Cyberspace and the Legal Matrix: Laws or Confusion?

SUBMITTED BY: mschosting

DATE: Feb. 27, 2016, 12:07 p.m.

FORMAT: Text only

SIZE: 21.2 kB

Raw Download

HITS: 701

Report
  1. Cyberspace, the "digital world", is emerging as a global arena of
  2. social, commercial and political relations. By "Cyberspace", I mean
  3. the sum total of all electronic messaging and information systems,
  4. including BBS's, commercial data services, research data networks,
  5. electronic publishing, networks and network nodes, e-mail systems,
  6. electronic data interchange systems, and electronic funds transfer
  7. systems.
  9. Many like to view life in the electronic networks as a "new frontier",
  10. and in certain ways that remains true. Nonetheless, people remain
  11. people, even behind the high tech shimmer. Not surprisingly, a vast
  12. matrix of laws and regulations has trailed people right into
  13. cyberspace.
  15. Most of these laws are still under construction for the new electronic
  16. environment. Nobody is quite sure of exactly how they actually apply
  17. to electronic network situations. Nonetheless, the major subjects of
  18. legal concern can now be mapped out fairly well, which we will do in
  19. this section of the article. In the second section, we will look at
  20. some of the ways in which the old laws have trouble fitting together
  21. in cyberspace, and suggest general directions for improvement.
  23. LAWS ON PARADE
  25. - Privacy laws. These include the federal Electronic Communications
  26. Privacy Act ("ECPA"), originally enacted in response to Watergate, and
  27. which now prohibits many electronic variations on wiretapping by both
  28. government and private parties. There are also many other federal and
  29. state privacy laws and, of course, Constitutional protections against
  30. unreasonable search and seizure.
  32. - 1st Amendment. The Constitutional rights to freedom of speech and
  33. freedom of the press apply fully to electronic messaging operations of
  34. all kinds.
  36. - Criminal laws. There are two major kinds of criminal laws. First,
  37. the "substantive" laws that define and outlaw certain activities.
  38. These include computer-specific laws, like the Computer Fraud and
  39. Abuse Act and Counterfeit Access Device Act on the federal level, and
  40. many computer crime laws on the state level. Many criminal laws not
  41. specific to "computer crime" can also apply in a network context,
  42. including laws against stealing credit card codes, laws against
  43. obscenity, wire fraud laws, RICO, drug laws, gambling laws, etc.
  45. The other major set of legal rules, "procedural" rules, puts limits on
  46. law enforcement activities. These are found both in statutes, and in
  47. rulings of the Supreme Court and other high courts on the permissible
  48. conduct of government agents. Such rules include the ECPA, which
  49. prohibits wiretapping without a proper warrant; and federal and state
  50. rules and laws spelling out warrant requirements, arrest requirements,
  51. and evidence seizure and retention requirements.
  53. - Copyrights. Much of the material found in on-line systems and in
  54. networks is copyrightable, including text files, image files, audio
  55. files, and software.
  57. - Moral Rights. Closely related to copyrights, they include the
  58. rights of paternity (choosing to have your name associated or not
  59. associated with your "work") and integrity (the right not to have your
  60. "work" altered or mutilated). These rights are brand new in U.S. law
  61. (they originated in Europe), and their shape in electronic networks
  62. will not be settled for quite a while.
  64. - Trademarks. Anything used as a "brand name" in a network context
  65. can be a trademark. This includes all BBS names, and names for
  66. on-line services of all kinds. Materials other than names might also
  67. be protected under trademark law as "trade dress": distinctive sign-on
  68. screen displays for BBS's, the recurring visual motifs used throughout
  69. videotext services, etc.
  71. - Right of Publicity. Similar to trademarks, it gives people the
  72. right to stop others from using their name to make money. Someone
  73. with a famous on-line name or handle has a property right in that
  74. name.
  76. - Confidential Information. Information that is held in secrecy by
  77. the owner, transferred only under non-disclosure agreements, and
  78. preferably handled only in encrypted form, can be owned as a trade
  79. secret or other confidential property. This type of legal protection
  80. is used as a means of asserting ownership in confidential databases,
  81. >from mailing lists to industrial research.
  83. - Contracts. Contracts account for as much of the regulation of
  84. network operations as all of the other laws put together.
  86. The contract between an on-line service user and the service provider
  87. is the basic source of rights between them. You can use contracts to
  88. create new rights, and to alter or surrender your existing rights
  89. under state and federal laws.
  91. For example, if a bulletin board system operator "censors" a user by
  92. removing a public posting, that user will have a hard time showing his
  93. freedom of speech was violated. Private system operators are not
  94. subject to the First Amendment (which is focused on government, not
  95. private, action). However, the user may have rights to prevent
  96. censorship under his direct contract with the BBS or system operators.
  98. You can use contracts to create entire on-line legal regimes. For
  99. example, banks use contracts to create private electronic funds
  100. transfer networks, with sets of rules that apply only within those
  101. networks. These rules specify on a global level which activities are
  102. permitted and which are not, the terms of access to nearby systems and
  103. (sometimes) to remote systems, and how to resolve problems between
  104. network members.
  106. Beyond the basic contract between system and user, there are many
  107. other contracts made on-line. These include the services you find in
  108. a CompuServe, GEnie or Prodigy, such as stock quote services, airline
  109. reservation services, trademark search services, and on-line stores.
  110. They also include user-to-user contracts formed through e-mail. In
  111. fact, there is a billion-dollar "industry" referred to as "EDI" (for
  112. Electronic Data Interchange), in which companies exchange purchase
  113. orders for goods and services directly via computers and computer
  114. networks.
  116. - Peoples' Rights Not to be Injured. People have the right not to be
  117. injured when they venture into cyberspace. These rights include the
  118. right not to be libelled or defamed by others on-line, rights against
  119. having your on-line materials stolen or damaged, rights against having
  120. your computer damaged by intentionally harmful files that you have
  121. downloaded (such as files containing computer "viruses"), and so on.
  123. There is no question these rights exist and can be enforced against
  124. other users who cause such injuries. Currently, it is uncertain
  125. whether system operators who oversee the systems can also be held
  126. responsible for such user injuries.
  128. - Financial Laws. These include laws like Regulations E & Z of the
  129. Federal Reserve Board, which are consumer protection laws that apply
  130. to credit cards, cash cards, and all other forms of electronic
  131. banking.
  133. - Securities Laws. The federal and state securities laws apply to
  134. various kinds of on-line investment related activities, such as
  135. trading in securities and other investment vehicles, investment
  136. advisory services, market information services and investment
  137. management services.
  139. - Education Laws. Some organizations are starting to offer on-line
  140. degree programs. State education laws and regulations come into play
  141. on all aspects of such services.
  143. The list goes on, but we have to end it somewhere. As it stands, this
  144. list should give the reader a good idea of just how regulated
  145. cyberspace already is.
  148. LAWS OR CONFUSION?
  150. The legal picture in cyberspace is very confused, for several reasons.
  152. First, the sheer number of laws in cyberspace, in itself, can create a
  153. great deal of confusion. Second, there can be several different kinds
  154. of laws relating to a single activity, with each law pointing to a
  155. different result.
  157. Third, conflicts can arise in networks between different laws on the
  158. same subject. These include conflicts between federal and state laws,
  159. as in the areas of criminal laws and the right to privacy; conflicts
  160. between the laws of two or more states, which will inevitably arise
  161. for networks whose user base crosses state lines; and even conflicts
  162. between laws from the same governmental authority where two or more
  163. different laws overlap. The last is very common, especially in laws
  164. relating to networks and computer law.
  166. Some examples of the interactions between conflicting laws are
  167. considered below, from the viewpoint of an on-line system operator.
  169. 1. System operators Liability for "Criminal" Activities.
  171. Many different activities can create criminal liabilities for service
  172. providers, including:
  174. - distributing viruses and other dangerous program code;
  176. - publishing "obscene" materials;
  178. - trafficking in stolen credit card numbers and other unauthorized
  179. access data;
  181. - trafficking in pirated software;
  183. - and acting as an accomplice, accessory or conspirator in these and
  184. other activities.
  186. The acts comprising these different violations are separately defined
  187. in statutes and court cases on both the state and federal levels.
  189. For prosecutors and law enforcers, this is a vast array of options for
  190. pursuing wrongdoers. For service providers, it's a roulette wheel of
  191. risk.
  193. Faced with such a huge diversity of criminal possibilities, few
  194. service providers will carefully analyze the exact laws that may
  195. apply, nor the latest case law developments for each type of criminal
  196. activity. Who has the time? For system operators who just want to
  197. "play it safe", there is a strong incentive to do something much
  198. simpler: Figure out ways to restrict user conduct on their systems
  199. that will minimize their risk under *any* criminal law.
  201. The system operator that chooses this highly restrictive route may not
  202. allow any e-mail, for fear that he might be liable for the activities
  203. of some secret drug ring, kiddie porn ring or stolen credit card code
  204. ring. The system operator may ban all sexually suggestive materials,
  205. for fear that the extreme anti-obscenity laws of some user's home town
  206. might apply to his system. The system operator may not permit
  207. transfer of program files through his system, except for files he
  208. personally checks out, for fear that he could be accused of assisting
  209. in distributing viruses, trojans or pirated software; and so on.
  211. In this way, the most restrictive criminal laws that might apply to a
  212. given on-line service (which could emanate, for instance, from one
  213. very conservative state within the system's service area) could end up
  214. restricting the activities of system operators all over the nation, if
  215. they happen to have a significant user base in that state. This
  216. results in less freedom for everyone in the network environment.
  218. 2. Federal vs. State Rights of Privacy.
  220. Few words have been spoken in the press about network privacy laws in
  221. each of the fifty states (as opposed to federal laws). However, what
  222. the privacy protection of the federal Electronic Communications
  223. Privacy Act ("ECPA") does not give you, state laws may.
  225. This was the theory of the recent Epson e-mail case. An ex-employee
  226. claimed that Epson acted illegally in requiring her to monitor e-mail
  227. conversations of other employees. She did not sue under the ECPA, but
  228. under the California Penal Code section prohibiting employee
  229. surveillance of employee conversations.
  231. The trial judge denied her claim. In his view, the California law
  232. only applied to interceptions of oral telephone discussions, and not
  233. to visual communication on video display monitors. Essentially, he
  234. held that the California law had not caught up to modern technology -
  235. making this law apply to e-mail communications was a job for the state
  236. legislature, not local judges.
  238. Beyond acknowledging that the California law was archaic and not
  239. applicable to e-mail, we should understand that the Epson case takes
  240. place in a special legal context - the workplace. E-mail user rights
  241. against workplace surveillance are undeniably important, but in our
  242. legal and political system they always must be "balanced" (ie.,
  243. weakened) against the right of the employer to run his shop his own
  244. way. Employers' rights may end up weighing more heavily against
  245. workers' rights for company e-mail systems than for voice telephone
  246. conversations, at least for employers who use intra-company e-mail
  247. systems as an essential backbone of their business. Fortunately, this
  248. particular skewing factor does not apply to *public* communications
  249. systems.
  251. I believe that many more attempts to establish e-mail privacy under
  252. state laws are possible, and will be made in the future. This is good
  253. news for privacy advocates, a growing and increasingly vocal group
  254. these days.
  256. It is mixed news, however, for operators of BBS's and other on-line
  257. services. Most on-line service providers operate on an interstate
  258. basis - all it takes to gain this status is a few calls from other
  259. states every now and then. If state privacy laws apply to on-line
  260. systems, then every BBS operator will be subject to the privacy laws
  261. of every state in which one or more of his users are located! This
  262. can lead to confusion, and inability to set reasonable or predictable
  263. system privacy standards.
  265. It can also lead to the effect described above in the discussion of
  266. criminal liability. On-line systems might be set up "defensively", to
  267. cope with the most restrictive privacy laws that might apply to them.
  268. This could result in declarations of *absolutely no privacy* on some
  269. systems, and highly secure setups on others, depending on the
  270. individual system operator's inclinations.
  272. 3. Pressure on Privacy Rights Created by Risks to Service Providers.
  274. There are two main kinds of legal risks faced by a system operator.
  275. First, the risk that the system operator himself will be found
  276. criminally guilty or civilly liable for being involved in illegal
  277. activities on his system, leading to fines, jail, money damages,
  278. confiscation of system, criminal record, etc.
  280. Second, the risk of having his system confiscated, not because he did
  281. anything wrong, but because someone else did something suspicious on
  282. his system. As discussed above, a lot of criminal activity can take
  283. place on a system when the system operator isn't looking. In
  284. addition, certain non-criminal activities on the system could lead to
  285. system confiscation, such copyright or trade secret infringement.
  287. This second kind of risk is very real. It is exactly what happened to
  288. Steve Jackson Games last year. Law enforcement agents seized Steve's
  289. computer (which ran a BBS), not because they thought he did anything
  290. wrong, but because they were tracking an allegedly evil computer
  291. hacker group called the "Legion of Doom". Apparently, they thought
  292. the group "met" and conspired on his BBS. A year later, much of the
  293. dust has cleared, and the Electronic Frontier Foundation is funding a
  294. lawsuit against the federal agents who seized the system.
  295. Unfortunately, even if he wins the case Steve can't get back the
  296. business he lost. To this day, he still has not regained all of his
  297. possessions that were seized by the authorities.
  299. For now, system operators do not have a great deal of control over
  300. government or legal interference with their systems. You can be a
  301. solid citizen and report every crime you suspect may be happening
  302. using your system. Yet the chance remains that tonight, the feds will
  303. be knocking on *your* door looking for an "evil hacker group" hiding
  304. in your BBS.
  306. This Keystone Kops style of "law enforcement" can turn system
  307. operators into surrogate law enforcement agents. System operators who
  308. fear random system confiscation will be tempted to monitor private
  309. activities on their systems, intruding on the privacy of their users.
  310. Such intrusion can take different forms. Some system operators may
  311. declare that there will be no private discussions, so they can review
  312. and inspect everything. More hauntingly, system operators may indulge
  313. in surreptitious sampling of private e-mail, just to make sure no
  314. one's doing anything that will make the cops come in and haul away
  315. their BBS computer systems (By the way, I personally don't advocate
  316. either of these things).
  318. This situation can be viewed as a way for law enforcement agents to do
  319. an end run around the ECPA's bar on government interception of
  320. electronic messages. What the agents can't intercept directly, they
  321. might get through fearful system operators. Even if you don't go for
  322. such conspiracy theories, the random risk of system confiscation puts
  323. great pressure on the privacy rights of on-line system users.
  325. 4. Contracts Versus Other Rights.
  327. Most, perhaps all, of the rights between system operators and system
  328. users can be modified by the basic service contract between them. For
  329. instance, the federal ECPA gives on-line service users certain privacy
  330. rights. It conspicuously falls short, however, by not protecting
  331. users from privacy intrusions by the system operator himself.
  333. Through contract, the system operator and the user can in effect
  334. override the ECPA exception, and agree that the system operator will
  335. not read private e-mail. Some system operators may go the opposite
  336. direction, and impose a contractual rule that users should not expect
  337. any privacy in their e-mail.
  339. Another example of the power of contracts in the on-line environment
  340. occurred recently on the Well, a national system based in San
  341. Francisco (and highly recommended to all those interested in
  342. discussing on-line legal issues). A Well user complained that a
  343. message he had posted in one Well conference area had been
  344. cross-posted by other users to a different conference area without his
  345. permission.
  347. A lengthy, lively discussion among Well users followed, debating the
  348. problem. One of the major benchmarks for this discussion was the
  349. basic service agreement between the Well and its users. And a
  350. proposed resolution of the issue was to clarify the wording of that
  351. fundamental agreement. Although "copyrights" were discussed, the
  352. agreement between the Well and its users was viewed as a more
  353. important source of the legitimate rights and expectations of Well
  354. users.
  356. Your state and federal "rights" against other on-line players may not
  357. be worth fighting over if you can get a contract giving you the rights
  358. you want. In the long run, the contractual solution may be the best
  359. way to set up a decent networked on-line system environment, except
  360. for the old bogeyman of government intrusion (against whom we will all
  361. still need our "rights", Constitutional and otherwise).
  363. CONCLUSION
  365. There are many different laws that system operators must heed in
  366. running their on-line services. This can lead to restricting system
  367. activities under the most oppressive legal standards, and to
  368. unpredictable, system-wide interactions between the effects of the
  369. different laws.
  371. The "net" result of this problem can be undue restrictions on the
  372. activities of system operators and users alike.
  374. The answers to this problem are simple in concept, but not easy to
  375. execute. First, enact (or re-enact) all laws regarding electronic
  376. services on a national level only, overriding individual state control
  377. of system operators activities in cyberspace. It's time to realize
  378. that provincial state laws only hinder proper development of
  379. interstate electronic systems.
  381. As yet, there is little movement in enacting nationally effective
  382. laws. Isolated instances include the Electronic Communications
  383. Privacy Act and the Computer Fraud and Abuse Act, which place federal
  384. "floors" beneath privacy protection and certain types of computer
  385. crime, respectively. On the commercial side, the new Article 4A of
  386. the Uniform Commercial Code, which normalizes on-line commercial
  387. transactions, is ready for adoption by the fifty states.
  389. Second, all laws regulating on-line systems must be carefully designed
  390. to interact well with other such laws. The goal is to create a
  391. well-defined, reasonable legal environment for system operators and
  392. users.
  394. The EFF is fighting hard on this front, especially in the areas of
  395. freedom of the press, rights of privacy, and rights against search and
  396. seizure for on-line systems. Reducing government intrusion in these
  397. areas will help free up cyberspace for bigger and better things.
  399. However, the fight is just beginning today.
  401. _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
  403. Lance Rose is an attorney who works primarily in the fields of
  404. computer and high technology law and intellectual property. His
  405. clients include on-line publishers, electronic funds transfer
  406. networks, data transmission services, individual system operators, and
  407. shareware authors and vendors. He is currently revising SYSLAW, The
  408. Sysop's Legal Manual. Lance is a partner in the New York City firm of
  409. Greenspoon, Srager, Gaynin, Daichman & Marino, and can be reached by
  410. voice at (212)888-6880, on the Well as "elrose", and on CompuServe at
  411. 72230,2044.
comments powered by Disqus