
|
|
and evidence seizure and retention requirements.
|
|
|
|
- Copyrights. Much of the material found in on-line systems
|
|
and in networks is copyrightable, including text files,
|
|
image files, audio files, and software.
|
|
|
|
- Moral Rights. Closely related to copyrights, they include
|
|
the rights of paternity (choosing to have your name
|
|
associated or not associated with your "work") and integrity
|
|
(the right not to have your "work" altered or mutilated).
|
|
These rights are brand new in U.S. law (they originated in
|
|
Europe), and their shape in electronic networks will not be
|
|
settled for quite a while.
|
|
|
|
- Trademarks. Anything used as a "brand name" in a network
|
|
context can be a trademark. This includes all BBS names,
|
|
and names for on-line services of all kinds. Materials
|
|
other than names might also be protected under trademark law
|
|
as "trade dress": distinctive sign-on screen displays for
|
|
BBS's, the recurring visual motifs used throughout videotext
|
|
services, etc.
|
|
|
|
- Right of Publicity. Similar to trademarks, it gives people
|
|
the right to stop others from using their name to make
|
|
money. Someone with a famous on-line name or handle has a
|
|
property right in that name.
|
|
|
|
- Confidential Information. Information that is held in
|
|
secrecy by the owner, transferred only under non-disclosure
|
|
agreements, and preferably handled only in encrypted form,
|
|
can be owned as a trade secret or other confidential
|
|
property. This type of legal protection is used as a means
|
|
of asserting ownership in confidential databases, from
|
|
mailing lists to industrial research.
|
|
|
|
- Contracts. Contracts account for as much of the regulation
|
|
of network operations as all of the other laws put together.
|
|
|
|
The contract between an on-line service user and the service
|
|
provider is the basic source of rights between them. You
|
|
can use contracts to create new rights, and to alter or
|
|
surrender your existing rights under state and federal laws.
|
|
|
|
For example, if a bulletin board system operator "censors" a
|
|
user by removing a public posting, that user will have a
|
|
hard time showing his freedom of speech was violated.
|
|
Private system operators are not subject to the First
|
|
Amendment (which is focused on government, not private,
|
|
action). However, the user may have rights to prevent
|
|
censorship under his direct contract with the BBS or system
|
|
operators.
|
|
|
|
You can use contracts to create entire on-line legal
|
|
regimes. For example, banks use contracts to create private
|
|
electronic funds transfer networks, with sets of rules that
|
|
apply only within those networks. These rules specify on a
|
|
global level which activities are permitted and which are
|
|
not, the terms of access to nearby systems and (sometimes)
|
|
to remote systems, and how to resolve problems between
|
|
network members.
|
|
|
|
Beyond the basic contract between system and user, there are
|
|
many other contracts made on-line. These include the
|
|
services you find in a CompuServe, GEnie or Prodigy, such as
|
|
stock quote services, airline reservation services,
|
|
trademark search services, and on-line stores. They also
|
|
include user-to-user contracts formed through e-mail. In
|
|
fact, there is a billion-dollar "industry" referred to as
|
|
"EDI" (for Electronic Data Interchange), in which companies
|
|
exchange purchase orders for goods and services directly via
|
|
computers and computer networks.
|
|
|
|
- Peoples' Rights Not to be Injured. People have the right
|
|
not to be injured when they venture into cyberspace. These
|
|
rights include the right not to be libelled or defamed by
|
|
others on-line, rights against having your on-line materials
|
|
stolen or damaged, rights against having your computer
|
|
damaged by intentionally harmful files that you have
|
|
downloaded (such as files containing computer "viruses"),
|
|
and so on.
|
|
|
|
There is no question these rights exist and can be enforced
|
|
against other users who cause such injuries. Currently, it
|
|
is uncertain whether system operators who oversee the
|
|
systems can also be held responsible for such user injuries.
|
|
|
|
- Financial Laws. These include laws like Regulations E & Z
|
|
of the Federal Reserve Board, which are consumer protection
|
|
laws that apply to credit cards, cash cards, and all other
|
|
forms of electronic banking.
|
|
|
|
- Securities Laws. The federal and state securities laws
|
|
apply to various kinds of on-line investment related
|
|
activities, such as trading in securities and other
|
|
investment vehicles, investment advisory services, market
|
|
information services and investment management services.
|
|
|
|
- Education Laws. Some organizations are starting to offer
|
|
on-line degree programs. State education laws and
|
|
regulations come into play on all aspects of such services.
|
|
|
|
The list goes on, but we have to end it somewhere. As it
|
|
stands, this list should give the reader a good idea of just how
|
|
regulated cyberspace already is.
|
|
|
|
|
|
LAWS OR CONFUSION?
|
|
|
|
The legal picture in cyberspace is very confused, for
|
|
several reasons.
|
|
|
|
First, the sheer number of laws in cyberspace, in itself,
|
|
can create a great deal of confusion. Second, there can be
|
|
several different kinds of laws relating to a single activity,
|
|
with each law pointing to a different result.
|
|
|
|
Third, conflicts can arise in networks between different
|
|
laws on the same subject. These include conflicts between
|
|
federal and state laws, as in the areas of criminal laws and the
|
|
right to privacy; conflicts between the laws of two or more
|
|
states, which will inevitably arise for networks whose user base
|
|
crosses state lines; and even conflicts between laws from the
|
|
same governmental authority where two or more different laws
|
|
overlap. The last is very common, especially in laws relating to
|
|
networks and computer law.
|
|
|
|
Some examples of the interactions between conflicting laws
|
|
are considered below, from the viewpoint of an on-line system
|
|
operator.
|
|
|
|
1. System operators Liability for "Criminal" Activities.
|
|
|
|
Many different activities can create criminal liabilities
|
|
for service providers, including:
|
|
|
|
- distributing viruses and other dangerous program code;
|
|
|
|
- publishing "obscene" materials;
|
|
|
|
- trafficking in stolen credit card numbers and other
|
|
unauthorized access data;
|
|
|
|
- trafficking in pirated software;
|
|
|
|
- and acting as an accomplice, accessory or conspirator in
|
|
these and other activities.
|
|
|
|
The acts comprising these different violations are separately
|
|
defined in statutes and court cases on both the state and federal
|
|
levels.
|
|
|
|
For prosecutors and law enforcers, this is a vast array of
|
|
options for pursuing wrongdoers. For service providers, it's a
|
|
roulette wheel of risk.
|
|
|
|
Faced with such a huge diversity of criminal possibilities,
|
|
few service providers will carefully analyze the exact laws that
|
|
may apply, nor the latest case law developments for each type of
|
|
criminal activity. Who has the time? For system operators who
|
|
just want to "play it safe", there is a strong incentive to do
|
|
something much simpler: Figure out ways to restrict user conduct
|
|
on their systems that will minimize their risk under *any*
|
|
criminal law.
|
|
|
|
The system operator that chooses this highly restrictive
|
|
route may not allow any e-mail, for fear that he might be liable
|
|
for the activities of some secret drug ring, kiddie porn ring or
|
|
stolen credit card code ring. The system operator may ban all
|
|
sexually suggestive materials, for fear that the extreme anti-
|
|
obscenity laws of some user's home town might apply to his
|
|
system. The system operator may not permit transfer of program
|
|
files through his system, except for files he personally checks
|
|
out, for fear that he could be accused of assisting in
|
|
distributing viruses, trojans or pirated software; and so on.
|
|
|
|
In this way, the most restrictive criminal laws that might
|
|
apply to a given on-line service (which could emanate, for
|
|
instance, from one very conservative state within the system's
|
|
service area) could end up restricting the activities of system
|
|
operators all over the nation, if they happen to have a
|
|
significant user base in that state. This results in less
|
|
freedom for everyone in the network environment.
|
|
|
|
2. Federal vs. State Rights of Privacy.
|
|
|
|
Few words have been spoken in the press about network
|
|
privacy laws in each of the fifty states (as opposed to federal
|
|
laws). However, what the privacy protection of the federal
|
|
Electronic Communications Privacy Act ("ECPA") does not give you,
|
|
state laws may.
|
|
|
|
This was the theory of the recent Epson e-mail case. An ex-
|
|
employee claimed that Epson acted illegally in requiring her to
|
|
monitor e-mail conversations of other employees. She did not sue
|
|
under the ECPA, but under the California Penal Code section
|
|
prohibiting employee surveillance of employee conversations.
|
|
|
|
The trial judge denied her claim. In his view, the
|
|
California law only applied to interceptions of oral telephone
|
|
discussions, and not to visual communication on video display
|
|
monitors. Essentially, he held that the California law had not
|
|
caught up to modern technology - making this law apply to e-mail
|
|
communications was a job for the state legislature, not local
|
|
judges.
|
|
|
|
Beyond acknowledging that the California law was archaic and
|
|
not applicable to e-mail, we should understand that the Epson
|
|
case takes place in a special legal context - the workplace. E-
|
|
mail user rights against workplace surveillance are undeniably
|
|
important, but in our legal and political system they always must
|
|
be "balanced" (ie., weakened) against the right of the employer
|
|
to run his shop his own way. Employers' rights may end up
|
|
weighing more heavily against workers' rights for company e-mail
|
|
systems than for voice telephone conversations, at least for
|
|
employers who use intra-company e-mail systems as an essential
|
|
backbone of their business. Fortunately, this particular skewing
|
|
factor does not apply to *public* communications systems.
|
|
|
|
I believe that many more attempts to establish e-mail
|
|
privacy under state laws are possible, and will be made in the
|
|
future. This is good news for privacy advocates, a growing and
|
|
increasingly vocal group these days.
|
|
|
|
It is mixed news, however, for operators of BBS's and other
|
|
on-line services. Most on-line service providers operate on an
|
|
interstate basis - all it takes to gain this status is a few
|
|
calls from other states every now and then. If state privacy
|
|
laws apply to on-line systems, then every BBS operator will be
|
|
subject to the privacy laws of every state in which one or more
|
|
of his users are located! This can lead to confusion, and
|
|
inability to set reasonable or predictable system privacy
|
|
standards.
|
|
|
|
It can also lead to the effect described above in the
|
|
discussion of criminal liability. On-line systems might be set
|
|
up "defensively", to cope with the most restrictive privacy laws
|
|
that might apply to them. This could result in declarations of
|
|
*absolutely no privacy* on some systems, and highly secure setups
|
|
on others, depending on the individual system operator's
|
|
inclinations.
|
|
|
|
3. Pressure on Privacy Rights Created by Risks to Service
|
|
Providers.
|
|
|
|
There are two main kinds of legal risks faced by a system
|
|
operator. First, the risk that the system operator himself will
|
|
be found criminally guilty or civilly liable for being involved
|
|
in illegal activities on his system, leading to fines, jail,
|
|
money damages, confiscation of system, criminal record, etc.
|
|
|
|
Second, the risk of having his system confiscated, not
|
|
because he did anything wrong, but because someone else did
|
|
something suspicious on his system. As discussed above, a lot of
|
|
criminal activity can take place on a system when the system
|
|
operator isn't looking. In addition, certain non-criminal
|
|
activities on the system could lead to system confiscation, such
|
|
copyright or trade secret infringement.
|
|
|
|
This second kind of risk is very real. It is exactly what
|
|
happened to Steve Jackson Games last year. Law enforcement
|
|
agents seized Steve's computer (which ran a BBS), not because
|
|
they thought he did anything wrong, but because they were
|
|
tracking an allegedly evil computer hacker group called the
|
|
"Legion of Doom". Apparently, they thought the group "met" and
|
|
conspired on his BBS. A year later, much of the dust has
|
|
cleared, and the Electronic Frontier Foundation is funding a
|
|
lawsuit against the federal agents who seized the system.
|
|
Unfortunately, even if he wins the case Steve can't get back the
|
|
business he lost. To this day, he still has not regained all of
|
|
his possessions that were seized by the authorities.
|
|
|
|
For now, system operators do not have a great deal of
|
|
control over government or legal interference with their systems.
|
|
You can be a solid citizen and report every crime you suspect may
|
|
be happening using your system. Yet the chance remains that
|
|
tonight, the feds will be knocking on *your* door looking for an
|
|
"evil hacker group" hiding in your BBS.
|
|
|
|
This Keystone Kops style of "law enforcement" can turn
|
|
system operators into surrogate law enforcement agents. System
|
|
operators who fear random system confiscation will be tempted to
|
|
monitor private activities on their systems, intruding on the
|
|
privacy of their users. Such intrusion can take different forms.
|
|
Some system operators may declare that there will be no private
|
|
discussions, so they can review and inspect everything. More
|
|
hauntingly, system operators may indulge in surreptitious
|
|
sampling of private e-mail, just to make sure no one's doing
|
|
anything that will make the cops come in and haul away their BBS
|
|
computer systems (By the way, I personally don't advocate either
|
|
of these things).
|
|
|
|
This situation can be viewed as a way for law enforcement
|
|
agents to do an end run around the ECPA's bar on government
|
|
interception of electronic messages. What the agents can't
|
|
intercept directly, they might get through fearful system
|
|
operators. Even if you don't go for such conspiracy theories,
|
|
the random risk of system confiscation puts great pressure on the
|
|
privacy rights of on-line system users.
|
|
|
|
4. Contracts Versus Other Rights.
|
|
|
|
Most, perhaps all, of the rights between system operators
|
|
and system users can be modified by the basic service contract
|
|
between them. For instance, the federal ECPA gives on-line
|
|
service users certain privacy rights. It conspicuously falls
|
|
short, however, by not protecting users from privacy intrusions
|
|
by the system operator himself.
|
|
|
|
Through contract, the system operator and the user can in
|
|
effect override the ECPA exception, and agree that the system
|
|
operator will not read private e-mail. Some system operators may
|
|
go the opposite direction, and impose a contractual rule that
|
|
users should not expect any privacy in their e-mail.
|
|
|
|
Another example of the power of contracts in the on-line
|
|
environment occurred recently on the Well, a national system
|
|
based in San Francisco (and highly recommended to all those
|
|
interested in discussing on-line legal issues). A Well user
|
|
complained that a message he had posted in one Well conference
|
|
area had been cross-posted by other users to a different
|
|
conference area without his permission.
|
|
|
|
A lengthy, lively discussion among Well users followed,
|
|
debating the problem. One of the major benchmarks for this
|
|
discussion was the basic service agreement between the Well and
|
|
its users. And a proposed resolution of the issue was to clarify
|
|
the wording of that fundamental agreement. Although "copyrights"
|
|
were discussed, the agreement between the Well and its users was
|
|
viewed as a more important source of the legitimate rights and
|
|
expectations of Well users.
|
|
|
|
Your state and federal "rights" against other on-line
|
|
players may not be worth fighting over if you can get a contract
|
|
giving you the rights you want. In the long run, the contractual
|
|
solution may be the best way to set up a decent networked on-
|
|
line system environment, except for the old bogeyman of
|
|
government intrusion (against whom we will all still need our
|
|
"rights", Constitutional and otherwise).
|
|
|
|
CONCLUSION
|
|
|
|
There are many different laws that system operators must
|
|
heed in running their on-line services. This can lead to
|
|
restricting system activities under the most oppressive legal
|
|
standards, and to unpredictable, system-wide interactions between
|
|
the effects of the different laws.
|
|
|
|
The "net" result of this problem can be undue restrictions
|
|
on the activities of system operators and users alike.
|
|
|
|
The answers to this problem are simple in concept, but not
|
|
easy to execute. First, enact (or re-enact) all laws regarding
|
|
electronic services on a national level only, overriding
|
|
individual state control of system operators activities in
|
|
cyberspace. It's time to realize that provincial state laws only
|
|
hinder proper development of interstate electronic systems.
|
|
|
|
As yet, there is little movement in enacting nationally
|
|
effective laws. Isolated instances include the Electronic
|
|
Communications Privacy Act and the Computer Fraud and Abuse Act,
|
|
which place federal "floors" beneath privacy protection and
|
|
certain types of computer crime, respectively. On the commercial
|
|
side, the new Article 4A of the Uniform Commercial Code, which
|
|
normalizes on-line commercial transactions, is ready for adoption
|
|
by the fifty states.
|
|
|
|
Second, all laws regulating on-line systems must be
|
|
carefully designed to interact well with other such laws. The
|
|
goal is to create a well-defined, reasonable legal environment
|
|
for system operators and users.
|
|
|
|
The EFF is fighting hard on this front, especially in the
|
|
areas of freedom of the press, rights of privacy, and rights
|
|
against search and seizure for on-line systems. Reducing
|
|
government intrusion in these areas will help free up cyberspace
|
|
for bigger and better things.
|
|
|
|
However, the fight is just beginning today.
|
|
|
|
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|
|
|
|
Lance Rose is an attorney who works primarily in the fields of
|
|
computer and high technology law and intellectual property. His
|
|
clients include on-line publishers, electronic funds transfer
|
|
networks, data transmission services, individual system
|
|
operators, and shareware authors and vendors. He is currently
|
|
revising SYSLAW, The Sysop's Legal Manual. Lance is a partner in
|
|
the New York City firm of Greenspoon, Srager, Gaynin, Daichman &
|
|
Marino, and can be reached by voice at (212)888-6880, on the Well
|
|
as "elrose", and on CompuServe at 72230,2044.
|
|
|
|
Copyright 1991 Lance Rose
|