Information Technology and the Law

I believe that the Supreme Court correctly decided, in the case of United States v. American Library Association, that the Children’s Internet Protection Act does not facially violate the First Amendment guarantee of free speech. However, acknowledging this fact leaves open the important policy questions of whether requiring filtering of pornography in libraries is a good idea, or if there are certain ways of accomplishing the Act’s goals that are clearly preferable to others.

I agree with the majority’s analysis in U.S. v. American Library Assn. that the mere inclusion of internet access in a library does not create an open forum (which would hold any abridgments of free speech in libraries subject to strict scrutiny). The argument that libraries have a compelling interest to protect children from pornography – common ground amongst even the dissenting Justices, and probably most parties who would enter this argument from either side – is a convincing reason to enact something like CIPA. However, given that libraries are not public forums, such a strong argument in favor of CIPA is not even necessary. Libraries have the discretion to choose what information they make available to the public without violating First Amendment standards. They are not required to shelve every conceivable print resource that an author or patron might like to see available, so why should the internet be any different? I find arguments that the internet is, by its very nature, different from the print resources that libraries provide – and thus expected to be less subject to censorship and regulation – unconvincing. Indeed, a library could choose not to provide internet access at all, in the same way that it might not provide access to subscription cable television or radio broadcast facilities for patrons. In the case of the internet, this would surely not be the best policy for striving to meet a library’s goal of making information available to the public, but a library that chose to do so would be, barring other rules and restrictions, within its rights.

Some have argued that while CIPA may be constitutional, it is just not good policy to restrict access to the internet in the ways that filtering technology does. To the extent that filtering technology “overblocks,” thus preventing library patrons’ access to non-obscene material or otherwise inhibiting their web browsing experience, I agree with this position. However, it would seem that the provision of CIPA allowing for disabling of filtering software upon request does much to weaken objections on these grounds. For those unsatisfied with this solution –because a user might be too embarrassed, ignorant, or otherwise unwilling to request that filtering technology be disabled – I believe that a user profiles approach has much to offer. It does not seem unusual that a library might require patrons to sign up for internet access. In such an application, users could sign up for either a “child” or an “adult” account, or otherwise indicate the degree of blocking they wished to have on their own library internet access (to prevent minors from escalating their privileges, a parent or guardian could be required to cosign the application). In this manner, libraries would not have to maintain an unreasonably high number of user accounts – such as, say, in the case of one account per cardholder – but could still allow for some profile-based tailoring of users’ internet experiences and avoid the problem of instituting strict filtering as the baseline condition for web access.

Kudos to Harlan Yu for his well considered post on ICANN earlier this week. It strikes me as advisable to give more weight to proposals for reform of ICANN like the one that Harlan cites – which comes from the Internet Governance Project, “an interdisciplinary consortium of academics with scholarly and practical expertise in international governance, Internet policy, and information and communication technology” – than proposals, like those offered by some other students, that seem to rely on little more than neophyte college students’ vague personal impressions of “what is surely impossible to implement” or “what is clearly our best course of action.” I would like to first offer a few criticisms of some of the proposed solutions and points of discussion that have come up, and conclude with the idea that the internationalization of ICANN is not only feasible, but necessary for true accountability and representation in such an important governing agency.

First, the notion that the U.S. has some special right to govern the internet – to the exclusion of the legitimate interests of other nations that use the network – merely because internet technology grew out of the efforts of the U.S. government and other American groups is all but ludicrous. Some students advanced this argument in last week’s class discussion, though it is heartening to see that they have backed down from this indefensible point of view in writings posted to this blog. The tenets of democracy that are the very underpinnings of the United States government compel Americans to promote the equal representation of all users affected by internet policy decisions. Hording the power to govern the internet simply because “we started it” runs counter to every imaginable conception of American ideals, and approaches the kind of tyranny that the founders of this country rebelled against.

A number of proposals for solving the problems presented by ICANN endeavor to eliminate the need for ICANN in the first place, either by doing away with generic Top Level Domains completely (for example, by forcing them into a hierarchy where only country codes occupy the highest level – e.g., www.princeton.edu.us – and each country rules over its own respective domain) or by otherwise circumventing the need for a centralized governing agency. On one hand, such a solution only pushes the need for arbitration one level higher. Who, for example, decides what governments are “legitimate” and deserving of control of a country code domain, or when a sufficient shift of political power in some area of the world necessitates the transfer of control of a country code, the creation of a new one, or the discontinuation of a country code that has become (politically) obsolete? In any case, it seems ill-advised to tie the structure of the very backbone of the internet so inextricably to political boundaries, which are inherently subject to change. This says nothing of the practical matter of eliminating gTLDs like .com, .org, and .edu, a move that is likely to be opposed fiercely by those businesses and organizations that are quite fond of the generality implicit in the existing gTLD scheme.

A closely related problem is evident in proposals that advocate creating competing sets of DNS servers, to break down ICANN’s monopoly and, along with it, proponents claim, ICANN’s unchecked power. The main hitch here is that this plan subverts an important characteristic of any useful name-translation service: its universality. ICANN is valuable because it provides a central authority to resolve questions of which names translate to which IP addresses. If DNS servers were allowed to compete, one DNS provider might translate www.princeton.edu to the IP address of the servers of Princeton University, while another could translate it to the IP address of the servers in my parents’ basement, from which I sell unaccredited mail-order diplomas. The “real” Princeton University would then have to ensure that anyone who wanted to find its website use only a Princeton-authorized DNS translator. Text addresses alone would no longer be sufficient to reliably locate internet sites.

The fundamental and unavoidable problems facing ICANN today are its lack of legitimacy and its failure to adequately represent the interests of all of the internet users whom its policies affect. Where, after all, does ICANN get its mandate to govern? Self-installed directors adhering to a set of bylaws that they made up themselves hardly evokes the democratic ideal of the will of the people (where our understanding of “the people” should include all users of the internet, worldwide).

It seems entirely possible, however, for ICANN to reorient itself in such a way as to become legitimate, without undermining its usual course of operations. Instead of drawing its power from an arbitrarily-conceived order of a department of the U.S. government, the new ICANN could be authorized by some type of international agreement. Instead of a U.S. corporation, ICANN could be an international non-governmental agency, with its bylaws established by international consensus rather than by the Commerce Department. ICANN could still operate just as efficiently as before on a day to day basis, as these daily operations would not individually require any cumbersome international conventions (beyond, of course, the one that established ICANN’s “constitution” once and for all). Its charter (i.e., its source of power, its accountability, and rules for things like elections and disclosure of information) would be altered, but its fundamental functioning would be left intact. Although getting the nations of the world to agree on a constitution for ICANN would not be trivially easy, in light of the existence of the U.N. and any number of international treaties governing a myriad of issues, it certainly seems possible. And with so much to be gained over the existing system, we owe it to the current and future generations of internet users to at least try to move toward a fair solution.

This board has seen a number of posts recently regarding “implied consent” in online communication and accesses, and the implications of such consent for legal liability, particularly under the Computer Fraud and Abuse Act and trespass to chattels. For example, it has been suggested that a webmaster gives his “implied consent” that his openly accessible website may be transmitted out to all requestors, or that an email server – in order to fulfill its fundamental purpose – implicitly agrees to accept mail from arbitrary senders.

There seems to be limited consensus among posters here (or, there was, until Tron’s post earlier this evening beat me to the punch) that some technological means of exclusion (e.g., file permissions, passwords, etc.) should be a necessary component in any defensible prohibition of access to online materials. This conclusion is suggested by the reasoning that one of the foremost benefits of internet technology is its ability to make information widely available. If we are given the technological permission to access some online resource, the argument goes, it should be our right to utilize it to the extent that we desire (subject, of course, to other relevant laws, like copyright).

This is certainly a valid assumption in many cases, and technological limitations like passwords and file permissions often do define the scope of what it is acceptable for us to use a computer to access. However, we need not require that technological boundaries completely define what access is authorized. In our H:\ drive hypothetical, it is not only possible, but in fact very likely that many users might be inadequately equipped to set file permissions as they would prefer to have them enforced. The position of those who argue for solely technically-delineated boundaries is, “Too bad for those unfortunate suckers. They should have known better, and the next time they will.”

This view strikes me as overly simplistic for at least three reasons. First, such a hard and fast rule seems to overlook the opportunity for reasonable determinations to be made on a case-by-case basis. If the access in question is clearly unauthorized (such as in the case of copying someone’s homework or an opposing political party’s strategy from a shared drive), or clearly benign (as in a legitimate group collaboration on homework, or the access of a Senate staffer to his own Senator’s strategy materials), it is well within the abilities of the courts to make this determination. In ambiguous cases, a lack of technological protection could weigh heavily against the owner wishing to limit access without actually enacting any means for doing so. This presumption of legality when access is not technologically restricted would give any users unsure about the intended accessibility of data nearly the same protection from frivolous lawsuits as the “permissions-are-paramount” rule, while carving away at the number of the unfortunate victims who are taken advantage of because they inadvertently leave their data publicly accessible. Second, proponents of a technology-based rule argue that people will tend – either through past bad experiences or merely through advancement in society’s facility with technology in general – to become better-educated about how to technologically protect their data, and the problem with owner ignorance will resolve itself over time. Given the rate at which new and necessarily more complex technologies are developing, I contend that it is equally likely that the problem of user incompetence might only worsen with time, or at least remain at the same level. If judges can easily inject some human reason into play to partly combat this problem, why not let them do so when it is appropriate? Third, to rely solely on technological security measures is to put all of our faith in something that we know can never be 100% secure. What if a content owner works very hard to implement a security system that he believes is secure, only to be defeated easily by a much cleverer hacker? Must we rule that the access was authorized, because it was not adequately secured by technical means? If not, where, then, should we draw the line as to what technical level of security is sufficient to deny access? To me, it seems better that technological protection need only bear the burden of a lock on a screen door: it may minimally impede access, but its role is mostly to serve as notification of the owner’s intention that access be restricted.

I would like to deal in this post with the expanding scope of the Computer Fraud and Abuse Act over its 20-plus year history. Admittedly, this may be slightly premature at this point, as far as our treatment of the CFAA in our assigned reading and class discussion is concerned. Our primary concern with the Computer Fraud and Abuse Act’s relationship to the Morris case – specifically, whether the standard of “intention” should apply to both the unauthorized access and the damage caused by that access, or merely to the access action itself – has yet to be considered on this board, and we do not discuss the Morris case in class until Monday. However, such are the typical hardships of having Saturday – by which point in the week posts on this blog have all but beaten to death the issues from the previous week’s classes, but have yet to crack into the next week’s concerns – as an assigned posting day. As such, I offer my thoughts here mostly as an enrichment discussion of the CFAA in general, in the hopes that some readers might refer back to them once the rest of the discussion on this issue has evolved to the point of finding such tangential comments useful.

The Computer Fraud and Abuse Act was initially conceived in 1984 as a means of protecting classified information on federal government computers, as well as sensitive financial and credit information on government computers and the computers of financial institutions. By 1986, Congress had updated the language of the Act to protect the broader class of “federal interest computers” (this was the version under which Robert Morris was convicted). A decade later, in 1996, the scope of the CFAA expanded to cover “protected computers” in general, which brought under the Act’s authority any computer “which is used in interstate or foreign commerce or communication.” Commenting on the Act’s evolution, Edmund Burke writes that “[t]his was a giant step for the federal law of computer crime; Congress subtly moved from exercising its powers to protect federal interest computers – more or less a housekeeping function over federal property – to exercising federal power over all computers involved in interstate and foreign commerce, whether or not any federal government proprietary interest is implicated.”

The generalization of the CFAA’s applicability has led to its use in areas that seem beyond the original intent of the statute to enact penalties for “hacking.” For example, a court ruled in 2000, in the case of Shurgard Storage Centers v. Safeguard Self Storage, that the CFAA could be used to punish unfaithful employees who disclose trade secrets obtained through ostensibly-authorized computer access while still employed by a company. This holding was based on notion that employees forfeit their “authorization” to access private company information when they undertake such access on behalf of a competitor.

While such covert siphoning of information by employees that move from a company to its competitor surely deserves punishment, the CFAA is misapplied in dealing out such a penalty. This problem is better handled by charges like trade secret misappropriation, unfair competition, and tortious interference, which have traditionally been used to handle employee perfidiousness in general. For one thing, the CFAA was originally intended to target “outsiders” who breech the machines of an institution to cause damage or extract information. While disloyal employees could certainly be included amongst such “outsiders,” access that comes in the normal course of work should not qualify as “unauthorized” merely because of a change in the employee’s state of mind. The CFAA, it would seem, has some more physical and specifiable act of intrusion motivating its “unauthorized access” requirement. Further, it does not make much sense to subject employees to additional punishment merely because stolen information happens to come from a computer. If a printed copy of the plans for a company’s next product is just as valuable as a copy of those plans stored on a computer, why should an employee that misappropriates the computerized version be subject to harsher penalties than one who picks up the paper copy from her boss’s desk?

The application of “trespass to chattel” to online cases has certainly generated its share of controversy. A number of individuals in our class expressed some surprise that this charge – rather than something more conventional in the modern legal arsenal – would be called upon to enforce rights in the digital world. Shelving this particular concern for a moment, I would like to take up two related issues, which might shed some light on the former by the time we are through. First, I think we need to consider the normative interests that “trespass to chattel” is used to enforce in the cases in which it has been applied. Do we agree that the interests in these cases deserve the kind of protection that trespass to chattel has been used to carve out for them? Second, has trespass to chattel, if we momentarily assume its legitimacy and relevance to online litigation, been applied correctly in all recent cases, and if not, how might it be better applied?

The case of CompuServe, Inc. v. CyberPromotions, Inc is one in which I believe the trespass to chattel charge is used in a wholly acceptable and non-dangerous way. The court in this case lays out that one who commits trespass to chattel is subject to liability only if “(a) he dispossesses the other of the chattel, or (b) the chattel is impaired as to its condition, quality, or value, or (c) the possessor is deprived of the use of the chattel for a substantial time, or (d) bodily harm is caused to the possessor, or harm is caused to some person or thing in which the possessor has a legally protected interest.” Because the spammer’s mailings unreasonably tax CompuServe’s servers, the spammer is deemed liable under conditions (c), and (d) (where the “thing in which the possessor has a legally protected interest,” in (d), is CompuServe’s service itself, whose quality is degraded by the spamming): “To the extent that defendants’ multitudinous electronic mailings demand the disk space and drain the processing power of plaintiff’s computer equipment, those resources are not available to serve CompuServe subscribers. Therefore, the value of that equipment to CompuServe is diminished even though it is not physically damaged by defendants’ conduct.”

The key aspect, in my view, that makes the application of trespass to chattel correct in the CompuServe case is the fact that the spammer unreasonably taxes CompuServe’s servers. If an adversary launches a denial-of-service attack on your servers, for example, it is relatively easy to argue that he is interfering unacceptably with property that you have legal control over. However, if an attacker merely makes a single connection to your server, and so does not increase the load any more than a usual user would, I would not agree that the bandwidth used up by the connection alone would be actionable, under trespass to chattel, in this scenario. You may well be able to take action against the single-connection attacker on other grounds, but if the hacker’s connection does not damage your servers or deprive you of the privilege of using them, then trespass to chattel is not applicable. This distinction is precisely my problem with the use of trespass to chattel in the Thrify-Tel, Inc v. Bezenek case. The court did not base its ruling against the Bezeneks on the automated dialing that they did (which could have actually qualified for trespass to chattel under my DoS-like interpretation), since the company had not given them notice to stop their actions by this point. Instead, it ruled that calls that they made manually, which fell well within the bandwidth usage of a normal customer, tied up the system sufficiently to meet the trespass to chattel standard. I disagree.

The use of trespass to chattel in the domain of websites (see eBay v. Bidder’s Edge) further illustrates the usefulness of the distinction I advocate with respect to level of use. Under the Thrifty-Tel standard, the proprietor of a website might be able to arbitrarily sue anyone who accessed his website against his wishes (assuming he had notified the defendant of his desire that they avoid visiting his site). This does not seem right. On the other hand, a website owner should have some legal recourse, under trespass to chattel, if someone’s automated bot crawls their website nonstop, using up such a significant amount of bandwidth as to potentially deny legitimate visitors access. Alex Halderman raised an interesting question about websites in class discussion: are they more like books (which, after publication, are free to be read by anyone), or more like physical places that can be controlled and policed by their creators? My answer is that they are both. We might consider a website like a book that is willingly handed over to a reader – and thus not subject to trespass to chattel litigation – to the extent that it used like a book, i.e., when its reading does not impact the book’s author in any unusual way. It is more like a place – where trespass to chattel can apply – when an accessor’s use is so substantial that it impacts the author negatively by unreasonably overburdening his servers. Thus I suggest that electronic connections constitute the physical contact necessary for trespass to chattel only when those connections substantially exceed the patterns of use intended or anticipated, by knowledgeable professionals, for the service. This standard would allow action for denial-of-service type access, but would not furnish a loophole for litigating against any connection that an owner decided he or she did not especially like.

The 2nd Circuit’s opinion on Universal City Studios, Inc v. Corley (“the DeCSS case”) raises several interesting and intricate issues involved in interpreting computer code as speech. In particular, Appellants in this case challenge the constitutionality of the “anti-trafficking” provisions of the Digital Millennium Copyright Act on the grounds that such restrictions impinge on their First Amendment guarantees to freedom of speech. In affirming the lower Court’s finding that the DMCA anti-trafficking clauses are not unconstitutional, the 2nd Circuit arrives at a number of conclusions in the relatively unexplored legal territory of “code as speech” that I think deserve a second look.

First, the Court confronts the fundamental issue of whether – or, more properly, to what extent – computer code should qualify as protected speech. Judge Newman is quick to recognize that the fact that code is expressed in a relatively obscure language and format does not inherently lessen its potential to be regarded as speech. In fact, it is obvious that computer code conveys certain ideas (a central requirement for speech) to those programmers who are trained to read it, just as a written score communicates musical ideas amongst musicians. However, the opinion proceeds to limit the speech potential of computer code, in my view, too narrowly. It identifies three ways in which computer code might communicate: to another programmer, to the user of the code, and to the computer itself (in the form of machine instructions). Newman asserts that only the communication of the code to other programmers is unequivocally protected, that communication to the user is “not necessarily protected,” and that communication to the computer itself is “never protected.” While this last exemption from constitutional protection of speech-to-the-machine makes some sense in light of the fact that the mechanized execution of instructions serves a largely functional purpose (and therefore might be viewed as closer to an “act” than speech per se), I think that such a flat out denial of any expressive potential in this category goes too far. Imagine some code that, when run by a computer, causes that computer to output a clearly-communicative message (for example, some statement of political protest) that is not apparent in the source code, even when it is read by a trained professional. The expressive content of code like this that is only available by way of machine interpretation should not be entirely discounted.

Having established – though not entirely correctly, in my judgment – that code has at least some potential to be protected speech, the Court embarks down the road, relatively well-traveled in First Amendment jurisprudence, of determining whether the DMCA limitations on speech meet appropriate constitutional standards. The opinion concludes that the DMCA’s anti-trafficking limitations impose only a “content neutral” restriction on the acts of posting and linking to DeCSS software, since the DMCA regulates only the “functional” aspects of DeCSS (that is, its ability to decrypt DVDs), and not its expressive, pure speech component. The finding that restrictions are content neutral allows the Court to apply a lower standard for First Amendment constitutionality (essentially, that the DMCA does not “burden substantially more speech than is necessary to further the government’s legitimate interests” rather than fulfilling these interests by “by the least restrictive means available,” a tougher bar to get over).

The finding of content neutral regulation by the DMCA seems well considered. However, it also seems to me that the “functional” restriction of DeCSS should apply only to the charge leveled at Corley et al. of posting DeCSS on their own servers. Providing executable code for users to download is tantamount to providing those users with the functional capability to infringe. On the other hand, linking to another’s site – which the 2nd Circuit also implicates – appears, on the whole, to exhibit much more of a pure speech character. The Court rejects Appellants analogy that linking to another site that hosts illegal programs is similar to providing the address of a bookstore that sells obscene materials (constitutionally protected speech about another entity that provides unprotected content), contending that the nature of hyperlinks to provide instant redirection to the linked address gives them a “functional” component that can be regulated. I disagree, and assert that the bookstore analogy remains valid for hyperlinks, and that justice might be served (and speech better protected) by merely incriminating and shutting down the actual furnishers of contraband, and not all those who simply discuss its location.

Over the course of reading various opinions and briefs relevant to the Grokster case, I have found that my own views of the issues at hand have been far from set in stone. The various writings of the opposing sides have managed, in turn, to partially convince me of their arguments, often prompting me to rethink matters that, only a week earlier, I had convinced myself I had firmly decided in favor of a certain party. And, judging from the high correlation I have noticed between endorsement of particular viewpoints on this blog and our having considered some well-reasoned arguments for those viewpoints most recently in our readings and in class, I feel safe in concluding that I am not alone in this group in my vulnerability to the siren song of the most-recently-read brief.

From one perspective, this is not necessarily a bad thing. The fact of the matter is that the issues raised by the Grokster case (and those leading up to it) are far from clear cut; if they were, they could never have spawned the kind of impassioned debate – from both sides – that we have witnessed in the courts, all over the internet, and even within the confines of our very own weblog. Each time I read a brief or opinion and find myself partially “convinced” by the novel arguments that it raises, I inevitably end up not wholly replacing my previously held conceptions with these new ones, but rather factoring these considerations into an increasingly sophisticated and nuanced understanding of the case. This iterative process seems an effective way of building up a sturdy conception of the case that is likely to yield opinions that are better considered and more likely to stand the test of time and changing situational particulars. In this way, our own experience of informing ourselves of the full complexity of the Grokster case by modifying and reinventing our understanding at the urging of various diametrically opposed parties speaks to the wisdom of the Court’s method of formulating opinions, which follows a similar process.

The element of internal flip-flopping that I have noted is exacerbated in no small measure by the fact that it is possible to construct opposing arguments on these cases, based on the same set of established facts, such that all interests – legitimate as they may seem when considered in isolation – cannot be simultaneously satisfied. As an example, imagine that we first accept the argument – advanced by the computer science professors’ amici brief – that as long as a product has “substantial non-infringing uses,” the developers of the technology behind that product should not be held liable for secondary infringement, regardless of how their product is ultimately used. So far, this sounds convincing, as to hold such technology developers liable would be very likely to inhibit technological innovation. However, copyright holders then cry out with the complaint – again, legitimate in its own right – that this rule does little to protect their intellectual property from the kind of rampant infringement perpetrated by Grokster. An attempt to reconcile these opposing interests leads to some sort of “balancing” of uses actually seen in practice, but the CS profs’ brief and the IEEE brief counter with the assertion (again, very reasonable) that such balancing tests are unpredictable and unreliable, particularly when undertaken at the time of product development. At this point, all parties have argued fiercely, but no one has been wholly satisfied.

Jurisprudence on copyright law repeatedly recognizes that judging copyright disputes is a delicate matter of balancing the interest of society to have access to innovation against the interest of copyright holders to make fair profits from their intellectual property. As such, we should not be surprised that some “balancing” of interests is fundamentally necessary in a case like Grokster. While it may not be prudent to require the balancing of substantial non-infringing uses (as suggested by the likes of the 7th Circuit) when calculating contributory liability, even the active inducement test (suggested by the IEEE) requires some balancing (albeit at a different level). The questions of what, precisely, constitutes an “overt act,” what constitutes “knowledge,” and what constitutes “intent” to infringe (the three prongs of the active inducement test) themselves introduce a balancing act that must be undertaken by the court on a case-by-case basis. However, the active inducement test seems preferable to the 7th Circuit’s weighing of uses, since it moves the balancing to a point where it does not directly interfere with technological development: presumably it is easier for developers of technology to restrain from active inducement than it is for them to predict how their product will be used – in light of its design – in the marketplace. The Court’s responsibility, then, is to introduce its necessary balancing at the level where it least interferes with technological innovation.