[Note: First published in _Boardwatch_, June 1991.]

Cyberspace and the Legal Matrix: Laws or Confusion?
by Lance Rose <elrose@well.sf.ca.us>

Cyberspace, the "digital world", is emerging as a global arena of social,
commercial and political relations. By "Cyberspace", I mean the sum total
of all electronic messaging and information systems, including BBS's,
commercial data services, research data networks, electronic publishing,
networks and network nodes, e-mail systems, electronic data interchange
systems, and electronic funds transfer systems.

Many like to view life in the electronic networks as a "new frontier", and
in certain ways that remains true. Nonetheless, people remain people, even
behind the high tech shimmer. Not surprisingly, a vast matrix of laws and
regulations has trailed people right into cyberspace.

Most of these laws are still under construction for the new electronic
environment. Nobody is quite sure of exactly how they actually apply to
electronic network situations. Nonetheless, the major subjects of legal
concern can now be mapped out fairly well, which we will do in this section
of the article. In the second section, we will look at some of the ways in
which the old laws have trouble fitting together in cyberspace, and suggest
general directions for improvement.

LAWS ON PARADE

- Privacy laws. These include the federal Electronic Communications Privacy
Act ("ECPA"), originally enacted in response to Watergate, and which now
prohibits many electronic variations on wiretapping by both government and
private parties. There are also many other federal and state privacy laws
and, of course, Constitutional protections against unreasonable search and
seizure.

- 1st Amendment. The Constitutional rights to freedom of speech and freedom
of the press apply fully to electronic messaging operations of all kinds.

- Criminal laws. There are two major kinds of criminal laws.  First, the
"substantive" laws that define and outlaw certain activities. These include
computer-specific laws, like the Computer Fraud and Abuse Act and
Counterfeit Access Device Act on the federal level, and many computer crime
laws on the state level. Many criminal laws not specific to "computer
crime" can also apply in a network context, including laws against stealing
credit card codes, laws against obscenity, wire fraud laws, RICO, drug
laws, gambling laws, etc.

The other major set of legal rules, "procedural" rules, puts limits on law
enforcement activities. These are found both in statutes, and in rulings of
the Supreme Court and other high courts on the permissible conduct of
government agents. Such rules include the ECPA, which prohibits wiretapping
without a proper warrant; and federal and state rules and laws spelling out
warrant requirements, arrest requirements, and evidence seizure and
retention requirements.

- Copyrights. Much of the material found in on-line systems and in networks
is copyrightable, including text files, image files, audio files, and
software.

- Moral Rights. Closely related to copyrights, they include the rights of
paternity (choosing to have your name associated or not associated with
your "work") and integrity (the right not to have your "work" altered or
mutilated). These rights are brand new in U.S. law (they originated in
Europe), and their shape in electronic networks will not be settled for
quite a while.

- Trademarks. Anything used as a "brand name" in a network context can be a
trademark. This includes all BBS names, and names for on-line services of
all kinds. Materials other than names might also be protected under
trademark law as "trade dress": distinctive sign-on screen displays for
BBS's, the recurring visual motifs used throughout videotext services, etc.

- Right of Publicity. Similar to trademarks, it gives people the right to
stop others from using their name to make money. Someone with a famous
on-line name or handle has a property right in that name.

- Confidential Information. Information that is held in secrecy by the
owner, transferred only under non-disclosure agreements, and preferably
handled only in encrypted form, can be owned as a trade secret or other
confidential property. This type of legal protection is used as a means of
asserting ownership in confidential databases, from mailing lists to
industrial research.

- Contracts. Contracts account for as much of the regulation of network
operations as all of the other laws put together.

The contract between an on-line service user and the service provider is
the basic source of rights between them. You can use contracts to create
new rights, and to alter or surrender your existing rights under state and
federal laws.

For example, if a bulletin board system operator "censors" a user by
removing a public posting, that user will have a hard time showing his
freedom of speech was violated. Private system operators are not subject to
the First Amendment (which is focused on government, not private, action).
However, the user may have rights to prevent censorship under his direct
contract with the BBS or system operators.

You can use contracts to create entire on-line legal regimes. For example,
banks use contracts to create private electronic funds transfer networks,
with sets of rules that apply only within those networks. These rules
specify on a global level which activities are permitted and which are not,
the terms of access to nearby systems and (sometimes) to remote systems,
and how to resolve problems between network members.

Beyond the basic contract between system and user, there are many other
contracts made on-line. These include the services you find in a
CompuServe, GEnie or Prodigy, such as stock quote services, airline
reservation services, trademark search services, and on-line stores. They
also include user-to-user contracts formed through e-mail. In fact, there
is a billion-dollar "industry" referred to as "EDI" (for Electronic Data
Interchange), in which companies exchange purchase orders for goods and
services directly via computers and computer networks.

- People's Rights Not to be Injured. People have the right not to be
injured when they venture into cyberspace. These rights include the right
not to be libelled or defamed by others on-line, rights against having your
on-line materials stolen or damaged, rights against having your computer
damaged by intentionally harmful files that you have downloaded (such as
files containing computer "viruses"), and so on.

There is no question these rights exist and can be enforced against other
users who cause such injuries. Currently, it is uncertain whether system
operators who oversee the systems can also be held responsible for such
user injuries.

- Financial Laws. These include laws like Regulations E & Z of the Federal
Reserve Board, which are consumer protection laws that apply to credit
cards, cash cards, and all other forms of electronic banking.

- Securities Laws. The federal and state securities laws apply to various
kinds of on-line investment related activities, such as trading in
securities and other investment vehicles, investment advisory services,
market information services and investment management services.

- Education Laws. Some organizations are starting to offer on-line degree
programs. State education laws and regulations come into play on all
aspects of such services.

The list goes on, but we have to end it somewhere. As it stands, this list
should give the reader a good idea of just how regulated cyberspace already
is.


LAWS OR CONFUSION?

The legal picture in cyberspace is very confused, for several reasons.

First, the sheer number of laws in cyberspace, in itself, can create a
great deal of confusion. Second, there can be several different kinds of
laws relating to a single activity, with each law pointing to a different
result.

Third, conflicts can arise in networks between different laws on the same
subject. These include conflicts between federal and state laws, as in the
areas of criminal laws and the right to privacy; conflicts between the laws
of two or more states, which will inevitably arise for networks whose user
base crosses state lines; and even conflicts between laws from the same
governmental authority where two or more different laws overlap. The last
is very common, especially in laws relating to networks and computer law.

Some examples of the interactions between conflicting laws are considered
below, from the viewpoint of an on-line system operator.

1. System Operators' Liability for "Criminal" Activities.

Many different activities can create criminal liabilities for service
providers, including:

- distributing viruses and other dangerous program code;

- publishing "obscene" materials;

- trafficking in stolen credit card numbers and other unauthorized access
data;

- trafficking in pirated software;

- and acting as an accomplice, accessory or conspirator in these and other
activities.

The acts comprising these different violations are separately defined in
statutes and court cases on both the state and federal levels.

For prosecutors and law enforcers, this is a vast array of options for
pursuing wrongdoers. For service providers, it's a roulette wheel of risk.

Faced with such a huge diversity of criminal possibilities, few service
providers will carefully analyze the exact laws that may apply, or the
latest case law developments for each type of criminal activity. Who has
the time? For system operators who just want to "play it safe", there is a
strong incentive to do something much simpler: Figure out ways to restrict
user conduct on their systems that will minimize their risk under *any*
criminal law.

The system operator that chooses this highly restrictive route may not
allow any e-mail, for fear that he might be liable for the activities of
some secret drug ring, kiddie porn ring or stolen credit card code ring.
The system operator may ban all sexually suggestive materials, for fear
that the extreme anti-obscenity laws of some user's home town might apply
to his system. The system operator may not permit transfer of program files
through his system, except for files he personally checks out, for fear
that he could be accused of assisting in distributing viruses, trojans or
pirated software; and so on.

In this way, the most restrictive criminal laws that might apply to a given
on-line service (which could emanate, for instance, from one very
conservative state within the system's service area) could end up
restricting the activities of system operators all over the nation, if they
happen to have a significant user base in that state. This results in less
freedom for everyone in the network environment.

2. Federal vs. State Rights of Privacy.

Few words have been spoken in the press about network privacy laws in each
of the fifty states (as opposed to federal laws). However, what the privacy
protection of the federal Electronic Communications Privacy Act ("ECPA")
does not give you, state laws may.

This was the theory of the recent Epson e-mail case. An ex-employee
claimed that Epson acted illegally in requiring her to monitor e-mail
conversations of other employees. She did not sue under the ECPA, but under
the California Penal Code section prohibiting employee surveillance of
employee conversations.

The trial judge denied her claim. In his view, the California law only
applied to interceptions of oral telephone discussions, and not to visual
communication on video display monitors. Essentially, he held that the
California law had not caught up to modern technology - making this law
apply to e-mail communications was a job for the state legislature, not
local judges.

Beyond acknowledging that the California law was archaic and not applicable
to e-mail, we should understand that the Epson case takes place in a
special legal context - the workplace. E-mail user rights against
workplace surveillance are undeniably important, but in our legal and
political system they always must be "balanced" (i.e., weakened) against the
right of the employer to run his shop his own way. Employers' rights may
end up weighing more heavily against workers' rights for company e-mail
systems than for voice telephone conversations, at least for employers who
use intra-company e-mail systems as an essential backbone of their
business. Fortunately, this particular skewing factor does not apply to
*public* communications systems.

I believe that many more attempts to establish e-mail privacy under state
laws are possible, and will be made in the future. This is good news for
privacy advocates, a growing and increasingly vocal group these days.

It is mixed news, however, for operators of BBS's and other on-line
services. Most on-line service providers operate on an interstate basis -
all it takes to gain this status is a few calls from other states every now
and then. If state privacy laws apply to on-line systems, then every BBS
operator will be subject to the privacy laws of every state in which one or
more of his users are located! This can lead to confusion, and inability to
set reasonable or predictable system privacy standards.

It can also lead to the effect described above in the discussion of
criminal liability. On-line systems might be set up "defensively", to cope
with the most restrictive privacy laws that might apply to them. This could
result in declarations of *absolutely no privacy* on some systems, and
highly secure setups on others, depending on the individual system
operator's inclinations.

3. Pressure on Privacy Rights Created by Risks to Service Providers.

There are two main kinds of legal risks faced by a system operator. First,
the risk that the system operator himself will be found criminally guilty
or civilly liable for being involved in illegal activities on his system,
leading to fines, jail, money damages, confiscation of system, criminal
record, etc.

Second, the risk of having his system confiscated, not because he did
anything wrong, but because someone else did something suspicious on his
system. As discussed above, a lot of criminal activity can take place on a
system when the system operator isn't looking. In addition, certain
non-criminal activities on the system could lead to system confiscation,
such as copyright or trade secret infringement.

This second kind of risk is very real. It is exactly what happened to Steve
Jackson Games last year. Law enforcement agents seized Steve's computer
(which ran a BBS), not because they thought he did anything wrong, but
because they were tracking an allegedly evil computer hacker group called
the "Legion of Doom". Apparently, they thought the group "met" and
conspired on his BBS. A year later, much of the dust has cleared, and the
Electronic Frontier Foundation is funding a lawsuit against the federal
agents who seized the system. Unfortunately, even if he wins the case Steve
can't get back the business he lost. To this day, he still has not regained
all of his possessions that were seized by the authorities.

For now, system operators do not have a great deal of control over
government or legal interference with their systems. You can be a solid
citizen and report every crime you suspect may be happening using your
system. Yet the chance remains that tonight, the feds will be knocking on
*your* door looking for an "evil hacker group" hiding in your BBS.

This Keystone Kops style of "law enforcement" can turn system operators
into surrogate law enforcement agents. System operators who fear random
system confiscation will be tempted to monitor private activities on their
systems, intruding on the privacy of their users. Such intrusion can take
different forms. Some system operators may declare that there will be no
private discussions, so they can review and inspect everything. More
hauntingly, system operators may indulge in surreptitious sampling of
private e-mail, just to make sure no one's doing anything that will make
the cops come in and haul away their BBS computer systems. (By the way, I
personally don't advocate either of these things.)

This situation can be viewed as a way for law enforcement agents to do an
end run around the ECPA's bar on government interception of electronic
messages. What the agents can't intercept directly, they might get through
fearful system operators. Even if you don't go for such conspiracy
theories, the random risk of system confiscation puts great pressure on the
privacy rights of on-line system users.

4. Contracts Versus Other Rights.

Most, perhaps all, of the rights between system operators and system users
can be modified by the basic service contract between them. For instance,
the federal ECPA gives on-line service users certain privacy rights. It
conspicuously falls short, however, by not protecting users from privacy
intrusions by the system operator himself.

Through contract, the system operator and the user can in effect override
the ECPA exception, and agree that the system operator will not read
private e-mail. Some system operators may go the opposite direction, and
impose a contractual rule that users should not expect any privacy in their
e-mail.

Another example of the power of contracts in the on-line environment
occurred recently on the Well, a national system based in San Francisco
(and highly recommended to all those interested in discussing on-line legal
issues). A Well user complained that a message he had posted in one Well
conference area had been cross-posted by other users to a different
conference area without his permission.

A lengthy, lively discussion among Well users followed, debating the
problem. One of the major benchmarks for this discussion was the basic
service agreement between the Well and its users. And a proposed resolution
of the issue was to clarify the wording of that fundamental agreement.
Although "copyrights" were discussed, the agreement between the Well and
its users was viewed as a more important source of the legitimate rights
and expectations of Well users.

Your state and federal "rights" against other on-line players may not be
worth fighting over if you can get a contract giving you the rights you
want. In the long run, the contractual solution may be the best way to set
up a decent networked on-line system environment, except for the old
bogeyman of government intrusion (against whom we will all still need our
"rights", Constitutional and otherwise).

CONCLUSION

There are many different laws that system operators must heed in running
their on-line services. This can lead to restricting system activities
under the most oppressive legal standards, and to unpredictable,
system-wide interactions between the effects of the different laws.

The "net" result of this problem can be undue restrictions on the
activities of system operators and users alike.

The answers to this problem are simple in concept, but not easy to execute.
First, enact (or re-enact) all laws regarding electronic services on a
national level only, overriding individual state control of system
operators' activities in cyberspace. It's time to realize that provincial
state laws only hinder proper development of interstate electronic systems.

As yet, there is little movement in enacting nationally effective laws.
Isolated instances include the Electronic Communications Privacy Act and
the Computer Fraud and Abuse Act, which place federal "floors" beneath
privacy protection and certain types of computer crime, respectively. On
the commercial side, the new Article 4A of the Uniform Commercial Code,
which normalizes on-line commercial transactions, is ready for adoption by
the fifty states.

Second, all laws regulating on-line systems must be carefully designed to
interact well with other such laws. The goal is to create a well-defined,
reasonable legal environment for system operators and users.

The EFF is fighting hard on this front, especially in the areas of freedom
of the press, rights of privacy, and rights against search and seizure for
on-line systems. Reducing government intrusion in these areas will help
free up cyberspace for bigger and better things.

However, the fight is just beginning today.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Lance Rose is an attorney who works primarily in the fields of computer and
high technology law and intellectual property. His clients include on-line
publishers, electronic funds transfer networks, data transmission services,
individual system operators, and shareware authors and vendors. He is
currently revising SYSLAW, The Sysop's Legal Manual. Lance is a partner in
the New York City firm of Greenspoon, Srager, Gaynin, Daichman & Marino,
and can be reached by voice at (212)888-6880, on the Well as "elrose", and
on CompuServe at 72230,2044.

Copyright 1991 Lance Rose




