PRIVACY AND CYBERSPACE LAW

It cannot be helped, it is as it should be, that the law is behind the times. (Oliver Wendell Holmes) This Constitution's protections for the freedoms of speech, press, petition, and assembly, and its protections against unreasonable searches and seizures and the deprivation of life, liberty, or property without due process of law, shall be construed as fully applicable without regard to the technological method or medium through which information content is generated, stored, altered, transmitted, or controlled. (Prof. Lawrence Tribe's proposed 28th Amendment) One of the most transforming technologies ever developed was the Internet. Different people, of course, have different uses for it, but it's rapidly becoming the main source for information and connecting people to one another. Technology in the form of print, you'll remember, brought privacy concerns into law in the first place, but a computer hooked up to the Internet is a publishing company, telephone, television, and more all rolled into one. It has generated more than a few problems no one ever expected. This lecture expands on the basics of privacy that we covered in a previous lecture, and introduces students to the emerging area of cyberspace law. People belong to the world, and they should be connected with others. This is important for social and personal development. It's not that anyone would devolve into apes if they shunned technology; it's just that the whole process of self-discovery requires comparison. You can't be an autonomous individual with a unique personality unless you're capable of distinguishing your persona from everyone else's. A net persona, however, is based on anonymity. The right to privacy is all about persona -- that special uniqueness, self, or personal life, and you can't obtain the personal without having a life. Privacy is not the same as secrecy, or completely withdrawing from society. Hence the dilemma: we need privacy from technology, but we need technology in order to obtain privacy. THE CONCEPT OF INFORMATION PRIVACY The traditional approach to Constitutional study of privacy involves thinking in terms of certain protected zones or spheres of activity -- home, reading, sex, reproduction, health, etc. In part, this way of thinking is due to the precedent (case-by-case) nature of our legal system, and the other reason is that we're not really sure where in the Constitution privacy is guaranteed, our best guess being the Fourth Amendment, which forces us to think in terms of zones or spheres because of the particularity clause. The Internet and information technology changes all that. Information isn't considered a commodity. You can't treat cyberspace as a zone or sphere of activity. Nobody really owns it, nobody considers it "home", not many people expect privacy from it, and not too many people want the government or anybody else sniffing, snooping, or regulating every part of it. You'd tie up a Congress of legislators for years trying to come up with a comprehensive set of cyberspace regulations, and then there's that whole jurisdiction problem. Where exactly does cyberspace begin and end?

Traditional ways of thinking in law enforcement aren't much better. The good news for police is that computer hard drives are like digital diaries of every voyage on the Internet, so all they need to do is swear out warrants to confiscate hard drives (and all related computer equipment, which is usually overkill). The process is similar to swearing out warrants for the confiscation of drugs. However, all they're doing is fighting the problem on the demand-side or supply-side, with the receivers or suppliers. The objectionable Internet content is probably still out there somewhere, in a multiplicity of multiple copies, posts, aliases, finger and mirror sites. It would take an army of cybercops years to track down every last piece of something. Instead, what's important in terms of information privacy is the flow of information -- not who has what, but how much and the mode it takes. It's an equity concern. Some people don't have access, some people don't know how, some people won't take the risk, and most unfortunately, some people don't care, even though there might be a doctored photo of them out there, a hate page posted by their worst enemy, or information about their credit history. Imagine your surprise when you walk into a police station to file a complaint about some Internet information on you that you don't think should be there, and the police say if it hasn't got anything to do with child pornography they can't help you. Consumer protection is also kind of weak, with most laws aimed at spammers or telemarketers while multinational corporations operate in freewheeling fashion. Workers essentially have no anti-surveillance rights in the workplace. The criminal justice system concentrates on hackers while e-commerce invasions promise to rob us of more than what any trojan virus or worm could ever do. THE CONCEPT OF CYBERSPACE The term cyberspace was first coined by William Gibson in the 1984 sci-fi novel Neuromancer, and it has since come to mean any non-physical terrain created by online computer systems. It's the impression that what one is experiencing is real, as real as talking to somebody face-to-face, doing library research, or window shopping. It doesn't require virtual reality or tactile sensation, and at a minimum, only consequences that are real. People can get married in cyberspace, obtain college degrees, and order things that are delivered to their door. If the marriages, college degrees, and shopping experiences are real, then the question becomes how real are the virtual rapes that go on in MUDs or MOOs, the stalking and harassment that goes on in email and chat rooms, the plagiarism that is rampant on web pages, and the installation of cookies on your hard drive every time you visit a site to develop your consumer interest profile or put you on a mailing list? Another unanswered question is how important it is to protect children on the Internet? How many crimes are possible to commit in cyberspace? The main problem is our limited legal concept of jurisdiction. Generally, any government's jurisdiction only extends to those individuals who reside within its borders or to the transactions or events which occur within those borders. The Internet doesn't have any borders, or if it does, a global one. Courts simply cannot accept cases unless they have

jurisdiction. A few states have been daring, claiming that the flow of commerce, or financial stream, across their borders gives them jurisdiction over the Internet. However, it's unlikely that any U.S. state is issuing warrants for Internet offenders overseas, or who have only minimal physical contact with U.S. citizens or U.S. soil. The minimal contact requirement usually governs transborder technology-related commerce cases (International Shoe Co. v. Washington 1945). However, problems arise with the Internet as to what nation would be appropriate to pursue legal action. If a company in the Netherlands posts a child pornography web site, and someone in the U.S. browses, caches, and downloads a photo, what law would apply? Would the browsing, caching, and downloading be sufficient to bring the Netherlands web author to justice in the U.S.? Copyright law applies mainly to copies, and the whole technology of web browsing with files stored in every viewer's computer cache on their hard drive raises the question of what constitutes a copy. Do intellectual property rights apply to freely-accessible information? When creating a web page with links to someone else's web page, do you have to ask for permission first? It's rapidly becoming a norm, not a law, that you do. Also, there's the whole complex of community, self-regulation, and cyberculture. Major web sites, especially educational ones, are fond of cultivating what they call a "community", and do these communities have enough legal status to declare themselves independent -- like the Free States of CyberSpace? Does the Internet have it's own norms, enough that laws could be devised? A number of legal cases, involving the likes of AOL and Prodigy, as well as the way Internet Service Providers are cast into police roles, seem to be moving us in this direction, but it's unlikely that the Internet is going to become a separate nation-state.

CYBERSPACE LAW First of all, the Constitution requires that people care about their privacy. The key test applied to all privacy questions is the reasonable expectation test (Katz v. U.S. 1967), and the first prong of this test is whether or not, subjectively, the person held to a personal belief that privacy is important in their lives. You would fail this first prong if you became upset only after finding something about yourself on the Internet. Privacy is about preserving the inner self, and this you must do on your own. The government is there to help you all it can, but it also wants you to be actively involved in public life. A place-based conception of privacy is a fundamental right; a person-based conception of privacy is a fighting right. In cyberspace law, you've got to stand up for your rights. The Gertz test (Gertz v. Welch 1974) makes it clear that individuals who feel defamed or invaded in the Internet medium must first avail themselves of all accessible remedies for posting a reply or correction in the same medium before obtaining any standing. Secondly, there are a number of well-known exceptions to the privacy right on objective grounds. The notion of objectivity here means the law is convinced that custom allows such practices. Let's not review all of them, just the more relevant ones:

Plain View -- In cyberspace law, this means that as long as someone isn't using too
advanced a technology, they can peer through any "holes" in your security system. It has implications for what others can do with and to your hard drive via the Internet. Open Fields -- In cyberspace law, this means that anything posted beyond your "curtilage" is public domain or public property. Unless there's a really good copyright notice, or better yet, a registered trademark or patent, there's little, if any, intellectual property on the Internet. Public Places -- In cyberspace law, this means that any "flow" of information as part of ordinary commerce, regular transmission or exchange of information is not private. Banking, credit records, and all sorts of other databases qualify as nonprivate in this regard.

Next, let's consider the legal status of a web page. Is it "real speech" or binary code (computer algorithms) sent over the Internet and later translated into readable form on the end user's screen? In the latter case, it's the end user's responsibility, but unlike television (where the user can just change the channel), not too many computer users know how to filter out web page content. Sure, parents can install programs like NetNanny and so forth, but how many people regularly adjust the advanced security settings in their browser? Not many. The key case analyzing web content as speech or code is Bernstein v. U.S. Department of State (1996). Speech on the Internet works somewhat differently from other media. You first have to have some kind of source code (or operating system) to run the computers, for both sender and receiver. This source code (like Windows, MAC OS, or Linux) is not considered speech by the law, but it is regarded as a patentable product than can be made subject to licensing and restriction. As such, it is therefore subject to copyright and export restrictions. Export is the key issue here. Source codes cannot fall into the hands of nations the United States does not have tariff agreements with. Therefore, steps have to be taken to protect the privacy of source codes. One of the quickest ways to get into trouble is to make source codes downloadable from the Internet where they are globally accessible. Readers may or may not be familiar with PGP (Pretty Good Privacy) encryption software, but the source code for it should not fall into the hands of certain Middle Eastern or Asian nations. The next level of speech is software application (programs like word processors, games, etc.). The law refers to this as machine-readable code. There's a few more bits and pieces of it than source code which is understandable to the untrained eye. To be considered speech, it depends upon what higher-order language the code is written in. Higher-order languages (like C++, Fortran, or Pascal) tend to be treated by the courts the same as ordinary language (like English, French, or German). Lower-order, or uncompiled, programming is treated as irrelevant. The effect that most readers are familiar with is the vast proliferation of crappy, buggy, crashing software because the law holds compiled software to a higher standard. A programmer can get sued or held criminally liable by planting "Easter Eggs" or hidden messages in compiled software, but not with lower-order programming. Most modern software applications today are so large, they contain both types of programming. It's also difficult to impossible to tell who the author was of some rogue program.

Finally, we're at the level of Internet web browsing. In this case, the law refers to the HTML script that interprets itself as readable text on the user end as object code. Object code contains bits and pieces of source code, bits and pieces of machine-readable code, a series of arcane, program-like command words called "tags", and a whole lot of plain, ordinary words. Because there's a preponderance of plain, ordinary words (which are also visible when you go into "Source View"), HTML script is speech, pure and simple. It is therefore subject to the same restrictions on absolute freedom of speech as any other. To review those restrictions and apply them to the Internet produces the following:

the Brandenburg test -- In cyberspace law, this means that no matter how repugnant the web page, there can be no claim for invasion of privacy or harm unless the speaker intends incitement, openly encourages or urges incitement, imminent action, or suggests a duty to do harm. the O'Brien test -- In cyberspace law, this means that any offensive or invasive graphic images, design features, or symbols cannot be suppressed merely for the sake of suppression. There must be other reasons such as traffic congestion, trespass, disorderly conduct, or breach of peace. the Miller test -- In cyberspace law, this means that anything deemed obscene or invasive must appeal to prurient interests (morbid, abnormal, or disgusting), involve hard core demeaning acts to women, and lack serious literary, artistic, political, or scientific value. Libel -- In cyberspace law, this means that privacy is invaded when the intent of the web page author is malicious or reckless, providing that damage can be shown to reputation, profession, or business. Public figures are exempt, as is parody, cartoon, or anything clearly for entertainment purposes. Fighting words -- In cyberspace law, this means that privacy is invaded by anything abusive and insulting, which under face-to-face circumstances would provoke an immediate violent response. Public officials are held to higher standard, however. Pornography -- In cyberspace law, this means that privacy is invaded when the web content provider fails to restrict easy access to their site or fails to construct fencing that at least requires users to attest to age. Certain displays are prohibited but unenforced in some local jurisdictions, such as sadomasochism, bestiality, snuff flicks, and degradation to women. Solicitation of prostitution is, of course, expressly prohibited unless parties are in a private chat room. Hate sites -- In cyberspace law, race- or hate-motivated web sites do not invade privacy if the speaker honestly believes they are contributing to the free interchange of ideas and the ascertainment of truth. The best that can be done is to track and counter such sites.

Privacy law in the United States is a patchwork of specialized protections, liberally punctuated with loopholes and exceptions. For example, there is privacy protection for bank records but not for medical records. There is coverage for videotape rentals, but not magazine subscriptions. Credit records are covered, but insurance records are not. Even where privacy protection exists, new business practices and new technological

developments often make good laws quickly outdated. What is missing is a larger context of legal and social principles, such as the notion of "Informational Self-determination" CYBERSPACE THREATS TO PRIVACY GOVERNMENT RECORDS For many years, the policy of the U.S. government used to be "partitioning", or keeping different agency databases separate from accessing one another. However in recent years, support has grown for the idea of unified or "federated" databases in e-government. Since 1992, a joint NSA/FBI proposal called the "Clipper chip" has been hotly debated because it gives the government an ability to intercept all electronic forms of communication. It involves placing a tamper-resistant cryptographic device into every computer that not only gives it a unique ID, but runs a program called SKIPJACK which is a family key used by law enforcement and a device unique key that unlocks any encryption efforts the user tries to make. COMMERCIAL ORGANIZATIONS Because the threat to privacy has always been conceived of as a government threat, the U.S. has practically no legal traditions for dealing with threats to privacy from the commercial sector. Credit bureaus contain an alarming number of erroneous entries, for example, yet there's no government regulations which make them clean up their act. In the fields of medicine and insurance, there's nothing the consumer can even do to correct erroneous entries. Many employers regularly monitor their employee's electronic activities, from phone logs to emails to web pages visited, and there's no corresponding workplace freedom acts or laws protecting workers. People are regularly flooded with spam (junk email) because there's little to no control over direct-mail database services. MALEVOLENT INDIVIDUALS Every "hacker" knows that government and commercial computers can, accidentally or by design, disclose information that should be private. Government computers are especially susceptible to break-ins by pretending to be an authorized user. Commercial systems are just plain lax with security, but most are exploited by misusing the system until it's about to crash (as in denial of service attacks) and then gaining administrative privileges. Smalltime commercial systems (such as rental agencies) often simply leave their personal computers on at night, allowing network intrusion into things like "bad tenant" files. Every public key-based authentication/encryption system has a built-in "trapdoor" vulnerability. More secure cryptography that falls into public hands can thwart law enforcement and national security interests. WIRELESS CONSUMER NETWORKS Cellular and wireless technologies are bandwagons that people have jumped on without considering the privacy risks. Every mobile phone has a unique personal ID just as every computer has a unique IP address. Adding mobility to the picture means that every consumer's movements can be tracked electronically. It's as if you had a "bumper beeper" attached to your vehicle. In one respect, all computers are wireless. All desktops and peripheral devices emit electromagnetic radiation that can be intercepted and translated

using TEMPEST specifications for EMI emissions. Users who run the cables behind their equipment into a "rat's nest" are just creating an antenna which allows intercept over greater distances than several inches. The only alternative is to cover all your equipment with aluminum mesh. Cordless and wireless intercepts can produce credit card theft if used for financial purposes. CONSUMER PRIVACY REQUIREMENTS Write to any company you don't want to hear from and ask to be taken off its mailing list. Any envelopes with "Address Correction Requested" or "Return Postage Guaranteed" can be returned unopened by writing "Refused--Return to Sender" on the envelope. The company will have to pay the return postage. If there is a postage-paid return envelope inside, put all of the information in the return envelope with a note that you wish to have your name removed from the mailing list. To get off of ALL mailing lists, write to the Direct Marketing Association's (DMA) Mail Preference Service, P.O. Box 9008, Farmingdale, NY 11735. Tell the DMA you do not want to receive catalogs and other promotional material through the mail. They will put you into the "delete" file which is sent to the DMA's member organizations four times a year. Write to the customer service department of your credit card companies and request your name be removed from the lists they rent to others and from their "in-house" mailing list. Write to the three major credit reporting firms: Equifax, Trans Union and TRW, and ask to be removed from their marketing mailing lists. Be aware that warranty or "product registration" cards have less to do with warranties than they do with mailing lists. They all go to a company called National Demographics and Lifestyles, and you can ask them to delete you from their mailing lists: National Demographics and Lifestyles, List Order Department, 1621 18th Street, Suite 300 Denver, Colorado 80202 When shopping, checkout scanners can also be used to link your name to your purchases, especially if you are using the store's "buyers club" card. If you do not want information compiled about your personal buying habits through the use of price scanners, don't participate in the store's "buyers club." If you are concerned about keeping your name and address private, consider having an unlisted number. Or request that the local phone company publish just your name and phone number and omit your address. In addition, ask the phone company to remove your listing from its "street address directory." Also, write to the major directory companies and request that your listing be removed: Haines & Co., Criss-Cross Directory, 2382 East Walnut Ave., Fullerton, CA 92631; R. L. Polk & Co., List Compilation & Development, 6400 Monroe Blvd., Taylor, MI 48180-1814; Rueben H. Donnelley Corp., 287 Bowman Ave., Purchase, NY 10577. Never print your Social Security number on your checks, business cards, address labels or other identifying information. And do not carry your SSN card in your wallet, which could be lost or stolen. Attempt to resist merchants' requests to put your name and address into their cash registers when you purchase something. PRACTICUM QUESTIONS: 1. Discuss whether a territory-based or person-based notion of privacy would be appropriate for CyberSpace Law, justifying your answer in about 50 words or so. 2. List 3 regulations you think the CyberSpace community is capable of enforcing itself, and 3 which are going to require government enforcement.

3. Critique Prof. Tribe's proposed 28th Amendment. Find something wrong with it. Briefly explain your answer. 4. Suggest an improvement to Dr. O'Connor's new Terms and Conditions for using MegaLinks in Criminal Justice. Click on the words in the previous sentence to see it or find it mentioned at the bottom of his home page. INTERNET RESOURCES: About.com Law:CyberSpace Law Center for Democracy and Technology CyberSpace Law for Non-Lawyers Electronic Frontier Foundation (EFF) home page Electronic Privacy Information Center (EPIC) home page FindLaw's CyberSpace Law Center First Amendment Issues in CyberSpace John Marshall Law School CyberSpace Law Center Legal Issues in Computer Operator Liability Privacy.org news site Privacy Rights Clearinghouse San Diego Law Review article on Information Privacy Search & Seizure in CyberSpace Law Social Science Research Network's Lessons in CyberSpace Law Society for Computers and Law UCLA Online Institute for CyberSpace Law and Policy U.S. DOJ CyberCrime Section home page U.S. DOJ on Privacy Issues in the High-Tech Context PRINTED RESOURCES: Agre, P. & M. Rotenberg (1998) Technology and Privacy. Cambridge, MA: MIT Press. Cate, F. (1997) Privacy in the Information Age. Washington D.C.: Brookings Institute. Garfinkel, S. (2000) Database Nation: The Death of Privacy in the 21st Century. NY: O'Reilly. Henderson, H. (1999) Privacy in the Information Age: Library in a Book. NY: Facts on File, Inc. Lessig, L. (2000) Code and Other Laws of Cyberspace. NY: Basic Books. Reed, C. (2001) Internet Law: Text and Materials. London: Butterworths. Last updated: 03/29/01 Lecture List for JUS 410 MegaLinks in Criminal Justice