cyberspace and the legal matrix- laws or confusion.txt

黑客培训教程

personally checks out, for fear that he could be accused of assisting
in distributing viruses, trojans or pirated software; and so on.

In this way, the most restrictive criminal laws that might apply to a
given on-line service (which could emanate, for instance, from one
very conservative state within the system's service area) could end up
restricting the activities of system operators all over the nation, if
they happen to have a significant user base in that state.  This
results in less freedom for everyone in the network environment.

2.  Federal vs. State Rights of Privacy.

Few words have been spoken in the press about network privacy laws in
each of the fifty states (as opposed to federal laws).  However, what
the privacy protection of the federal Electronic Communications
Privacy Act ("ECPA") does not give you, state laws may.

This was the theory of the recent Epson e-mail case.  An ex-employee
claimed that Epson acted illegally in requiring her to monitor e-mail
conversations of other employees.  She did not sue under the ECPA, but
under the California Penal Code section prohibiting employee
surveillance of employee conversations.

The trial judge denied her claim.  In his view, the California law
only applied to interceptions of oral telephone discussions, and not
to visual communication on video display monitors.  Essentially, he
held that the California law had not caught up to modern technology -
making this law apply to e-mail communications was a job for the state
legislature, not local judges.

Beyond acknowledging that the California law was archaic and not
applicable to e-mail, we should understand that the Epson case takes
place in a special legal context - the workplace.  E-mail user rights
against workplace surveillance are undeniably important, but in our
legal and political system they always must be "balanced" (ie.,
weakened) against the right of the employer to run his shop his own
way.  Employers' rights may end up weighing more heavily against
workers' rights for company e-mail systems than for voice telephone
conversations, at least for employers who use intra-company e-mail
systems as an essential backbone of their business.  Fortunately, this
particular skewing factor does not apply to *public* communications
systems.

I believe that many more attempts to establish e-mail privacy under
state laws are possible, and will be made in the future.  This is good
news for privacy advocates, a growing and increasingly vocal group
these days.

It is mixed news, however, for operators of BBS's and other on-line
services.  Most on-line service providers operate on an interstate
basis - all it takes to gain this status is a few calls from other
states every now and then.  If state privacy laws apply to on-line
systems, then every BBS operator will be subject to the privacy laws
of every state in which one or more of his users are located!  This
can lead to confusion, and inability to set reasonable or predictable
system privacy standards.

It can also lead to the effect described above in the discussion of
criminal liability.  On-line systems might be set up "defensively", to
cope with the most restrictive privacy laws that might apply to them.
This could result in declarations of *absolutely no privacy* on some
systems, and highly secure setups on others, depending on the
individual system operator's inclinations.

3.   Pressure on Privacy Rights Created by Risks to Service Providers.

There are two main kinds of legal risks faced by a system operator.
First, the risk that the system operator himself will be found
criminally guilty or civilly liable for being involved in illegal
activities on his system, leading to fines, jail, money damages,
confiscation of system, criminal record, etc.

Second, the risk of having his system confiscated, not because he did
anything wrong, but because someone else did something suspicious on
his system.  As discussed above, a lot of criminal activity can take
place on a system when the system operator isn't looking.  In
addition, certain non-criminal activities on the system could lead to
system confiscation, such copyright or trade secret infringement.

This second kind of risk is very real.  It is exactly what happened to
Steve Jackson Games last year.  Law enforcement agents seized Steve's
computer (which ran a BBS), not because they thought he did anything
wrong, but because they were tracking an allegedly evil computer
hacker group called the "Legion of Doom".  Apparently, they thought
the group "met" and conspired on his BBS.  A year later, much of the
dust has cleared, and the Electronic Frontier Foundation is funding a
lawsuit against the federal agents who seized the system.
Unfortunately, even if he wins the case Steve can't get back the
business he lost.  To this day, he still has not regained all of his
possessions that were seized by the authorities.

For now, system operators do not have a great deal of control over
government or legal interference with their systems.  You can be a
solid citizen and report every crime you suspect may be happening
using your system.  Yet the chance remains that tonight, the feds will
be knocking on *your* door looking for an "evil hacker group" hiding
in your BBS.

This Keystone Kops style of "law enforcement" can turn system
operators into surrogate law enforcement agents.  System operators who
fear random system confiscation will be tempted to monitor private
activities on their systems, intruding on the privacy of their users.
Such intrusion can take different forms.  Some system operators may
declare that there will be no private discussions, so they can review
and inspect everything.  More hauntingly, system operators may indulge
in surreptitious sampling of private e-mail, just to make sure no
one's doing anything that will make the cops come in and haul away
their BBS computer systems (By the way, I personally don't advocate
either of these things).

This situation can be viewed as a way for law enforcement agents to do
an end run around the ECPA's bar on government interception of
electronic messages.  What the agents can't intercept directly, they
might get through fearful system operators.  Even if you don't go for
such conspiracy theories, the random risk of system confiscation puts
great pressure on the privacy rights of on-line system users.

4.   Contracts Versus Other Rights.

Most, perhaps all, of the rights between system operators and system
users can be modified by the basic service contract between them.  For
instance, the federal ECPA gives on-line service users certain privacy
rights.  It conspicuously falls short, however, by not protecting
users from privacy intrusions by the system operator himself.

Through contract, the system operator and the user can in effect
override the ECPA exception, and agree that the system operator will
not read private e-mail.  Some system operators may go the opposite
direction, and impose a contractual rule that users should not expect
any privacy in their e-mail.

Another example of the power of contracts in the on-line environment
occurred recently on the Well, a national system based in San
Francisco (and highly recommended to all those interested in
discussing on-line legal issues).  A Well user complained that a
message he had posted in one Well conference area had been
cross-posted by other users to a different conference area without his
permission.

A lengthy, lively discussion among Well users followed, debating the
problem.  One of the major benchmarks for this discussion was the
basic service agreement between the Well and its users.  And a
proposed resolution of the issue was to clarify the wording of that
fundamental agreement.  Although "copyrights" were discussed, the
agreement between the Well and its users was viewed as a more
important source of the legitimate rights and expectations of Well
users.

Your state and federal "rights" against other on-line players may not
be worth fighting over if you can get a contract giving you the rights
you want.  In the long run, the contractual solution may be the best
way to set up a decent networked on-line system environment, except
for the old bogeyman of government intrusion (against whom we will all
still need our "rights", Constitutional and otherwise).

CONCLUSION

There are many different laws that system operators must heed in
running their on-line services.  This can lead to restricting system
activities under the most oppressive legal standards, and to
unpredictable, system-wide interactions between the effects of the
different laws.

The "net" result of this problem can be undue restrictions on the
activities of system operators and users alike.

The answers to this problem are simple in concept, but not easy to
execute.  First, enact (or re-enact) all laws regarding electronic
services on a national level only, overriding individual state control
of system operators activities in cyberspace.  It's time to realize
that provincial state laws only hinder proper development of
interstate electronic systems.

As yet, there is little movement in enacting nationally effective
laws.  Isolated instances include the Electronic Communications
Privacy Act and the Computer Fraud and Abuse Act, which place federal
"floors" beneath privacy protection and certain types of computer
crime, respectively.  On the commercial side, the new Article 4A of
the Uniform Commercial Code, which normalizes on-line commercial
transactions, is ready for adoption by the fifty states.

Second, all laws regulating on-line systems must be carefully designed
to interact well with other such laws.  The goal is to create a
well-defined, reasonable legal environment for system operators and
users.

The EFF is fighting hard on this front, especially in the areas of
freedom of the press, rights of privacy, and rights against search and
seizure for on-line systems.  Reducing government intrusion in these
areas will help free up cyberspace for bigger and better things.

However, the fight is just beginning today.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Lance Rose is an attorney who works primarily in the fields of
computer and high technology law and intellectual property.  His
clients include on-line publishers, electronic funds transfer
networks, data transmission services, individual system operators, and
shareware authors and vendors.  He is currently revising SYSLAW, The
Sysop's Legal Manual.  Lance is a partner in the New York City firm of
Greenspoon, Srager, Gaynin, Daichman & Marino, and can be reached by
voice at (212)888-6880, on the Well as "elrose", and on CompuServe at
72230,2044.

Copyright 1991 Lance Rose

The above article was originally published in Boardwatch, June, 1991