Judge Roy Bean would have felt right at home in cyberspace. As a wilderness judge, Bean doled out justice that he molded to fit west of the Pecos, even if it was not always consistent with the U.S. Constitution. Now, modern-day judges presiding over cybercases are grappling to understand a world without boundaries--one that is, for the most part, unregulated.

Most companies are convinced of the business need for providing their employees with Internet access. It has become a business tool much like a telephone or fax machine. But the staggering growth of the Internet -- Gartner Group estimates that by 1998, there will be 50 million business users worldwide -- has handed the judicial system a dazzling array of technical concepts, disparate societal models, conflicting legislation, and diverse commercial operations. The innocent and not so innocent use of a network that crosses international boundaries puts organizations at risk. Businesses need to take stock of legal vulnerabilities to which their employees make them susceptible. And, while the risks put an entire organization in jeopardy, it is up to the IS department -- as the keeper of technology --to alert management to the potential for trouble.

What are the risks? Employees who download pornography to their corporate networks leave their companies liable to legal challenges on harassment, free speech, privacy, jurisdiction, and even copyright infringement. Distributing unlicensed copies of downloaded software violates software copyrights. Lurid E-mail exchanges between employees can leave their companies open to discrimination and harassment charges. Also, since the Net transports data across national boundaries, businesses risk international legal challenges as well.

Unimagined scenarios that lack precedence or clear definition in U.S. or international legal systems will necessitate what at times will amount to frontier justice being meted out. Democratic societies don't much like that idea, but there are as yet no overarching policy guidelines or any unified international efforts underway to define Internet law. Jurisdiction is another unanswered question. Before legislative bodies can establish consistent laws for Internet infringement, they must first determine which government entities have responsibility. For example, if someone in Pennsylvania orders perfume from Paris using an Internet service provider (ISP) in Virginia, who collects sales tax?

Electronic commerce promises to become a huge business, and state and country governments all want their two bits on digital purchases. For now, the Clinton administration has nixed the idea of taxing Internet commerce, but that's surely a temporary condition that will be rectified as soon as legal wizards catch up with the nuances of the digital age and establish cyberlaws to govern global electronic commerce.

In the meantime, just as in the Wild West, judges will be deciding cases without much written law to guide them. And, as they settle these cybercases -- whether civil or criminal -- they will establish legal precedents that will help support or derail subsequent decisions.

Even disputes that only cross state lines cause confusion. In a 1996 cybercase, a California couple who trafficked pornography across the Internet and via postal carriers answered to the laws of Tennessee, where the offending data was received.

But, in another case, a dispute between a California stockbroker and a Connecticut investor, who allegedly was induced to purchase worthless stock, was settled on Connecticut turf, even though the incriminating E-mail was generated from California. The court concluded that "long-arm jurisdiction" applied, and the fact that the California resident was never physically present in Connecticut to conduct business was moot. His use of the telephone and E-mail to transmit "fraudulent misrepresentations" was sufficient.

Long-arm jurisdiction also applied in the well-publicized trademark infringement suit that Massachusetts-based Digital Equipment Corp. filed against California-based AltaVista Technology Inc. AltaVista attempted to have the suit dismissed on the grounds that Massachusetts lacked personal jurisdiction. But, in the 1997 decision that favored Digital, U.S. District Judge Nancy Gertner observed that ". . . the Courts have had to re-evaluate traditional concepts of personal jurisdiction in the light of the increasing globalization of the economy. The commercial use of the Internet tests the limits of these traditional, territorial-based concepts even further."

What to Do in the Meantime

When IS provides access to the Internet, that doesn't automatically mean employees have the right to access anything they want. Most will limit Internet freedom. Ethics aside, under the Computer Fraud and Abuse Act, individuals who intentionally exceed their authorization on a computer system and cause harm are susceptible to liability -- whether or not harm was intended. What constitutes harm is a gray area, but it can include invasion of privacy. And companies will be held accountable, along with their employees, should any fraud be suspected.

All organizations should, therefore, set rules for their employees regulating Internet usage on company time and with respect to using company equipment. However, having such a policy in place is still no guarantee against liability. The law recognizes that even rules, requirements, supervision, and monitoring cannot absolutely prevent fraud, should an employee act beyond those restrictions. An organization is exempt from liability for employee fraud, only if the employee "intentionally and will-fully" misrepresented what he or she did.

The legal challenges that companies face in the uncharted territory of cyberspace are numerous. Some, like copyright infringement or harassment, are certain to have their day in court. Others are more nebulous. Provided below are five likely legal challenges, as well as advice on how to protect against them.

1. Defamation and Libel

Defamation law is based on publication rights, which in the publishing world means you control what you print. Publishers are expected to ensure the accuracy of their content and therefore are liable for what they publish.

Translating that to the Internet makes employers publishers since they own the tools that allow information to be distributed over their corporate intranets and perhaps onto the Internet. An organization, therefore, is likely to be named along with any employee accused of libelous statements that were sent via E-mail, posted on bulletin boards, or even included in chat room discussions.

Proving libel requires that harm to one's reputation be demonstrated. The law was developed for individuals whose only recourse is recovery through the courts (this is why it is generally more difficult for public figures to successfully sue for libel). Some legal analysts, therefore, have suggested that the Internet renders defamatory statements irrelevant, since in cyberspace, everyone is on equal footing. All Internet users have a public platform, the capacity to cross words, and the capability to publicly defend themselves.

Employers, of course, cannot rely on libel losing its legal edge. They also cannot look to existing rulings for assurance.

Cyberlaw so far has been inconsistent.

In 1991, Cubby Inc., an electronic news database provider, filed suit against CompuServe for libel, business disparagement, and unfair competition, alleging that a rival newsletter posted to a CompuServe forum contained defamatory statements about Cubby's electronic news databases. The Court viewed CompuServe as a distributor, rather than a publisher, of information.

As such, the issue of whether or not statements posted to the company's bulletin board were defamatory was irrelevant. In this case, CompuServe was viewed as having no control over content, and therefore was not liable. However, in a controversial 1995 case, the Court ruled that Prodigy, which had promised its subscribers that it would control Internet content via screening software and supervision, had control over the content of its bulletin boards, and could be viewed as a publisher, rather than a distributor. Therefore, Prodigy was held liable for statements posted by its subscribers.

So, despite two "precedent-setting" cases, the legal expectation of what an ISP can be held responsible for is still undefined. With an understandably conservative approach, most ISPs have initiated "acceptable use policies," which define expectations for the behavior of subscribers. Although one would hope these acceptable use policies offer some legal protection, the policies are untested in the courts. Additionally, they raise concerns about freedom of speech and how to regulate behavior in an acceptable manner. For example, subscribers who break the rules have their accounts discontinued. They can also be ousted for "offensive" behavior. But who decides what is unacceptable?

2. Copyright Infringement

Software piracy is a common area of exposure on the Internet. If an employee uses company equipment to download software, and then wrongfully distributes the software or unlawfully makes changes to it, the company could be held liable for piracy -- which is, in effect, copyright infringement.

Though many companies have policies prohibiting piracy, a plaintiff may argue that despite corporate policy, the company failed to supervise and was therefore negligent and liable.

In a 1996 case that dealt with jurisdiction, copyright infringement, and licensing, ProCD, a Wisconsin software vendor, initiated a copyright infringement suit and other claims under state law against a customer who loaded the contents of a CD-ROM telephone directory he had purchased from the company onto a Web site. This case includes several interesting statements of law. The Court ruled that federal copyright law prevailed over state claims, that the data transferred to the Web site was unprotected (not copyrighted), and that ProCD's shrink-wrapped license was not applicable since it was inside the box and the consumer could not have agreed to its terms prior to purchase.

Don't depend on the legal reasoning applied here, or you'll conclude that public domain data is up for grabs despite the fact that it's compiled in a specific form. Also, shrink-wrapped software providers should take note of the license-in-the-box idea.

Probably the most far-reaching impact on copyright infringement law comes from a series of lawsuits filed by the Religious Technology Center against multiple parties in California, Virginia, and Colorado courts. In the fierce battle initiated by the Church of Scientology and its parent company, the Religious Technology Center, several individuals and organizations were charged with copyright infringement after a disgruntled former member of the religious organization posted "sacred" texts on a Usenet bulletin board (BBS). The lawsuits involve multiple jurisdictions and a wide range of defendants, including online services provider Netcom, owner of the BBS server, and the Washington Post, which printed excerpts of what had been posted. The case against the Washington Post was dismissed, but for the most part there are no clear winners in the complex proceedings that have generated numerous questions and rulings regarding online copyright law.

For example, the Court recognized that it is unreasonable to find an ISP liable for direct copyright infringement based on what individuals post on the Internet without its knowledge. However, it also said that ISPs could be found liable for "contributory" infringement, if the ISP "knew or should have known" of a copyright infringement.

The message for corporations is that the application of cyberjustice is mercurial (Netcom is, after all, a distributor, not a publisher), and that they are wise to err on the side of conservative behavior. Save ideals of free speech for the masses; employees are subject to corporate policies -- and so, apparently, are ISPs, individuals, and anyone else who stumbles into your cyberspace.

3. Discrimination and Harassment

The noble idea of freedom of speech brings with it some arguably ignoble practices, such as the dissemination of offensive literature, pornography, hate speech, and the like. The Internet, which provides illusions of anonymity, is a magnet for this type of activity.

While most organizations agree on a broad definition of pornography or unacceptable Web sites -- and software exists that can restrict access to offending sites -- internal communications are more difficult to control. For many companies, legal risk under these laws is most likely to occur through E-mail use. Even for organizations that limit employee network access to internal systems or intranets, employees can exchange E-mail messages with fellow employees regarding any topic at all -- business-related or otherwise. And, E-mail is not protected under the Freedom of Speech Act.

In a 1994 case against Microsoft, the Court allowed an employee, claiming sex discrimination, to use as evidence sexually suggestive E-mail messages she had received from her supervisor.

4. Spam

Unsolicited E-mail, also known as Spam, is the junk mail of the Internet, but with one advantage -- free postage. It's easy for sales and marketing departments to get carried away with the idea of reaching an audience that numbers in the millions, all at the mercy of some binary digits making their way to E-mail inboxes. Make sure your company has policies to prevent sending nuisance marketing messages over the Internet.

Legal issues for Spammers include invasion of privacy, consumer protection, misrepresentation, and harassment juxtaposed against freedom of speech and one's right to engage in commerce. Some recipients of Spam want it outlawed; others suggest boycotting the companies who spawn the Spam. Others favor software screening to block delivery.

Actions taken by Cyber Promotions, an enterprising organization that confronted America Online (AOL), CompuServe, and Prodigy, in landmark court cases, has led to heightened legal awareness of Spam and several pending bills for legislation. Among proposed legislation is the Netizens Protection Act of 1997, which would amend the Telephone Consumer Protection Act of 1991 to prohibit unsolicited E-mail advertisements. Other proposed statutes include, the Unsolicited Commercial Electronic Mail Choice Act of 1997 (would require ISPs to block E-mail advertisements on subscriber request); Electronic Mailbox Protection Act of 1997 (restricting E-mail "harvesting" and eliminating sender address falsification); and the Data Privacy Act of 1997.

5. Profiling

Profiling concerns issues of privacy and consumer protection. Although Spammers may rely on profiling databases for targeting particular demographics, profiling could be much more than just a tool for Spam.

Software records enable administrators to track who visited their Web sites, which files those visitors accessed, which records they were most interested in, how long the visits lasted, and other seemingly innocuous information. However, these records, combined with other data sources, could provide a detailed view of individual preferences. Potentially anyone -- from marketing wizards to law enforcement to insurance providers -- can amass such data. The possibilities for misuse of such information are tremendous. So is legal exposure. Think about the data your employees are collecting, why they are collecting it, what they are doing with it, and if it's secure from the outside world.

Until the law catches up with the demands of the information age, companies that want to minimize the legal risks associated with the Internet are in a precarious position. "When you give someone access to a ubiquitous tool that allows instantaneous communication to the world you've lost control," says Bruce Brickman, a Manalapan, N.J.-based attorney specializing in computer and Internet legal issues. That loss of control means potential legal exposure for any company that permits public or employee-only access to the Internet.

To a large extent, "netiquette" has established de facto expectations of "civilized" behavior. Occasionally, that behavior is at odds with commonly accepted practices in the physical world. For instance, restitution for defamation in cyberspace is sought through forums and flames. Individual users generally understand this; corporations and legal systems do not. So the courts struggle to apply old rules to new models.

In their search for fitting legal precedents and appropriate analogies from the non-digital world, judges sometimes get it right and sometimes do not. Like the U.S. West of the 1800s, cyberspace has its share of bandits, vigilantes, and inconsistently applied laws. Until law and order is brought to cyberspace, companies should be ready for just about anything.

Copyright 1997 Sentry Publishing Company Inc.

InfoSpin RPM* | Customers | Writing Samples

Testimonials | Photography | Links | Contact

InfoSpin Home

*Radiant. Powerful. Memorable.