elrose@well.sf.ca.us (Lance Rose) (06/19/91)
Cyberspace and the Legal Matrix: Laws or Confusion?
Cyberspace, the "digital world", is emerging as a global
arena of social, commercial and political relations. By
"Cyberspace", I mean the sum total of all electronic messaging
and information systems, including BBS's, commercial data
services, research data networks, electronic publishing, networks
and network nodes, e-mail systems, electronic data interchange
systems, and electronic funds transfer systems.
Many like to view life in the electronic networks as a "new
frontier", and in certain ways that remains true. Nonetheless,
people remain people, even behind the high tech shimmer. Not
surprisingly, a vast matrix of laws and regulations has trailed
people right into cyberspace.
Most of these laws are still under construction for the new
electronic environment. Nobody is quite sure of exactly how they
actually apply to electronic network situations. Nonetheless,
the major subjects of legal concern can now be mapped out fairly
well, which we will do in this section of the article. In the
second section, we will look at some of the ways in which the old
laws have trouble fitting together in cyberspace, and suggest
general directions for improvement.
LAWS ON PARADE
- Privacy laws. These include the federal Electronic
Communications Privacy Act ("ECPA"), originally enacted in
response to Watergate, and which now prohibits many
electronic variations on wiretapping by both government and
private parties. There are also many other federal and
state privacy laws and, of course, Constitutional
protections against unreasonable search and seizure.
- 1st Amendment. The Constitutional rights to freedom of
speech and freedom of the press apply fully to electronic
messaging operations of all kinds.
- Criminal laws. There are two major kinds of criminal laws.
First, the "substantive" laws that define and outlaw certain
activities. These include computer-specific laws, like the
Computer Fraud and Abuse Act and Counterfeit Access Device
Act on the federal level, and many computer crime laws on
the state level. Many criminal laws not specific to
"computer crime" can also apply in a network context,
including laws against stealing credit card codes, laws
against obscenity, wire fraud laws, RICO, drug laws,
gambling laws, etc.
The other major set of legal rules, "procedural" rules, puts
limits on law enforcement activities. These are found both
in statutes, and in rulings of the Supreme Court and other
high courts on the permissible conduct of government agents.
Such rules include the ECPA, which prohibits wiretapping
without a proper warrant; and federal and state rules and
laws spelling out warrant requirements, arrest requirements,
and evidence seizure and retention requirements.
- Copyrights. Much of the material found in on-line systems
and in networks is copyrightable, including text files,
image files, audio files, and software.
- Moral Rights. Closely related to copyrights, they include
the rights of paternity (choosing to have your name
associated or not associated with your "work") and integrity
(the right not to have your "work" altered or mutilated).
These rights are brand new in U.S. law (they originated in
Europe), and their shape in electronic networks will not be
settled for quite a while.
- Trademarks. Anything used as a "brand name" in a network
context can be a trademark. This includes all BBS names,
and names for on-line services of all kinds. Materials
other than names might also be protected under trademark law
as "trade dress": distinctive sign-on screen displays for
BBS's, the recurring visual motifs used throughout videotext
services, etc.
- Right of Publicity. Similar to trademarks, it gives people
the right to stop others from using their name to make
money. Someone with a famous on-line name or handle has a
property right in that name.
- Confidential Information. Information that is held in
secrecy by the owner, transferred only under non-disclosure
agreements, and preferably handled only in encrypted form,
can be owned as a trade secret or other confidential
property. This type of legal protection is used as a means
of asserting ownership in confidential databases, from
mailing lists to industrial research.
- Contracts. Contracts account for as much of the regulation
of network operations as all of the other laws put together.
The contract between an on-line service user and the service
provider is the basic source of rights between them. You
can use contracts to create new rights, and to alter or
surrender your existing rights under state and federal laws.
For example, if a bulletin board system operator "censors" a
user by removing a public posting, that user will have a
hard time showing his freedom of speech was violated.
Private system operators are not subject to the First
Amendment (which is focused on government, not private,
action). However, the user may have rights to prevent
censorship under his direct contract with the BBS or system
operators.
You can use contracts to create entire on-line legal
regimes. For example, banks use contracts to create private
electronic funds transfer networks, with sets of rules that
apply only within those networks. These rules specify on a
global level which activities are permitted and which are
not, the terms of access to nearby systems and (sometimes)
to remote systems, and how to resolve problems between
network members.
Beyond the basic contract between system and user, there are
many other contracts made on-line. These include the
services you find in a CompuServe, GEnie or Prodigy, such as
stock quote services, airline reservation services,
trademark search services, and on-line stores. They also
include user-to-user contracts formed through e-mail. In
fact, there is a billion-dollar "industry" referred to as
"EDI" (for Electronic Data Interchange), in which companies
exchange purchase orders for goods and services directly via
computers and computer networks.
- Peoples' Rights Not to be Injured. People have the right
not to be injured when they venture into cyberspace. These
rights include the right not to be libelled or defamed by
others on-line, rights against having your on-line materials
stolen or damaged, rights against having your computer
damaged by intentionally harmful files that you have
downloaded (such as files containing computer "viruses"),
and so on.
There is no question these rights exist and can be enforced
against other users who cause such injuries. Currently, it
is uncertain whether system operators who oversee the
systems can also be held responsible for such user injuries.
- Financial Laws. These include laws like Regulations E & Z
of the Federal Reserve Board, which are consumer protection
laws that apply to credit cards, cash cards, and all other
forms of electronic banking.
- Securities Laws. The federal and state securities laws
apply to various kinds of on-line investment related
activities, such as trading in securities and other
investment vehicles, investment advisory services, market
information services and investment management services.
- Education Laws. Some organizations are starting to offer
on-line degree programs. State education laws and
regulations come into play on all aspects of such services.
The list goes on, but we have to end it somewhere. As it
stands, this list should give the reader a good idea of just how
regulated cyberspace already is.
LAWS OR CONFUSION?
The legal picture in cyberspace is very confused, for
several reasons.
First, the sheer number of laws in cyberspace, in itself,
can create a great deal of confusion. Second, there can be
several different kinds of laws relating to a single activity,
with each law pointing to a different result.
Third, conflicts can arise in networks between different
laws on the same subject. These include conflicts between
federal and state laws, as in the areas of criminal laws and the
right to privacy; conflicts between the laws of two or more
states, which will inevitably arise for networks whose user base
crosses state lines; and even conflicts between laws from the
same governmental authority where two or more different laws
overlap. The last is very common, especially in laws relating to
networks and computer law.
Some examples of the interactions between conflicting laws
are considered below, from the viewpoint of an on-line system
operator.
1. System operators Liability for "Criminal" Activities.
Many different activities can create criminal liabilities
for service providers, including:
- distributing viruses and other dangerous program code;
- publishing "obscene" materials;
- trafficking in stolen credit card numbers and other
unauthorized access data;
- trafficking in pirated software;
- and acting as an accomplice, accessory or conspirator in
these and other activities.
The acts comprising these different violations are separately
defined in statutes and court cases on both the state and federal
levels.
For prosecutors and law enforcers, this is a vast array of
options for pursuing wrongdoers. For service providers, it's a
roulette wheel of risk.
Faced with such a huge diversity of criminal possibilities,
few service providers will carefully analyze the exact laws that
may apply, nor the latest case law developments for each type of
criminal activity. Who has the time? For system operators who
just want to "play it safe", there is a strong incentive to do
something much simpler: Figure out ways to restrict user conduct
on their systems that will minimize their risk under *any*
criminal law.
The system operator that chooses this highly restrictive
route may not allow any e-mail, for fear that he might be liable
for the activities of some secret drug ring, kiddie porn ring or
stolen credit card code ring. The system operator may ban all
sexually suggestive materials, for fear that the extreme anti-
obscenity laws of some user's home town might apply to his
system. The system operator may not permit transfer of program
files through his system, except for files he personally checks
out, for fear that he could be accused of assisting in
distributing viruses, trojans or pirated software; and so on.
In this way, the most restrictive criminal laws that might
apply to a given on-line service (which could emanate, for
instance, from one very conservative state within the system's
service area) could end up restricting the activities of system
operators all over the nation, if they happen to have a
significant user base in that state. This results in less
freedom for everyone in the network environment.
2. Federal vs. State Rights of Privacy.
Few words have been spoken in the press about network
privacy laws in each of the fifty states (as opposed to federal
laws). However, what the privacy protection of the federal
Electronic Communications Privacy Act ("ECPA") does not give you,
state laws may.
This was the theory of the recent Epson e-mail case. An ex-
employee claimed that Epson acted illegally in requiring her to
monitor e-mail conversations of other employees. She did not sue
under the ECPA, but under the California Penal Code section
prohibiting employee surveillance of employee conversations.
The trial judge denied her claim. In his view, the
California law only applied to interceptions of oral telephone
discussions, and not to visual communication on video display
monitors. Essentially, he held that the California law had not
caught up to modern technology - making this law apply to e-mail
communications was a job for the state legislature, not local
judges.
Beyond acknowledging that the California law was archaic and
not applicable to e-mail, we should understand that the Epson
case takes place in a special legal context - the workplace. E-
mail user rights against workplace surveillance are undeniably
important, but in our legal and political system they always must
be "balanced" (ie., weakened) against the right of the employer
to run his shop his own way. Employers' rights may end up
weighing more heavily against workers' rights for company e-mail
systems than for voice telephone conversations, at least for
employers who use intra-company e-mail systems as an essential
backbone of their business. Fortunately, this particular skewing
factor does not apply to *public* communications systems.
I believe that many more attempts to establish e-mail
privacy under state laws are possible, and will be made in the
future. This is good news for privacy advocates, a growing and
increasingly vocal group these days.
It is mixed news, however, for operators of BBS's and other
on-line services. Most on-line service providers operate on an
interstate basis - all it takes to gain this status is a few
calls from other states every now and then. If state privacy
laws apply to on-line systems, then every BBS operator will be
subject to the privacy laws of every state in which one or more
of his users are located! This can lead to confusion, and
inability to set reasonable or predictable system privacy
standards.
It can also lead to the effect described above in the
discussion of criminal liability. On-line systems might be set
up "defensively", to cope with the most restrictive privacy laws
that might apply to them. This could result in declarations of
*absolutely no privacy* on some systems, and highly secure setups
on others, depending on the individual system operator's
inclinations.
3. Pressure on Privacy Rights Created by Risks to Service
Providers.
There are two main kinds of legal risks faced by a system
operator. First, the risk that the system operator himself will
be found criminally guilty or civilly liable for being involved
in illegal activities on his system, leading to fines, jail,
money damages, confiscation of system, criminal record, etc.
Second, the risk of having his system confiscated, not
because he did anything wrong, but because someone else did
something suspicious on his system. As discussed above, a lot of
criminal activity can take place on a system when the system
operator isn't looking. In addition, certain non-criminal
activities on the system could lead to system confiscation, such
copyright or trade secret infringement.
This second kind of risk is very real. It is exactly what
happened to Steve Jackson Games last year. Law enforcement
agents seized Steve's computer (which ran a BBS), not because
they thought he did anything wrong, but because they were
tracking an allegedly evil computer hacker group called the
"Legion of Doom". Apparently, they thought the group "met" and
conspired on his BBS. A year later, much of the dust has
cleared, and the Electronic Frontier Foundation is funding a
lawsuit against the federal agents who seized the system.
Unfortunately, even if he wins the case Steve can't get back the
business he lost. To this day, he still has not regained all of
his possessions that were seized by the authorities.
For now, system operators do not have a great deal of
control over government or legal interference with their systems.
You can be a solid citizen and report every crime you suspect may
be happening using your system. Yet the chance remains that
tonight, the feds will be knocking on *your* door looking for an
"evil hacker group" hiding in your BBS.
This Keystone Kops style of "law enforcement" can turn
system operators into surrogate law enforcement agents. System
operators who fear random system confiscation will be tempted to
monitor private activities on their systems, intruding on the
privacy of their users. Such intrusion can take different forms.
Some system operators may declare that there will be no private
discussions, so they can review and inspect everything. More
hauntingly, system operators may indulge in surreptitious
sampling of private e-mail, just to make sure no one's doing
anything that will make the cops come in and haul away their BBS
computer systems (By the way, I personally don't advocate either
of these things).
This situation can be viewed as a way for law enforcement
agents to do an end run around the ECPA's bar on government
interception of electronic messages. What the agents can't
intercept directly, they might get through fearful system
operators. Even if you don't go for such conspiracy theories,
the random risk of system confiscation puts great pressure on the
privacy rights of on-line system users.
4. Contracts Versus Other Rights.
Most, perhaps all, of the rights between system operators
and system users can be modified by the basic service contract
between them. For instance, the federal ECPA gives on-line
service users certain privacy rights. It conspicuously falls
short, however, by not protecting users from privacy intrusions
by the system operator himself.
Through contract, the system operator and the user can in
effect override the ECPA exception, and agree that the system
operator will not read private e-mail. Some system operators may
go the opposite direction, and impose a contractual rule that
users should not expect any privacy in their e-mail.
Another example of the power of contracts in the on-line
environment occurred recently on the Well, a national system
based in San Francisco (and highly recommended to all those
interested in discussing on-line legal issues). A Well user
complained that a message he had posted in one Well conference
area had been cross-posted by other users to a different
conference area without his permission.
A lengthy, lively discussion among Well users followed,
debating the problem. One of the major benchmarks for this
discussion was the basic service agreement between the Well and
its users. And a proposed resolution of the issue was to clarify
the wording of that fundamental agreement. Although "copyrights"
were discussed, the agreement between the Well and its users was
viewed as a more important source of the legitimate rights and
expectations of Well users.
Your state and federal "rights" against other on-line
players may not be worth fighting over if you can get a contract
giving you the rights you want. In the long run, the contractual
solution may be the best way to set up a decent networked on-
line system environment, except for the old bogeyman of
government intrusion (against whom we will all still need our
"rights", Constitutional and otherwise).
CONCLUSION
There are many different laws that system operators must
heed in running their on-line services. This can lead to
restricting system activities under the most oppressive legal
standards, and to unpredictable, system-wide interactions between
the effects of the different laws.
The "net" result of this problem can be undue restrictions
on the activities of system operators and users alike.
The answers to this problem are simple in concept, but not
easy to execute. First, enact (or re-enact) all laws regarding
electronic services on a national level only, overriding
individual state control of system operators activities in
cyberspace. It's time to realize that provincial state laws only
hinder proper development of interstate electronic systems.
As yet, there is little movement in enacting nationally
effective laws. Isolated instances include the Electronic
Communications Privacy Act and the Computer Fraud and Abuse Act,
which place federal "floors" beneath privacy protection and
certain types of computer crime, respectively. On the commercial
side, the new Article 4A of the Uniform Commercial Code, which
normalizes on-line commercial transactions, is ready for adoption
by the fifty states.
Second, all laws regulating on-line systems must be
carefully designed to interact well with other such laws. The
goal is to create a well-defined, reasonable legal environment
for system operators and users.
The EFF is fighting hard on this front, especially in the
areas of freedom of the press, rights of privacy, and rights
against search and seizure for on-line systems. Reducing
government intrusion in these areas will help free up cyberspace
for bigger and better things.
However, the fight is just beginning today.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Lance Rose is an attorney who works primarily in the fields of
computer and high technology law and intellectual property. His
clients include on-line publishers, electronic funds transfer
networks, data transmission services, individual system
operators, and shareware authors and vendors. He is currently
revising SYSLAW, The Sysop's Legal Manual. Lance is a partner in
the New York City firm of Greenspoon, Srager, Gaynin, Daichman &
Marino, and can be reached by voice at (212)888-6880, on the Well
as "elrose", and on CompuServe at 72230,2044.
Copyright 1991 Lance Rose
The above article was originally published in Boardwatch, June, 1991